SlideShare a Scribd company logo

Building an AppSec Program From the Ground Up: An Honest Retrospective

Download as PPTX, PDF
J
jtmelton

An honest retrospective of the last ~2 years building an appsec program from scratch: the good, the bad, and the ugly ... With an eye towards immediate applicability of lessons learned ... And wrapping up with my observations and beliefs about what I would do if I had it to do all over again

Technology
1 of 100
Building an AppSec Program From the Ground Up: An Honest Retrospective John Melton @_jtmelton
slides @_jtmelton
whoami - Past: Dev/Security engineering in defense, finance, technology companies - Current: Leading AppSec at technology company (Oracle NetSuite) - Side: OWASP*, AppSensor, Manna - Opinions are my own, not my employers @_jtmelton
mumble, mumble, mumble … Jim is great Neil is great, Jer is great, Ron is great Thanks to all the organizers and sponsors @_jtmelton
Agenda: An honest retrospective of the last ~2 years building an appsec program from scratch: the good, the bad, and the ugly ...
With an eye towards immediate applicability of lessons learned ...
And wrapping up with my observations and beliefs about what I would do if I had it to do all over again
@_jtmelton
@_jtmelton
@_jtmelton
Gather round y’all, it’s ... @_jtmelton story time
@_jtmelton
Context Matters @_jtmelton
Context Environment 15yr old (acquired) startup Very smart engineers No “security” people CI/CD µServices / DevOps Very culture-protective ~350 people Management 20yr old (acquirer) startup Very smart engineers Full security team Monolith, traditional ops Broad, varied culture ~5,500 people Me The new guy meh “The” security team I’ve done both Need to get stuff done 1 person @_jtmelton
Tasks ToDo List (Aiming for 2yr timeline) ● Learn environment ● Embed into team / culture ● Translate ● Secure everything ● Prep for compliance ● Share / leverage successes upstream Resources ● Tooling ● Training material ● “Policies” @_jtmelton
Day 0
@_jtmelton
Day 1
@_jtmelton
● Be humble @_jtmelton Lessons Learned
Week 1
@_jtmelton
@_jtmelton
@_jtmelton
@_jtmelton
@_jtmelton
@_jtmelton
@_jtmelton
@_jtmelton
@_jtmelton
@_jtmelton
The First Weekend
@_jtmelton
● The business is still running ● They wouldn’t be paying you if all the work was already done ● Take a breath @_jtmelton Lessons Learned
Q1
Proposed deliverables Introductions ● Get to know people ● Get to know tech/processes Update Training ● I’ve written training before ● We have a pretty good base to start from Dependency Analysis ● DependencyCheck is awesome ● I’ve written training before ● We have a pretty good base to start from @_jtmelton
Results Introductions (100%) ● People are great ● Tech is great, Processes are good / maturing Update Training (30%) ● Updated team HR training ● Made a dent in tech training Dependency Analysis ● DependencyCheck is awesome ● I’ve written training before ● We have a pretty good base to start from @_jtmelton
● Find key stakeholders ● Learn existing processes ● Learn the environment / tools @_jtmelton Lessons Learned
Q2
Proposed deliverables Static Analysis ● We already have a tool ● I built one - setting one up should be easy! Dynamic Analysis ● ZAP is awesome ● It’s just a script right? Dependency Analysis ● DependencyCheck is awesome ● Need to get a handle on these 3rd party libs Update Training ● I’ve written training before ● We have a pretty good base to start from @_jtmelton
Results Static Analysis (80%) ● A factory is hard work (especially on * apps) ● Oh yeah, we should vet and explain results Dynamic Analysis (0%) ● ZAP is still awesome ● No time Dependency Analysis (100%) ● DependencyCheck is still awesome ● There’s a lot of low-hanging fruit here Update Training (-10%) ● Way more stakeholders than I thought ● More work to do than initially planned @_jtmelton
● Start to formulate questions you want to answer (metrics) (fail) ● Start an application inventory (hard fail!) ● Tools _may_ not be the right place to start (fail) ● CI/CD is security’s friend ● Get a handle on 3rd party libraries - it’s low hanging (often rotten) fruit @_jtmelton Lessons Learned
Q3
Proposed deliverables Credential Storage ● Need to clean this up ● Like Vault as a base Dynamic Analysis ● Work with QA / Selenium ● Need help from project leader Champions ● Extend relationship with interested folks ● Offer extra training and security info Update SDLC ● The existing SDLC is restrictive ● Need to separate policy from standard @_jtmelton
Results Credential Storage (100%) ● Good planning, coordination ● Vault operationally works in our env Dynamic Analysis (100%) ● ZAP/Selenium/QA automation are powerful ● Project leaders want to help you succeed Champions (50%) ● People are interested in security ● No formal program, small sharing network Update SDLC (20%) ● This is complex, and needs high-level approval ● SDLC touches everything @_jtmelton
● Pick operationally compatible tools for your env (work with eng team for input) ● Leverage open source where possible (also contribute back code, docs, stories, etc.) ● Reach out to people on github, twitter, phone, etc. - they will actually help (fail, see BSIMM) ● Share security knowledge freely (fail) ● Policies matter * @_jtmelton Lessons Learned
