Security Is Everybody's Job ... Literally. – Tanya Janca

Transcript

1. @SheHacksPurple

2. @SheHacksPurple

3. @SheHacksPurple

4. @SheHacksPurple

5. @SheHacksPurple Slide Credit: Pete Cheslock

6. @SheHacksPurple Slide Credit: DevSecCon

7. This is me. I’m Tanya Janca. @SheHacksPurple AKA: @SheHacksPurple

8. This is me. I’m a Senior Cloud Developer Advocate at:

   What does THAT mean? @SheHacksPurple

9. This is me. I’m a Senior Cloud Developer Advocate I

   work to make security features easier to use. I help developers use our products more securely. I provide feedback to internal teams so they can make our products more secure. @SheHacksPurple I do security research and share it with the community. Security research, such as this presentation, OWASP DevSlop, and much more.

10. This is me. Application Security Evangelist @SheHacksPurple

11. This is me. Application Security Evangelist @SheHacksPurple

12. This is me. Ethical hacker I want to know how

    things work. @SheHacksPurple

13. This is me. I’m obsessed with OWASP! @SheHacksPurple Open Web

    Application Security Project An international non-profit that operates chapters, projects and conferences all over the globe, in efforts to help everyone create more secure software.

14. This is me. OWASP Ottawa Chapter Leader @SheHacksPurple

15. This is me. OWASP DevSlop Project Leader @SheHacksPurple

16. @SheHacksPurple This is me. Software Developer (since the late 90’s)

    That’s over 20 years! AHHHHHHHHHHHH! @SheHacksPurple

17. This is me. Goal: to change the way we make

    software so that the easiest way to do something is also the most secure way. @SheHacksPurple Photo: DevSecCon, Singapore, 2018

18. Let’s do this. @SheHacksPurple

19. @SheHacksPurple

20. @SheHacksPurple

21. Verizon Data Breach Investigation Report (DBIR) for 2017 and 2016.

    @SheHacksPurple

22. @SheHacksPurple

23. @SheHacksPurple Photo: #WOCTechChat

24. @SheHacksPurple 100 / 10 / 1

25. @SheHacksPurple Photo: Winged Beast

26. @SheHacksPurple

27. @SheHacksPurple

28. @SheHacksPurple

29. @SheHacksPurple

30. @SheHacksPurple

31. @SheHacksPurple

32. @SheHacksPurple

33. @SheHacksPurple The Three Ways

34. Left -> Right = speed @SheHacksPurple

35. @SheHacksPurple Requirements Design Code Testing Release

36. @SheHacksPurple Photo: #WOCTechChat

37. • Assisting in tuning SAST and DAST tools • Reusing

    known good code • Using up-to-date images • Using the Security Pipeline • Making negative unit tests • Severe security bugs break the build • We cannot do it without them on board @SheHacksPurple

38. @SheHacksPurple Photo: #WOCTechChat Ensure Dev and Ops are not waiting

    on you. We CANNOT be a bottleneck. Make processes that WORK.

39. @SheHacksPurple Photo: #WOCTechChat Breaking security activities into smaller pieces

40. • Ensure Dev & Ops are not waiting on you

    • Tuning security tools so they do not produce false positives • Breaking security activities into smaller pieces so that they fit into the “sprints” • Make processes that work , and match pace • Providing secure templates and code samples that a known-secure (sec code library) @SheHacksPurple

41. @SheHacksPurple Photo: #WOCTechChat Create a security pipeline. For more in-

    depth testing.

42. @SheHacksPurple Photo: #WOCTechChat Write your own code libraries, for your

    business’ specific needs.

43. • Create a security pipeline • Buy licenses for dev

    and ops for sec tools • This does not mean doing 100% of the work yourself, it means making it possible for Dev & Ops to perform security as part of their daily work. • Writing your own tools and libraries, see RepoKid from Netflix • Enable Dev and Ops, in every way you can. @SheHacksPurple

44. @SheHacksPurple

45. @SheHacksPurple Requirements Design Code Testing Release

46. Fixing costs of quality & security issues rises significantly as

    the development cycle advances CODING PRODUCTION QA & SECURITY BUILD Source: Ponemon Institute Research $80/defect $240/defect $960/defect $7,600/defect @SheHacksPurple

47. @SheHacksPurple Photo: #WOCTechChat Providing feedback to the security team what

    they are concerned about. The security team listening and taking action. Participating in security activities.

