Getting over the finish line: Loom Security Journey.
Narayan Gowraj, Nishant Jain
BSidesSF 2024 · Day 1
This talk, "Getting over the finish line: Loom Security Journey," delivered by Narayan Gowraj, Head of Security at Loom, and Nishant Jain, Security Engineer at Loom, gives a comprehensive look at how a security program evolved inside a rapidly growing startup. The presentation chronicles Loom's security efforts from 2021, when Narayan joined as the founding security engineer, through the company's acquisition by Atlassian at the end of 2023. It covers the practical challenges and strategic decisions involved in scaling security processes, tooling, and automation, building cross-team collaboration, and handling significant security incidents.
AI review
This talk details Loom's security journey, from the hiring of a founding security engineer to the company's acquisition. While the "scaling security" narrative is familiar, the deep dive into their 2022 CDN misconfiguration incident, which led to session exposure and a service outage, offers concrete, actionable lessons on subtle caching behaviors and cookie attributes: a response that carries a per-user Set-Cookie is only kept out of a shared cache when the origin says so explicitly. The discussion of WAF deployment in front of GraphQL and of how their bug bounty program evolved is also practically useful.
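The caching-plus-cookie failure mode the review refers to, shown as an added example rather than anything from the talk or Loom's own code: a header audit that flags responses a CDN or other shared cache could store and replay to a different user (a per-user response carrying Set-Cookie without `private` or `no-store`), and session cookies missing the usual hardening attributes. The exact misconfiguration behind the incident is not described on this page; the two header samples, `LEAKY_RESPONSE` and `SAFE_RESPONSE`, are constructed for illustration.

```python
"""Flag HTTP responses that a CDN or other shared cache could store and
replay to the wrong user: per-user responses (those carrying Set-Cookie)
that are not marked private/no-store, plus session cookies lacking the
usual hardening attributes.

Added illustration only; the exact misconfiguration behind Loom's incident
is not described on the page summarised here, and the header samples below
are constructed.
"""
from __future__ import annotations

Header = tuple[str, str]

# Constructed samples: the first is the classic leak shape, the second is the
# shape an origin should emit for anything that sets or depends on a session.
LEAKY_RESPONSE: list[Header] = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Cache-Control", "public, max-age=300"),
    ("Set-Cookie", "session=abc123; Path=/"),
]
SAFE_RESPONSE: list[Header] = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Cache-Control", "private, no-store"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]


def parse_cache_control(value: str) -> dict[str, str | None]:
    """'public, max-age=300' -> {'public': None, 'max-age': '300'} (names lowercased)."""
    directives: dict[str, str | None] = {}
    for part in value.split(","):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def cookie_attributes(set_cookie: str) -> tuple[str, set[str]]:
    """One Set-Cookie value -> (cookie name, lowercased attribute names present)."""
    pieces = [p.strip() for p in set_cookie.split(";")]
    name = pieces[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in pieces[1:] if p}
    return name, attrs


def audit_response(headers: list[Header]) -> list[str]:
    """Return a list of findings (empty when the response looks safe).

    Headers are (name, value) pairs rather than a dict because Set-Cookie
    legitimately repeats.
    """
    findings: list[str] = []
    lowered = [(n.lower(), v) for n, v in headers]
    set_cookies = [v for n, v in lowered if n == "set-cookie"]
    cc = parse_cache_control(", ".join(v for n, v in lowered if n == "cache-control"))

    if set_cookies:
        # HTTP caching rules do not, by themselves, keep a shared cache from
        # storing a response that carries Set-Cookie; only 'private' or
        # 'no-store' does. 'no-cache' is NOT enough: it allows storage and only
        # forces revalidation. CDN defaults for Set-Cookie responses vary, so
        # the origin should never rely on them.
        if "private" not in cc and "no-store" not in cc:
            findings.append(
                "per-user response (Set-Cookie) storable by a shared cache: "
                "add 'Cache-Control: private' or 'no-store'"
            )
        if "public" in cc or "s-maxage" in cc:
            findings.append(
                "per-user response explicitly marked shared-cacheable "
                "('public' / 's-maxage')"
            )

    for raw in set_cookies:
        name, attrs = cookie_attributes(raw)
        missing = [a for a in ("secure", "httponly", "samesite") if a not in attrs]
        if missing:
            findings.append(f"cookie {name!r} missing attributes: {', '.join(missing)}")
    return findings


if __name__ == "__main__":
    for label, resp in (("leaky", LEAKY_RESPONSE), ("safe", SAFE_RESPONSE)):
        print(label, audit_response(resp) or ["no findings"])
```

Run against recorded origin responses (for example a HAR export) rather than the CDN's edge output, since the edge may rewrite Cache-Control and hide what the origin actually sent. The `no-cache` distinction is the one most often missed: it forces revalidation but still permits the shared cache to store the response.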