Q4
Proposed deliverables Metrics ● Need to measure progress on desired goals ● Should be easy to collect and drive change Threat Modeling ● We should fix arch/design issues too ● Aiming to start simply Track Attack Surface ● Lots of micro-services ● How are they changing? Update SDLC ● Work is now scoped ● Know stakeholders for approval @_jtmelton
Results Metrics (20%) ● There are lots of bad metrics ● Lots of stakeholders with significant input Threat Modeling (100%) ● Starting small was key ● A picture and a list of threats Track Attack Surface (75%) ● Surprisingly simple to support ● Really helpful over time and good signal Update SDLC (100%) ● This was a lot of work ● A solid, clear policy is really helpful @_jtmelton
● Measuring what you are doing is critical. Communicating that information well is a challenge. ● Security talks about the “what’s wrong” all the time, but rarely about proactive controls (fail) ● People like threat modeling (be the attacker) ● Threat modeling gives developers power to communicate and address what keeps them up at night (fail)@_jtmelton Lessons Learned
@_jtmelton
Progress Report ToDo List ● Learn environment - Done ● Embed into team / culture - Done, solid champions core team ● Translate - Mostly done ● Secure everything - Basics are in place, still plenty of room for improvement ● Prep for compliance - A little bit done ● Share / leverage successes upstream - Very little upstreamed @_jtmelton
@_jtmelton
Q5 (Acquired)
Proposed deliverables App Deployment Tool ● Needs a refresh ● Let’s upgrade security at the same time Containers ● Chance to affect greenfield deployment ● Aim for reasonable default security bump Runtime Intelligence ● Get runtime feedback about security ● Empower / delegate developers to monitor Operational Tasks ● Integrate with other teams ● Produce / consume useful data @_jtmelton
Results App Deployment Tool (90%) ● Awesome tooling people are awesome ● Platform defaults matter Containers (75%) ● Set strong, safe defaults for great bump ● Security features not always well-tested Runtime Intelligence (10%) ● Introduced the idea and tools ● Needs a “light bulb” moment Operational Tasks (100%) ● This data is really valuable ● We don’t think about this enough @_jtmelton
● Vault useful in many contexts, operational ability is important* ● Reminder: availability is part of CIA triad - it is a security issue ● We need more runtime intel in our applications (fail) ● AppSec <--> OpSec is an area ripe for exploration and exploitation (fail) ● Went to BSIMM (world changing moment) (fail) @_jtmelton Lessons Learned
@_jtmelton * http://blog.bronto.com/engineering/tooling-microservices-for-scale-and- access/ http://blog.bronto.com/engineering/microservices-deployment-security- flexibility/
Q6
Proposed deliverables Core Security Libraries ● Stop squashing individual bugs ● Need consistent mechanisms for devs Source Code Attestation ● Verify steps from commit -> ops ● Auditability Training Refresh ● Function-specific training ● Continue simplification CI Upgrade ● Tooling upgrade & apis ● Versioned CI configuration @_jtmelton
Results Core Security Library (50%) ● Built/extended core systems ● Partial custom rules to match Src Code Attestation (100%) ● Requires integration work ● Audit log is powerful Training Refresh (25%) ● Customization benefits from modularity CI Upgrade (75%) ● Config versioning is powerful ● Declarative CI is powerful @_jtmelton
● ** Killing bug classes is the useful engineering work (Fail) ● (git/web) Hooks are great integration points (Fail) @_jtmelton Lessons Learned
Q7
Proposed deliverables Tool Additions ● Need broader coverage ● Tool vendors always behind Immutable Infra ● Joint effort with eng ● Increase stability & security Compliance ● Has to happen ● Supports business Fast/Slow Checks ● Faster feedback on high confidence issues ● Block certain classes of issues @_jtmelton
Results Tool Additions (100%) ● Lots of tools available these days ● Single purpose tools are nice Immutable Infra (80%) ● Big eng win ● Big security win Compliance (100%) ● Sanity check ● Low bar Fast/Slow Checks (100%) ● Further left ● Lots of low-hanging fruit here @_jtmelton
● Completely fixing and forever preventing an issue (even a small one) is a win - combine these to get momentum ● Create minimum assertions and raise the bar ● Config mgmt / Infra mgmt are powerful ● The faster devs see the issue relative to coding it, the faster (and better!) the fix (Fail) @_jtmelton Lessons Learned
Q8
Proposed deliverables Refresh SDLC ● Maturity step ● Chance to move left / increase visibility App Portfolio ● Do a better job collecting metadata / metrics ● Single, consistent view Compliance ● More, more, more Fast/Slow Checks ● Faster feedback on high confidence issues ● Block certain classes of issues @_jtmelton
