Slide 1

Security Culture: Here be Hackers
Taras Ivashchenko

Slide 2

/about
● 10+ years in security
● Top Internet companies in Russia
● Product security team lead in OZON
● OWASP Russia chapter leader
● @oxdef

Slide 3

Who are hackers?

Slide 4

«a person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular»
RFC 1983

Slide 5

We want to
● Avoid questions about typical vulnerabilities
● Make developers aware of security processes and controls
● Make developers read security guides
● Make it possible for developers to improve security in the products
● Developers to become security hackers

Slide 6

Do developers even know if the security team exists?

Slide 7

Security in a developer’s life
● Interview
● Bootcamp
● The first day at work
● ... cup of coffee
● ... lines of code
● ... product meeting
● ... security audit and security issues

Slide 8

The communication

Slide 9

The first day at work
● Welcome meeting and a short introduction talk about security processes
● Internal staff portal with an API
● Use this API to monitor for new developers
● Automatically send them a welcome letter from the security team

Slide 10

How to write secure code at our company

Dear Mike,

Welcome to our team! Here at our company we make beautiful, functional, fast AND secure services! The security team has prepared security guides for you: https://internal-security-portal/guides. Please find some time to read them as soon as possible. If you have any questions, feel free to contact us.

-- Your Product Security Team
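The automation from the previous slide (poll the staff portal for new developers, send the letter above), as an added example that is not the deck's own code. The staff-portal API shape, the field names, the role list and the `send` callable are assumptions; the guides URL and letter text come from the deck.

```python
"""Welcome-letter automation (added example, not the deck's own code).
Assumed: the staff-portal API returns JSON records with the fields used
below; ``send`` is any callable that delivers mail (SMTP, messenger, ...)."""
from datetime import date

GUIDES_URL = "https://internal-security-portal/guides"          # from the deck
DEV_ROLES = {"developer", "mobile developer", "c++ developer"}  # assumed roles
SINCE = date(2024, 3, 1)                                        # assumed cut-off
LETTER = (
    "Subject: How to write secure code at our company\n\nDear {name},\n\n"
    "Welcome to our team! Here at our company we make beautiful, functional, "
    "fast AND secure services! The security team has prepared security guides "
    "for you: {guides}. Please find some time to read them as soon as possible. "
    "If you have any questions, feel free to contact us.\n\n"
    "-- Your Product Security Team\n"
)

def new_developers(records, since, welcomed):
    """Developers who started on/after `since` and are not yet in `welcomed`.
    `welcomed` is the set of logins already contacted; persisting it between
    runs keeps the job idempotent, so a re-run never mails anyone twice."""
    return [r for r in records
            if r["role"].lower() in DEV_ROLES
            and date.fromisoformat(r["start_date"]) >= since
            and r["login"] not in welcomed]

def render_letter(record):
    return LETTER.format(name=record["name"], guides=GUIDES_URL)

def run(records, since, welcomed, send):
    """Send one letter per new developer; returns the logins contacted."""
    sent = []
    for r in new_developers(records, since, welcomed):
        send(r["email"], render_letter(r))
        welcomed.add(r["login"])   # mark only after delivery did not raise
        sent.append(r["login"])
    return sent

# Constructed sample records standing in for the staff-portal API response.
SAMPLE = [
    {"login": "mike", "name": "Mike", "email": "mike@example.test",
     "role": "Developer", "start_date": "2024-03-04"},
    {"login": "anna", "name": "Anna", "email": "anna@example.test",
     "role": "Recruiter", "start_date": "2024-03-04"},
    {"login": "oleg", "name": "Oleg", "email": "oleg@example.test",
     "role": "Developer", "start_date": "2023-01-10"},
]

if __name__ == "__main__":
    run(SAMPLE, SINCE, set(), lambda to, body: print("->", to, body))
```

Only Mike is contacted: Anna is not a developer and Oleg started before the cut-off.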

Slide 11

Corporate messenger
● #help-security for asking questions
● #news-security for IT security news and awareness posts from the security team
● @security for calling the security team
● @security-bot for security alerts
● Loading screen messages

Slide 12


Slide 13

Communication channels
● Welcome letter
● Tickets about security issues in the bug tracking system
● Small channels in dev tools, like banners
● Internal security portal with an active blog
● Channels and chats in the messenger
● Internal tech meetups
● Security mailing list

Slide 14

Internal security portal
● Security guides
● Quick links to security self-checking services
● «Ask Security» contact form
● Latest posts from the internal security blog
● Current projects

Slide 15

The guide

Slide 16

Structure
● Separate guides for web, mobile and C/C++ developers
● From common topics and practices to typical issues and specific cases
● Use cards as the format for publishing complex issues
● Developers (like all humans) don’t want to read “long read” articles
● Content should be easily searchable
● Integrated self-assessment quiz and feedback form

Slide 17

Content
● High-level best practices: authentication/authorization, input validation, output encoding, error handling
● Security team internal processes, services and controls
● Typical threats and mitigations
● Specific internal topics and processes

Slide 18

Do not write yet another security guide from scratch!

Slide 19

Combine
● OWASP Proactive Controls
● OWASP Top 10
● Topics specific to your case
Base

Slide 20

Test yourself

Slide 21

Quizzes and courses
● To measure how well developers read the guides
● Should not take a lot of time
● Should not be boring!
● Use FOSS, e.g. a learning management system like Moodle
● Other interesting tools: OWASP Security Knowledge Framework, Hacksplaining, Codebashing

Slide 22

Developer’s profile
● Badges for various security activities
● Special flags, e.g. for reading our guides
● Security “karma”
● Use this information to make a more accurate threat analysis of new releases

Slide 23

Blueprint and metrics
● OWASP SAMM: Education & Guidance
● 60% of developers briefed on security guides within the past year
● Fewer questions about security issues
● More followers in internal security channels

Slide 24

Next steps
● CTFs
● Security months
● Gamification
● Security Champions and Ninjas

Slide 25

Takeaways
● Application security should be closer to developers
● Help developers make secure applications
● Make it possible for developers to help you with your duties
● Let developers be security champions
● It should be fun ☺

Slide 26

Movies for the weekend
● Mr. Robot (series)
● Hackers
● 23
● WarGames
● The IT Crowd
● Kung Fury :)

Slide 27

Thank you!