2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
make secure: Securing the
development supply chain
Wes Widner, Engineering Manager CrowdStrike
Setting the scene
“when I was looking at the nightly build releases, it looks like Libra was built on nightly builds of the Rust programming language. It’s a little interesting because that's not how we usually did releases in the DoD.”
Rep. Denver Riggleman (R-VA) questioning David Marcus from Facebook about the software dependencies in Libra
Developing a security mindset
▪ Developers often have an incredible degree of access to critical systems
▪ This naturally makes them targets
▪ This also makes them insider threats
▪ Appropriate paranoia, not unfathomable paranoia
▪ This means we need to scale our distress by the probability and severity of the risk
▪ This helps us scope our efforts and make meaningful progress in improving our security posture
“Having a well-done, nation-state-level
hardware implant surface would be like
witnessing a unicorn jumping over a
rainbow”
Owning the problem
Isn’t this AppSec’s job?
▪ A good organization will have a dedicated application security team
▪ That doesn't absolve developers of being good citizens instead of terrorists
▪ Castle security is dead, stop expecting someone else to defend your fort
▪ Real layered security depends on every engineer doing their part to secure their organization
McClure claims that the first step in the Sony hack was a targeted spear-phishing attack that went after a number of system administrators at Sony.
Control the battlefield
Choose your libraries wisely
▪ This involves asking several questions:
  ▪ Is this library absolutely necessary?
  ▪ Has another team already chosen a similar library?
  ▪ How healthy is this library?
  ▪ Are you willing to care for and feed it?
  ▪ How could it break?
  ▪ What would it impact?
  ▪ How would I know?
▪ Proactively vendor everything
▪ Don’t automatically pull from external sources
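The last two bullets are enforceable rather than aspirational: a lockfile gate in CI can refuse any dependency that is not pinned to an exact version with a hash, or that points outside the vetted package index. The script below is an added example, not tooling from the talk or from CrowdStrike. It assumes pip's requirements format (`pkg==ver --hash=sha256:...`, which pip verifies at install time with `--require-hashes`); the sample lockfile and its digests are constructed placeholders.

```python
"""Gate a pip requirements file against the rules on this slide:
exact pins, a hash per package, nothing pulled from outside the vetted
index.  Added example; not tooling from the talk or CrowdStrike.
Assumes pip's requirements format (``pkg==ver --hash=sha256:...``),
which pip enforces at install time with ``--require-hashes``.
"""
import re
from dataclasses import dataclass

HASH_RE = re.compile(r"--hash=(sha256|sha384|sha512):([0-9a-fA-F]+)")
HASH_LEN = {"sha256": 64, "sha384": 96, "sha512": 128}   # hex digits
PIN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?==[^\s;]+")
# Anything that resolves outside the vetted index or the lockfile itself.
EXTERNAL_PREFIXES = ("git+", "hg+", "svn+", "bzr+", "http://", "https://",
                     "file:", "-e ", "--editable")
INDEX_OPTIONS = ("-i ", "--index-url", "--extra-index-url", "-f ", "--find-links")


@dataclass
class Finding:
    line_no: int
    text: str
    reason: str


def check_requirements(text: str) -> list[Finding]:
    """Return one Finding per requirement line that breaks a rule."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        # pip treats '#' as a comment only at line start or after whitespace,
        # so a '#egg=' fragment inside a URL survives this strip.
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        if line.startswith(INDEX_OPTIONS):
            findings.append(Finding(line_no, raw,
                "index override: packages must come from the vetted index"))
        elif line.startswith(EXTERNAL_PREFIXES) or " @ " in line:
            findings.append(Finding(line_no, raw,
                "external source (VCS, URL or editable) instead of a pinned release"))
        elif not PIN_RE.match(line):
            findings.append(Finding(line_no, raw,
                "not pinned to an exact version with =="))
        else:
            hashes = HASH_RE.findall(line)
            if not hashes:
                findings.append(Finding(line_no, raw,
                    "pinned but has no --hash, so pip --require-hashes cannot verify it"))
            elif any(len(digest) != HASH_LEN[alg] for alg, digest in hashes):
                findings.append(Finding(line_no, raw, "malformed hash digest"))
    return findings


def is_clean(text: str) -> bool:
    return not check_requirements(text)


# Constructed sample lockfile; the digest is a placeholder, not a real hash.
SAMPLE_REQUIREMENTS = """\
# constructed sample, digests are placeholders
requests==2.31.0 --hash=sha256:{zeros}
urllib3>=1.26
flask==3.0.0
git+https://github.com/example/somelib.git@main#egg=somelib
-e ./localpkg
--extra-index-url https://pypi.example.invalid/simple
somelib @ https://example.invalid/somelib-1.0.tar.gz
""".format(zeros="0" * 64)

if __name__ == "__main__":
    for f in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {f.line_no}: {f.reason}\n    {f.text}")
```

Run against the real lockfile in CI and fail the build on any finding; the point of the hash check is that a later `pip install --require-hashes -r requirements.txt` will refuse an artifact whose digest changed on the index, which is what "vendor everything" buys you without copying the tarballs into the repo.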
Choose your libraries carefully
Beware of entangling alliances
Keep your friends close
▪ Third-party apps make our lives easier. We should recognize that ease comes with a cost
▪ Each new integration comes with added systemic risk
▪ Be mindful of what you’re purchasing with that added risk
▪ Be proactive in securing these integrations
Everything you own has a claim on you.
What you own requires care and feeding. Otherwise, it becomes a liability.
Set a good example
Be the change you wish to see
▪ As engineers, we can and should set the example for others to follow
▪ Use password managers, secure enclaves, 2FA, etc.
▪ Don’t hardcode credentials into scripts and certainly don’t check those into source control
▪ Embrace security controls, don’t fight them
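The "don't check credentials in" rule is the kind of control that should be a hook rather than a memory. The scanner below is an added example, not tooling from the talk: it walks a unified diff (the shape `git diff --cached` produces), looks only at lines the commit would add, and reports literal credentials while letting references such as `${VAR}` or `$(cmd)` through. The diff, the key id shape and the `get-secret` command in it are constructed for the example; the pattern set is deliberately small and is an assumption, not a complete catalogue.

```python
"""Scan the lines a commit would add for literal credentials.  Added
example, not tooling from the talk.  Assumes unified-diff input such as
``git diff --cached`` produces; PATTERNS is a small constructed set.
"""
import re
import sys
from dataclasses import dataclass

# The assignment pattern captures the quoted value so that references like
# "${VAR}" or "$(cmd)" can be told apart from literal secrets.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED |)PRIVATE KEY-----"),
    "assigned_secret": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\w*\s*[=:]\s*"
        r"['\"]([^'\"]{8,})['\"]"),
}
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass
class Finding:
    path: str
    line_no: int      # line number in the file as it will be after the commit
    kind: str
    snippet: str


def match_line(content: str) -> list[str]:
    """Return the kinds of credential found in one added line."""
    kinds = []
    for kind, pattern in PATTERNS.items():
        m = pattern.search(content)
        if m is None:
            continue
        # A value that is itself an expansion is indirection, not a literal.
        if kind == "assigned_secret" and m.group(1).startswith("$"):
            continue
        kinds.append(kind)
    return kinds


def scan_diff(diff_text: str) -> list[Finding]:
    findings = []
    path, new_line = "<unknown>", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].split("\t")[0]
            path = path[2:] if path.startswith("b/") else path
            continue
        hunk = HUNK_RE.match(raw)
        if hunk:
            new_line = int(hunk.group(1))
            continue
        if raw.startswith(("diff ", "index ", "--- ", "new file",
                           "deleted file", "\\ No newline")):
            continue
        if raw.startswith("-"):
            continue                # removed lines never land in the repo
        if raw.startswith("+"):
            content = raw[1:]
            for kind in match_line(content):
                findings.append(Finding(path, new_line, kind, content.strip()))
        new_line += 1               # context and added lines both advance
    return findings


# Constructed sample diff.  FAKE_AKID only has the shape of a key id, and
# get-secret stands in for a hypothetical secret-manager CLI.
FAKE_AKID = "AKIA" + "A" * 16
SAMPLE_DIFF = f"""\
diff --git a/deploy.sh b/deploy.sh
--- a/deploy.sh
+++ b/deploy.sh
@@ -1,3 +1,5 @@
 #!/bin/sh
-DB_PASSWORD="$(get-secret db/password)"
+DB_PASSWORD="hunter2hunter2"
+AWS_ACCESS_KEY_ID={FAKE_AKID}
+export AWS_SECRET_ACCESS_KEY="${{AWS_SECRET_ACCESS_KEY:?set in CI}}"
 ./migrate --db-password "$DB_PASSWORD"
diff --git a/config/id_rsa b/config/id_rsa
new file mode 100644
--- /dev/null
+++ b/config/id_rsa
@@ -0,0 +1,3 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+placeholder-not-key-material
+-----END OPENSSH PRIVATE KEY-----
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    hits = scan_diff(text)
    for f in hits:
        print(f"{f.path}:{f.line_no}: {f.kind}: {f.snippet}")
    sys.exit(1 if hits else 0)
```

Wired in as a pre-commit hook (`git diff --cached | python scan_secrets.py`) it blocks the commit on the two literal values and the key file, and stays quiet on the line that reads the secret from the environment, which is the shape the slide asks for.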
Don’t take shortcuts!
Loose lips sink ships!
Use your influence wisely
▪ We should use our influence over the systems we engineer to make doing the right (e.g. secure) thing easy
▪ Be the one in the meeting who asks the hard questions about security
Recognize the attack surface
▪ It’s broader than you think
▪ Don’t accept lame answers like “this will never be made public”
▪ This has been the primary source of a number of high-profile breaches
▪ This implicitly assumes a castle mindset
▪ Assume your environment is already breached and design accordingly
▪ Don’t wait for an incident to come up with contingency plans
Be a security bar-raiser
▪ Stand up for ProdSec when they try to level up your security posture
▪ Come up with fun ways to enable and encourage everyone to be more secure
▪ Every little bit you do raises the cost to an attacker
Thanks for coming!
Contact me at:
▪ Twitter - @kai5263499
▪ Email - wes.widner@crowdstrike.com
PS We’re hiring engineers!
Talk to us at booth #50 in the hallway outside

"make secure" securing the development supply chain All Things Open 2019