Proposed deliverables Refresh SDLC (100%) ● Tailor to different stakeholders ● Talk about privacy alongside security App Portfolio (20%) ● Complex area ● Missing tool support Compliance (100%) ● More, more, more Fast/Slow Checks ● Faster feedback on high confidence issues ● Block certain classes of issues @_jtmelton
● Privacy is something everybody cares about (Fail) ● App Portfolio is ripe for a solution, many people are struggling in that area ● Hard to secure what you don’t know about @_jtmelton Lessons Learned
Progress Report ToDo List ● Learn environment - Done ● Embed into team / culture - Done, solid champions core team ● Translate - Done ● Secure everything – We’re further, but always room for improvement ● Prep for compliance – Oh boy … did we ever ● Share / leverage successes upstream – Good progress @_jtmelton
@_jtmelton
@_jtmelton
TODOs - People ● Work with the best people you can ● Do small, focused, context- sensitive training ● Connect with tribal knowledge owners ● Build a real champions program ● Say “no” rarely ● Know your place and stay humble - security is not the only business concern ● Connect with others doing your job in security at cons, social media, etc. Ask them questions. ● Talk about security in regular life (e.g. https://securityplanner.org/) ● Talk about security often (chat, email, presentations, etc.) ● Talk about privacy ● Talk issues at the highest level possible - exec buy-in is critical @_jtmelton
TODOs - Process ● Have office hours, chatops, email list - be available ● Never start with “no”. Default to “how can we get to yes”? ● Use the champions program ● Actively build relationships with other teams ● Collect useful data to improve and build a data-driven process ● Live and breathe threat modeling ● Inject into the standard SDLC (not as a blocker though) ● Reqs > Arch > Design > Code ● Use consistent terminology (words matter) ● Develop method for ranking apps ● Develop method for ranking vulns ● Meet customers where they are (chat, email, wiki, bugtracker, etc.)@_jtmelton
TODOs - Technology ● Don’t have tech envy ● Isolate security services (e.g. encryption as a service) ● Exploit CI (fast/slow lanes) ● Squash bug classes, not bugs (bug of the month/quarter, top “1”) ● Support / amplify good tech from devs (containers, cloud, etc.) ● Build a solid app inventory ● Focus on and invest in self- service ● Spend time on the “big” things (cloud, 2/MFA, IAM, Authn/z, crypto) ● Limit crypto primitives (e.g. nacl) ● Support primary tech stacks well ● Work with dev and ops to get runtime info, and create a feedback loop ● Build self-defending apps (appsensor) @_jtmelton
Some Homework ● “Starting Up Security” by Ryan McGeehan (https://medium.com/starting-up- security) ● “Preventing Security Bugs Through Software Design” by Christoph Kern (https://www.youtu.be/ccfEu-Jj0as) ● Measuring End-to-End Security Engineering by Garrett Held (https://www.youtu.be/MLmQ4uSi4EU) ● “Software Security Metrics” (https://youtu.be/50vOxExpAOU) and “Effective AppSec Metrics (https://youtu.be/dY8IuQ8rUd4), by Caroline Wong ● Starting a Metrics Program by Marcus Ranum (https://youtu.be/yW7kSVwucSk) ● Enabling Product Security with Culture and Cloud by Astha Singhal and Patrick Thomas (https://youtu.be/L1WaMzN4dhY) @_jtmelton
@_jtmelton Summary
This I Believe @_jtmelton
This I Believe You can’t do appsec effectively and not understand code. You should be able to read & write it. Same with design & architecture. @_jtmelton
This I Believe Security teams don’t scale effectively, even with significant automation efforts. Build a champions program, and move to self-service. @_jtmelton
This I Believe We need more focus on detection and response, not just prevention. @_jtmelton
This I Believe Certain solutions (executive support/buy-in, 2FA, CI/CD automation, threat modeling) move the needle _much_ farther - focus on those. @_jtmelton
This I Believe You cannot protect what you don’t know about - build an app inventory. @_jtmelton
@_jtmelton
@_jtmelton
@_jtmelton
Open Source ● We don’t all have huge teams ● Most/all of us use open source docs, software ● Many of us build useful things ● Some of us can contribute at work ● Many of us can contribute at home ● You benefit the community ● You grow ● You build awareness of issues ● You help drive solutions ● You benefit personally and professionally @_jtmelton
Introducing … @_jtmelton
Manna @_jtmelton
@_jtmelton
@_jtmelton
@_jtmelton
This I Believe We all have something useful to contribute to the community. @_jtmelton
This I Believe @_jtmelton ● Docs - https://medium.com/starting-up-security ● Talks - https://www.youtube.com/watch?v=ccfEu-Jj0as ● Scripts - https://github.com/jgamblin/AWSScripts ● Code - https://github.com/jeremylong/DependencyCheck ● Organization - https://github.com/sbilly/awesome-security and https://github.com/paragonie/awesome-appsec ● Work - https://github.com/nccgroup/Scout2 and https://www.nccgroup.trust/us/our-research/understanding-and-hardening- linux-containers/
This I Believe @_jtmelton
● https://github.com/manna- security ● Open Source (Apache 2) ● Alpha release (only 1 rule) ● Please contribute! @_jtmelton Manna Simple static analysis & automatic remediation
@_jtmelton
@_jtmelton Questions ?

