Securing Billions: Application Security Teams at Top Tech Companies
In this talk, we will dive into the intricate world of application security at leading tech companies, focusing on how these organizations protect their large codebases and user data. We will explore the organizational structure of security teams, highlighting the distinct roles and responsibilities within these groups. The discussion will cover the implementation and impact of program analysis in detecting and preventing vulnerabilities in code. Additionally, we will examine the critical role of bug bounty programs in supporting internal security teams, detailing how external security researchers collaborate with internal teams to enhance the overall security posture.
Ibrahim M. ElSayed is a Senior Staff Security Engineer at Lacework. He obtained his BSc in Computer Engineering from The American University in Cairo and his MSc in Information Security from Royal Holloway, University of London.
Ibrahim focuses on using program analysis to scale security vulnerability detection and prevention. He is currently leading the code security team at Lacework, creating tools to enable developers and security teams to detect and prevent impactful vulnerabilities. Previously, he spent 8 years at Meta, building various static analysis tools such as Zoncolan, Pysa, and Mariana-Trench to analyze hundreds of millions of lines of Meta’s codebase, including PHP, Python, and Java. This static analysis program enabled the security team to detect more than 50% of Meta’s security vulnerabilities through tooling.
Ibrahim has shared his work in conferences, such as Blackhat MEA 2022, Blackhat US 2021, Pycon 2021, OWASP London and Arab security conference. He has been a guest lecturer at several universities including Ecole 42 in France, University of Alberta in Canada, University College London and Royal Holloway in the UK, Arab Academy for Science, Technology & Maritime Transport in Egypt. In these lectures, he has presented on the role of an application security engineer and the use of program analysis at industry level.