
Why can't developers make it secure?

Julia Mezher
September 03, 2021


Transcript

  1. Why can’t developers make it secure?
    Julia Potapenko

  2. Security Software Engineer
    Julia Potapenko
    @julepka
    We help companies to protect their sensitive and valuable data.

  3. If you ask developers what is the problem…

  4. If you ask developers what is the problem…
    • Tight deadlines
    • Feature priorities

  5. If you ask developers what is the problem…
    • Tight deadlines
    • Feature priorities
    • Lack of security expertise
    • Security controls conflict with other features

  6. If you ask developers what is the problem…
    • Tight deadlines
    • Feature priorities
    • Lack of security expertise
    • Security controls conflict with other features
    • Lack of secure architecture

  7. Tight deadlines
    https://www.guardsquare.com/state-of-mobile-application-security-report

  8. Security controls conflict with other features
    Necessity of communication
    https://www.guardsquare.com/state-of-mobile-application-security-report
    https://www.ptsecurity.com/ww-en/analytics/web-vulnerabilities-2020/

  9. Lack of security expertise
    No secure coding skills
    https://www.microfocus.com/en-us/assets/security/application-security-risk-report
    https://www.ptsecurity.com/ww-en/analytics/web-vulnerabilities-2020/
    https://www.veracode.com/state-of-software-security-report

  10. Secure coding is a separate skill
    Developers can learn general best practices and platform-specific recommendations.
    • Security trainings
    • Online education materials
    • Conferences

  11. Secure coding is a separate skill
    Examples:
    • Data minimisation principle (do not store what you don’t really need)
    • Validate any input from external sources (user input, network requests, etc.)
    • Deny access by default
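The three practices on slide 11 applied to one small request handler, as an added example that is not part of the talk or the speaker's material: an explicit allow-list that denies by default, a validator that rejects any body not matching the expected shape, and a record that keeps only the two fields the feature needs. The names (`Permission`, `ROLE_GRANTS`, `SignupRequest`, `parse_signup`) and the sample body are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from enum import Enum


class Permission(Enum):
    READ_REPORT = "read_report"
    DELETE_REPORT = "delete_report"


# Deny by default: a role gets only the permissions listed here. A role that is
# missing from the table, or a permission that is not granted, is refused.
ROLE_GRANTS = {
    "viewer": frozenset({Permission.READ_REPORT}),
    "admin": frozenset({Permission.READ_REPORT, Permission.DELETE_REPORT}),
}


def is_allowed(role: str, permission: Permission) -> bool:
    """Explicit allow-list lookup; every unknown combination falls to False."""
    return permission in ROLE_GRANTS.get(role, frozenset())


# Validate external input: the shape of each field is pinned down up front,
# so nothing unexpected travels further into the application.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")
MAX_EMAIL_LEN = 254


@dataclass(frozen=True)
class SignupRequest:
    username: str
    email: str


def parse_signup(raw: object) -> SignupRequest:
    """Turn an untrusted, already-decoded JSON body into a typed request.

    Anything that is not a dict, or whose fields are not strings of the
    expected form, is rejected with ValueError instead of being passed along.
    """
    if not isinstance(raw, dict):
        raise ValueError("body must be a JSON object")
    username = raw.get("username")
    email = raw.get("email")
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    if (not isinstance(email, str) or len(email) > MAX_EMAIL_LEN
            or not EMAIL_RE.fullmatch(email)):
        raise ValueError("invalid email")
    # Data minimisation: only the two fields the feature needs are kept. Extra
    # keys the client may have sent (phone, date of birth, ...) are dropped
    # here rather than being stored "just in case".
    return SignupRequest(username=username, email=email)


def is_valid_signup(raw: object) -> bool:
    """Boolean wrapper around parse_signup for callers that only need yes/no."""
    try:
        parse_signup(raw)
    except ValueError:
        return False
    return True


def record_to_store(req: SignupRequest) -> dict:
    """What actually gets persisted: nothing beyond the validated fields."""
    return {"username": req.username, "email": req.email}


# Constructed sample body (not real data): the client sent more than we need.
CONSTRUCTED_BODY = {
    "username": "alice_01",
    "email": "alice@example.com",
    "phone": "+1 555 0100",
    "date_of_birth": "1990-01-01",
}

if __name__ == "__main__":
    req = parse_signup(CONSTRUCTED_BODY)
    print(record_to_store(req))
    print(is_allowed("viewer", Permission.DELETE_REPORT))
```

The point of the allow-list shape is that adding a new role or permission requires an explicit grant; forgetting one yields a refusal, not silent access. The validator is deliberately strict about types, since a decoded JSON body can carry a list or number where a string is expected.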

  12. SDLC
    Requirements → Design → Develop → Test → Deploy

  13. SDLC
    Requirements → Design → Develop → Test → Deploy
    Secure coding

  14. Security is invisible
    - No direct business value.
    - You can’t see if it’s working, you can see when it fails.

  15. The more we delay security – the more effort it takes to be added – the more chances it has to be ignored

  16. The longer it takes to fix an issue, the less chances it has to be fixed
    https://www.veracode.com/state-of-software-security-report

  17. SDLC
    Requirements → Design → Develop → Test → Deploy
    Secure coding
    Security assessment

  18. Secure SDLC
    Requirements → Design → Develop → Test → Deploy
    Requirements: Risk assessment
    Design: Threat modelling & design review
    Develop: Secure coding & static analysis
    Test: Code review & security testing
    Deploy: Security assessment & secure configuration

  19. Secure SDLC
    Requirements → Design → Develop → Test → Deploy
    Requirements: Risk assessment
    Design: Threat modelling & design review
    Develop: Secure coding & static analysis
    Test: Code review & security testing
    Deploy: Security assessment & secure configuration
    Software developers

  20. Secure SDLC
    Requirements → Design → Develop → Test → Deploy
    Requirements: Risk assessment
    Design: Threat modelling & design review
    Develop: Secure coding & static analysis
    Test: Code review & security testing
    Deploy: Security assessment & secure configuration
    Software developers
    Architectural decision

  21. In a fast-paced environment…
    People make poor decisions under pressure.
    Secure architecture is about decision making.
    People mess up the processes under pressure.
    Secure architecture is about following the process.

  22. Secure Architecture
    Isn’t it a typical responsibility for developers?

  23. Secure architecture is a combination of structural security decisions that efficiently addresses risks considering business goals.

  24. Secure architecture is a combination of structural security decisions… that efficiently addresses risks considering

  25. Secure architecture is a combination of structural security decisions that efficiently addresses risks… considering business g

  26. Secure architecture is a combination of structural security decisions that efficiently addresses risks considering business goals.

  27. Secure Architecture
    - is about decision making process
    - is based on risks and business goals
    - is an abstraction
    Secure Coding
    - is about writing code
    - is based on industry guidelines
    - is platform-specific

  28. Secure Architecture
    - is about decision making process
    - is based on risks and business goals
    - is an abstraction
    You operate risks and business goals, abstracting from the tools
    Secure Coding
    - is about writing code
    - is based on industry guidelines
    - is platform-specific
    You operate tools, you don’t make business decisions

  29. Secure Architecture
    - is about decision making process
    - is based on risks and business goals
    - is an abstraction
    You operate risks and business goals, abstracting from the tools
    Creating structure
    Secure Coding
    - is about writing code
    - is based on industry guidelines
    - is platform-specific
    You operate tools, you don’t make business decisions
    Adding details

  30. Building Secure Architecture
    BUSINESS GOALS
    BUILD THE ARCH
    DECISIONS & DESIGN
    RISKS & TRADEOFFS

  31. Building Secure Architecture
    BUSINESS GOALS
    BUILD THE ARCH
    DECISIONS & DESIGN
    RISKS & TRADEOFFS
    BUSINESS OWNERS
    DEV TEAM

  32. Building Secure Architecture
    BUSINESS GOALS
    BUILD THE ARCH
    DECISIONS & DESIGN
    RISKS & TRADEOFFS
    BUSINESS OWNERS
    DEV TEAM
    SECURITY EXPERTS

  33. Building Secure Architecture
    BUSINESS GOALS
    BUILD THE ARCH
    DECISIONS & DESIGN
    RISKS & TRADEOFFS
    BUSINESS OWNERS
    DEV TEAM
    SECURITY EXPERTS

  34. Shared Responsibility
    No one can know everything
    Who makes decisions?
    Who plans the work and sets priorities?
    Who will address security?

  35. Shared Responsibility
    No one can know everything
    Who makes decisions?
    Who plans the work and sets priorities?
    Who will address security?
    • Business owners
    • Product and project managers
    • Software developers
    • UI/UX Designers
    • DevOps team
    • QA engineers
    • …

  36. Shared Responsibility
    No one can know everything
    Each platform is different.
    Secure architecture requires security expertise in each of them.
    Example: Force upgrade
    Unlike web, you can’t control when the user updates a desktop or mobile app, unless you have implemented an additional feature for that.
    It requires changes from both client and backend.
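The force-upgrade feature from slide 36 needs both halves, and this added example (not code from the talk or the speaker) shows the exchange between them in one runnable file: the backend publishes the lowest client version it still serves and refuses older ones with HTTP 426, and the client reads that answer on start-up and blocks normal use until the user updates. The version-tuple format, the response shape, `MIN_SUPPORTED`, `backend_version_check`, `backend_gate` and `client_startup` are assumptions made for this example.

```python
from dataclasses import dataclass

# ---------------- backend side ----------------
# Lowest client version each platform is still served. Bumping one of these
# is the backend half of a forced upgrade. (Constructed values.)
MIN_SUPPORTED = {
    "android": (2, 4, 0),
    "ios": (2, 3, 1),
}


def parse_version(text: str) -> tuple:
    """'2.4.0' -> (2, 4, 0); anything else is rejected as invalid input."""
    parts = text.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version string: {text!r}")
    return tuple(int(p) for p in parts)


def backend_version_check(platform: str, client_version: str) -> dict:
    """Response body (constructed shape) for the client's start-up call.

    Unknown platforms and malformed versions are refused rather than waved
    through; an outdated client gets HTTP 426 Upgrade Required.
    """
    minimum = MIN_SUPPORTED.get(platform)
    if minimum is None:
        return {"status": 400, "error": "unknown platform"}
    try:
        version = parse_version(client_version)
    except ValueError:
        return {"status": 400, "error": "bad version"}
    body = {"min_supported": ".".join(str(n) for n in minimum)}
    if version < minimum:
        return {"status": 426, "upgrade_required": True, **body}
    return {"status": 200, "upgrade_required": False, **body}


def backend_gate(platform: str, client_version: str) -> bool:
    """Same rule applied to every other API call, so an old client that never
    makes the start-up call, or a modified one that ignores the prompt, is
    still refused server-side. Returns True when the request may proceed."""
    return backend_version_check(platform, client_version)["status"] == 200


# ---------------- client side ----------------
@dataclass
class ClientState:
    platform: str
    version: str
    blocked: bool = False
    message: str = ""


def client_startup(state: ClientState, response: dict) -> ClientState:
    """Client half: read the start-up response and, if an upgrade is required,
    block normal use and show the store prompt instead of continuing."""
    if response.get("status") == 426 or response.get("upgrade_required"):
        state.blocked = True
        state.message = f"Please update to {response['min_supported']} or later"
    elif response.get("status") != 200:
        # A failed check is not a green light: fail closed until it succeeds.
        state.blocked = True
        state.message = "Could not verify app version; please try again"
    else:
        state.blocked = False
        state.message = ""
    return state


def run_startup(platform: str, version: str) -> ClientState:
    """Drive one client/backend exchange in-process for demonstration."""
    state = ClientState(platform=platform, version=version)
    return client_startup(state, backend_version_check(platform, version))


if __name__ == "__main__":
    for v in ("2.3.9", "2.4.0"):
        s = run_startup("android", v)
        print(v, "blocked" if s.blocked else "ok", s.message)
```

The client-side prompt is a convenience for the user; the enforcement that matters is `backend_gate` applied to every endpoint, because the installed client is not under the backend's control, which is exactly the point the slide makes about mobile and desktop versus web.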

  37. Shared Responsibility
    No one can know everything
    Each platform is different.
    Secure architecture requires security expertise in each of them.
    Example: Screenshot prevention
    You can’t prevent screenshots for web apps. Why would you want it for an Android app?
    Because users usually automatically sync photos with Google Photos, iCloud, etc.

  38. Ownership
    If you own, you care

  39. Ownership
    If you own, you care
    • Understand your role
    • Know what you are doing and what for
    • Communicate
    The goal: each team member knows who to ask questions.

  40. Ownership
    If you own, you care
    Example: Owning the features
    • Understand its value
    • Closer look at related PRs
    • Keep an eye on updates
    • Be ready to speak up

  41. Ownership
    If you own, you care
    Example: Reading security docs
    “Have you read the security policy of your company?”
    “Have you read the risk assessment and threat modelling docs of your project?”

  42. Secure architecture requires
    security expertise
    processes
    shared responsibility
    ownership

  43. Want to learn more?
    “Designing stack agnostic, modern, secure architectures” by Eugene Pilyankevich
    https://www.infoq.com/presentations/design-secure-architectures/
    “Secure Development Lifecycle” by Jim Manico
    https://youtu.be/M7qMP3C5bkU
    https://owasp.org/www-pdf-archive/Jim_Manico_(Hamburg)_-_Securiing_the_SDLC.pdf
    Collections of security stats reports
    https://techbeacon.com/security/27-data-security-stats-matter
    https://techbeacon.com/security/30-app-sec-stats-matter

  44. Thank you!
    Follow me @julepka