Security Champions: How to Build an Alliance with Developers

Transcript

1. @chriseng Chris Eng ISSA-LA Summit X May 4, 2018 Security

   Champions: How to Build an Alliance with Developers

2. @chriseng Who are you? Developer Security Operations Other

3. @chriseng My Background • VP Strategic Research, CA Veracode •

   20 years in application security: building, breaking, and defending • Lead the team responsible for the security analysis capabilities of Veracode’s product portfolio as well as product security across all development teams • Speak at lots of conferences and to the media

4. Trends

5. @chriseng Domino's has almost turned itself into a technology company

   that maybe just happens to sell pizza on the side. We look at metrics like orders per minute, actual transactions out to stores, and that can tell us what customers are ordering, in real time. - Russ Turner, IT Manager Apps Tied to Bottom Line 78% of enterprises believe that the shift to becoming a software-driven business will be a critical driver of competitive advantage. Over 40% say it is already affecting new product and service development. 1 Digital sport, as we call it at Nike, is incredibly important to us. We think it's going to be a bigger and bigger factor in terms of the experience that consumers have with the products that we create….We are focusing more on the software side of the experience. - Mark Parker, CEO At its heart, Tesla is a software developer dressed in a carmaker's robes… This software focus affords Tesla a flexible and dynamic approach to updating its fleet, something that few, if any, other carmakers have been able to accomplish. - Leah Niu, Motley Fool Airbnb makes its money in real estate. But everything inside of how Airbnb runs has much more in common with Facebook or Google or Microsoft or Oracle than with any real estate company. What makes Airbnb function is its software engine…. It’s a tech company. - Marc Andreesen, Investor All Companies are Software Companies

6. @chriseng PLAN DEV QA OPS = Handoff Waterfall Business Intent

   App Knowledge Ops Knowledge Agile Business Intent App Knowledge Ops Knowledge DevOps Continuity Development Practices are Evolving

7. @chriseng Traditional Security Teams Don’t Scale IMAGES: Creative Commons (CC-BY)

   people by Studio Het Mes from the Noun Project, confuse by Gan Khoon Lay from the Noun Project

8. @chriseng The Evolving Developer Mindset Security is everyone’s job now,

   not just the security team’s. With continuous integration and continuous deployment, all developers have to be security engineers... We move too fast for there to be time for reviews by the security team beforehand. That needs automation, and it needs to be integrated into your process. Each and every piece should get security integrated into it... before and after being deployed. – Werner Vogels, Amazon CTO at AWS re:Invent 2017

9. Laying Groundwork

10. @chriseng Develop Relationships • If you’re in security, who is

    your peer in development (and vice-versa)? • Do you understand how they are goaled? • What are their struggles? • How often do you meet with them? • How’s the empathy level? IMAGES: Creative Commons (CC-BY) Handshake by Gan Khoon Lay from the Noun Project

11. @chriseng Share Accountability • Shared between development and security •

    Part of annual goals for both teams • Measured and reported regularly

12. @chriseng Learn About Their World • Read • The Phoenix

    Project • The DevOps Handbook • Attend some scrum ceremonies • Learn their tools • Write security stories and/or code

13. @chriseng Developers, You’re Not Off the Hook • Understand security

    mindset as well as practical techniques • Read • Agile Application Security • Security Engineering • The Art of Deception • Smashing the Stack for Fun and Profit (seminal article) • Talk to your product security team about what they’re working on

14. Starting to Scale

15. @chriseng Build Security Champions • Security teams can’t be everywhere

    at once • Your security team does not scale indefinitely! • Build and train a team to take on specific tasks and to be the “security conscience” on their respective teams

16. @chriseng Bootstrapping a Security Champions Program • Pick the right

    people • Start strong • Empower, within limits • Maintain momentum

17. @chriseng Staffing Considerations • Volunteer > voluntold • 2+ per

    team for redundancy • Influential people, not just developers! • Not too new to company, team, or product • Not already responsible for a major role, e.g. ScrumMaster IMAGES: Creative Commons (CC-BY) chosen by Gilbert Bages from the Noun Project

18. @chriseng Ramping Up • Security fundamentals: instructor-led works well •

    Reinforce with eLearning • Review previously fixed vulnerabilities in familiar codebases to learn real-world scenarios • Supplement with CTFs

19. @chriseng Empower, Within Limits • Day-to-day tasks such as story

    grooming, code reviews • Make grooming checklists: new features, new architectures, new security controls, new forms, fixes for pen test finding, any code that touches AuthN, AuthZ, cryptography, etc. • Focus code review goals to security controls they have proven they understand, e.g. data validation, parameterization, encoding, etc.

20. @chriseng The Conscience of the Security Team • One of

    the most important skills: understanding when and how to escalate • Keep an eye out for SCs who never escalate anything

21. Keeping momentum Keeping Momentum

22. @chriseng Measuring and Managing

23. @chriseng Measuring and Managing • Baseline security maturity • Code

    review certifications • Individual and team goals • Quarterly reviews

24. @chriseng Using a Maturity Model (this level of granularity works

    for us, but maybe not for you)

25. @chriseng Goal Setting • Goals for champions • Code review

    certification • Spot check grooming decisions • Goals for teams • Against maturity model • Baseline and update • Are you getting what you expect?

26. @chriseng Maintain High Touch • Support, not abandonment • Monthly

    group meetings to compare experiences and share information • Slack channel, mailing list — however the developers prefer to communicate • Periodic check-ins, e.g. quarterly maturity model check-ins • Joint projects (e.g. VSSL)

27. @chriseng Rewards and Recognition • Additional training opportunities • Internal

    (mentoring) • External (conferences) • Teach them to hack • Internal CTF sessions • Swag, badges, certifications

28. Conclusions

29. @chriseng In Summary • Solid relationship with your development counterpart(s)

    is a must-have • Pick the right people, train them, and empower them • Measure progress (maturity models vastly superior to vulnerability counting or other “minivan” metrics) • Maintain momentum through open communication and incentives

30. @chriseng Chris Eng VP, Strategic Research CA Veracode @chriseng Thank

    you!