Recommended

AiTi Education Software Testing Session 01 b
AiTi Education Software Testing Session 01 bAiTi Education Software Testing Session 01 b
AiTi Education Software Testing Session 01 b
AiTi Education
 
Management Issues in Test Automation
Management Issues in Test AutomationManagement Issues in Test Automation
Management Issues in Test Automation
TechWell
 
MeManagement Issues in Test Automation
MeManagement Issues in Test AutomationMeManagement Issues in Test Automation
MeManagement Issues in Test Automation
TechWell
 
Management Issues in Test Automation
Management Issues in Test AutomationManagement Issues in Test Automation
Management Issues in Test Automation
TechWell
 
Software Testing
Software TestingSoftware Testing
Software Testing
MusTufa Nullwala
 
Managing Successful Test Automation
Managing Successful Test AutomationManaging Successful Test Automation
Managing Successful Test Automation
TechWell
 
Acceptance testing for rome
Acceptance testing for romeAcceptance testing for rome
Acceptance testing for rome
GitaAdryana
 
Niels Malotaux - Help We Have a QA Problem!
Niels Malotaux - Help We Have a QA Problem!Niels Malotaux - Help We Have a QA Problem!
Niels Malotaux - Help We Have a QA Problem!
TEST Huddle
 

Recommended

AiTi Education Software Testing Session 01 b
AiTi Education Software Testing Session 01 bAiTi Education Software Testing Session 01 b
AiTi Education Software Testing Session 01 b
AiTi Education
 
Management Issues in Test Automation
Management Issues in Test AutomationManagement Issues in Test Automation
Management Issues in Test Automation
TechWell
 
MeManagement Issues in Test Automation
MeManagement Issues in Test AutomationMeManagement Issues in Test Automation
MeManagement Issues in Test Automation
TechWell
 
Management Issues in Test Automation
Management Issues in Test AutomationManagement Issues in Test Automation
Management Issues in Test Automation
TechWell
 
Software Testing
Software TestingSoftware Testing
Software Testing
MusTufa Nullwala
 
Managing Successful Test Automation
Managing Successful Test AutomationManaging Successful Test Automation
Managing Successful Test Automation
TechWell
 
Acceptance testing for rome
Acceptance testing for romeAcceptance testing for rome
Acceptance testing for rome
GitaAdryana
 
Niels Malotaux - Help We Have a QA Problem!
Niels Malotaux - Help We Have a QA Problem!Niels Malotaux - Help We Have a QA Problem!
Niels Malotaux - Help We Have a QA Problem!
TEST Huddle
 
Develop a Defect Prevention Strategy—or Else!
Develop a Defect Prevention Strategy—or Else!Develop a Defect Prevention Strategy—or Else!
Develop a Defect Prevention Strategy—or Else!
TechWell
 
How to make Automation an asset for Organization
How to make Automation an asset for OrganizationHow to make Automation an asset for Organization
How to make Automation an asset for Organization
anuvip
 
Derk jan de Grood - ET, Best of Both Worlds
Derk jan de Grood - ET, Best of Both WorldsDerk jan de Grood - ET, Best of Both Worlds
Derk jan de Grood - ET, Best of Both Worlds
TEST Huddle
 
'Houston We Have A Problem' by Rien van Vugt & Maurice Siteur
'Houston We Have A Problem' by Rien van Vugt & Maurice Siteur'Houston We Have A Problem' by Rien van Vugt & Maurice Siteur
'Houston We Have A Problem' by Rien van Vugt & Maurice Siteur
TEST Huddle
 
Methodology: IT test
Methodology: IT testMethodology: IT test
Methodology: IT test
Jean-François Nguyen
 
Agile Development For Rte Systems
Agile Development For Rte SystemsAgile Development For Rte Systems
Agile Development For Rte Systems
Bruce Douglass
 
Tactical Application Security: Getting Stuff Done - Black Hat Briefings 2015
Tactical Application Security: Getting Stuff Done - Black Hat Briefings 2015Tactical Application Security: Getting Stuff Done - Black Hat Briefings 2015
Tactical Application Security: Getting Stuff Done - Black Hat Briefings 2015
Cory Scott
 
Christian Bk Hansen - Agile on Huge Banking Mainframe Legacy Systems - EuroST...
Christian Bk Hansen - Agile on Huge Banking Mainframe Legacy Systems - EuroST...Christian Bk Hansen - Agile on Huge Banking Mainframe Legacy Systems - EuroST...
Christian Bk Hansen - Agile on Huge Banking Mainframe Legacy Systems - EuroST...
TEST Huddle
 
