You spend your time configuring HTTP headers and hardening your containers. Meanwhile your CFO just downloaded a Chrome extension to make the font in Gmail Comic Sans. What are Chrome extensions, exactly? This talk will dive into details, including format, contents, static analysis with custom rules, threat modeling (when does this even matter?), and some of the unique challenges of building a security scanner. A tool will be demoed that has just been released for this: CRXaminer (crxaminer.tech). You will learn how you can immediately start using it.

This workshop is a hands-on exercise in building a good security program. The presenters have built security programs from scratch at multiple companies and have found that, while the companies can vary, the fundamentals remain roughly the same. The goal here is to bridge the gap between common infosec vendor jargon and practical security engineering work. There’s no shortage of acronyms being invented every week in the realm of security engineering. Instead of wading through these buzzwords that might not even be around by the end of the year, this workshop will dig into the principles that make for a good security program. These principles will then be applied with practical hands-on exercises where you’ll use free and open source security tools to build continuous security automation and alerting similar to ones that have been built when starting new security programs.