SOFTWARE DEVELOPERS AS
BLUE TEAM
OMAR QUIMBAYA
TECHNOLOGY EVANGELIST @ DEF-LOGIX
HTTP://WWW.DEF-LOGIX.COM
FOR CODEUP, AUGUST 4, 2016
INTRODUCTION
• Tech Evangelist at Def-Logix
• Founder and organizer of the CyberDEF Dojo
• Former instructor at Codeup
• Community and Events manager at Geekdom
• Director of Social Media and Marketing at ParLevel
• Geekdom member since March 2013
ABOUT THIS TALK
• Inspired by Aaron Poffenberger of Giant Grey
• Spoke about this topic at SA BSides 2016 and Austin BSides 2016
• https://github.com/akpoff
• http://akpoff.com/
• What is Red Team and Blue Team?
• What are black, white, and grey hats?
• Developers as blue team
• What do I do about it?
RED TEAM
• Offense
• Emulate real-world adversaries
• What would the bad guys do with this?
• Goal is to break stuff
• Administrative, physical, and logical controls
BLUE TEAM
• Defense
• Design and implement secure infrastructure
• Let’s see the bad guys get through this!
• Goal is to protect assets
• Administrative, physical, and logical controls
PURPLE TEAM
• Communication layer between the two teams
THE HATS
• White Hat
• Ethical hackers
• Black Hat
• Malicious hackers
• Grey Hat
• A little bit of column A, a little bit of column B…
YOU ARE SOFTWARE DEVELOPERS
BUT WHO ARE YOU REALLY?
WELCOME TO THE BLUE TEAM
• First line of defense
• Ask for, work with, transmit, and display data from users and organizations
• Convenience vs security
• Who watches the watchers?
• Quality Assurance
• Code review
• Best practices
• Technical Writers
LIMITATIONS
• Customer requirements
• Features vs time
• Ease of use vs capability (power)
• Developer capability vs time for research
• Where does security fit in?
SECURITY IS JUST ANOTHER
FEATURE VYING FOR
DEVELOPER TIME.
- Aaron Poffenberger, 2016
WHAT DOES THAT EVEN MEAN?
• Poffenberger states that security is not an essential part of the current software development process
• If there were no bad actors, security would not be necessary
• Quality and robustness are things developers must think about
• Security can be seen as a necessary component of quality and robustness
• No single technological definition of “secure”
• Windows XP and Windows 10, as examples
• More security features do not mean that the software is more secure
CURRENT CHALLENGES
• Little to no risk assessment
• No threat modeling
• No security training
• No operating systems training
• Software development training? Yeah, that’s what you’re doing right now.
WHAT TO DO ABOUT THIS?
• Where are security developers? Emulate them.
• Open Source
• OpenBSD, HardenedBSD, SELinux, RedHat/CentOS
• Web-centric businesses
• Amazon, Facebook, Google, Paypal, Twitter, Microsoft, Cisco, Oracle
• Quality Assurance
• Testing usually done in isolation
• Ensure correct database permissions
• Ensure secure communication
• Quality Assurance (cont.)
• Utilize HTTPS
• Application user roles and permissions
• Input validation
• Catastrophic failure testing
• Find the conditions
• Encryption
• Logging
• Get communication going between infrastructure engineers and software developers
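The Quality Assurance items on this slide (user roles and permissions, input validation, catastrophic failure testing, logging) as one runnable check suite. This is an added example, not code from the talk or from Def-Logix; the role table, the username rule, the `FakeDB` store and the `DatabaseDown` condition are all constructed for illustration.

```python
import logging
import re

log = logging.getLogger("blueteam_qa")
logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")

# Hypothetical role table: deny by default, a role only gains the actions listed here.
ROLE_PERMISSIONS = {
    "viewer": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "delete"},
}

# Allow-list rule for usernames: short, lowercase identifier, nothing else.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def validate_username(value):
    """Input validation: accept only what the allow-list describes, log the rest."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        log.warning("rejected username %r", value)
        return False
    return True


def authorize(role, action):
    """Application roles and permissions: deny unless the role explicitly grants
    the action; an unknown role gets nothing."""
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    if not allowed:
        log.warning("denied role=%s action=%s", role, action)
    return allowed


class DatabaseDown(Exception):
    """Constructed failure condition standing in for a lost database connection."""


class FakeDB:
    """Constructed in-memory store; healthy=False makes every call raise."""

    def __init__(self, rows, healthy=True):
        self.rows = rows
        self.healthy = healthy

    def get(self, key):
        if not self.healthy:
            raise DatabaseDown("connection refused")
        return self.rows.get(key)


def read_record(db, username, role, key):
    """Service entry point: validate, authorize, then fetch. Every failure path
    returns (False, None) so the caller never gets data it was not cleared for."""
    if not validate_username(username):
        return (False, None)
    if not authorize(role, "read"):
        return (False, None)
    try:
        return (True, db.get(key))
    except DatabaseDown as exc:
        # Catastrophic failure test target: fail closed. A backend outage is logged
        # and surfaces as a denial, not as an empty success or a raw traceback.
        log.error("backend failure for user=%s key=%s: %s", username, key, exc)
        return (False, None)


def run_checks():
    """The slide's QA items exercised on constructed input; returns each outcome."""
    db = FakeDB({"r1": "payroll"})
    return {
        "valid_user_reads": read_record(db, "alice", "viewer", "r1"),
        "bad_username": read_record(db, "alice; DROP TABLE users", "viewer", "r1"),
        "unknown_role": read_record(db, "alice", "guest", "r1"),
        "viewer_cannot_delete": authorize("viewer", "delete"),
        "db_down_fails_closed": read_record(
            FakeDB({"r1": "payroll"}, healthy=False), "alice", "viewer", "r1"
        ),
    }


if __name__ == "__main__":
    for name, outcome in run_checks().items():
        print(f"{name}: {outcome}")
```

The point of the last check is the one the slide calls "find the conditions": the test deliberately takes the database away and confirms the service denies rather than degrades into an open or half-answered state.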
WHERE DO I LEARN MORE?
• Understand
• CIA: confidentiality, integrity, and availability
• Security as a process
• Your OS and its services
• Secure coding principles (OWASP)
• Links
• https://www.sans.org/critical-security-controls/
• https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet
• http://cwe.mitre.org/top25/
• https://www.exploit-db.com/
Omar Quimbaya
Technology Evangelist at Def-Logix
oquimbaya@def-logix.com
http://www.def-logix.com
Twitter: @writtenbyapanda
CyberDEF Dojo: https://www.meetup.com/cyberdefdojo
