
Work with Developers for Fun and Progress - AppSec California

402 views

Published on

Leif Dreizler's presentation at AppSec California 2019

Published in: Internet

  1. Working with Developers for Fun and Progress
  2. About Me ● Red Team at Redspin ● SB OWASP + AppSec California + Bay Area OWASP ● Green Team at Bugcrowd ● Blue Team at Segment
  3. The Slides are Online, I’m Online ● https://www.slideshare.net/leifdreizler/ TODO ● @leifdreizler TODO
  4. Influential Presentations ● Twubhubbook: Like an AppSec Program, but for Startups - Neil Matatall/Brent Johnson (GitHub) ● We Come Bearing Gifts: Enabling Product Security with Culture and Cloud - Astha Singhal/Patrick Thomas (Netflix) ● Starting an AppSec Program: An Honest Retrospective - John Melton (NetSuite) ● Pushing Left, Like a Boss - Tanya Janca (Microsoft) #1 - https://youtu.be/JEE7wXHa1kY #2 - https://youtu.be/L1WaMzN4dhY #3 - https://youtu.be/ETkHISgEh3g #4 - https://youtu.be/8kqtrX6C10c
  5. Favorite Quotes ● Enable, Don’t Block - “Effective Security teams should measure themselves by what they enable, not by what they block” - Rich Smith ● Security Has to Start with Quality - “Vulnerabilities are bugs. The more bugs in your code, the more vulnerabilities” Source: https://reqtest.com/general/a-bug-goes-skateboarding-on-boehms-curve/
  6. Favorite Quotes ● Enable, Don’t Block - “Effective Security teams should measure themselves by what they enable, not by what they block” - Rich Smith ● Security Has to Start with Quality - “Vulnerabilities are bugs. The more bugs in your code, the more vulnerabilities” ● Choose People over Tools - “Learn to lean on your tools. But depend on your people to keep you out of trouble” “Make it easy for engineers to write secure code and you’ll get secure code.”
  7. Outline 1. Building a Team and Program 2. Training 3. Successful Vendor Implementation 4. Engineering Embed Program @leifdreizler
  8. Building a Team - Organizational Buy In ● Whole company needs to care about security ● $ecurity Headcount ● Engineering time Jonathan Marcil - Threat Modeling Toolkit (https://youtu.be/KGy_KCRUGd4)
  9. Building a Team ● Host/speak/volunteer/sponsor meetups/conferences
  10. Building a Team ● Host/speak/volunteer/sponsor meetups/conferences ● OSS Contributions Coleen Coolidge - How to Build a Security Team and Program (https://youtu.be/b0r5vc_eCoU)
  11. Shift Left Tanya Janca, @shehackspurple Source: https://code.likeagirl.io/pushing-left-like-a-boss-part-1-80f1f007da95
  12. Training ● Part 1 - Think Like an Attacker ● Part 2 - Secure Code Review Source: Security Solutions for Hyperconnectivity and the Internet of Things
  13. Reviews Training - Think Like an Attacker Training - Secure Code Review
  14. Think Like an Attacker - Creating Relevant Content ● Bug bounty submissions ● Pentests ● Internal findings Training - Think Like an Attacker
  15. OWASP Juice Shop Source: https://www.owasp.org/index.php/OWASP_Juice_Shop_Project Training - Think Like an Attacker
  16. Hands-On Training Schedule 1. Vuln category 1 (Slides + Examples) 2. Vuln category 2 3. Interactive Training (Burp Suite + Juice Shop) Repeat! Source: https://www.dreamstime.com/royalty-free-stock-photography-computer-hacker-hands-image8278907 https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/ Training - Think Like an Attacker
  17. Hands-on Training Training - Think Like an Attacker
  18. Security 1337erboard
  19. Secure Code Review ● XSS ● Broken Access Control ● Secrets management ● Error handling ● SSRF + DNS Rebinding ● …and more! Influenced by OWASP Secure Coding Cheat Sheet Source: Your Personal Password Vault: A Password Journal and Logbook Training - Secure Code Review
