Security Culture: Here be Hackers

RFC 1983 defines the term hacker as "a person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular". Let's say we want our developers and other IT staff to be security hackers: to look at their duties from a security perspective, develop more secure applications, seek out security flaws in them, and be part of the security culture in general. We will talk about building bridges from the security team to the rest of the IT staff (mostly developers): spreading knowledge and communicating. How do you avoid writing yet another developer's guide from scratch? How do you make every developer aware of the security team's presence (yes, presence) from their first days at work? How do you get them interested in application security? How do you deepen that knowledge? Let's take on these questions!

OWASP Global AppSec Tel Aviv 2019

oxdef

May 29, 2019

Transcript

  1. Slide 2: /about
     • 10+ years in security
     • Top Internet companies in Russia
     • Product security team lead in OZON
     • OWASP Russia chapter leader
     • @oxdef
  2. Slide 4
     «a person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular» (RFC 1983)
  3. Slide 5: We want to
     • Avoid questions about typical vulnerabilities
     • Make developers aware of security processes and controls
     • Make developers read security guides
     • Make it possible for developers to improve security in the products
     • Have developers become security hackers
  4. Slide 7: Security in developer’s life
     • Interview
     • Bootcamp
     • The first day at work
     • ... cup of coffee
     • ... lines of code
     • ... product meeting
     • ... security audit and security issues
  5. Slide 9: The first day at work
     • Welcome meeting and a small introduction talk about security processes
     • Internal staff portal with an API
     • Use this API to monitor for new developers
     • Automatically send them a welcome letter from the security team
  6. Slide 10: How to write secure code at our company
     Dear Mike,
     Welcome to our team! Here at our company we make beautiful, functional, fast AND secure services! The security team has prepared security guides for you: https://internal-security-portal/guides. Please find some time to read them as soon as possible. If you have any questions, feel free to contact us.
     -- Your Product Security Team
  7. Slide 11: Corporate messenger
     • #help-security for asking questions
     • #news-security for IT security news and awareness posts from the security team
     • @security for calling the security team
     • @security-bot for security alerts
     • Loading screen messages
  8. Slide 12: (image only, no text)

  9. Slide 13: Communication channels
     • Welcome letter
     • Tickets about security issues in the bug tracking system
     • Small channels in dev tools, like banners
     • Internal security portal with an active blog
     • Channels and chats in the messenger
     • Internal tech meetups
     • Security mailing list
  10. Slide 14: Internal security portal
     • Security guides
     • Quick links to security self-checking services
     • «Ask Security» contact form
     • Latest posts from the internal security blog
     • Current projects
  11. Slide 16: Structure
     • Separate guides for web, mobile and C/C++ developers
     • From common topics and practices to typical issues and specific cases
     • Use cards as a format for publishing complex issues
     • Developers, like all humans, don’t want to read “long read” articles
     • Content should be easily searchable
     • Integrated self-assessment quiz and feedback form
  12. Slide 17: Content
     • High-level best practices: authentication/authorization, input validation, output encoding, error handling
     • Security team internal processes, services and controls
     • Typical threats and mitigations
     • Specific internal topics and processes
  13. Slide 19: Combine
     • OWASP Proactive Controls
     • OWASP Top 10
     • Topics specific to your case
     (diagram label: Base)
  14. Slide 21: Quizzes and courses
     • To measure how well developers read the guides
     • Should not take a lot of time
     • Should not be boring!
     • Use FOSS, e.g. a learning management system like Moodle
     • Other interesting tools: OWASP Security Knowledge Framework, Hacksplaining, Codebashing
  15. Slide 22: Developer’s profile
     • Badges for various security activities
     • Special flags, e.g. for reading our guides
     • Security “karma”
     • Use this information to make more accurate threat analysis of new releases
  16. Slide 23: Blueprint and metrics
     • OWASP SAMM: Education & Guidance
     • 60% of developers briefed on security guides within the past year
     • Fewer (not more) questions about security issues
     • More followers in internal security channels
  17. Slide 24: (image only, no text)
  18. Slide 25: Takeaways
     • Application security should be closer to developers
     • Help developers make secure applications
     • Make it possible for developers to help you in your duties
     • Let developers be security champions
     • It should be fun ☺
  19. Slide 26: Movies for the weekend
     • Mr. Robot (series)
     • Hackers
     • 23
     • WarGames
     • The IT Crowd
     • Kung Fury :)
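The onboarding automation from slides 9 and 10 (poll the staff portal's API for newly started developers and send each of them the security team's welcome letter exactly once), as an added Python example that is not the talk's or OZON's code. The API response shape, the role names and the persisted `already_welcomed` set are assumptions; the staff list is constructed.

```python
from datetime import date

# Constructed sample of the staff portal's API output (field names are an assumption).
STAFF_API_RESPONSE = [
    {"id": 101, "name": "Mike", "email": "mike@example.invalid", "role": "developer", "start": "2019-05-27"},
    {"id": 102, "name": "Anna", "email": "anna@example.invalid", "role": "mobile developer", "start": "2019-05-28"},
    {"id": 103, "name": "Olga", "email": "olga@example.invalid", "role": "accountant", "start": "2019-05-28"},
    {"id": 104, "name": "Ivan", "email": "ivan@example.invalid", "role": "developer", "start": "2019-06-03"},
]

DEVELOPER_ROLES = {"developer", "mobile developer"}  # assumed role names in the directory
GUIDES_URL = "https://internal-security-portal/guides"  # link from slide 10

# Letter text from slide 10, with the name and the guides link as template fields.
LETTER_TEMPLATE = (
    "Subject: How to write secure code at our company\n\n"
    "Dear {name},\n\n"
    "Welcome to our team! Here at our company we make beautiful, functional, fast AND secure services!\n"
    "The security team has prepared security guides for you: {guides}.\n"
    "Please find some time to read them as soon as possible.\n"
    "If you have any questions, feel free to contact us.\n\n"
    "-- Your Product Security Team\n"
)


def find_new_developers(staff, already_welcomed, today):
    """Developers whose start date is on or before `today` and who were not welcomed yet."""
    cutoff = date.fromisoformat(today)
    return [
        p for p in staff
        if p["role"] in DEVELOPER_ROLES
        and p["id"] not in already_welcomed
        and date.fromisoformat(p["start"]) <= cutoff
    ]


def compose_welcome(name):
    return LETTER_TEMPLATE.format(name=name, guides=GUIDES_URL)


def run_once(staff, already_welcomed, today, send):
    """One polling cycle. Each id is recorded right after its letter goes out, so a
    re-run of the job (or a crash mid-cycle) never sends the same person two letters."""
    sent_ids = []
    for person in find_new_developers(staff, already_welcomed, today):
        send(person["email"], compose_welcome(person["name"]))
        already_welcomed.add(person["id"])
        sent_ids.append(person["id"])
    return sent_ids


if __name__ == "__main__":
    welcomed = set()  # in production this set is persisted between runs (table or file)
    print(run_once(STAFF_API_RESPONSE, welcomed, "2019-05-29", lambda to, body: print(f"-> {to}")))
```

Run it from cron or a CI schedule with the persisted set loaded before and saved after each cycle; the `send` callback is where the real mail or messenger call goes.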