Slide 1

Security Champions Playbook
Moscow, 17.11.2017
Alexander Antukh

Slide 2

Whoami
• Head of AppSec
• Opera Software
• @c0rdis

Slide 3

Champions, really?

Slide 4

Previous work
• “New era of software with modern appsec” (nice presentation)
• “Security champions v1.0”

Slide 5

Imagine a theoretical situation
• Many projects
• Even more teams
• Different technologies
• No strong security culture
VS YOU

Slide 6

“Security is important! But…”
• … it’s good enough for now
• … these risks are not relevant
• … it’s just a pilot project
• … we’re changing too fast
• … third-party will do it for us
• … we don’t want no formalisms

Slide 7

So what’s with the Champions?

Slide 8

Security Champions
• Developers
• QAs
• Architects
• Designers
• …
• Anyone interested!

Slide 9

Security Champion is …
… someone with insight into the project’s internal kitchen

Slide 10

Security Champion is …
… someone who becomes the team’s security SPOC (single point of contact)

Slide 11

But what’s more important, it’s …
… someone who wants to upgrade security

Slide 12

Benefits of having sec champs
• Scaling security through multiple teams
• Engaging “non-security” folks
• Creating a security culture

Slide 13

Security Champions at

Slide 14

Security Champions at
• Security Champion survey
• 11 questions, 7 yes/no + proposals/ideas
• 20 respondents:
  • CISOs
  • project leaders
  • developers
  • testers
  • architects

Slide 15

Security Champions expectations
(bar chart, scale 0 to 100; bar values are not preserved in this text)
Categories: Share knowledge, Help decision making, Guard best practices, Build threat models, Security reviews, R&D initiatives, Bug bounty

Slide 16

Other selected expectations
• Attend security conferences
• Define best practices
• Prioritize security-relevant stories in Backlog
• Monitor vulnerabilities in tools/libraries
• Write security tests for identified risks
More outcomes: http://bit.do/security_champions
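The “Monitor vulnerabilities in tools/libraries” expectation above, as an added worked example (not code from the slides or from the playbook repository): a small Python script that reads exact pins from a requirements file, checks them against a list of advisories with affected version ranges, and separately reports entries it cannot check because they are not pinned. The package names, versions and advisories in it are constructed for illustration and do not describe real packages or real vulnerabilities; in practice the advisory list would be fed from a vulnerability database.

```python
"""Dependency vulnerability check for pinned Python requirements.

Added illustration for the "monitor vulnerabilities in tools/libraries"
duty; not code from the original slides or playbook.  The requirements
text and the advisory list below are constructed for this example and do
not describe real packages or real vulnerabilities.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'1.11.4' -> (1, 11, 4). Parsing stops at the first non-numeric
    component, so '2.0rc1' becomes (2, 0) and '3.12' becomes (3, 12)."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts) or (0,)


def version_lt(a: Version, b: Version) -> bool:
    """True if a < b; shorter tuples are zero-padded so (2,) == (2, 0, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


class Advisory(NamedTuple):
    package: str         # normalised package name (lower-case, '-' not '_')
    introduced: Version  # first affected version, inclusive
    fixed: Version       # first fixed version, exclusive
    note: str


def normalise(name: str) -> str:
    return name.strip().lower().replace("_", "-")


def parse_requirements(text: str) -> Tuple[Dict[str, Version], List[str]]:
    """Return ({name: pinned_version}, [unpinned names]).

    Only exact '==' pins can be checked; anything else (a range, a bare
    name) is reported as unpinned so a champion can chase it."""
    pins: Dict[str, Version] = {}
    unpinned: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][^\s;]*)", line)
        if m:
            pins[normalise(m.group(1))] = parse_version(m.group(2))
        else:
            unpinned.append(normalise(re.split(r"[<>=!~\s\[]", line, maxsplit=1)[0]))
    return pins, unpinned


def find_vulnerable(pins: Dict[str, Version],
                    advisories: List[Advisory]) -> List[Tuple[str, Version, Advisory]]:
    """A pin is affected when introduced <= version < fixed."""
    hits = []
    for adv in advisories:
        ver = pins.get(normalise(adv.package))
        if ver is None:
            continue
        if not version_lt(ver, adv.introduced) and version_lt(ver, adv.fixed):
            hits.append((adv.package, ver, adv))
    return hits


def report(text: str, advisories: List[Advisory]) -> List[str]:
    """Human-readable findings: affected pins first, then unchecked entries."""
    pins, unpinned = parse_requirements(text)
    lines = []
    for name, ver, adv in find_vulnerable(pins, advisories):
        lines.append("VULNERABLE %s==%s (%s)" % (name, ".".join(map(str, ver)), adv.note))
    for name in unpinned:
        lines.append("UNPINNED   %s (cannot be checked)" % name)
    return lines


# Constructed sample input: fictitious packages and fictitious advisories.
SAMPLE_REQUIREMENTS = """\
# constructed example, not a real project file
alphaweb==1.11.4
betahttp==2.18.0
yamlish==3.12
gammaqueue>=4.0      # not an exact pin: cannot be checked
"""

SAMPLE_ADVISORIES = [
    Advisory("alphaweb", (1, 11, 0), (1, 11, 9), "hypothetical, fixed in 1.11.9"),
    Advisory("betahttp", (2, 0, 0), (2, 18, 0), "hypothetical, fixed in 2.18.0"),
    Advisory("yamlish", (0,), (5, 1), "hypothetical, unsafe loader before 5.1"),
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_REQUIREMENTS, SAMPLE_ADVISORIES)))
```

Two details matter for a check like this: the fixed version is exclusive, so a pin equal to the first fixed release (betahttp 2.18.0 in the sample) is correctly not flagged, and anything that is not an exact pin is surfaced rather than silently skipped, because an unpinned dependency is exactly what a champion cannot vouch for.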

Slide 17

So far it looks like that:
• You’re alone with a million security problems
• ?????
• Champions appear and solve them
PROFIT!

Slide 18

Security Champions Playbook

Slide 19

Security Champions Playbook
1. Identify the teams
2. Define the role
3. Nominate champions
4. Set up communication channels
5. Build solid knowledge base
6. Maintain interest

Slide 20

1. Identify the teams
• 1 product = 1 team?
• Technologies?
• Documentation?
• Communication?
• Management?
• Current reviews?
• Release calendar?

Slide 21

1. Identify the teams (contd.)
• Expected outcome after this step (BTS = bug tracking system):

Product  | Team  | Technologies   | Security contact | Team lead    | Product manager      | BTS  | Comments
Product1 | Alpha | Python, Django | Vasya Pupkin     | Vasya Pupkin | Kleopatra Stepanovna | HELO | Usage of Bandit tool
Product1 | Beta  | …              | …                | …            | …                    | …    | …

Slide 22

2. Define the role
• Measure current security state among the teams
• Define goals you plan to achieve in mid-term
• Identify places where Champions could help
• Produce clearly defined roles for the Champions

Slide 23

2. Define the role (contd.)
Depending on current progress and strategy, role descriptions could be:
• Verify security reviews
• Control best practices within the team
• Raise issues for risks in the existing code
• Build threat models for new features
• Conduct automated scans of the code
• Investigate bug bounty reports

Slide 24

3. Nominate Champions
Nominate, not appoint!! Enthusiasm, remember? ;)

Slide 25

3. Nominate Champions (contd.)
• Get approvals on all levels
• …
• Because otherwise you’ll hear the worst argument ever:
• I HAD NO TIME FOR SECURITY!!!

Slide 26

3. Nominate Champions (contd.)
Once nominated, make them feel like a Champion:
• entry to the security meta-team
• official introduction to the peers
• insignia ;)

Slide 27

4. Set up communication channels
• Slack?
• IRC?
• Skype?
• Keybase?
• Yammer?
• Mailing lists?

Slide 28

5. Build solid knowledge base
Internal wiki as the main resource!
• Security meta-team with listed champs
• Clearly defined roles and procedures
• Secure development best practices
• Risks & vulnerabilities
• Checklists
  ✓ Web/mobile security checklist
  ✓ Third-party security checklist
  ✓ UI security checklist
  ✓ Privacy checklist
  ✓ …

Slide 29

5. Build solid knowledge base (contd.)
Open source to the rescue!
• Security Knowledge Framework
• ASVS + MASVS
• CERT secure coding standards
• and many more…

Slide 30

6. Maintain interest
• Workshops & trainings
  • Strategy / best practices
  • Security quizzes
  • Hacker Thursday
  • “Month of bugs”
• Keep them motivated!

Slide 31

6. Maintain interest (contd.)
https://github.com/Simpsonpt/AppSecEzine
https://github.com/paragonie/awesome-appsec

Slide 32

6. Maintain interest (contd.)
Monthly security newsletters
• Updates & plans
• Recognition for leaders
• Another source of communication
• Also serve as checkpoints for all

Slide 33

6. Maintain interest (contd.)
Security conference calendar
• Start here: https://infosec-conferences.com
• Add local events…
• And participate in OWASP chapter meetings :)

Slide 34

https://github.com/c0rdis/security-champions-playbook

Slide 35

Afterword
• The playbook will allow you to get sec reinforcements, but THINK BIGGER!
• Once established properly, they will greatly help you in spreading security across the company and in achieving future sec goals
• … and the best part is watching how they develop themselves!

Slide 36

Questions? @c0rdis