Slide 1

@chriseng Chris Eng
ISSA-LA Summit X, May 4, 2018
Security Champions: How to Build an Alliance with Developers

Slide 2

Who are you?
• Developer
• Security
• Operations
• Other

Slide 3

My Background
• VP Strategic Research, CA Veracode
• 20 years in application security: building, breaking, and defending
• Lead the team responsible for the security analysis capabilities of Veracode’s product portfolio as well as product security across all development teams
• Speak at lots of conferences and to the media

Slide 4

Trends

Slide 5

All Companies are Software Companies

“Domino's has almost turned itself into a technology company that maybe just happens to sell pizza on the side. We look at metrics like orders per minute, actual transactions out to stores, and that can tell us what customers are ordering, in real time.” - Russ Turner, IT Manager

Apps Tied to Bottom Line: 78% of enterprises believe that the shift to becoming a software-driven business will be a critical driver of competitive advantage. Over 40% say it is already affecting new product and service development. [1]

“Digital sport, as we call it at Nike, is incredibly important to us. We think it's going to be a bigger and bigger factor in terms of the experience that consumers have with the products that we create… We are focusing more on the software side of the experience.” - Mark Parker, CEO

“At its heart, Tesla is a software developer dressed in a carmaker's robes… This software focus affords Tesla a flexible and dynamic approach to updating its fleet, something that few, if any, other carmakers have been able to accomplish.” - Leah Niu, Motley Fool

“Airbnb makes its money in real estate. But everything inside of how Airbnb runs has much more in common with Facebook or Google or Microsoft or Oracle than with any real estate company. What makes Airbnb function is its software engine… It’s a tech company.” - Marc Andreessen, Investor

Slide 6

Development Practices are Evolving

[Diagram: stages PLAN, DEV, QA, OPS; legend: = Handoff. Rows: Waterfall (Business Intent, App Knowledge, Ops Knowledge), Agile (Business Intent, App Knowledge, Ops Knowledge), DevOps (Continuity).]

Slide 7

Traditional Security Teams Don’t Scale

IMAGES: Creative Commons (CC-BY) people by Studio Het Mes from the Noun Project, confuse by Gan Khoon Lay from the Noun Project

Slide 8

The Evolving Developer Mindset

“Security is everyone’s job now, not just the security team’s. With continuous integration and continuous deployment, all developers have to be security engineers... We move too fast for there to be time for reviews by the security team beforehand. That needs automation, and it needs to be integrated into your process. Each and every piece should get security integrated into it... before and after being deployed.” – Werner Vogels, Amazon CTO, at AWS re:Invent 2017

Slide 9

Laying Groundwork

Slide 10

Develop Relationships
• If you’re in security, who is your peer in development (and vice-versa)?
• Do you understand how they are goaled?
• What are their struggles?
• How often do you meet with them?
• How’s the empathy level?

IMAGES: Creative Commons (CC-BY) Handshake by Gan Khoon Lay from the Noun Project

Slide 11

Share Accountability
• Shared between development and security
• Part of annual goals for both teams
• Measured and reported regularly

Slide 12

Learn About Their World
• Read
  • The Phoenix Project
  • The DevOps Handbook
• Attend some scrum ceremonies
• Learn their tools
• Write security stories and/or code

Slide 13

Developers, You’re Not Off the Hook
• Understand the security mindset as well as practical techniques
• Read
  • Agile Application Security
  • Security Engineering
  • The Art of Deception
  • Smashing the Stack for Fun and Profit (seminal article)
• Talk to your product security team about what they’re working on

Slide 14

Starting to Scale

Slide 15

Build Security Champions
• Security teams can’t be everywhere at once
• Your security team does not scale indefinitely!
• Build and train a team to take on specific tasks and to be the “security conscience” on their respective teams

Slide 16

Bootstrapping a Security Champions Program
• Pick the right people
• Start strong
• Empower, within limits
• Maintain momentum

Slide 17

Staffing Considerations
• Volunteer > voluntold
• 2+ per team for redundancy
• Influential people, not just developers!
• Not too new to the company, team, or product
• Not already responsible for a major role, e.g. ScrumMaster

IMAGES: Creative Commons (CC-BY) chosen by Gilbert Bages from the Noun Project

Slide 18

Ramping Up
• Security fundamentals: instructor-led works well
• Reinforce with eLearning
• Review previously fixed vulnerabilities in familiar codebases to learn real-world scenarios
• Supplement with CTFs

Slide 19

Empower, Within Limits
• Day-to-day tasks such as story grooming and code reviews
• Make grooming checklists: new features, new architectures, new security controls, new forms, fixes for pen test findings, any code that touches AuthN, AuthZ, cryptography, etc.
• Focus code review goals on security controls they have proven they understand, e.g. data validation, parameterization, encoding, etc.

Slide 20

The Conscience of the Security Team
• One of the most important skills: understanding when and how to escalate
• Keep an eye out for SCs who never escalate anything

Slide 21

Keeping Momentum

Slide 22

Measuring and Managing

Slide 23

Measuring and Managing
• Baseline security maturity
• Code review certifications
• Individual and team goals
• Quarterly reviews

Slide 24

Using a Maturity Model (this level of granularity works for us, but maybe not for you)

Slide 25

Goal Setting
• Goals for champions
  • Code review certification
  • Spot check grooming decisions
• Goals for teams
  • Against maturity model
  • Baseline and update
  • Are you getting what you expect?

Slide 26

Maintain High Touch
• Support, not abandonment
• Monthly group meetings to compare experiences and share information
• Slack channel, mailing list: however the developers prefer to communicate
• Periodic check-ins, e.g. quarterly maturity model check-ins
• Joint projects (e.g. VSSL)

Slide 27

Rewards and Recognition
• Additional training opportunities
  • Internal (mentoring)
  • External (conferences)
• Teach them to hack
  • Internal CTF sessions
• Swag, badges, certifications

Slide 28

Conclusions

Slide 29

In Summary
• A solid relationship with your development counterpart(s) is a must-have
• Pick the right people, train them, and empower them
• Measure progress (maturity models are vastly superior to vulnerability counting or other “minivan” metrics)
• Maintain momentum through open communication and incentives

Slide 30

Chris Eng
VP, Strategic Research, CA Veracode
@chriseng
Thank you!