Da qualche tempo è buona prassi accorpare sviluppo e operazioni. Che dire invece della sicurezza? Nel mondo "business" c'è un modello interessante che descrive due diverse figure: Hunter e Farmer, uno più esplorativo e adatto alle novità, uno più sociale e costruttivo. In questo incontro fornirò un'interpretazione di questo modello con lo scopo di semplificare la convivenza tra metodologie significativamente diverse.

1. Dev(Sec)Ops and the Hunter/Farmer model
Fabrizio Zeno Cornelli
CODEMOTION MILAN - SPECIAL
EDITION 10 – 11 NOVEMBER 2017

2. Thanks to Randall Munroe: xkcd.com

3. Get a Good Password
$ dd if=/dev/random count=1
| base64 | cut -c1-22
c4EdYgLedpD30qKJ6YAKjQ
Use 128 bit

4. $ gsort -R ˜/dict/words.txt
| head -4 | paste -sd ‘-‘ -
Get a Good Password
Use dictionary

5. 11 bits to index words.txt?
128/11 !" 12
Get a Good Password
How many words?

6. Why Password0! Is not good?

7. HOW TO CRACK A PASSWORD

9. How passwords work
stored[user] = hash(password)
hash(password) !" stored[user]
$→ auth

10. How to crack a password
Retrieve stored hashes
Deduce hash
Plaintext? Done :
- Bruteforce attack
- Dictionary attack

11. Brute force Attack
Test every single possible
password.
From ‘a’ up to ‘ZZZZZZZZ..ZZZ’

12. Dictionary Attack
hash(guess) !" stored $→ (^-^)
$ john stored.txt

13. stored = set(‘abFZSxKKdq5s6’, ‘ulMGRyl03i2gm’ …)
dic = [‘password’, ‘12345’, …]
rules = [‘:’, ‘u’, … ‘so0’, ‘cAz[0-9][!$§]’]
_guesses = jexpand(dic, rules) # [‘password’,
‘PASSWORD’, …, ‘passw0rd’, ‘Password0!’…]
[ g for g in _guesses if hash(g) in stored ]
How to crack a password

14. So what?

16. FABRIZIO CORNELLI
zeno@sicurieffetti.it

17. CV
CTO, Enterprise srl
DEV / QA Manager, HT
Consultant, from 2016

19. DEVELOPER
“if it ain’t broke, don’t fix it”

20. Constructive

21. Design then code (and test)

22. High level languages
Good Practices
RTFM
Frameworks and Libraries
Progra()ing
skills
(some languages)

23. Don’t reinvent the wheel

24. DRIVEN BY
Sense of order
Growth
Collaboration
Planning/OCD issues

25. Dev Proverbs
The ends does not justify the mean
Choose two: good, fast, cheap
Any fool can write code that a
computer can understand. Good
progra()ers write code that humans
can understand. [M. Fowler]

26. HACKER
“shit happens”

27. Deconstructive: Reverse Engineer

28. Lateral Thinking

29. Subvert the manual

30. Shortcut / quick and dirty

31. Must be the first

32. Low level
Languages
(C, asm)

33. DRIVEN BY
Challenge
Showing off
Boring issues

34. Hacking Proverbs
the ends justify the means
a clever person solves a
problem, a wise person avoids
it
a lot goes a shecat to the
grease, that she leaves the
little arm

35. Comparative table
Deductive Inductive
Deconstructive Constructive
Reverse Engineering Progra()ing skills
Lateral Thinking Good Practice
Shortcut Design then code
Subvert the manual RTFM
Shortcut Frameworks and libs
Incautious Conservative
Low level lang High level lang
Hacker Developer

36. Shared values

37. Discipline / Focus

38. Imagination

39. Patience

41. Farmer Hunter model
B2B Sales model

42. Hunter
focused on creating new sales opportunities, prospecting and closing.
“eat what they kill.”

43. Farmer
manages and sells to existing relationships. account manager

44. Hunter vs Farmer
Take charge Let things develop
Aggressive Laid Back
Prospector Planner
Competitive Collaborative
Always be closing So, what do you think
Individualist Team player
Short term Long term
Risky Safe

45. Hunter vs Farmer
Really a coincidence?
Is there any anthropologic root?

46. STONE AGE
anthropologic session

47. Small clans
Nomadic
Hunters

48. Resources
Developer
Language
and politics
Villages
and cities
Farmers

49. Hunter vs Farmer
nomadic / autonomy permanent settlements
innovation tradition
initiative patience
indipendence collaboration

50. Are we changed?
We still “feel” the
connection with cats and dogs
Trium Brain theory (Paul MacLean)

51. PALEOLITHIC HUNTER HACKER

52. NEOLITHIC FARMER DEVELOPER

53. Are we Hunters or Farmers?
Both of them

54. Be a hunter
get your POC

55. Be a farmer:
evolve an idea to a product

56. Make your team
0
20
40
60
80
POC Project Dev Maintain/PT
Hunter Farmer

57. DEVSECOPS
“hunter as a service”

58. Defenders cannot win

59. Defenders cannot win
Defending is more difficult
Attackers can abuse any
vulnerability

60. Multi Layer defence

61. Multi Layer defence
Defending is expensive
How can I prove that I’m
secure?

62. Popper’s refutability

63. Popper’s refutability
the inherent possibility that
a statement can be proven
false
- Halting problem
- “this system is secure”

64. Popper’s refutability
POSITIVISM
proof $→ true
REFUTABILITY
paradox $→ false

65. DevSecOps’ Refutability
each part should be testable
and tested
devsecops is the continuous
invalidation process

66. anti pattern

67. security by obscurity

68. Russell’s inductivist turkey
PART 1

69. Russell’s inductivist turkey
PART 2

70. Hiring

71. Hiring
“I’m looking for a
hacker”
“We need a developer”

72. Hiring
You have a few hours to match
Does your candidate fits your
job needs?
Does your job appeal to the
candidate?
Is your candidate a person or
a resource?

74. 1,2,3,4,5?
That's amazing! I've got the same
combination on my luggage.

75. Thanks
Fabio Sangiovanni
Mariachiara Pezzotti
Federico Gandellini
Luciano Colosio

76. THANK YOU
hacked potato for you
(no animal was harmed in the making of this presentation)