Rootconf Pune edition

On security, network engineering and distributed systems

Making people happy - a story of compliance

Submitted by Shreyansh Pandey (@weirdpanda) on Jul 12, 2019

Section: Full talk (40 mins) Category: Security Status: Rejected

Abstract

Over the last couple of years, I have seen an ever-growing trend: a software engineer writes some bit of code which is checked by a senior engineer of the team and is, later, deployed to production with little or no manual testing. This is the story of how I handled PCI-DSS compliance systems at a small FinTech in Delhi and how a team of 2 people designed, developed, deployed (a lovely alliteration there?) and tested an n-tier architecture complete with automation.

This talk aims at providing some view into the dark alleys of software development, of development operations and of systems engineering. At the end of the talk, the audience will have a good grasp of what to do when they are faced with similar challenges and how to handle a 480-page report.

Outline

The Payment Card Industry - Data Security Standard v3.2.1 is a humongous list of control parameters which a company has to satisfy in order to be allowed to process card data. As security analysts, we focus on the not-so-obvious parts of how an attacker can take advantage of a system and use it for their own good. Without divulging a lot of information (remember the ZK-Proof), we’ll be taking a deep dive into how exactly a compliant infrastructure works, what methods engineers in various roles need to follow and how someone would deal with a possible vulnerability.

This talk is a collation of my experience as a systems engineer, infrastructure and software architect and software engineer, distilled into a single 40-minute talk which will touch on topics oftentimes forgotten by many engineers. As a bonus, this also includes some interactions I have had with “qualified infrastructure engineers” (note the quotes) and a method I found best to filter out some of the candidates.

It’s an interactive session, so during the conversation - rather than a talk - feel free to interrupt me (I do not understand INT 10H) and ask whatever your mind wants; please be a little technical, though?

Requirements

Basic understanding of how networks work;
Knowledge of a cloud provider of your choice; and
A Linux machine. (You can use Windows, too; but I shall not be held responsible if your OS asks for random updates during the presentation.)

Speaker bio

I have worked with infrastructure and backend systems for around 5 years now and, over those years, I have seen some patterns which I want to debunk and tell people about so that they do not get into the same thought spiral of doom as I did a while back. With experience in Golang, Node.js and DevOps tooling on AWS, I will make sure that this talk is as platform agnostic as possible.

Currently, I work at a small FinTech in Delhi which is producing some amazing products to reduce the weight of your wallet.
