Welcome to OWASP AppSec 2018 USA. We look forward to seeing you in San Jose, CA.
Thursday, October 11 • 3:30pm - 4:05pm
SCORE Bot: Shift Left, at Scale!

In today’s DevSecOps world, “shift to the left” is not a new mantra for AppSec practitioners. It is imperative to notify developers about potential security issues as early as possible.

While heavy-weight static and dynamic analysis tools and fuzzers exist to find generic technical security flaws, finding custom security issues that are specific to an organization’s proprietary frameworks, APIs, libraries, etc. is often tricky, time-consuming and expensive to capture and maintain as “custom rules” in those tools. IDE plug-ins are often messy to deploy and maintain at scale in the real world when you are dealing with highly diverse programming languages/frameworks and thus various versions of different IDE products.

Secure COde REview Bot (SCORE Bot) fills that gap and provides real-time, in-context security-oriented code review that focuses on org-specific security issues. It does that by automatically hooking into the GitHub Pull Request (PR) process and posting PR comments with not only the details about the identified security vulnerabilities but also remediation advice, so that developers have actionable guidance to fix those security issues.
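The PR-hook pattern described above, as an added illustration that is not SCORE Bot's own code: org-specific rules are kept as a small table, only the lines a PR adds are scanned (mapped to post-change line numbers from the hunk headers), and each hit becomes a PR comment carrying both the finding and its remediation. The rule ids, the `legacy_session`/`auth_sdk` names and the sample diff are all invented for this example.

```python
import re
# Hypothetical org-specific rules and the SAMPLE_DIFF below are constructed for
# this example: each rule pairs a pattern with its finding and remediation.
RULES = [  # (rule id, regex, finding, remediation)
    ("ORG-AUTH-001", r"\blegacy_session\.create_token\(",
     "legacy_session.create_token() issues unsigned session tokens",
     "call auth_sdk.issue_token(), which signs and scopes the token"),
    ("ORG-TLS-002", r"verify\s*=\s*False",
     "TLS certificate verification is disabled on this request",
     "drop verify=False and point requests at the internal CA bundle"),
]
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,(\d+))? @@")

def added_lines(diff_text):
    """Yield (path, new-file line number, text) for each '+' line in the diff."""
    # Only added lines are scanned, so untouched legacy code creates no noise.
    # The hunk header's new-side count tells us where each hunk body ends.
    path, line_no, remaining = None, 0, 0
    for raw in diff_text.splitlines():
        if remaining > 0:                   # inside a hunk body
            if raw.startswith("+"):
                yield path, line_no, raw[1:]
            if not raw.startswith("-"):     # added/context lines advance the new file
                line_no, remaining = line_no + 1, remaining - 1
        elif raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif (m := HUNK.match(raw)):
            line_no, remaining = int(m.group(1)), int(m.group(2) or 1)

def review(diff_text):
    """Return the PR comments the bot would post: file, line, rule and advice."""
    comments = []
    for path, line_no, text in added_lines(diff_text):
        for rule_id, pattern, finding, fix in RULES:
            if re.search(pattern, text):
                comments.append({"path": path, "line": line_no, "rule": rule_id,
                                 "body": f"[{rule_id}] {finding}. Remediation: {fix}."})
    return comments

SAMPLE_DIFF = """\
--- a/app/login.py
+++ b/app/login.py
@@ -10,3 +10,5 @@ def login(user):
     check_password(user)
-    token = make_token(user)
+    token = legacy_session.create_token(user)
+    audit.log("login", user)
     return token
+r = requests.get(url, verify=False)
"""
```

Posting each dict in `review(SAMPLE_DIFF)` through the GitHub review-comment API at the given path and line is the remaining integration step; adding a new org-specific check is one more row in `RULES`.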

Driven by insights from behavioral science and experimentation (A/B testing), SCORE Bot became our reliable eyes-and-ears of the code being written at PayPal and a trusted security peer reviewer for our developers.

In this talk, we’ll share the lessons learned from rolling out SCORE Bot at PayPal, with details on what worked and what proved challenging, along with some real-world metrics from our deployment that scaled to cater to diverse programming languages, frameworks and CI/CD pipelines.

Speakers
Vidhu Jayabalan

Security Architect, PayPal Inc.
Vidhu works at PayPal Inc. as a Security Architect in the Application Security Engineering organization and leads the development of a suite of products that enable the Secure Product LifeCycle program at PayPal. Vidhu loves spending time on engineering & building products that are at...
Laksh Raghavan

Head of AppSec & Innovation, PayPal Inc.
Laksh Raghavan is the Head of Security Products Development at PayPal Inc. He is currently responsible for managing the Secure Product Lifecycle Program for all PayPal applications including the web and mobile apps supporting PayPal's more than 325 million active accounts. Laksh has...


Thursday October 11, 2018 3:30pm - 4:05pm PDT
  Gold, Intermediate
  • Track 3