48. @SheHacksPurple Photo: #WOCTechChat Providing feedback earlier, and more often. Pushing

    Left

49. @SheHacksPurple

50. @SheHacksPurple Photo: #WOCTechChat

51. • Automate as much as humanly possible, then teach dev

    and ops to understand the results • Tune the tools, so they don’t waste anyone’s time • Add security into each phrase of the SDLC, including requirements and design • Insist that the build breaks if a large security vulnerability is introduced, security is a part of quality • Rename functions you want to phase out • Check out Netflix’s RepoKid! @SheHacksPurple

52. @SheHacksPurple Photo: #WOCTechChat Positive testing determines that your application works

    as expected. If an error is encountered during positive testing, the test fails. Negative testing ensures that your application can gracefully handle invalid input or unexpected user behavior.

53. @SheHacksPurple Photo: #WOCTechChat Inviting Dev and Ops to participate in

    Security Activities. Incidents Threat Modelling Security Sprints Etc.

54. @SheHacksPurple Photo: #WOCTechChat Use Metrics to track trends Create unit

    tests out of PenTest Results

55. • If a PenTest is done, check all apps for

    those vulns • Use tools like OWASP DefectDojo to provide feedback on metrics and trends to Dev & Ops • Invite Dev & Ops to participate in Security activities, for feedback and teaching • Don’t be afraid to try new things and get creative, writing your own tools likely is to provide your best results. • Add negative use cases as unit tests, not just positive use cases (Morgan Roman, @Hackimedes) @SheHacksPurple

56. @SheHacksPurple

57. @SheHacksPurple Photo: #WOCTechChat

58. @SheHacksPurple Photo: #WOCTechChat

59. @SheHacksPurple Photo: #WOCTechChat

60. • Offer security training to Dev & Ops. Pay for

    it. • Share information widely when you fix or find new security issues, • Run Security Exercises or Incident Simulations • Provide and analyze metrics from security testing, look for patterns or systemic issues • Checkout Netflix Chaos Monkey • Never forget that your focus is to enable Dev and Ops to get their jobs done, securely. @SheHacksPurple

61. @SheHacksPurple Photo: #WOCTechChat

62. @SheHacksPurple Photo: #WOCTechChat

63. • Share information widely when you fix something • EVERYTHING

    goes into a knowledge base. * • Ensure you perform blameless post mortems • Talk about security incidents after they are over • Teaching developers and ops what the output from security tools actually mean • Create formal lessons and learning opportunities, if at all possible (lunch and learns, white papers, formal training, job shadowing) @SheHacksPurple

64. Culture Change @SheHacksPurple

65. @SheHacksPurple Photo: #WOCTechChat

66. @SheHacksPurple Photo: #WOCTechChat

67. @SheHacksPurple Photo: #WOCTechChat

68. @SheHacksPurple Photo: #WOCTechChat

69. @SheHacksPurple Photo: #WOCTechChat

70. @SheHacksPurple

71. @SheHacksPurple https://stories.visualstudio.com/

72. @SheHacksPurple https://www.owasp.org/index.php/OWASP_DevSlop_Project

73. @SheHacksPurple https://aka.ms/GettingStartedWithAppSec

74. @SheHacksPurple

75. @SheHacksPurple Twitter: @SheHacksPurple https://medium.com/@SheHacksPurple https://www.slideshare.net/TanyaJanca https://DevSlop.co

76. @SheHacksPurple

77. @SheHacksPurple

78. @SheHacksPurple Thank You Cloud Developer Advocate, Microsoft OWASP Ottawa Chapter

    Leader OWASP DevSlop Project Leader Tanya Janca [email protected] [email protected] @SheHacksPurple