Joe Basirico, VP of Services

Joe is responsible for leading the Professional Services business at Security Innovation. He draws on his experience as a development lead, trainer, researcher, and test engineer to direct the security consulting team in delivering high-quality, impactful risk and software assessment and remediation solutions to the company’s customers. His ability to blend deep technical skills with risk-based business and compliance analysis is a powerful combination. In his fifteen years in the industry, Joe has worked with countless clients to reduce their overall software security risk so that they can build, deploy, and maintain more secure software in a reliable, repeatable way. Joe has spent much of his professional career analyzing software, finding vulnerabilities, and helping clients mitigate risk. Through this work he has developed an understanding of application threats, tools, and methodologies that assist in the discovery and removal of security problems, both software- and process-related.
Collaborating with Hackers and Researchers with a Bug Bounty Program
In today’s environment there is no arguing that a comprehensive secure development process is necessary. Fitting tools, technology, and security reviews into the current development cycle has become table stakes for companies building the software of tomorrow. Breaking the “find and fix” vulnerability-based assessment cycle, so that software is developed with security in mind from start to finish, is critically important. Doing this without a collaborative, social security program that draws on bug bounty programs, outside security researchers, and every form of vulnerability disclosure, however, misses a huge opportunity. In this talk I will explore how your security program can reach beyond the Secure SDLC. We will discuss:

* **Bug Bounty Programs** – Why you want to *invite* security researchers to hack your products.
* **Marketing your Security Program** – How and why to market your security program: what to say, how to say it, and where to say it for maximum effectiveness.
* **How to Communicate with Security Researchers** – What security researchers expect in terms of communication, responsiveness, transparency, and time to fix.
* **Vulnerability Disclosure Options** – What public vs. responsible disclosure means and how to handle each.
* **Integration with an Existing Security Program** – You may already be training your developers, using outside vendors, and performing internal security testing; where do these other aspects fit in?