$30 off During Our Annual Pro Sale. View Details »

Security Culture: Here be Hackers

oxdef
May 29, 2019
Programming
0
340

Security Culture: Here be Hackers

RFC1983 clarifies hacker term as "a person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular". Let's say we want our developers and other IT stuff be security hackers. So they can look at their duties from a security perspective: develop more secure applications, seek for security flaws in it and be inside the security culture in general. We will talk about construction of bridges from security team to other IT stuff (mostly developers): knowledge spreading and communication. How not to make from scratch yet another developer's guide? How to make all developers know about presence (yes, presence) of security team from the first work days? How to interest them in application security? How to increase this knowledge? Let's ask on these questions!

OWASP Global AppSec Tel Aviv 2019

oxdef

May 29, 2019
Tweet

More Decks by oxdef

See All by oxdef
How to improve software security with OWASP open source initiatives
oxdef
0
110
Keynote at ZeroNights X (2021)
oxdef
0
76
OWASP Top 10 - 2017 What’s inside?
oxdef
0
300
И разработчик станет хакером!
oxdef
0
32
Implementing Content Security Policy at a Large Scale
oxdef
0
360
Security in developer’s life: knowledge is power
oxdef
0
230
HTTPS by default - no more clear
oxdef
0
23
Web Application Security: future standards and technologies
oxdef
0
230
Content Security Policy - the panacea for XSS or placebo?
oxdef
0
240

Other Decks in Programming

See All in Programming
フロントエンドの書くべきだったテスト、書かなくてよかったテスト
takefumiyoshii
31
11k
Spring + Localstack : usando aws de forma gratuita
kamilahsantos
2
110
​고군분투 LLM 프로덕트 적용기: Blind Prompting 부터 Agent까지
huffon
2
960
Findy - エンジニア向け会社紹介 / Findy Letter for Engineers
findyinc
2
58k
OSBT: OpenID Connect Scenario-Based Tester – CODE BLUE 2023
melonattacker
0
210
Input object ではじめる入力値検証/input-value-validation-using-input-object
sanfrecce_osaka
0
200
Flutter アプリにおけるテスト戦略の見直しと自動テストの導入
ostk0069
1
2.1k
Next.js App Router での MPA フロントエンド刷新
mugi_uno
26
8.8k
從零開始打造可觀測性平台
blueswen
3
1.4k
弊社の開発体験の良いところは?メンバーに訊いてみた!
texmeijin
0
180
How to Be a Responsible Open Source Citizen
ivargrimstad
0
1.3k
「defineCustomElement」を活用した サービス共通のUIコンポーネントライブラリ
piyoppi
0
180

Featured

See All Featured
How New CSS Is Changing Everything About Graphic Design on the Web
jensimmons
215
12k
Why You Should Never Use an ORM
jnunemaker
PRO
49
8.3k
WebSockets: Embracing the real-time Web
robhawkes
58
6.6k
Happy Clients
brianwarren
91
6.1k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
6
7.3k
Rails Girls Zürich Keynote
gr2m
90
12k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
500
140k
How STYLIGHT went responsive
nonsquared
89
4.5k
Building Better People: How to give real-time feedback that sticks.
wjessup
349
18k
The Illustrated Children's Guide to Kubernetes
chrisshort
26
45k
Documentation Writing (for coders)
carmenintech
55
3.4k
For a Future-Friendly Web
brad_frost
168
8.4k

Transcript

  1. Security Culture: Here be
    Hackers
    Taras Ivashchenko

    View Slide

  2. 2
    /about

    10+ years in security

    Top Internet companies in Russia

    Product security team lead in OZON

    OWASP Russia chapter leader

    @oxdef

    View Slide

  3. 3
    Who are hackers?

