Security Culture: Here be Hackers

RFC 1983 defines the term hacker as "a person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular". Let's say we want our developers and other IT staff to be security hackers, so they can look at their duties from a security perspective: develop more secure applications, look for security flaws in them, and be part of the security culture in general. We will talk about building bridges from the security team to the rest of IT (mostly developers): spreading knowledge and communication. How to avoid writing yet another developer's guide from scratch? How to make sure every developer knows the security team exists (yes, exists) from their first days at work? How to interest them in application security? How to deepen this knowledge? Let's answer these questions!

OWASP Global AppSec Tel Aviv 2019

oxdef

May 29, 2019

Transcript

  1. Security Culture: Here be Hackers
    Taras Ivashchenko

  2.
    /about

    10+ years in security

    Top Internet companies in Russia

    Product security team lead in OZON

    OWASP Russia chapter leader

    @oxdef

  3.
    Who are hackers?

  4.
    «a person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular» (RFC 1983)

  5.
    We want to

    Avoid questions about typical vulnerabilities

    Make developers aware of security processes and controls

    Make developers read security guides

    Make it possible for developers to improve security in the products

    Developers to become security hackers

  6.
    Do developers even know if the security team exists?

  7.
    Security in developer’s life

    Interview

    Bootcamp

    The first day at work

    ... cup of coffee

    ... lines of code

    … product meeting

    ... security audit and security issues

  8.
    The communication

  9.
    The first day at work

    Welcome meeting and a short introduction talk about security processes

    Internal staff portal with API

    Use this API to monitor for new developers

    Automatically send them a welcome letter from the security team

  10.
    How to write secure code at our company
    Dear Mike,
    Welcome to our team!
    Here at our company we make beautiful, functional, fast AND secure services!
    The security team has prepared security guides for you: https://internal-security-portal/guides.
    Please find some time to read them as soon as possible. If you have any questions,
    feel free to contact us.
    --
    Your Product Security Team
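The onboarding automation from slides 9 and 10, as an added example (not code from the talk): one polling pass reads new hires from the staff-portal API, keeps only developers who have not yet been welcomed, fills in the letter above and sends it. The API's JSON shape, the department/role filter, the `send` callback and the sample records are assumptions constructed for this example; a production version would persist the `welcomed` set between runs and pass `send_via_smtp` the real mail host.

```python
"""Welcome-letter automation for newly hired developers.

Added example, not code from the talk. The staff-portal API response
format, the developer filter and the sample records are assumptions.
"""
import json
import smtplib
from datetime import date, timedelta
from email.message import EmailMessage

GUIDES_URL = "https://internal-security-portal/guides"
SECURITY_FROM = "security@example.internal"  # assumed sender address

# Constructed sample of what the (hypothetical) staff-portal API returns.
SAMPLE_STAFF_API_RESPONSE = json.dumps([
    {"login": "mike", "name": "Mike", "email": "mike@example.internal",
     "department": "Engineering", "role": "Backend Developer",
     "start_date": "2019-05-27"},
    {"login": "anna", "name": "Anna", "email": "anna@example.internal",
     "department": "Engineering", "role": "Mobile Developer",
     "start_date": "2019-05-28"},
    {"login": "bob", "name": "Bob", "email": "bob@example.internal",
     "department": "Marketing", "role": "Content Manager",
     "start_date": "2019-05-28"},
    {"login": "eve", "name": "Eve", "email": "eve@example.internal",
     "department": "Engineering", "role": "QA Engineer",
     "start_date": "2019-01-10"},
])

DEVELOPER_ROLE_KEYWORDS = ("developer", "engineer", "programmer")  # assumed

WELCOME_SUBJECT = "How to write secure code at our company"
WELCOME_BODY = """Dear {name},

Welcome to our team!
Here at our company we make beautiful, functional, fast AND secure services!
The security team has prepared security guides for you: {guides_url}.
Please find some time to read them as soon as possible. If you have any
questions, feel free to contact us.
--
Your Product Security Team
"""


def is_developer(record):
    """Assumed filter: engineering staff whose role title looks like a developer's."""
    role = record.get("role", "").lower()
    return (record.get("department") == "Engineering"
            and any(word in role for word in DEVELOPER_ROLE_KEYWORDS))


def find_new_developers(records, today, welcomed, lookback_days=7):
    """Developers who started within the lookback window and were not welcomed yet."""
    cutoff = today - timedelta(days=lookback_days)
    return [r for r in records
            if is_developer(r)
            and r["login"] not in welcomed
            and cutoff <= date.fromisoformat(r["start_date"]) <= today]


def render_welcome(record):
    """Fill the welcome letter template for one developer."""
    return WELCOME_SUBJECT, WELCOME_BODY.format(name=record["name"], guides_url=GUIDES_URL)


def send_via_smtp(host):
    """Build a real `send` callback for run_once (not used by the offline demo)."""
    def send(to_addr, subject, body):
        msg = EmailMessage()
        msg["From"], msg["To"], msg["Subject"] = SECURITY_FROM, to_addr, subject
        msg.set_content(body)
        with smtplib.SMTP(host) as smtp:
            smtp.send_message(msg)
    return send


def run_once(api_json, today, welcomed, send):
    """One polling pass: parse the API output, send letters, record who got one.

    `welcomed` is the persistent set of logins already contacted, so a developer
    who appears in several polls gets exactly one letter. Returns the logins sent.
    """
    sent = []
    for record in find_new_developers(json.loads(api_json), today, welcomed):
        subject, body = render_welcome(record)
        send(record["email"], subject, body)
        welcomed.add(record["login"])
        sent.append(record["login"])
    return sent


def demo(today_iso="2019-05-29"):
    """Two polling passes over the constructed sample with a no-op sender."""
    state, today = set(), date.fromisoformat(today_iso)
    quiet = lambda to, subject, body: None
    first = run_once(SAMPLE_STAFF_API_RESPONSE, today, state, quiet)
    second = run_once(SAMPLE_STAFF_API_RESPONSE, today, state, quiet)
    return first, second, state


if __name__ == "__main__":
    first, second, state = demo()
    print("first pass sent to:", first, "| second pass sent to:", second)
    print(*render_welcome({"name": "Mike"}), sep="\n\n")
```

Bob is skipped because he is not in Engineering, Eve because she started outside the 7-day window, and nobody is written to twice: the second pass returns an empty list because the first pass recorded Mike and Anna in `welcomed`.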

  11.
    Corporate messenger

    #help-security for asking questions

    #news-security for IT security news and awareness posts from the security team

    @security for calling security team

    @security-bot for security alerts

    Loading screen messages

  12.

  13.
    Communication channels

    Welcome letter

    Tickets about security issues in bug tracking system

    Small channels in dev tools like banners

    Internal security portal with active blog

    Channels and chats in messenger

    Internal tech meetups

    Security mailing list

  14.
    Internal security portal

    Security guides

    Quick links to security self-checking services

    «Ask Security» contact form

    Latest posts from internal security blog

    Current projects

  15.
    The guide

  16.
    Structure

    Separate guides for web, mobile and C/C++ developers

    From common topics and practices to typical issues and specific cases

    Use cards as the format for publishing complex issues

    Developers, like all humans, don’t want to read “long read” articles

    Content should be easily searchable

    Integrated self-assessment quiz and feedback form

  17.
    Content

    High-level best practices: authentication/authorization, input validation, output encoding, error handling

    Security team internal processes, services and controls

    Typical threats and mitigations

    Specific internal topics and processes

  18.
    Do not write yet another security guide from scratch!

  19.
    Combine

    Base: OWASP Proactive Controls and OWASP Top 10

    Plus topics specific to your case

  20.
    Test yourself

  21.
    Quizzes and courses

    To measure how well developers read the guides

    Should not take a lot of time

    Should not be boring!

    Use FOSS, e.g. a learning management system like Moodle

    Other interesting tools: OWASP Security Knowledge Framework, Hacksplaining, Codebashing

  22.
    Developer’s profile

    Badges for various security activities

    Special flags, e.g. for reading our guides

    Security “karma”

    Use this information to make more accurate threat analysis of new releases

  23.
    Blueprint and metrics

    OWASP SAMM: Education & Guidance

    60% of developers briefed on the security guides within the past year

    Fewer questions about typical security issues

    More followers in internal security channels
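Slides 22 and 23 together, as an added example that is not from the talk: a developer profile carrying the "read our guides" flag, badges and karma; the SAMM Education & Guidance style metric ("share of developers briefed within the past year") computed over those profiles; and a first-cut release scoring that uses the same profiles to decide whose changes the security team should look at first. The activity names, karma weights, sensitive path prefixes and the sample profiles and changes are constructed assumptions, and the scoring formula is one illustration of the idea rather than a recommendation from the talk.

```python
"""Developer security profiles and the metrics built on them.

Added example, not code from the talk. Activity names, karma weights,
sensitive path prefixes and the sample profiles/changes are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed karma awarded per activity; the activity name doubles as the badge.
KARMA_WEIGHTS = {
    "read-guides": 10,
    "quiz-passed": 15,
    "reported-issue": 20,
    "ctf-participant": 25,
}

# Assumed code areas whose changes deserve closer security review.
SENSITIVE_PATH_PREFIXES = ("auth/", "payments/", "crypto/")


@dataclass
class DeveloperProfile:
    login: str
    guides_read_on: Optional[date] = None      # the "read our guides" flag
    badges: set = field(default_factory=set)
    karma: int = 0


def award(profile, activity, when):
    """Record one security activity: badge, karma and (for the guides) the flag."""
    if activity not in KARMA_WEIGHTS:
        raise ValueError(f"unknown activity {activity!r}")
    profile.badges.add(activity)
    profile.karma += KARMA_WEIGHTS[activity]
    if activity == "read-guides":
        profile.guides_read_on = when


def briefed_within_year(profile, today):
    """True if the developer finished the guides in the past 365 days."""
    return (profile.guides_read_on is not None
            and profile.guides_read_on >= today - timedelta(days=365))


def briefed_share(profiles, today):
    """SAMM-style metric: share of developers briefed on the guides in the past year."""
    if not profiles:
        return 0.0
    return sum(briefed_within_year(p, today) for p in profiles) / len(profiles)


def release_review_priority(changes, profiles, today):
    """Weigh a release by who changed what.

    `changes` is a list of (author_login, path). A change in a sensitive path
    weighs 3, elsewhere 1; the weight doubles when the author has not been
    briefed in the past year and is dampened (never zeroed) by the author's
    karma. Returns (score rounded to 2 places, sorted logins to loop in).
    """
    by_login = {p.login: p for p in profiles}
    score, flagged = 0.0, set()
    for author, path in changes:
        # An author without a profile counts as never briefed with zero karma.
        profile = by_login.get(author, DeveloperProfile(login=author))
        weight = 3.0 if path.startswith(SENSITIVE_PATH_PREFIXES) else 1.0
        if not briefed_within_year(profile, today):
            weight *= 2.0
            flagged.add(author)
        weight /= 1.0 + profile.karma / 50.0
        score += weight
    return round(score, 2), sorted(flagged)


def sample_data():
    """Constructed profiles and release changes used by the demo and its checks."""
    today = date(2019, 5, 29)
    alice, bob, carol = (DeveloperProfile(login=l) for l in ("alice", "bob", "carol"))
    award(alice, "read-guides", date(2019, 2, 1))
    award(alice, "quiz-passed", date(2019, 2, 1))
    award(bob, "read-guides", date(2018, 3, 1))     # over a year ago: stale
    changes = [
        ("alice", "auth/login.py"),
        ("bob", "payments/refund.py"),
        ("carol", "ui/banner.js"),
        ("dave", "auth/token.py"),                  # no profile at all
    ]
    return today, [alice, bob, carol], changes


if __name__ == "__main__":
    today, profiles, changes = sample_data()
    print(f"briefed within a year: {briefed_share(profiles, today):.0%}")
    print("release score, reviewers to loop in:",
          release_review_priority(changes, profiles, today))
```

On the sample, only Alice counts as briefed (Bob's reading is older than a year), so the metric is one third. In the release, Alice's change to `auth/` is dampened by her karma, while Bob, Carol and the unknown Dave are flagged; Dave's unreviewed change to `auth/` carries the largest weight, which is the point of keeping the profile data: it tells the security team where to spend review time before the release ships.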

  24.
    Next steps

    CTFs

    Security months

    Gamification: Security Champions and Ninjas

  25.
    Takeaways

    Application security should be closer to developers

    Help developers to make secure applications

    Make it possible for developers to help you with your duties

    Let developers be security champions

    It should be fun ☺

  26.
    Movies for weekend

    Mr. Robot (TV series)

    Hackers

    23

    WarGames

    The IT crowd

    Kung Fury :)

  27.
    Thank you!
