Software developers are on the front lines of defense as part of the blue team. As developers work with and display user data, they must consider security as an important part of building quality and robust software. However, security is often seen as just another feature competing for developer time. To address this, developers can emulate practices of security specialists, implement secure development best practices like testing for permissions and encryption, and seek security training to help prioritize security as part of the development process.
Software developers as blue team
1. SOFTWARE DEVELOPERS AS
BLUE TEAM
OMAR QUIMBAYA
TECHNOLOGY EVANGELIST @ DEF-LOGIX
HTTP://WWW.DEF-LOGIX.COM
FOR CODEUP, AUGUST 4, 2016
2. INTRODUCTION
• Tech Evangelist at Def-Logix
• Founder and organizer of the CyberDEF Dojo
• Former instructor at Codeup
• Community and Events manager at Geekdom
• Director of Social Media and Marketing at ParLevel
• Geekdom member since March 2013
3. ABOUT THIS TALK
• Inspired by Aaron Poffenberger of Giant Grey
  • Spoke about this topic at SA BSides 2016 and Austin BSides 2016
  • https://github.com/akpoff
  • http://akpoff.com/
• What is Red Team and Blue Team?
• What are black, white, and grey hats?
• Developers as blue team
• What do I do about it?
4. RED TEAM
• Offense
• Emulate real-world adversaries
• What would the bad guys do with this?
• Goal is to break stuff
• Administrative, physical, and logical controls
BLUE TEAM
• Defense
• Design and implement secure infrastructure
• Let’s see the bad guys get through this!
• Goal is to protect assets
• Administrative, physical, and logical controls
PURPLE TEAM
• Communication layer between the two teams
5. THE HATS
• White Hat
  • Ethical hackers
• Black Hat
  • Malicious hackers
• Grey Hat
  • A little bit of column A, a little bit of column B…
7. WELCOME TO THE BLUE TEAM
• First line of defense
• Ask for, work with, transmit, and display data from users and organizations
• Convenience vs security
• Who watches the watchers?
  • Quality Assurance
  • Code review
  • Best practices
  • Technical Writers
8. LIMITATIONS
• Customer requirements
• Features vs time
• Ease of use vs capability (power)
• Developer capability vs time for research
• Where does security fit in?
9. SECURITY IS JUST ANOTHER FEATURE VYING FOR DEVELOPER TIME.
- Aaron Poffenberger, 2016
10. WHAT DOES THAT EVEN MEAN?
• Poffenberger states that security is not an essential part of the current software development process
• If there were no bad actors, security would not be necessary
• Quality and robustness are things developers must think about
• Security can be seen as a necessary component of quality and robustness
• No single technological definition of “secure”
  • Windows XP and Windows 10, as examples
• More security features do not mean that the software is more secure
11. CURRENT CHALLENGES
• Little to no risk assessment
• No threat modeling
• No security training
• No operating systems training
• Software development training? Yeah, that’s what you’re doing right now.
12. WHAT TO DO ABOUT THIS?
• Where are security developers? Emulate them.
  • Open Source
    • OpenBSD, HardenedBSD, SELinux, RedHat/CentOS
  • Web-centric businesses
    • Amazon, Facebook, Google, Paypal, Twitter, Microsoft, Cisco, Oracle
• Quality Assurance
  • Testing usually done in isolation
  • Ensure correct database permissions
  • Ensure secure communication
• Quality Assurance (cont.)
  • Utilize HTTPS
  • Application user roles and permissions
  • Input validation
  • Catastrophic failure testing
    • Find the conditions
  • Encryption
  • Logging
• Get communication going between infrastructure engineers and software developers
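As an added illustration of the Quality Assurance items above (this is example code written for this page, not code from the talk or from Def-Logix): a small Python authorization layer written so that application roles and permissions, input validation, logging, and the catastrophic-failure condition (the role store becoming unreachable) can each be exercised by a test. The role table, usernames, the `PermissionStore` class and the `is_allowed` function are all constructed for this example; the point it makes is that every error path denies access and leaves an audit line rather than failing open.

```python
"""Testable, fail-closed authorization check (constructed example)."""
import logging
import re
from dataclasses import dataclass
from typing import Dict, Optional

log = logging.getLogger("blueteam.authz")

# Constructed role table: which roles may perform which actions.
ROLE_PERMISSIONS = {
    "admin": {"read", "write", "delete"},
    "editor": {"read", "write"},
    "viewer": {"read"},
}

# Input validation by allow-list: lowercase letter, then 2-31 of [a-z0-9_].
# Allow-listing what is acceptable is safer than trying to block "bad" characters.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


class PermissionStoreUnavailable(Exception):
    """Raised when the backing store (database, directory service) cannot be reached."""


@dataclass
class PermissionStore:
    """Constructed stand-in for a database lookup of a user's role.
    ``available`` lets a test simulate the outage condition."""
    users: Dict[str, str]
    available: bool = True

    def role_of(self, username: str) -> Optional[str]:
        if not self.available:
            raise PermissionStoreUnavailable("role store unreachable")
        return self.users.get(username)


def validate_username(username: str) -> str:
    """Reject anything outside the allow-list pattern; return the accepted value."""
    if not isinstance(username, str) or not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    return username


def is_allowed(store: PermissionStore, username: str, action: str) -> bool:
    """Return True only if the user's role explicitly grants the action.

    Malformed input, an unknown user or role, and a store outage all result in
    'deny' plus a log line, so a failing dependency never silently grants access."""
    try:
        user = validate_username(username)
        role = store.role_of(user)
        allowed = action in ROLE_PERMISSIONS.get(role, set())
    except ValueError:
        log.warning("authz deny: malformed username %r", username)
        return False
    except PermissionStoreUnavailable as exc:
        log.error("authz deny: %s (user=%r action=%r)", exc, username, action)
        return False
    log.info("authz %s: user=%s role=%s action=%s",
             "allow" if allowed else "deny", user, role, action)
    return allowed


def run_checks() -> Dict[str, bool]:
    """Worked scenarios: the happy path plus each failure condition a test should cover."""
    store = PermissionStore(users={"alice": "admin", "bob": "viewer"})
    results = {
        "admin_delete": is_allowed(store, "alice", "delete"),   # role grants it
        "viewer_delete": is_allowed(store, "bob", "delete"),    # role lacks it
        "unknown_user": is_allowed(store, "carol", "read"),     # no role on record
        "bad_input": is_allowed(store, "Bob Smith", "read"),    # fails validation
    }
    store.available = False                                     # simulate the outage
    results["store_down"] = is_allowed(store, "alice", "read")  # must still deny
    return results


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for name, ok in run_checks().items():
        print(f"{name:14s} -> {'allow' if ok else 'deny'}")
```

Running the module prints one allow (the admin delete) and four denies, with a log line explaining each decision; the `store_down` case is the "find the conditions" item from the slide, and is the one most often missed when permission checks are only tested against a healthy database.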
13. WHERE DO I LEARN MORE?
• Understand
  • CIA: confidentiality, integrity, and availability
  • Security as a process
  • Your OS and its services
  • Secure coding principles (OWASP)
• Links
  • https://www.sans.org/critical-security-controls/
  • https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet
  • http://cwe.mitre.org/top25/
  • https://www.exploit-db.com/