    View Slide

  4. 4
    «a person who delights in having an intimate
    understanding of the internal workings of a system,
    computers and computer networks in particular»
    RFC 1983

    View Slide

  5. 5
    We want to

    Avoid questions about typical vulnerabilities

    Make developers aware of security processes and controls

    Make developers read security guides

    Make it possible for developers to improve security in the
    products

    Developers to become security hackers

    View Slide

  6. 6
    Do developers even know
    if the security team exists?

    View Slide

  7. 7
    Security in developer’s life

    Interview

    Bootcamp

    The first day at work

    ... cup of coffee

    ... lines of code

    … product meeting

    ... security audit and security issues

    View Slide

  8. 8
    The communication

    View Slide

  9. 9
    The first day at work

    Welcome meeting and small introduction talk about
    security processes

    Internal staff portal with API

    Use this API to monitor for new developers

    Automatically send them welcome letter from
    security team

    View Slide

  10. 10
    How to write secure code at our company
    Dear Mike,
    Welcome to our team!
    Here at our company we make beautiful, functional, fast AND secure services!
    Security team had prepared security guides for you: https://internal-security-portal/guides.
    Please, find some time to read them as soon as possible. If you have any questions
    feel free to contact us.
    --
    Your Product Security Team

    View Slide

  11. 11
    Corporate messenger

    #help-security for asking questions

    #news-security for IT security news and awareness
    posts from security team

    @security for calling security team

    @security-bot for security alerts

    Loading screen messages

    View Slide

  12. 12

    View Slide

  13. 13
    Communication channels

    Welcome letter

    Tickets about security issues in bug tracking system

    Small channels in dev tools like banners

    Internal security portal with active blog

    Channels and chats in messenger

    Internal tech meetups

    Security mailing list

    View Slide

  14. 14
    Internal security portal

    Security guides

    Quick links to security self-checking services

    «Ask Security» contact form

    Latest posts from internal security blog

    Current projects

    View Slide

  15. 15
    The guide

    View Slide

  16. 16
    Structure

    Separate guides for web, mobile and C/C++ developers

    From common topics and practices to typical issues and specific
    cases

    Use cards as a format for publicating complex issues

    Developers Humans don’t want to read “long read” articles

    Content should be easily searchable

    Integrated self-assessment quiz and feedback form

    View Slide

  17. 17
    Content

    High-level best practices:
    authentication/authorization, input validation, output
    encoding, error handling

    Security team internal processes, services and controls

    Typical threats and mitigations

    Specific internal topics and processes

    View Slide

  18. 18
    Do not write yet another security
    guide from scratch!

    View Slide

  19. 19
    Combine

    OWASP Proactive Controls

    OWASP Top 10

    Specific for your case topics
    Base

    View Slide

  20. 20
    Test yourself

    View Slide

  21. 21
    Quizzes and courses

    To measure how well developers read the guides

    Should not take a lot of time

    Should not be boring!

    Use FOSS, e.g. learning management system like Moodle

    Other interesting tools: OWASP Security Knowledge
    Framework, Hacksplaining, Codebashing

    View Slide

  22. 22
    Developer’s profile

    Badges for various security activities

    Special flags, e.g. for reading our guides

    Security “karma”

    Use this information to make more accurate
    threat analysis of new releases

    View Slide

  23. 23
    Blueprint and metrics

    OWASP SAMM: Education &
    Guidance

    60% developers briefed on security
    guides within the past year

    No more less questions about
    security issues

    More followers in internal security
    channels

    View Slide

  24. 24
    Next steps

    CTFs

    Security months

    Gamification
    ● Security Champions
    and Ninjas

    View Slide

  25. 25
    Takeaways

    Application security should be closer to developers

    Help developers to make secure applications

    Make possible for developers to help you in your duties

    Let developers be security champions

    It should be fun ☺

    View Slide

  26. 26
    Movies for weekend

    Mr.Robot series

    Hackers

    23

    WarGames

    The IT crowd

    Kung Fury :)

    View Slide

  27. 27
    Thank you!

    View Slide