Metrics for Mofel-Based Systems Development
Metrics for Mofel-Based Systems DevelopmentMetrics for Mofel-Based Systems Development
Metrics for Mofel-Based Systems Development
Bruce Douglass
 
AiTi Education Software Testing Session 01 a
AiTi Education Software Testing Session 01 aAiTi Education Software Testing Session 01 a
AiTi Education Software Testing Session 01 a
AiTi Education
 
Peter Zimmerer - Establishing Testing Knowledge and Experience Sharing at Sie...
Peter Zimmerer - Establishing Testing Knowledge and Experience Sharing at Sie...Peter Zimmerer - Establishing Testing Knowledge and Experience Sharing at Sie...
Peter Zimmerer - Establishing Testing Knowledge and Experience Sharing at Sie...
TEST Huddle
 
Michael Bolton - Two Futures of Software Testing
Michael Bolton - Two Futures of Software TestingMichael Bolton - Two Futures of Software Testing
Michael Bolton - Two Futures of Software Testing
TEST Huddle
 
Darius Silingas - From Model Driven Testing to Test Driven Modelling
Darius Silingas - From Model Driven Testing to Test Driven ModellingDarius Silingas - From Model Driven Testing to Test Driven Modelling
Darius Silingas - From Model Driven Testing to Test Driven Modelling
TEST Huddle
 
Defect Prevention & Predictive Analytics - XBOSoft Webinar
Defect Prevention & Predictive Analytics - XBOSoft WebinarDefect Prevention & Predictive Analytics - XBOSoft Webinar
Defect Prevention & Predictive Analytics - XBOSoft Webinar
XBOSoft
 
'Acceptance Testing' by Erik Boelen
'Acceptance Testing' by Erik Boelen'Acceptance Testing' by Erik Boelen
'Acceptance Testing' by Erik Boelen
TEST Huddle
 
Machine Learning in Software Engineering
Machine Learning in Software EngineeringMachine Learning in Software Engineering
Machine Learning in Software Engineering
Alaa Hamouda
 
Root Cause Analysis Presentation
Root Cause Analysis PresentationRoot Cause Analysis Presentation
Root Cause Analysis Presentation
E&H Pacheco Consultoria e Assessoria Empresarial Ltda
 
Henrik Andersson - Exploratory Testing Champions - EuroSTAR 2010
Henrik Andersson - Exploratory Testing Champions - EuroSTAR 2010Henrik Andersson - Exploratory Testing Champions - EuroSTAR 2010
Henrik Andersson - Exploratory Testing Champions - EuroSTAR 2010
TEST Huddle
 
Fredrik Rydberg - Can Exploratory Testing Save Lives - EuroSTAR 2010
Fredrik Rydberg - Can Exploratory Testing Save Lives - EuroSTAR 2010Fredrik Rydberg - Can Exploratory Testing Save Lives - EuroSTAR 2010
Fredrik Rydberg - Can Exploratory Testing Save Lives - EuroSTAR 2010
TEST Huddle
 
Risk management lec. 06
Risk management lec. 06Risk management lec. 06
Risk management lec. 06
Noor Ul Hudda Memon
 
The Journey to DevOps
The Journey to DevOpsThe Journey to DevOps
The Journey to DevOps
Perfecto by Perforce
 
Pusheando en master, que es gerundio
Pusheando en master, que es gerundioPusheando en master, que es gerundio
Pusheando en master, que es gerundio
Isidro José López Martínez
 

More Related Content

What's hot

Develop a Defect Prevention Strategy—or Else!
Develop a Defect Prevention Strategy—or Else!Develop a Defect Prevention Strategy—or Else!
Develop a Defect Prevention Strategy—or Else!
TechWell
 
'Houston We Have A Problem' by Rien van Vugt & Maurice Siteur
'Houston We Have A Problem' by Rien van Vugt & Maurice Siteur'Houston We Have A Problem' by Rien van Vugt & Maurice Siteur
'Houston We Have A Problem' by Rien van Vugt & Maurice Siteur
TEST Huddle
 
'Acceptance Testing' by Erik Boelen
'Acceptance Testing' by Erik Boelen'Acceptance Testing' by Erik Boelen
'Acceptance Testing' by Erik Boelen
TEST Huddle
 
Machine Learning in Software Engineering
Machine Learning in Software EngineeringMachine Learning in Software Engineering
Machine Learning in Software Engineering
Alaa Hamouda
 

What's hot (20)

Develop a Defect Prevention Strategy—or Else!
Develop a Defect Prevention Strategy—or Else!Develop a Defect Prevention Strategy—or Else!
Develop a Defect Prevention Strategy—or Else!
 
