Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security Culture: Here be Hackers

oxdef
May 29, 2019
Programming
0
300

Security Culture: Here be Hackers

RFC1983 clarifies hacker term as "a person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular". Let's say we want our developers and other IT stuff be security hackers. So they can look at their duties from a security perspective: develop more secure applications, seek for security flaws in it and be inside the security culture in general. We will talk about construction of bridges from security team to other IT stuff (mostly developers): knowledge spreading and communication. How not to make from scratch yet another developer's guide? How to make all developers know about presence (yes, presence) of security team from the first work days? How to interest them in application security? How to increase this knowledge? Let's ask on these questions!

OWASP Global AppSec Tel Aviv 2019

oxdef

May 29, 2019
Tweet

More Decks by oxdef

See All by oxdef
How to improve software security with OWASP open source initiatives
oxdef
0
82
Keynote at ZeroNights X (2021)
oxdef
0
47
OWASP Top 10 - 2017 What’s inside?
oxdef
0
270
И разработчик станет хакером!
oxdef
0
30
Implementing Content Security Policy at a Large Scale
oxdef
0
320
Security in developer’s life: knowledge is power
oxdef
0
190
HTTPS by default - no more clear
oxdef
0
14
Web Application Security: future standards and technologies
oxdef
0
200
Content Security Policy - the panacea for XSS or placebo?
oxdef
0
200

Other Decks in Programming

See All in Programming
サイト信頼性を高める前に開発チームからの信頼性を高めよう
syossan27
9
2.1k
オンボーディングのために 私はプロダクト考古学者になりました!
akitotsukahara
3
230
SwiftSyntaxが面白い
ryu_hu03
1
380
LLMによるプロット生成の試み(スターウォーズ)
hitokun
0
1.1k
JRuby: Looking Forward
headius
1
100
Kotlin Multiplatform Library 배포하기
fornewid
0
200
Multiverse Ruby
shioyama
1
2.5k
失敗から学ぶBtoB SaaSでカオスを招かない個社カスタマイズ開発の考え方 #開発話
77web
1
350
デザイナーと協業しているNuxtプロジェクトを、ChromaticによるVRTでさらに改善した話
mozu1206
0
260
Ruby JIT Hacking Guide / RubyKaigi 2023
k0kubun
0
3.6k
The Adventure of RedAmber - A data frame library in Ruby
heronshoes
0
810
スクラムマスターを目指すためにギャルになってみた話
kinocoboy2
7
2.3k

Featured

See All Featured
Designing the Hi-DPI Web
ddemaree
273
33k
Build your cross-platform service in a week with App Engine
jlugia
222
17k
Making the Leap to Tech Lead
cromwellryan
118
7.8k
Building Your Own Lightsaber
phodgson
96
5k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
0
1.5k
Adopting Sorbet at Scale
ufuk
66
8k
GraphQLの誤解/rethinking-graphql
sonatard
41
8.2k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
32
8.4k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
9
780
The MySQL Ecosystem @ GitHub 2015
samlambert
240
11k
4 Signs Your Business is Dying
shpigford
171
20k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
39
3.7k

Transcript

  1. Security Culture: Here be
    Hackers
    Taras Ivashchenko

    View Slide

  2. 2
    /about

    10+ years in security

    Top Internet companies in Russia

    Product security team lead in OZON

    OWASP Russia chapter leader

    @oxdef

    View Slide

  3. 3
    Who are hackers?

    View Slide

  4. 4
    «a person who delights in having an intimate
    understanding of the internal workings of a system,
    computers and computer networks in particular»
    RFC 1983

    View Slide

  5. 5
    We want to

    Avoid questions about typical vulnerabilities

    Make developers aware of security processes and controls

    Make developers read security guides

    Make it possible for developers to improve security in the
    products

    Developers to become security hackers

    View Slide

  6. 6
    Do developers even know
    if the security team exists?

    View Slide

  7. 7
    Security in developer’s life

    Interview

    Bootcamp

    The first day at work

    ... cup of coffee

    ... lines of code

    … product meeting

    ... security audit and security issues

    View Slide

  8. 8
    The communication

    View Slide

  9. 9
    The first day at work

    Welcome meeting and small introduction talk about
    security processes

    Internal staff portal with API

    Use this API to monitor for new developers

    Automatically send them welcome letter from
    security team

    View Slide

  10. 10
    How to write secure code at our company
    Dear Mike,
    Welcome to our team!
    Here at our company we make beautiful, functional, fast AND secure services!
    Security team had prepared security guides for you: https://internal-security-portal/guides.
    Please, find some time to read them as soon as possible. If you have any questions
    feel free to contact us.
    --
    Your Product Security Team

    View Slide

  11. 11
    Corporate messenger

    #help-security for asking questions

    #news-security for IT security news and awareness
    posts from security team

    @security for calling security team

    @security-bot for security alerts

    Loading screen messages

    View Slide

  12. 12

    View Slide

  13. 13
    Communication channels

    Welcome letter

    Tickets about security issues in bug tracking system

    Small channels in dev tools like banners

    Internal security portal with active blog

    Channels and chats in messenger

    Internal tech meetups

    Security mailing list

    View Slide

  14. 14
    Internal security portal

    Security guides

    Quick links to security self-checking services

    «Ask Security» contact form

    Latest posts from internal security blog

    Current projects

    View Slide

  15. 15
    The guide

    View Slide

  16. 16
    Structure

    Separate guides for web, mobile and C/C++ developers

    From common topics and practices to typical issues and specific
    cases

    Use cards as a format for publicating complex issues

    Developers Humans don’t want to read “long read” articles

    Content should be easily searchable

    Integrated self-assessment quiz and feedback form

    View Slide

  17. 17
    Content

    High-level best practices:
    authentication/authorization, input validation, output
    encoding, error handling

    Security team internal processes, services and controls

    Typical threats and mitigations

    Specific internal topics and processes

    View Slide

  18. 18
    Do not write yet another security
    guide from scratch!

    View Slide

  19. 19
    Combine

    OWASP Proactive Controls

    OWASP Top 10

    Specific for your case topics
    Base

    View Slide

  20. 20
    Test yourself

    View Slide

  21. 21
    Quizzes and courses

    To measure how well developers read the guides

    Should not take a lot of time

    Should not be boring!

    Use FOSS, e.g. learning management system like Moodle

    Other interesting tools: OWASP Security Knowledge
    Framework, Hacksplaining, Codebashing

    View Slide

  22. 22
    Developer’s profile

    Badges for various security activities

    Special flags, e.g. for reading our guides

    Security “karma”

    Use this information to make more accurate
    threat analysis of new releases

    View Slide

  23. 23
    Blueprint and metrics

    OWASP SAMM: Education &
    Guidance

    60% developers briefed on security
    guides within the past year

    No more less questions about
    security issues

    More followers in internal security
    channels

    View Slide

  24. 24
    Next steps

    CTFs

    Security months

    Gamification
    ● Security Champions
    and Ninjas

    View Slide

  25. 25
    Takeaways

    Application security should be closer to developers

    Help developers to make secure applications

    Make possible for developers to help you in your duties

    Let developers be security champions

    It should be fun ☺

    View Slide

  26. 26
    Movies for weekend

    Mr.Robot series

    Hackers

    23

    WarGames

    The IT crowd

    Kung Fury :)

    View Slide

  27. 27
    Thank you!

    View Slide