Realizing Near-Zero Security Flaws in Your Software

Building enterprise software is difficult. Building secure enterprise software is even harder. In a modern, agile software company there are dozens of factors that can easily work against the goal of building secure software. This talk explores the pitfalls and achievements of attempting to reach "near-zero" security flaws in software products at a fast-growing startup.

1. GARTNER SECURITY & RISK MANAGEMENT SUMMIT 2018. REALIZING NEAR-ZERO SECURITY FLAWS IN YOUR SOFTWARE. Nick Percoco
2. SECTION 01: My Journey
3. WHAT BROUGHT ME HERE? (Copyright © 2018 Uptake. Gartner Security & Risk Management Summit 2018)
   • Wrote first computer program in 1981
   • Chicagoland BBS rat in the 80s and early 90s
   • Internet Security Systems in the late 90s
   • Founder of SpiderLabs, creator of THOTCON
   • Co-founder of the "I am The Cavalry" movement
   • Global Services lead at Rapid7
   • Advisor to industry / non-industry startups
   • Chief Security Officer at Uptake
   • Launched a Secure SDLC at a hyper-growth startup
4. WHAT'S THIS TALK ABOUT?
   • Setting a vision
   • Starting small
   • Making mistakes
   • Learning
   • Failing
   • Evolving
   • Transparency
5. SCOPE
6. TEAM SIZE
7. SECURITY AT UPTAKE: PROGRAM STRUCTURE (Uptake confidential)
   Uptake Security Program functions, laid out on an axis from "more compliance" to "more technical": Risk & Compliance; Cloud & Networking Security; Application Security; Threat Exposure Management; Hackers & Hunters; Security Audit; Physical Security; Cryptography.
   Oversight: CSO oversight & program management; Security Advisory Council; Uptake stakeholders; customer stakeholders.
8. NEAR-ZERO SECURITY FLAWS
9. SECTION 02: Start: A Complete Program Assessment
10. FOUR AREAS OF FOCUS: DIFFICULT QUESTIONS
    Inventory + Visibility
    • What applications do we have?
    • Who owns what?
    • How are we discovering/documenting?
    Discovery
    • How are we discovering security vulnerabilities?
    • Includes scans, pentests, bug bounty, internal reporting, etc.
    Management
    • How are we documenting vulnerabilities discovered?
    • How are we managing known vulnerabilities and remediations?
    Culture
    • How are we promoting security throughout our culture?
    • How are we gaining "buy-in" from engineering and product teams?
11. SECTION 03: Our Journey: Phase 1
12. PHASE 1: ESTABLISH TENT POLES
    Four lanes: Inventory + Visibility, Discovery, Management, Culture (the following slides add one tent pole at a time to these lanes)
13. PHASE 1: ESTABLISH TENT POLES. Inventory + Visibility: Initial Team & Product Definitions
    • High level
    • Tried to align to agile teams
    Problem:
    • Teams and products were continually changing
    • Non-standardized "owners": mixing of business and engineering teams
    • Unclear definitions: mixing "products" with "services"
14. PHASE 1: ESTABLISH TENT POLES. Discovery: 3rd Party Pentest
    • Customer requirement driven
    • Brought in a 3rd party for the pentest
    • First time in-depth security testing was performed
    • Performed on just one product (the most mature)
15. PHASE 1: ESTABLISH TENT POLES. Discovery: Veracode / Blackduck (Security Code Scanning)
    • Mentality was to just scan everything
    Problem:
    • Organized on the initial definitions
    • Did not map static scan profiles to our definitions
    • Did not have foresight for organization or easily visible metrics
    • Did not have clear ownership for vulnerability fixes
16. PHASE 1: ESTABLISH TENT POLES. Culture: Onboarding Slides (Onboarding New Hires)
    • Overview of what security means and how to work with the team
    • Goal was to show value from security and break down barriers
    Problem:
    • Overcoming the problem of siloization
17. PHASE 1: ESTABLISH TENT POLES. Discovery: Pentesting (Internal Pentesting)
    • Thoughtfully choosing new applications, products, and acquisitions
    • Created a schedule to pentest everything at least once a year
    Problem:
    • Ownership of issues found
18. PHASE 1: ESTABLISH TENT POLES. Discovery: Bug Bounty
    • Recognized that we had more surface area for testing than could be handled by a single team
    Problem:
    • Were not able to use production client data
    • Heavy engineering investment for a new environment
    • Needed more buy-in from engineering and support for remediation
    • Underestimated the effort required to stand this up
    • Overestimated our maturity
19. PHASE 1: ESTABLISH TENT POLES. Inventory + Visibility and Management: Excel Sheet (Tracking)
    • Tracked source of finding (e.g. pentest, static scan), severity, and exploitability
    • A central location to see vulnerabilities and risk
    Problem:
    • Little monitoring of assignee or ownership
    • Little monitoring of validation of fixes
20. PHASE 1: ESTABLISH TENT POLES. Management: Engineering Jiras (Assigning Issues)
    • Added vulnerability tickets directly to engineering teams' queues
    • Tickets ended up in backlogs
    Problem:
    • Hard to see an overview of risks per product
    • Tickets ended up being ignored / not updated
21. PHASE 1: ESTABLISH TENT POLES. Culture: Team Meetings / Office Hours
    • Met with teams to walk through vulnerabilities
    • Created office hours for teams to come to us with questions and to act as working sessions
    Problem:
    • Teams looked at the office hours as a chore as opposed to useful
22. PHASE 1: ESTABLISH TENT POLES. Culture: Security Champions
    • Cross-organizational group to help bring security into all facets
    • Break down silos and disseminate best practices
    Problem:
    • Keeping the interest of all involved
    • Teams changed quickly, so the champions needed to change often
23. PHASE 1: ESTABLISH TENT POLES. Culture: Developer Training (Codebashing)
    • Engineering training: required on a minimum of a yearly basis
    • Company training: more in-depth onboarding slides
    Problem:
    • Not hands-on enough
24. PHASE 1: ESTABLISH TENT POLES. Inventory + Visibility: Team Signoff (Individual Team Sign-Off)
    • Decided we don't know the engineering organization as well as the individual teams do
    • Gave engineers tools to run their own scans and view their own results
    • Required engineering teams to "sign off" that scans were clean before deploying
    Problem:
    • Lost a lot of visibility into the pipeline
    • If something was released out of cycle, we were not informed
25. PHASE 1: ESTABLISH TENT POLES (summary of the four lanes at the end of Phase 1)
    Inventory + Visibility: Initial Team and Prod. Definitions, Excel Sheet, Team Signoff
    Discovery: 3rd Party Pentest, Veracode / Blackduck, Pentesting, Bug Bounty
    Management: Excel Sheet, Engr. Jiras
    Culture: Onboarding Slides, Team Mtgs. / Office Hours, Security Champions, Developer Training (Codebashing)
26. SECTION 04: Our Journey: Phase 2
27. PHASE 2: MATURE THE PROCESSES. Inventory + Visibility: Re-Evaluate Definitions and Ownership
    • Refined definitions of application vs. product vs. microservice
    • Distinguished between "Risk" and "Bug"
    • Defined ownership: a risk is owned by the product team, a bug is owned by the engineering team
    Problem:
    • Still lacked cross-team acceptance and buy-in
    • Changing team perspectives was hard because they were used to operating on the old inventory and definitions
28. PHASE 2: MATURE THE PROCESSES. Inventory + Visibility and Management: APPSEC Jira
    • Migrated all tracking to a dedicated Jira project with custom workflows
    • Centralized "source of truth" for all owners, risks, findings, and engagements
    • Built-in metrics and reporting (e.g. time to close, average risk, assignees, etc.)
    Problem:
    • Product and business side don't check Jira regularly
29. PHASE 2: MATURE THE PROCESSES. Management: APPSEC Dashboard
    • Using the Uptake Design System, created a centralized dashboard that pulled data from Jira and correlated it with other tools
    • Single pane of glass for all security findings and statuses
    • Custom KPIs and a familiar interface
    Problem:
    • Helped with visibility and accountability, but still lacked clear ownership
30. PHASE 2: MATURE THE PROCESSES. Management and Culture: Cross Team Buy-In (Leadership and Cross-Team Buy-In)
    • Increased visibility and well-documented Jira workflows led to leadership buy-in on ownership
    • Established SLAs on finding remediation using dashboard metrics
    • Product, Security and Engineering leadership sent out communication
    Problem:
    • The new paradigm of ownership meant slow adoption across all engineering teams
    • New workflows had to be adopted for certain teams
31. PHASE 2: MATURE THE PROCESSES. Discovery: Bug Bounty 2.0
    • With leadership and cross-team buy-in, revisited and re-launched the Bug Bounty
    • Jira integration: Bug Bounty submissions fed directly into the dashboard
    • Same SLAs applied to Bug Bounty findings
    Problem:
    • Engineering buy-in for remediating findings, but still lacked buy-in for maintaining and updating the Bug Bounty environment
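Slides 28, 30 and 31 describe pooling findings from every source into one Jira project, measuring time to close, and holding owners to per-severity remediation SLAs. The sketch below is an added example, not Uptake's code or their Jira configuration: it computes those metrics over an in-memory list of findings so the arithmetic can be checked offline. The SLA values, field names and the five sample findings are constructed assumptions.

```python
"""Remediation SLA metrics over findings pooled from several sources.

Added example (not Uptake's tooling). Computes per-severity time-to-close
and SLA breaches, plus the list of overdue open findings per owner.
All SLA values, field names and sample findings are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed remediation SLAs in days per severity; the real values are not on the slides.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    key: str                  # ticket key in the central tracker
    source: str               # "pentest", "static_scan", "bug_bounty", "internal"
    severity: str
    owner: str                # engineering team (bug) or product team (risk)
    opened: date
    closed: Optional[date] = None   # None while still open


def age_days(f: Finding, today: date) -> int:
    """Days from open to close, or to `today` for a finding that is still open."""
    end = f.closed if f.closed is not None else today
    return (end - f.opened).days


def sla_breached(f: Finding, today: date) -> bool:
    """True if the finding was (or currently is) open longer than its severity's SLA."""
    return age_days(f, today) > SLA_DAYS[f.severity]


def sla_report(findings, today: date) -> dict:
    """Per-severity totals, open count, SLA breaches and mean time-to-close of closed findings."""
    acc = defaultdict(lambda: {"total": 0, "open": 0, "breached": 0, "closed_days": []})
    for f in findings:
        r = acc[f.severity]
        r["total"] += 1
        if f.closed is None:
            r["open"] += 1
        else:
            r["closed_days"].append(age_days(f, today))
        if sla_breached(f, today):
            r["breached"] += 1
    report = {}
    for sev, r in acc.items():
        days = r["closed_days"]
        report[sev] = {
            "total": r["total"],
            "open": r["open"],
            "breached": r["breached"],
            "mean_ttc_days": (sum(days) / len(days)) if days else None,
        }
    return report


def overdue_by_owner(findings, today: date) -> dict:
    """Open findings past their SLA, grouped by owner: the list to take to leadership."""
    out = defaultdict(list)
    for f in findings:
        if f.closed is None and sla_breached(f, today):
            out[f.owner].append(f.key)
    return dict(out)


# Constructed sample data, not real findings.
TODAY = date(2018, 6, 1)
SAMPLE = [
    Finding("APPSEC-1", "pentest",     "critical", "team-ingest", date(2018, 5, 1), date(2018, 5, 4)),
    Finding("APPSEC-2", "static_scan", "high",     "team-ingest", date(2018, 4, 1), date(2018, 5, 15)),
    Finding("APPSEC-3", "bug_bounty",  "high",     "team-portal", date(2018, 4, 20)),   # open for 42 days
    Finding("APPSEC-4", "bug_bounty",  "medium",   "team-portal", date(2018, 5, 20)),   # open for 12 days
    Finding("APPSEC-5", "internal",    "critical", "team-api",    date(2018, 5, 20)),   # open for 12 days
]

if __name__ == "__main__":
    for sev, row in sla_report(SAMPLE, TODAY).items():
        print(sev, row)
    print("overdue:", overdue_by_owner(SAMPLE, TODAY))
```

Note that a closed finding still counts as a breach if it was closed late (APPSEC-2 above); an SLA metric that only looks at currently open tickets rewards closing things quietly after the deadline.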
32. PHASE 2: MATURE THE PROCESSES. Inventory + Visibility: Container Metrics
    • With microservice ownership definitions, started pulling metrics on all running containers
    • Using container orchestration as the "source of truth" for all applications running in production
    • Each container is tied to a product and has an owner
    Problem:
    • Had visibility into what is running, but no direct 1:1 correlation to what is being scanned
33. PHASE 2: MATURE THE PROCESSES. Discovery: Scanning Containers
    • Reorganized the scanning pipeline to correlate directly to container metrics
    • A standard naming convention let us query scan results for every image and container in production
    Problem:
    • 100% visibility, but the data is "after the fact"
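Slides 32 and 33 together describe a join: the orchestrator says what is running and who owns it, the scanner says what was scanned, and a standard image-naming convention is the key that links the two. The script below is an added example, not Uptake's pipeline, showing that join and the three ways it can fail (image never scanned, scanned at a different tag than the one running, container missing its product/owner labels). The label names, the registry/repository/tag convention and the sample containers and scan results are constructed assumptions.

```python
"""Reconcile running containers against container-image scan results.

Added example (not Uptake's code). Joins an orchestrator inventory to
scan results on (repository, tag) parsed from the image reference, and
reports coverage gaps. Labels, naming convention and data are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class RunningContainer:
    name: str
    image: str                              # full reference as reported by the orchestrator
    labels: Dict[str, str] = field(default_factory=dict)


@dataclass
class ScanResult:
    repository: str                         # e.g. "uptake/ingest-api" (registry stripped)
    tag: str
    findings_by_severity: Dict[str, int]


def parse_image_ref(ref: str) -> Tuple[str, str, str]:
    """Split 'registry[:port]/repo/name:tag' or '...@sha256:...' into (registry, repository, version).

    A trailing ':tag' is only a tag if no '/' follows it; otherwise the ':' is a registry port.
    """
    if "@" in ref:
        path, version = ref.split("@", 1)
    else:
        head, sep, tail = ref.rpartition(":")
        if sep and "/" not in tail:
            path, version = head, tail
        else:
            path, version = ref, "latest"
    parts = path.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        return parts[0], "/".join(parts[1:]), version
    return "docker.io", path, version       # assumed default registry


def reconcile(running: List[RunningContainer], scans: List[ScanResult],
              required_labels=("product", "owner")) -> dict:
    """Classify every running container as covered, stale, or unscanned; flag missing ownership labels."""
    exact = {(s.repository, s.tag): s for s in scans}
    tags_by_repo = defaultdict(list)
    for s in scans:
        tags_by_repo[s.repository].append(s.tag)

    report = {"covered": {}, "stale": {}, "unscanned": [], "unowned": {}}
    for c in running:
        missing = [lbl for lbl in required_labels if lbl not in c.labels]
        if missing:
            report["unowned"][c.name] = missing        # nobody to assign findings to
        _, repo, version = parse_image_ref(c.image)
        hit = exact.get((repo, version))
        if hit is not None:
            report["covered"][c.name] = hit.findings_by_severity
        elif repo in tags_by_repo:
            # Scanned at some point, but not the build that is actually running.
            report["stale"][c.name] = {"running": version, "scanned": sorted(tags_by_repo[repo])}
        else:
            report["unscanned"].append(c.name)
    return report


def scan_coverage(report: dict) -> float:
    """Fraction of running containers whose exact running image has a scan result."""
    total = len(report["covered"]) + len(report["stale"]) + len(report["unscanned"])
    return len(report["covered"]) / total if total else 1.0


# Constructed sample data, not a real inventory.
RUNNING = [
    RunningContainer("ingest-api-7c9f", "registry.example.com:5000/uptake/ingest-api:1.4.2",
                     {"product": "asset-insights", "owner": "team-ingest"}),
    RunningContainer("portal-web-1a2b", "registry.example.com:5000/uptake/portal-web:2.0.0",
                     {"product": "customer-portal", "owner": "team-portal"}),
    RunningContainer("legacy-batch-0", "registry.example.com:5000/uptake/legacy-batch:0.9",
                     {"product": "asset-insights"}),                       # owner label missing
    RunningContainer("sidecar-x", "registry.example.com:5000/uptake/log-shipper:3.1",
                     {"product": "platform", "owner": "team-platform"}),
]
SCANS = [
    ScanResult("uptake/ingest-api", "1.4.2", {"high": 1, "medium": 3}),
    ScanResult("uptake/portal-web", "1.9.3", {"critical": 0, "high": 0}),  # older tag than what runs
    ScanResult("uptake/legacy-batch", "0.9", {"critical": 2}),
]

if __name__ == "__main__":
    rep = reconcile(RUNNING, SCANS)
    print(rep)
    print("coverage:", scan_coverage(rep))
```

The "stale" bucket is the one slide 33 warns about: a clean scan of last month's tag says nothing about the image that was deployed out of cycle today, so coverage is counted only on exact (repository, tag) matches.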
34. PHASE 2: MATURE THE PROCESSES. Culture: Outreach and Training
    • AppSec has higher visibility and transparency within the organization
    • Started running trainings and tech talks on scanning and penetration testing
    • Empowering engineering teams to do their own security testing
35. PHASE 2: MATURE THE PROCESSES (summary of the four lanes at the end of Phase 2)
    Inventory + Visibility: Initial Team and Prod. Definitions, Excel Sheet, Team Signoff, Re-evaluate Definitions and Ownership, APPSEC Jira, Container Metrics
    Discovery: 3rd Party Pentest, Veracode / Blackduck, Pentesting, Bug Bounty, Bug Bounty 2.0, Scanning Containers
    Management: Excel Sheet, Engr. Jiras, APPSEC Jira, APPSEC Dashboard, Cross Team Buy-In
    Culture: Onboarding Slides, Team Mtgs. / Office Hours, Security Champions, Developer Training (Codebashing), Cross Team Buy-in, Outreach and Training
36. SECTION 05: Our Journey: Phase 3
37. PHASE 3: FUTURE STATE. Inventory + Visibility and Management: Dashboard 2.0
    • The AppSec Dashboard has proved successful
    • Want to implement more security metrics from other tools
    • Implement news and security communications/alerts
38. PHASE 3: FUTURE STATE. Discovery: Full CI/CD Integration
    • Engineering is re-working their CI/CD pipeline
    • Tightly integrate with all security tools and scanning
    • Aim for 100% code coverage in CI/CD before a container is deployed
    • Feedback loop from discovered findings into unit tests
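Slide 38's goal is that no container reaches production without the security tooling having run on it. The decision step such a pipeline needs is small but has to get three things right: fail closed when a required scanner produced nothing (silence is not a clean scan), block on unremediated high/critical findings, and honour a documented risk acceptance only while it is unexpired and signed off by a product owner (slide 27's rule that risk is owned by the product team). The gate below is an added example, not Uptake's pipeline code; the scanner names, the finding/acceptance record shapes and the sample data are constructed assumptions, and the unit-test feedback loop from the slide is not modelled.

```python
"""Pre-deploy security gate over merged scanner output for one image.

Added example (not Uptake's pipeline). Fails closed on missing scanners,
blocks on unaccepted high/critical findings, and honours product-owner
risk acceptances until they expire. Names and data are assumptions.
"""
from datetime import date
from typing import Dict, List, Tuple

BLOCKING_SEVERITIES = {"critical", "high"}      # assumed policy
REQUIRED_SCANNERS = {"sast", "sca", "image"}     # assumed: static code, 3rd-party libraries, OS packages


def active_acceptances(acceptances: List[dict], today: date) -> Dict[str, dict]:
    """Risk acceptances that still count: they name an owner and have not expired."""
    active = {}
    for a in acceptances:
        if a.get("owner") and date.fromisoformat(a["expires"]) >= today:
            active[a["finding_id"]] = a
    return active


def gate(scan_output: Dict[str, list], acceptances: List[dict], today: date) -> Tuple[bool, List[str]]:
    """Return (deploy_allowed, reasons).

    scan_output maps scanner name -> list of findings, each {"id", "severity", "component"}.
    An acceptance is {"finding_id", "owner", "expires" (ISO date)}.
    """
    reasons: List[str] = []

    # 1. Fail closed: a required scanner that produced no result is not a clean scan.
    for scanner in sorted(REQUIRED_SCANNERS - set(scan_output)):
        reasons.append(f"scanner '{scanner}' produced no result")

    # 2. Only unexpired, owned acceptances can excuse a blocking finding.
    accepted = active_acceptances(acceptances, today)

    # 3. Every blocking-severity finding must be fixed or formally accepted.
    for scanner, findings in scan_output.items():
        for f in findings:
            if f["severity"] in BLOCKING_SEVERITIES and f["id"] not in accepted:
                reasons.append(
                    f"{scanner}: {f['severity']} {f['id']} in {f['component']} not remediated or accepted"
                )

    return (not reasons, reasons)


# Constructed sample scanner output and acceptance record, not real findings.
SCAN = {
    "sast":  [{"id": "SAST-112", "severity": "high",     "component": "src/auth/login.py"}],
    "sca":   [{"id": "SCA-77",   "severity": "critical", "component": "yaml-parser@1.2.0"}],
    "image": [{"id": "IMG-5",    "severity": "medium",   "component": "os:libexample"}],
}
ACCEPTANCES = [
    {"finding_id": "SCA-77", "owner": "product-portal", "expires": "2018-07-01"},
]

if __name__ == "__main__":
    allowed, why = gate(SCAN, ACCEPTANCES, date(2018, 6, 1))
    print("deploy allowed:", allowed)
    for line in why:
        print(" -", line)
```

With the sample data the deploy is blocked on the unaccepted SAST finding alone on 2018-06-01; two months later the acceptance for SCA-77 has lapsed and the critical library finding blocks as well, which is the point of putting an expiry on every accepted risk.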
39. PHASE 3: FUTURE STATE. Culture: Technical Trainings, CTFs, Events (Security Events)
    • Continue trainings and tech talks
    • Host internal CTFs to promote security testing
    • Increase developer involvement in penetration testing and validation testing
40. SECTION 06: Lessons Learned
41. LESSONS LEARNED
    Need to keep all four areas "in sync"
    • We jumped too far ahead in the Discovery lane too soon and had to play catch-up with Inventory and Management
    • Culture cannot lag behind. Buy-in and a cross-team culture allow quicker progress in the other areas
    Honest self-assessments of maturity
    • Having tools in place does not equal maturity
    • Culture drives maturity
    Avoid silo-ing Security
    • Openness and cross-team communication lead to buy-in
    • Don't just "chuck findings over the fence"
    Have clear definitions and ownership
    • Risk vs. Bug
    • Application vs. product vs. microservice
48. Copyright © 2018 by Uptake Technologies Inc. All rights reserved. No parts of this document may be distributed, reproduced, transmitted, or stored electronically without Uptake's prior written permission. This document contains Uptake's confidential and proprietary information. If a pre-existing contract containing disclosure and use restrictions exists between your company and Uptake, you and your company will use the information in this document subject to the terms of the pre-existing contract. If no such pre-existing contract exists, you and your company agree to protect the information in this document and agree not to reproduce or disclose the information in any way. Uptake makes no warranties, express or implied, in this document. Uptake shall not be liable for damages of any kind arising out of use of this document. Any discussion of potential features is not a promise of future functionality.