How to make Automation an asset for Organization
How to make Automation an asset for OrganizationHow to make Automation an asset for Organization
How to make Automation an asset for Organization
 
Derk jan de Grood - ET, Best of Both Worlds
Derk jan de Grood - ET, Best of Both WorldsDerk jan de Grood - ET, Best of Both Worlds
Derk jan de Grood - ET, Best of Both Worlds
 
'Houston We Have A Problem' by Rien van Vugt & Maurice Siteur
'Houston We Have A Problem' by Rien van Vugt & Maurice Siteur'Houston We Have A Problem' by Rien van Vugt & Maurice Siteur
'Houston We Have A Problem' by Rien van Vugt & Maurice Siteur
 
Methodology: IT test
Methodology: IT testMethodology: IT test
Methodology: IT test
 
Agile Development For Rte Systems
Agile Development For Rte SystemsAgile Development For Rte Systems
Agile Development For Rte Systems
 
Tactical Application Security: Getting Stuff Done - Black Hat Briefings 2015
Tactical Application Security: Getting Stuff Done - Black Hat Briefings 2015Tactical Application Security: Getting Stuff Done - Black Hat Briefings 2015
Tactical Application Security: Getting Stuff Done - Black Hat Briefings 2015
 
Christian Bk Hansen - Agile on Huge Banking Mainframe Legacy Systems - EuroST...
Christian Bk Hansen - Agile on Huge Banking Mainframe Legacy Systems - EuroST...Christian Bk Hansen - Agile on Huge Banking Mainframe Legacy Systems - EuroST...
Christian Bk Hansen - Agile on Huge Banking Mainframe Legacy Systems - EuroST...
 
Metrics for Mofel-Based Systems Development
Metrics for Mofel-Based Systems DevelopmentMetrics for Mofel-Based Systems Development
Metrics for Mofel-Based Systems Development
 
AiTi Education Software Testing Session 01 a
AiTi Education Software Testing Session 01 aAiTi Education Software Testing Session 01 a
AiTi Education Software Testing Session 01 a
 
Peter Zimmerer - Establishing Testing Knowledge and Experience Sharing at Sie...
Peter Zimmerer - Establishing Testing Knowledge and Experience Sharing at Sie...Peter Zimmerer - Establishing Testing Knowledge and Experience Sharing at Sie...
Peter Zimmerer - Establishing Testing Knowledge and Experience Sharing at Sie...
 
Michael Bolton - Two Futures of Software Testing
Michael Bolton - Two Futures of Software TestingMichael Bolton - Two Futures of Software Testing
Michael Bolton - Two Futures of Software Testing
 
Darius Silingas - From Model Driven Testing to Test Driven Modelling
Darius Silingas - From Model Driven Testing to Test Driven ModellingDarius Silingas - From Model Driven Testing to Test Driven Modelling
Darius Silingas - From Model Driven Testing to Test Driven Modelling
 
Defect Prevention & Predictive Analytics - XBOSoft Webinar
Defect Prevention & Predictive Analytics - XBOSoft WebinarDefect Prevention & Predictive Analytics - XBOSoft Webinar
Defect Prevention & Predictive Analytics - XBOSoft Webinar
 
'Acceptance Testing' by Erik Boelen
'Acceptance Testing' by Erik Boelen'Acceptance Testing' by Erik Boelen
'Acceptance Testing' by Erik Boelen
 
Machine Learning in Software Engineering
Machine Learning in Software EngineeringMachine Learning in Software Engineering
Machine Learning in Software Engineering
 
Root Cause Analysis Presentation
Root Cause Analysis PresentationRoot Cause Analysis Presentation
Root Cause Analysis Presentation
 
Henrik Andersson - Exploratory Testing Champions - EuroSTAR 2010
Henrik Andersson - Exploratory Testing Champions - EuroSTAR 2010Henrik Andersson - Exploratory Testing Champions - EuroSTAR 2010
Henrik Andersson - Exploratory Testing Champions - EuroSTAR 2010
 
Fredrik Rydberg - Can Exploratory Testing Save Lives - EuroSTAR 2010
Fredrik Rydberg - Can Exploratory Testing Save Lives - EuroSTAR 2010Fredrik Rydberg - Can Exploratory Testing Save Lives - EuroSTAR 2010
Fredrik Rydberg - Can Exploratory Testing Save Lives - EuroSTAR 2010
 
Risk management lec. 06
Risk management lec. 06Risk management lec. 06
Risk management lec. 06
 

Similar to Building an AppSec Program From the Ground Up: An Honest Retrospective

Pusheando en master, que es gerundio
Pusheando en master, que es gerundioPusheando en master, que es gerundio
Pusheando en master, que es gerundio
Isidro José López Martínez
 
Rajmohan_CV _Updated
Rajmohan_CV _UpdatedRajmohan_CV _Updated
Rajmohan_CV _Updated
Rajmohan A
 
DevOps Tactical Adoption Theory: Continuous Testing
DevOps Tactical Adoption Theory: Continuous TestingDevOps Tactical Adoption Theory: Continuous Testing
DevOps Tactical Adoption Theory: Continuous Testing
Berk Dülger
 
