Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security Champions: How to Build an Alliance with Developers

Security Champions: How to Build an Alliance with Developers

Are you responsible for more than just AppSec? What do you do when you have more teams to support than security experts? How can you make security champions out of dissenters in the development team?

There just aren’t enough security experts to go around. You have to support the multitude of Agile and DevOps teams that are making production software changes anywhere from once a month to several times a day. The lack of resources coupled with the ever increasing responsibilities can make you feel like a rogue warrior in the battle against cybercrime. What’s a security professional to do? Whether you are a team of one or five, there aren’t enough hours in the day, and even if there was more budget, good luck finding enough security professionals. What if I told you that through careful selection and good training it is possible to build your own army from the very people who own the development process?

What you will learn:

1. Who to recruit as security champions
2. How to train these champions in productive application security
3. How to measure success
4. How to build a scalable security program
5. What to expect from champions (responsibilities)

20b25a4e0db77fa2c02dd45ee9ba3eb1?s=128

chriseng

May 04, 2018
Tweet

Transcript

  1. @chriseng Chris Eng ISSA-LA Summit X May 4, 2018 Security

    Champions: How to Build an Alliance with Developers
  2. @chriseng Who are you? Developer Security Operations Other

  3. @chriseng My Background • VP Strategic Research, CA Veracode •

    20 years in application security: building, breaking, and defending • Lead the team responsible for the security analysis capabilities of Veracode’s product portfolio as well as product security across all development teams • Speak at lots of conferences and to the media
  4. Trends

  5. @chriseng Domino's has almost turned itself into a technology company

    that maybe just happens to sell pizza on the side. We look at metrics like orders per minute, actual transactions out to stores, and that can tell us what customers are ordering, in real time. - Russ Turner, IT Manager Apps Tied to Bottom Line 78% of enterprises believe that the shift to becoming a software-driven business will be a critical driver of competitive advantage. Over 40% say it is already affecting new product and service development. 1 Digital sport, as we call it at Nike, is incredibly important to us. We think it's going to be a bigger and bigger factor in terms of the experience that consumers have with the products that we create….We are focusing more on the software side of the experience. - Mark Parker, CEO At its heart, Tesla is a software developer dressed in a carmaker's robes… This software focus affords Tesla a flexible and dynamic approach to updating its fleet, something that few, if any, other carmakers have been able to accomplish. - Leah Niu, Motley Fool Airbnb makes its money in real estate. But everything inside of how Airbnb runs has much more in common with Facebook or Google or Microsoft or Oracle than with any real estate company. What makes Airbnb function is its software engine…. It’s a tech company. - Marc Andreesen, Investor All Companies are Software Companies
  6. @chriseng PLAN DEV QA OPS = Handoff Waterfall Business Intent

    App Knowledge Ops Knowledge Agile Business Intent App Knowledge Ops Knowledge DevOps Continuity Development Practices are Evolving
  7. @chriseng Traditional Security Teams Don’t Scale IMAGES: Creative Commons (CC-BY)

    people by Studio Het Mes from the Noun Project, confuse by Gan Khoon Lay from the Noun Project
  8. @chriseng The Evolving Developer Mindset Security is everyone’s job now,

    not just the security team’s. With continuous integration and continuous deployment, all developers have to be security engineers... We move too fast for there to be time for reviews by the security team beforehand. That needs automation, and it needs to be integrated into your process. Each and every piece should get security integrated into it... before and after being deployed. – Werner Vogels, Amazon CTO at AWS re:Invent 2017
  9. Laying Groundwork

  10. @chriseng Develop Relationships • If you’re in security, who is

    your peer in development (and vice-versa)? • Do you understand how they are goaled? • What are their struggles? • How often do you meet with them? • How’s the empathy level? IMAGES: Creative Commons (CC-BY) Handshake by Gan Khoon Lay from the Noun Project
  11. @chriseng Share Accountability • Shared between development and security •

    Part of annual goals for both teams • Measured and reported regularly
  12. @chriseng Learn About Their World • Read • The Phoenix

    Project • The DevOps Handbook • Attend some scrum ceremonies • Learn their tools • Write security stories and/or code
  13. @chriseng Developers, You’re Not Off the Hook • Understand security

    mindset as well as practical techniques • Read • Agile Application Security • Security Engineering • The Art of Deception • Smashing the Stack for Fun and Profit (seminal article) • Talk to your product security team about what they’re working on
  14. Starting to Scale

  15. @chriseng Build Security Champions • Security teams can’t be everywhere

    at once • Your security team does not scale indefinitely! • Build and train a team to take on specific tasks and to be the “security conscience” on their respective teams
  16. @chriseng Bootstrapping a Security Champions Program • Pick the right

    people • Start strong • Empower, within limits • Maintain momentum
  17. @chriseng Staffing Considerations • Volunteer > voluntold • 2+ per

    team for redundancy • Influential people, not just developers! • Not too new to company, team, or product • Not already responsible for a major role, e.g. ScrumMaster IMAGES: Creative Commons (CC-BY) chosen by Gilbert Bages from the Noun Project
  18. @chriseng Ramping Up • Security fundamentals: instructor-led works well •

    Reinforce with eLearning • Review previously fixed vulnerabilities in familiar codebases to learn real-world scenarios • Supplement with CTFs
  19. @chriseng Empower, Within Limits • Day-to-day tasks such as story

    grooming, code reviews • Make grooming checklists: new features, new architectures, new security controls, new forms, fixes for pen test finding, any code that touches AuthN, AuthZ, cryptography, etc. • Focus code review goals to security controls they have proven they understand, e.g. data validation, parameterization, encoding, etc.
  20. @chriseng The Conscience of the Security Team • One of

    the most important skills: understanding when and how to escalate • Keep an eye out for SCs who never escalate anything
  21. Keeping momentum Keeping Momentum

  22. @chriseng Measuring and Managing

  23. @chriseng Measuring and Managing • Baseline security maturity • Code

    review certifications • Individual and team goals • Quarterly reviews
  24. @chriseng Using a Maturity Model (this level of granularity works

    for us, but maybe not for you)
  25. @chriseng Goal Setting • Goals for champions • Code review

    certification • Spot check grooming decisions • Goals for teams • Against maturity model • Baseline and update • Are you getting what you expect?
  26. @chriseng Maintain High Touch • Support, not abandonment • Monthly

    group meetings to compare experiences and share information • Slack channel, mailing list — however the developers prefer to communicate • Periodic check-ins, e.g. quarterly maturity model check-ins • Joint projects (e.g. VSSL)
  27. @chriseng Rewards and Recognition • Additional training opportunities • Internal

    (mentoring) • External (conferences) • Teach them to hack • Internal CTF sessions • Swag, badges, certifications
  28. Conclusions

  29. @chriseng In Summary • Solid relationship with your development counterpart(s)

    is a must-have • Pick the right people, train them, and empower them • Measure progress (maturity models vastly superior to vulnerability counting or other “minivan” metrics) • Maintain momentum through open communication and incentives
  30. @chriseng Chris Eng VP, Strategic Research CA Veracode @chriseng Thank

    you!