  20. Absolute AppSec #42 https://github.com/segmentio/netsec https://github.com/segmentio/netc
  21. Leif’s Hawaiian Shirt Store I’ve paid David to build a new Hawaiian shirt store with React. Is there anything wrong with it? server.js App.js Training - Secure Code Review
  22. Leif’s Hawaiian Shirt Store Training - Secure Code Review
  23. App.js Training - Secure Code Review
  24. server.js Training - Secure Code Review
  25. AppSec Training ● Meet new eng hires ● Common vuln types ● “Security Judgment” ● Think about PRs in new ways ● Have fun! Training - Secure Code Review
  26. Training - Secure Code Review Training - Think Like an Attacker
  27. Vendor Adoption Partner with Engineering during the evaluation process Source: https://www.itbusinessedge.com/slideshows/nine-questions-to-ask-when-selecting-a-security-vendor.html
  28. Example - Snyk ● Security eval - tested on various repos ● Partnered with App team ● Presented at Eng all hands ● Security submitted PRs to core repos ● Wrote Integration with Directory Snyk is a tool to help companies manage vulnerabilities in their dependencies. Vendor Adoption
  29. Directory Integration Vendor Adoption
  30. Vendor Adoption
  31. Bug Bounty Pay for anything that gives value Source: https://www.ixxiyourworld.com/en/products/ixxi-images/boba-fett-film-poster/ https://bugcrowd.com/segment?preview=7d6237547ee4ad71a249877be1858ffe
  32. Bug Report → Jira ● Description ● Easy to follow repro steps ● Severity ● Remediation Criteria ● Suggested Remediation Source: https://articles.microservices.com/an-alternative-way-of-visualizing-microservice-architecture-837cbee575c1
  33. Security ➡ Engineering Embed Program - Follow the Normal Process ● Software design docs ● Get appropriate buy-in ● Work with Design ● Write good test cases ● Follow deployment procedures Engineering Embed
  34. Full Stack (Security) Engineering - Walk a mile in the developer’s code ● Meet developers, designers, product managers ● Deeper understanding of engineer process ● Learn more about the code base you’re protecting ● Diversify your skillset Engineering Embed
  35. Engineering Embed
  36. Password Strength Meter 0 1 2 3 4 5 Analytics PM Full-stack Design Marketing Copy Engineering Embed
  37. Password Strength Meter Engineering Embed
  38. Engineering Embed
  39. Security ➡ Engineering Embed Program ● Great way to meet people ● Shows you can build useful features/tools ● Sec learns eng process/tooling/constraints ● Bring back knowledge to the security team Engineering Embed
  40. Security ➡ Engineering Embed Program ● Great way to meet people ● Shows you can build useful features/tools ● Sec learns eng process/tooling/constraints ● Bring back knowledge to the security team Engineering Embed
  41. Developer Friendly SAST #33 Salus https://youtu.be/TGBTrshyE9Y
  42. In Case of Emergency ● Compliance requirements (GDPR, ISO27001, etc.) ● Recent Pentests (shown to customers) ● Customer security questionnaires ● My peers at companies x, y, and z do thing
  43. Key Takeaways • Get Involved! • Build Your Dream Team
  44. Key Takeaways • Get Involved! • Build Your Dream Team • Vulnerabilities are Just Bugs • Security is Everyone’s Job • “Security Judgment” • Successfully Partner Cross-functionally • Reduce Operational Work • Save your No’s @leifdreizler
  45. Key Takeaways • Get Involved! • Build Your Dream Team (this includes developers!) • Vulnerabilities are Just Bugs • Security is Everyone’s Job • “Security Judgment” • Successfully Partner Cross-functionally • Reduce Operational Work • Save your No’s @leifdreizler
  46. Closing Thoughts
  47. TODO @leifdreizler