AppSphere 15 - Preparing for System Failure: How Pearson used AppDynamics to ...
AppSphere 15 - Preparing for System Failure: How Pearson used AppDynamics to ...AppSphere 15 - Preparing for System Failure: How Pearson used AppDynamics to ...
AppSphere 15 - Preparing for System Failure: How Pearson used AppDynamics to ...
AppDynamics
 
Atmosphere 2016 - Berk Dulger - DevOps Tactical Adoption Theory
Atmosphere 2016 - Berk Dulger - DevOps Tactical Adoption TheoryAtmosphere 2016 - Berk Dulger - DevOps Tactical Adoption Theory
Atmosphere 2016 - Berk Dulger - DevOps Tactical Adoption Theory
PROIDEA
 
How to Manage the Risk of your Polyglot Environments
How to Manage the Risk of your Polyglot EnvironmentsHow to Manage the Risk of your Polyglot Environments
How to Manage the Risk of your Polyglot Environments
DevOps.com
 
DO5T17S_T5 Thur 430 GilesE_BR_20151114_012422
DO5T17S_T5 Thur 430 GilesE_BR_20151114_012422DO5T17S_T5 Thur 430 GilesE_BR_20151114_012422
DO5T17S_T5 Thur 430 GilesE_BR_20151114_012422
Erik Giles
 

Similar to Building an AppSec Program From the Ground Up: An Honest Retrospective (20)

The Journey to DevOps
The Journey to DevOpsThe Journey to DevOps
The Journey to DevOps
 
Pusheando en master, que es gerundio
Pusheando en master, que es gerundioPusheando en master, que es gerundio
Pusheando en master, que es gerundio
 
My DevOps Experiences and Lessons learnt as a Program Manager
My DevOps Experiences and Lessons learnt as a Program ManagerMy DevOps Experiences and Lessons learnt as a Program Manager
My DevOps Experiences and Lessons learnt as a Program Manager
 
Rajmohan_CV _Updated
Rajmohan_CV _UpdatedRajmohan_CV _Updated
Rajmohan_CV _Updated
 
Agile Development of High Performance Applications
Agile Development of High Performance ApplicationsAgile Development of High Performance Applications
Agile Development of High Performance Applications
 
DevOps Tactical Adoption Theory: Continuous Testing
DevOps Tactical Adoption Theory: Continuous TestingDevOps Tactical Adoption Theory: Continuous Testing
DevOps Tactical Adoption Theory: Continuous Testing
 
AppSphere 15 - Preparing for System Failure: How Pearson used AppDynamics to ...
AppSphere 15 - Preparing for System Failure: How Pearson used AppDynamics to ...AppSphere 15 - Preparing for System Failure: How Pearson used AppDynamics to ...
AppSphere 15 - Preparing for System Failure: How Pearson used AppDynamics to ...
 
Rsqrd AI: From R&D to ROI of AI
Rsqrd AI: From R&D to ROI of AIRsqrd AI: From R&D to ROI of AI
Rsqrd AI: From R&D to ROI of AI
 
Atmosphere 2016 - Berk Dulger - DevOps Tactical Adoption Theory
Atmosphere 2016 - Berk Dulger - DevOps Tactical Adoption TheoryAtmosphere 2016 - Berk Dulger - DevOps Tactical Adoption Theory
Atmosphere 2016 - Berk Dulger - DevOps Tactical Adoption Theory
 
GMO'less Software Development Practices
GMO'less Software Development PracticesGMO'less Software Development Practices
GMO'less Software Development Practices
 
Refactorisation de code : comment l’intégrer à sa roadmap Produit ?
Refactorisation de code : comment l’intégrer à sa roadmap Produit ?Refactorisation de code : comment l’intégrer à sa roadmap Produit ?
Refactorisation de code : comment l’intégrer à sa roadmap Produit ?
 
How to Manage the Risk of your Polyglot Environments
How to Manage the Risk of your Polyglot EnvironmentsHow to Manage the Risk of your Polyglot Environments
How to Manage the Risk of your Polyglot Environments
 
JF Burguet - ERP Experiences
JF Burguet - ERP ExperiencesJF Burguet - ERP Experiences
JF Burguet - ERP Experiences
 
Tools and practices to use in a Continuous Delivery pipeline
Tools and practices to use in a Continuous Delivery pipelineTools and practices to use in a Continuous Delivery pipeline
Tools and practices to use in a Continuous Delivery pipeline
 
DO5T17S_T5 Thur 430 GilesE_BR_20151114_012422
DO5T17S_T5 Thur 430 GilesE_BR_20151114_012422DO5T17S_T5 Thur 430 GilesE_BR_20151114_012422
DO5T17S_T5 Thur 430 GilesE_BR_20151114_012422
 
Outsourcing With Agile
Outsourcing With AgileOutsourcing With Agile
Outsourcing With Agile
 
