Snakeoil Academy, PyCon AU 2021

All Hands on Deck - Handling Security Issues

Markus Holtermann (he/him)

Markus Holtermann works as a back-end and infrastructure engineer at Crate.io. He has been a Django contributor since 2014. He is a member of the Django security and operations team as well as an organizer of DjangoCon conferences. Markus has been a project lead at the German ubuntuusers.de community support platform where he discovered Python and Django in 2010.

We live in a world of technology. Unfortunately, the software we build has bugs and sometimes vulnerabilities that cause headaches and haunt us at night. It is on us as engineers to avoid introducing security issues in the first place. But it is on everybody involved to provide support once an issue exists.

We live in a world of technology and engineering where almost everything around us requires software. Unfortunately, the software we use or build has bugs. While most bugs can "just" be fixed, there is another class of bugs, called vulnerabilities. Vulnerabilities can be found in our own infrastructure, on customers' infrastructure, or, worse, around user data.

Sadly, we see reports of leaked personal data on a daily basis. And when it comes to the companies that have just had data leaked, it is astounding how rattled and unprepared they are for the situation. In fact, a lot of companies are puzzled when someone external publicly approaches them about a possible security issue. They don't know how to react and often react in the worst possible way: denial. But this is also about issues that are found from within the company, issues that may not directly affect personal information. There is more to do than telling customers that there is a security release of some software.

IT security is a nearly endless topic to talk about. It is a mindset and a company culture that must be lived by each and every person within a company. In this talk, I will point out what roles individual departments play, because there are more questions to be answered than "how and when are customers informed about an issue and a corresponding solution". Are details about the issue released, and if so, when, and will the details be released publicly or only to customers? How will a public outcry about an issue on social media be dealt with? Is the social media team equipped to handle the masses? Will the sales and marketing teams be able to handle a hesitant customer base? What legal implications does the issue have? Who coordinates, makes decisions, and stays on top of all of these moving parts?