
Why can't developers make it secure?

Julia Potapenko

September 03, 2021

Transcript

  1. Why can’t developers make it secure? Julia Potapenko

  2. Security Software Engineer Julia Potapenko @julepka. We help companies to protect their sensitive and valuable data.
  3. If you ask developers what is the problem…
  4-6. If you ask developers what is the problem… • Tight deadlines • Feature priorities • Lack of security expertise • Security controls conflict with other features • Lack of secure architecture
  7. Tight deadlines. Source: https://www.guardsquare.com/state-of-mobile-application-security-report
  8. Security controls conflict with other features; necessity of communication. Sources: https://www.guardsquare.com/state-of-mobile-application-security-report and https://www.ptsecurity.com/ww-en/analytics/web-vulnerabilities-2020/
  9. Lack of security expertise; no secure coding skills. Sources: https://www.microfocus.com/en-us/assets/security/application-security-risk-report, https://www.ptsecurity.com/ww-en/analytics/web-vulnerabilities-2020/ and https://www.veracode.com/state-of-software-security-report
  10. Secure coding is a separate skill. Developers can learn general best practices and platform-specific recommendations: • Security training • Online education materials • Conferences
  11. Secure coding is a separate skill. Examples: • Data minimisation principle (do not store what you don't really need) • Validate any input from external sources (user input, network requests, etc.) • Deny access by default
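The three rules on slide 11 applied to one request handler, as an added example that is not part of the talk. It simulates a hypothetical "update profile" endpoint: the stored-field allowlist, the email and name checks, the role table and the header names are all assumptions made for the example, not anything the speaker's product does.

```python
import re

# Added example (not from the talk). A hypothetical "update profile" handler that
# applies the three secure-coding rules from the slide to a parsed JSON body.

# Data minimisation: the only fields the service stores. A client may send more;
# anything not listed here is never persisted.
STORED_FIELDS = ("email", "display_name")

# Validation of external input: explicit shape, type and size checks, not just
# "is it a string". The regex is a deliberately simple, conservative shape check.
EMAIL_RE = re.compile(r"^[^@\s]{1,64}@[^@\s]{1,255}\.[A-Za-z]{2,63}$")
MAX_NAME_LEN = 64


class ValidationError(ValueError):
    pass


def validate_profile(payload):
    """Return a new dict containing only validated, allowlisted fields."""
    if not isinstance(payload, dict):
        raise ValidationError("body must be a JSON object")

    email = payload.get("email")
    if not isinstance(email, str) or len(email) > 254 or not EMAIL_RE.match(email):
        raise ValidationError("invalid email")

    # Optional field: absent is fine, but if present it must be sane.
    name = payload.get("display_name", "")
    if not isinstance(name, str) or len(name) > MAX_NAME_LEN or not name.isprintable():
        raise ValidationError("invalid display_name")

    cleaned = {"email": email.lower(), "display_name": name.strip()}
    # Mass-assignment defence: keys like "is_admin" or "ssn" never reach storage.
    return {k: cleaned[k] for k in STORED_FIELDS}


# Deny by default: an explicit allowlist of role -> permissions. There is no
# "else: allow" branch anywhere; unknown roles and unknown actions simply fail.
PERMISSIONS = {
    "admin": frozenset({"profile:read", "profile:write", "profile:delete"}),
    "user": frozenset({"profile:read", "profile:write"}),
}


def is_allowed(role, action):
    return action in PERMISSIONS.get(role, frozenset())


def handle_update_profile(role, payload):
    """Simulated endpoint: returns (http_status, body) instead of raising, so the
    caller can see each failure mode. Authorization runs before validation."""
    if not is_allowed(role, "profile:write"):
        return 403, {"error": "forbidden"}
    try:
        record = validate_profile(payload)
    except ValidationError as exc:
        return 400, {"error": str(exc)}
    return 200, record


if __name__ == "__main__":
    # Constructed sample request: a normal user trying to smuggle "is_admin".
    body = {"email": "Alice@Example.com", "display_name": "Alice", "is_admin": True}
    print(handle_update_profile("user", body))
```

The order matters: the permission check runs first so an unauthorised caller learns nothing about the validation rules, and the allowlist in `validate_profile` means a new field added to the client form does not get stored until someone consciously adds it to `STORED_FIELDS`.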
  12. SDLC: Requirements, Design, Develop, Test, Deploy
  13. SDLC: Requirements, Design, Develop, Test, Deploy. Secure coding
  14. Security is invisible: no direct business value. You can't see if it's working, you can only see when it fails.
  15. The more we delay security, the more effort it takes to add it, and the more chances it has to be ignored.
  16. The longer it takes to fix an issue, the fewer chances it has of being fixed. Source: https://www.veracode.com/state-of-software-security-report
  17. SDLC: Requirements, Design, Develop, Test, Deploy. Secure coding, security assessment
  18-20. Secure SDLC: Requirements: risk assessment. Design: threat modelling & design review. Develop: secure coding & static analysis. Test: code review & security testing. Deploy: security assessment & secure configuration. Labels: Software developers; Architectural decision
  21. In a fast-paced environment… People make poor decisions under pressure. Secure architecture is about decision making. People mess up the processes under pressure. Secure architecture is about following the process.
  22. Secure Architecture. Isn't it a typical responsibility for developers?
  23-26. Secure architecture is a combination of structural security decisions that efficiently addresses risks considering business goals.
  27-29. Secure Architecture: is about the decision making process; is based on risks and business goals; is an abstraction; you operate risks and business goals, abstracting from the tools; creating structure. Secure Coding: is about writing code; is based on industry guidelines; is platform-specific; you operate tools, you don't make business decisions; adding details.
  30-33. Building Secure Architecture: business goals, decisions & design, risks & tradeoffs, build the arch. Participants: business owners, dev team, security experts.
  34-35. Shared Responsibility. No one can know everything. Who makes decisions? Who plans the work and sets priorities? Who will address security? • Business owners • Product and project managers • Software developers • UI/UX designers • DevOps team • QA engineers • …
  36. Shared Responsibility. No one can know everything. Each platform is different; secure architecture requires security expertise in each of them. Example: force upgrade. Unlike web, you can't control when the user updates a desktop or mobile app, unless you have implemented an additional feature for that. It requires changes on both the client and the backend.
  37. Shared Responsibility. No one can know everything. Each platform is different; secure architecture requires security expertise in each of them. Example: screenshot prevention. You can't prevent screenshots for web apps. Why would you want it for an Android app? Because users usually automatically sync photos with Google Photos, iCloud, etc.
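The backend half of the force-upgrade feature from slide 36, as an added example that is not part of the talk. It assumes the client reports its platform and version in two hypothetical headers (`X-Client-Platform`, `X-Client-Version`) and that the client already knows to show a blocking update screen on a 426 response; the minimum versions are made up for the example. The point the slide makes is visible here: the check is useless until a client build that sends the headers and honours 426 has reached users, so both halves have to ship before you need them.

```python
import re

# Added example (not from the talk). Server-side half of a "force upgrade" feature:
# the backend publishes a minimum supported client version and rejects older
# clients with 426 Upgrade Required. Header names and version numbers are
# hypothetical. The client must already know how to react to 426 (blocking
# update screen), which is why the feature needs both halves shipped in advance.

# Hypothetical per-platform floor. Raise a value when a client release carries a
# security fix that every user has to have.
MIN_SUPPORTED = {
    "ios": (2, 4, 0),
    "android": (2, 3, 1),
}

# major.minor.patch with an optional pre-release/build suffix ("2.4.0-beta+17"),
# which is ignored for comparison.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-+][0-9A-Za-z.+-]*)?$")


def parse_version(text):
    """Return (major, minor, patch) as ints, or None if malformed.
    Comparing tuples of ints avoids the classic bug where "2.10.0" < "2.9.0"
    when versions are compared as strings."""
    if not isinstance(text, str):
        return None
    match = VERSION_RE.match(text.strip())
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def check_client(headers):
    """Decide whether a request may proceed. Returns (allowed, status, message).
    Deny by default: an unknown platform or a missing/malformed version is
    rejected rather than waved through as "probably fine"."""
    platform = (headers.get("X-Client-Platform") or "").strip().lower()
    minimum = MIN_SUPPORTED.get(platform)
    if minimum is None:
        return False, 400, "unknown or missing client platform"

    version = parse_version(headers.get("X-Client-Version"))
    if version is None:
        return False, 400, "missing or malformed client version"

    if version < minimum:
        floor = ".".join(str(n) for n in minimum)
        return False, 426, f"upgrade required: minimum supported version is {floor}"
    return True, 200, "ok"


if __name__ == "__main__":
    # Constructed sample requests: a current iOS client, an outdated Android
    # client, and a client that omits its version header.
    for hdrs in (
        {"X-Client-Platform": "iOS", "X-Client-Version": "2.10.0"},
        {"X-Client-Platform": "android", "X-Client-Version": "2.3.0"},
        {"X-Client-Platform": "android"},
    ):
        print(hdrs, "->", check_client(hdrs))
```

Run this check on every authenticated endpoint (or in a gateway in front of them), not only on login: a client that stays logged in for weeks will otherwise never hit it. Keep the floor per platform, since the web, desktop and mobile builds of the same product fix bugs on different schedules.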
  38. Ownership. If you own, you care
  39. Ownership • Understand your role • Know what you are doing and what for • Communicate. The goal: each team member knows who to ask questions. If you own, you care
  40. Ownership. Example: owning the features • Understand its value • Take a closer look at related PRs • Keep an eye on updates • Be ready to speak up. If you own, you care
  41. Ownership. Example: reading security docs. "Have you read the security policy of your company?" "Have you read the risk assessment and threat modelling docs of your project?" If you own, you care
  42. Secure architecture requires: security expertise, processes, shared responsibility, ownership

  43. Want to learn more? • "Designing stack agnostic, modern, secure architectures" by Eugene Pilyankevich: https://www.infoq.com/presentations/design-secure-architectures/ • "Secure Development Lifecycle" by Jim Manico: https://youtu.be/M7qMP3C5bkU and https://owasp.org/www-pdf-archive/Jim_Manico_(Hamburg)_-_Securiing_the_SDLC.pdf • Collections of security stats reports: https://techbeacon.com/security/27-data-security-stats-matter and https://techbeacon.com/security/30-app-sec-stats-matter
  44. Thank you! Follow me @julepka