Security is one of the most relevant aspects of any new project, because a single, simple error - or a chain of small errors - may lead you and your team to disaster (reputation loss, legal issues, etc.).
The client assumes the site is secure, and so do the users. It is also not unusual for developers to be wrongly confident that their tools - frameworks, libraries - are secure enough, or to think the security level of their code has nothing to do with their skills and knowledge. Business people tend to consider security a waste of money instead of an investment, and they assume the team will be able to develop the project in the most secure way - even without spending a single cent on security. Systems administrators ... well, they are from outer space - if everything is not blowing up, it's usually thanks to them :)
However, reality shows us that most people involved in an IT project don't even know what is making their new site insecure (each one at their own level - technical, management, etc.). It should not be a surprise to find that an application's data may have been published on Pastebin, on the black market or, even worse, in the press.
The goal of this session is to describe security in an IT project from the very start of the life cycle to the moment when the server is switched off, so everyone attending will have more knowledge and resources to make decisions related to this important aspect of the software. Managers will learn that to invest in security is to invest in tranquility, developers will realize the importance of basic security training, and staff in general will be able to manage the security of the project without dying in the attempt.
Intended Audience & Skill Level
All team members involved in an IT project, from the junior programmer to the most experienced project manager, including business people, systems administrators, designers, and basically everyone concerned about how to improve security in their projects.
This is a non-technical session, so there is no minimum recommended level of IT security knowledge - just come and, maybe, learn about good habits and best practices to make your work environment more secure!
About the speaker
My name is Ezequiel "Zequi" Vázquez, and I am a developer at Lullabot. I am a web engineer specialized in PHP & Drupal development, with a strong background in DevOps, virtualization & cloud computing, and highly interested in high performance & availability. IT security is one of my passions.
I have been working for different companies over the last years, helping in the development of awesome Drupal projects, and performing a good number of security audits of well-known sites, including a big bunch of Drupal ones. I have been a speaker at the last four DrupalCamp Spain editions and at DrupalCon Europe 2015, and I usually collaborate with local meeting groups and local universities to talk mainly about web security and Drupal.