

Context Over Control: Security's New Path @ DeveloperWeek

DevSecOps isn't working. In many organizations, it has been used to add more control over developers and add roadblocks to delivering applications. Across the board, there has been a negative impact on the CI/CD pipeline, resulting in longer cycle times, and worst of all, the systems aren't getting more secure. We know this because the breaches keep coming.

DevSecOps needs to find a new way. This talk explores what is missing in most organizations, the intersection points between developers and security, and what to do about it. We'll discuss how composition and context work together, how to improve CI/CD pipeline issues, reduce the time for discovery of security issues, and provide collaboration between groups.

Developers and security engineers alike will find this session useful as they find ways to work together along with tools, tips, and examples to overcome common obstacles.

Talk originally delivered on August 16th at DeveloperWeek in San Mateo, CA.

James Wickett

August 23, 2023


Transcript

  1. Problems for the Security Industrial Complex — Threat landscape shifting — The breaches aren't stopping — Negative developer economics — Productivity deceleration
  2. Clearly something is wrong. The root of the problem is twofold: we're protecting the wrong things, and we're hurting productivity in the process. — Steven Bellovin
  3. The Penalties of the Shift Left — Increase in security work — New gates and added complexity — Decoding findings (FP vs. TP) — Slower build times
  4. many security teams work with a worldview where their goal is to inhibit change as much as possible
  5. James Wickett — Co-founder & CEO @ DryRun Security — LinkedIn Learning Author: DevOps, Security — Formerly: Signal Sciences, Verica, NI, Mentor — Austin, TX — @wickett || wickett AT dryrun .security
  6. Security is an Epistemological Wasteland — The Path to DevOps Enlightenment for InfoSec — DevSecOps is the Furthering of DevOps into Security — Security Context Delivered To Dev & Ops
  7. 4 Radical Things I Believe — Security is a Function of Quality — Security is Value not Cost — Developers Care About Security — We need Contextual Security Analysis
  8. Security as Composition — What are my code dependencies? — Where did they come from? — What vulnerabilities or flaws am I inheriting?
  9. Security as Context — Who wrote the code? — What does the app do? — What are app areas that are important? — Are there any critical functions? — Did the developer pass secure code training? — Is the code brittle in certain areas?
  10. Contextual Security Analysis — Contextual Security Analysis uses all available context gathered as developers are writing code to make contextually aware assertions.
  11. Security Context — Commit or PR — Author — Codepaths & Functions — Dependencies — Sectool findings — Past problem areas
  12. SLIDE Context Factors — Surface - the application shape — Language - the language and framework — Intent - the person making the change — Detection - the output from sectools — Environment - the purpose in the organization
  13. static-findings:
        - controllers/home.js: Unvalidated Redirect and Forwards
        - app.js: Session HttpOnly Misconfigured in Node Express
        - app.js: Default Session Name used in Session Cookie in Node Express
  14. Benefits of Contextual Security Analysis — Better decision-making — Improved collaboration — Greater agility — Increased visibility
  15. Ideas to Get Started — SLIDE into CI/CD workflow (ref arch: Monocle) — Try a Sensitive Codepath workflow — Use AI for security bug triage
  16. GitHub Action for Sensitive Codepaths — This GitHub action checks for changes in specified sensitive codepaths in your repository. — wickett/sensitive-codepaths — github.com/marketplace/actions/sensitive-codepaths-check — MIT License
  17. Book Recommender API in Node Express — Let auth'ed users upload books — Ask the API endpoint /random-book
  18. name: Check changes in specified codepaths
      on:
        pull_request:
          types:
            - opened
            - synchronize
      jobs:
        check_changes:
          runs-on: ubuntu-latest
          steps:
            # The version tag of the action was garbled in extraction; <version> is a placeholder.
            # Pin to a released tag (or a commit SHA) so the workflow does not float to new code.
            - uses: wickett/sensitive-codepaths@<version>
              with:
                token: ${{ secrets.MY_GITHUB_PAT }}
  19. Steps for Contextual Security Analysis — 1. Democratize Security Tools — 2. Ask Security for Context — 3. Synthesize Output
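The sensitive-codepath workflow on the preceding slides, the SLIDE factors (Surface, Intent, Detection) and the three steps above are what a CI job can actually compute. The script below is an added example, not code from the talk, from DryRun Security, or from the wickett/sensitive-codepaths action: it takes a PR's changed files, an assumed list of sensitive codepath globs, and sectool output in the slide-13 shape, and synthesizes a context record with a review decision. All sample data is constructed.

```python
"""Contextual assessment of a pull request (added example; assumed config and data)."""
from fnmatch import fnmatch

# Assumed configuration: codepaths the security team has marked as sensitive (Surface).
SENSITIVE_CODEPATHS = ["app.js", "controllers/auth*.js", "routes/upload/*", "models/user.js"]

# Constructed sectool output in the slide-13 shape: path -> finding titles (Detection).
STATIC_FINDINGS = {
    "controllers/home.js": ["Unvalidated Redirect and Forwards"],
    "app.js": ["Session HttpOnly Misconfigured in Node Express",
               "Default Session Name used in Session Cookie in Node Express"],
}


def is_sensitive(path, patterns=SENSITIVE_CODEPATHS):
    """True if the changed file matches any sensitive codepath glob."""
    return any(fnmatch(path, p) for p in patterns)


def assess_pr(changed_files, author, trained_authors, findings=STATIC_FINDINGS):
    """Return per-file context for the PR plus a review decision.

    author / trained_authors cover the Intent factor: who made the change and whether
    they passed secure code training (constructed roster, see slide 9).
    """
    files = [{"path": p, "sensitive": is_sensitive(p), "findings": findings.get(p, [])}
             for p in changed_files]
    touches_sensitive = any(f["sensitive"] for f in files)
    findings_in_change = any(f["findings"] for f in files)
    # Decision: sectool findings inside a sensitive codepath, or a sensitive change by an
    # untrained author, asks for a human security review rather than a hard pipeline gate.
    needs_review = touches_sensitive and (findings_in_change or author not in trained_authors)
    return {"author": author, "files": files, "needs_security_review": needs_review}


def summarize(record):
    """One-line PR comment synthesized from the context record (step 3 above)."""
    hits = [f["path"] for f in record["files"] if f["sensitive"]]
    n_findings = sum(len(f["findings"]) for f in record["files"])
    verdict = "security review requested" if record["needs_security_review"] else "no review needed"
    return f"author={record['author']} sensitive={hits} findings={n_findings} -> {verdict}"


if __name__ == "__main__":
    print(summarize(assess_pr(["app.js", "README.md"], "alice", {"alice"})))
```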
  20. /sb: What is the Default Session Name used in Session Cookie in Node Express vulnerability and why is it a security issue?
      /sb: How do we do auth for this application?
      /sb: Can you provide the security guidelines for this application?
  21. The Summary — Control vs. Composition vs. Context — Contextual Security Analysis — The SLIDE Model — CSA Guide