Security Culture: Here be Hackers

Transcript

1. Security Culture: Here be Hackers Taras Ivashchenko

2. 2 /about • 10+ years in security • Top Internet

   companies in Russia • Product security team lead in OZON • OWASP Russia chapter leader • @oxdef

3. 3 Who are hackers?

4. 4 «a person who delights in having an intimate understanding

   of the internal workings of a system, computers and computer networks in particular» RFC 1983

5. 5 We want to • Avoid questions about typical vulnerabilities

   • Make developers aware of security processes and controls • Make developers read security guides • Make it possible for developers to improve security in the products • Developers to become security hackers

6. 6 Do developers even know if the security team exists?

7. 7 Security in developer’s life • Interview • Bootcamp •

   The first day at work • ... cup of coffee • ... lines of code • … product meeting • ... security audit and security issues

8. 8 The communication

9. 9 The first day at work • Welcome meeting and

   small introduction talk about security processes • Internal staff portal with API • Use this API to monitor for new developers • Automatically send them welcome letter from security team

10. 10 How to write secure code at our company Dear

    Mike, Welcome to our team! Here at our company we make beautiful, functional, fast AND secure services! Security team had prepared security guides for you: https://internal-security-portal/guides. Please, find some time to read them as soon as possible. If you have any questions feel free to contact us. -- Your Product Security Team

11. 11 Corporate messenger • #help-security for asking questions • #news-security

    for IT security news and awareness posts from security team • @security for calling security team • @security-bot for security alerts • Loading screen messages

12. 12

13. 13 Communication channels • Welcome letter • Tickets about security

    issues in bug tracking system • Small channels in dev tools like banners • Internal security portal with active blog • Channels and chats in messenger • Internal tech meetups • Security mailing list

14. 14 Internal security portal • Security guides • Quick links

    to security self-checking services • «Ask Security» contact form • Latest posts from internal security blog • Current projects

15. 15 The guide

16. 16 Structure • Separate guides for web, mobile and C/C++

    developers • From common topics and practices to typical issues and specific cases • Use cards as a format for publicating complex issues • Developers Humans don’t want to read “long read” articles • Content should be easily searchable • Integrated self-assessment quiz and feedback form

17. 17 Content • High-level best practices: authentication/authorization, input validation, output

    encoding, error handling • Security team internal processes, services and controls • Typical threats and mitigations • Specific internal topics and processes

18. 18 Do not write yet another security guide from scratch!

19. 19 Combine • OWASP Proactive Controls • OWASP Top 10

    • Specific for your case topics Base

20. 20 Test yourself

21. 21 Quizzes and courses • To measure how well developers

    read the guides • Should not take a lot of time • Should not be boring! • Use FOSS, e.g. learning management system like Moodle • Other interesting tools: OWASP Security Knowledge Framework, Hacksplaining, Codebashing

22. 22 Developer’s profile • Badges for various security activities •

    Special flags, e.g. for reading our guides • Security “karma” • Use this information to make more accurate threat analysis of new releases

23. 23 Blueprint and metrics • OWASP SAMM: Education & Guidance

    • 60% developers briefed on security guides within the past year • No more less questions about security issues • More followers in internal security channels

24. 24 Next steps • CTFs • Security months • Gamification

    • Security Champions and Ninjas

25. 25 Takeaways • Application security should be closer to developers

    • Help developers to make secure applications • Make possible for developers to help you in your duties • Let developers be security champions • It should be fun ☺

26. 26 Movies for weekend • Mr.Robot series • Hackers •

    23 • WarGames • The IT crowd • Kung Fury :)

27. 27 Thank you!