May 24, 2016

Live Blog: 5/24/2016: Meet the Fitbit Security Team @ Fitbit-Boston

A few weeks ago, Fitbit's Security team organized a talk through the Security of Things Meetup:
What: Meet The Fitbit Security Team!
When: Tuesday, May 24, 2016, 6:30 PM
Where: 1 Marina Park Drive, Boston, MA
Signup At: http://www.meetup.com/The-Security-of-Things/events/231198245/
"[T]he folks at Fitbit have extended an invitation to the Security of Things Meetup: an opportunity to meet with Fitbit's product security team next Tuesday, May 24th at the FitBit offices in downtown Boston.

"This is a great opportunity to talk with the folks responsible for securing the hottest wearable technology in the market right now. Fitbit isn't just a wearable activity monitor: it's a sensing platform for a wide range of health monitoring activities: from fitness and weight loss to sleep monitoring and social networking.

"Come hear about how the Fitbit team addresses the security and privacy challenges of its growing and enthusiastic user base, while also developing next generation features to keep their technology relevant and cutting edge".

At last count, there were ninety-two people signed up to attend at Fitbit-Boston's office, here at One Marina Park Drive, Suite 701, Boston, MA.

I wonder how many will come? Chairs have all been set up...


Pizza has been ordered...


After a quick meet-and-greet, the talk can begin!

6:34 pm
Paul Roberts, Editor-In-Chief of The Security Ledger and founder of The Security of Things Meetup spoke briefly. This was the second security meetup this month. Last week, the group was at Akamai.

Paul introduced Chris Stasonis, Senior Engineering Manager at Fitbit, whom Paul had reached out to a few months ago so that the Security of Things Meetup could host an event when the San Francisco-based security team came to visit the Boston office.

Chris mentioned that the Boston office has been around for almost three years, primarily as an engineering office, with a large firmware department and a lot of exciting products in progress.

If you are a firmware engineer, check out http://fitbit.com/jobs.

Sasha Birkup, Director of Security, spoke a bit about the team. The current security organization is around 13 people. They are building out a security features team. The features team consists more of developers who want to focus on security than of security people who want to dictate to developers.

Sasha mentioned that Fitbit is ultimately a startup and has startup-like issues, such as competing for resources, and that time to market is king and queen. Field testing and QA are high commodities. And the best part of Fitbit is that the two co-founders are technical. The CEO, James Park, can be considered the first security officer.

Members of the team spoke about how they focus not just on firmware and hardware, but on web and mobile applications too, making sure they are all secure end-to-end.

They also do what I found to be unique when auditing code for security issues: code reviews. They check, for example, whether an API known not to be safe is being used. They look for interesting commits that may contain code vulnerabilities.
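The commit-review check described above, written out as an added example (my own illustration, not Fitbit's tooling): a small script that walks the added lines of a unified diff and flags calls to C library functions that have no bounds argument, plus a printf whose format string is a variable rather than a literal. The diff, the file name, the function and the table of flagged APIs are all constructed for the example.

```python
import re

# Constructed unified diff standing in for one commit under review.
# The file, function and contents are made up for this example.
SAMPLE_DIFF = """\
diff --git a/src/ble_parse.c b/src/ble_parse.c
--- a/src/ble_parse.c
+++ b/src/ble_parse.c
@@ -10,6 +10,9 @@
 void handle_name(const uint8_t *pkt, size_t len)
 {
     char name[32];
-    snprintf(name, sizeof name, "%s", (const char *)pkt);
+    strcpy(name, (const char *)pkt);
+    printf(name);
     log_name(name);
 }
"""

# Calls a reviewer of C firmware would flag, with the bounded replacement.
# The table is an assumption of this example, not a Fitbit policy.
UNSAFE_APIS = {
    "strcpy": "use strncpy/strlcpy with an explicit destination size",
    "strcat": "use strncat/strlcat with an explicit destination size",
    "sprintf": "use snprintf",
    "vsprintf": "use vsnprintf",
    "gets": "use fgets",
}

# Match a call to any listed function; \b stops 'sprintf' matching inside 'snprintf'.
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, UNSAFE_APIS)) + r")\s*\(")
# printf whose first argument is an identifier rather than a string literal.
FMT_RE = re.compile(r"\bprintf\s*\(\s*([A-Za-z_]\w*)\s*[,)]")


def scan_diff(diff_text):
    """Return (file, new_line_no, api, advice) for every added line that
    calls an unsafe API or passes a variable as the printf format string."""
    findings = []
    current_file = None
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:]
            if current_file.startswith("b/"):
                current_file = current_file[2:]
            continue
        if raw.startswith("--- ") or raw.startswith("diff "):
            continue
        if raw.startswith("@@"):
            # "@@ -old,len +new,len @@": take the new-file start line
            m = re.search(r"\+(\d+)", raw)
            new_line = int(m.group(1)) if m else 0
            continue
        if raw.startswith("-"):
            continue  # removed line: not present in the new tree
        if raw.startswith("+"):
            code = raw[1:]
            for m in CALL_RE.finditer(code):
                api = m.group(1)
                findings.append((current_file, new_line, api, UNSAFE_APIS[api]))
            m = FMT_RE.search(code)
            if m:
                var = m.group(1)
                findings.append((current_file, new_line, "printf",
                                 "format string is the variable '%s'; use printf(\"%%s\", %s)"
                                 % (var, var)))
        new_line += 1  # added and context lines both advance the new-file line number
    return findings


def report(findings):
    """Format findings one per line, the way a review comment would read."""
    return ["%s:%d: %s: %s" % f for f in findings]


if __name__ == "__main__":
    for line in report(scan_diff(SAMPLE_DIFF)):
        print(line)
```

Only added lines are scanned, so a commit that merely touches a file containing an old strcpy is not flagged; the point is to catch the regression in the commit that introduces it, as the sample diff does when it replaces a bounded snprintf with strcpy.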

They also use accurate threat modeling as the basis for discussing which risks are priorities, examining the external boundaries first, then the internal ones.

The security team mentioned that they offer bug bounties for bugs found. You can check out Bugcrowd at https://bugcrowd.com/fitbit. Please note: this program does not allow disclosure. Under the bug bounty program, you should not release information about vulnerabilities found in this program to the public.

What is BugCrowd?

"Companies are in an unfair fight when it comes to cybersecurity. Regardless of how robust security efforts are, companies will always be outnumbered by the thousands of malicious hackers worldwide. We bring thousands of good hackers to the fight, helping companies even the odds and find bugs before the bad guys do".

-T.J. Maher
Sr. QA Engineer,
Fitbit-Boston

// QA Engineer since Aug. 1996
// Automation developer for [ 1 ] year and still counting!