Maintenance, Machine Learning and the IIoT - Brad Nicholas Keynote Xcelerate17
Maintenance, Machine Learning and the IIoT - Brad Nicholas Keynote Xcelerate17Maintenance, Machine Learning and the IIoT - Brad Nicholas Keynote Xcelerate17
Maintenance, Machine Learning and the IIoT - Brad Nicholas Keynote Xcelerate17
 
Test i agile projekter af Gitte Ottosen, Sogeti
Test i agile projekter af Gitte Ottosen, SogetiTest i agile projekter af Gitte Ottosen, Sogeti
Test i agile projekter af Gitte Ottosen, Sogeti
 
Monitoring Far Beyond the Operating System - WeOp 2014
Monitoring Far Beyond the Operating System - WeOp 2014Monitoring Far Beyond the Operating System - WeOp 2014
Monitoring Far Beyond the Operating System - WeOp 2014
 
Devops, Secops, Opsec, DevSec *ops *.* ?
Devops, Secops, Opsec, DevSec *ops *.* ?Devops, Secops, Opsec, DevSec *ops *.* ?
Devops, Secops, Opsec, DevSec *ops *.* ?
 

More from jtmelton

Watch How The Giants Fall: Learning from Bug Bounty Results
Watch How The Giants Fall: Learning from Bug Bounty ResultsWatch How The Giants Fall: Learning from Bug Bounty Results
Watch How The Giants Fall: Learning from Bug Bounty Results
jtmelton
 
AppSensor Near Real-Time Event Detection and Response - DevNexus 2016
AppSensor Near Real-Time Event Detection and Response - DevNexus 2016AppSensor Near Real-Time Event Detection and Response - DevNexus 2016
AppSensor Near Real-Time Event Detection and Response - DevNexus 2016
jtmelton
 

More from jtmelton (8)

Watch How The Giants Fall: Learning from Bug Bounty Results
Watch How The Giants Fall: Learning from Bug Bounty ResultsWatch How The Giants Fall: Learning from Bug Bounty Results
Watch How The Giants Fall: Learning from Bug Bounty Results
 
AllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensorAllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensor
 
Watch How the Giants Fall
Watch How the Giants FallWatch How the Giants Fall
Watch How the Giants Fall
 
Towards Securing Micro-Services
Towards Securing Micro-ServicesTowards Securing Micro-Services
Towards Securing Micro-Services
 
AppSensor CodeMash 2017
AppSensor CodeMash 2017AppSensor CodeMash 2017
AppSensor CodeMash 2017
 
Building Self-Defending Applications With OWASP AppSensor JavaOne 2016
Building Self-Defending Applications With OWASP AppSensor JavaOne 2016Building Self-Defending Applications With OWASP AppSensor JavaOne 2016
Building Self-Defending Applications With OWASP AppSensor JavaOne 2016
 
AppSensor Near Real-Time Event Detection and Response - DevNexus 2016
AppSensor Near Real-Time Event Detection and Response - DevNexus 2016AppSensor Near Real-Time Event Detection and Response - DevNexus 2016
AppSensor Near Real-Time Event Detection and Response - DevNexus 2016
 
AppSensor - Near Real Time Event Detection and Response
AppSensor - Near Real Time Event Detection and ResponseAppSensor - Near Real Time Event Detection and Response
AppSensor - Near Real Time Event Detection and Response
 

Recently uploaded

Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
Bhaskar Mitra
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Peter Udo Diehl
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT Professionals
Expeed Software
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
CzechDreamin
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 

Recently uploaded (20)

When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutes
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT Professionals
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
AI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekAI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří Karpíšek
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 

Building an AppSec Program From the Ground Up: An Honest Retrospective

  • 1. Building an AppSec Program From the Ground Up: An Honest Retrospective John Melton @_jtmelton
  • 3. whoami - Past: Dev/Security engineering in defense, finance, technology companies - Current: Leading AppSec at technology company (Oracle NetSuite) - Side: OWASP*, AppSensor, Manna - Opinions are my own, not my employers @_jtmelton
  • 4. mumble, mumble, mumble … Jim is great Neil is great, Jer is great, Ron is great Thanks to all the organizers and sponsors @_jtmelton
  • 5. Agenda: An honest retrospective of the last ~2 years building an appsec program from scratch: the good, the bad, and the ugly ...
  • 6. With an eye towards immediate applicability of lessons learned ...
  • 7. And wrapping up with my observations and beliefs about what I would do if I had it to do all over again
  • 11. Gather round y’all, it’s ... @_jtmelton story time
  • 14. Context Environment 15yr old (acquired) startup Very smart engineers No “security” people CI/CD µServices / DevOps Very culture-protective ~350 people Management 20yr old (acquirer) startup Very smart engineers Full security team Monolith, traditional ops Broad, varied culture ~5,500 people Me The new guy meh “The” security team I’ve done both Need to get stuff done 1 person @_jtmelton
  • 15. Tasks ToDo List (Aiming for 2yr timeline) ● Learn environment ● Embed into team / culture ● Translate ● Secure everything ● Prep for compliance ● Share / leverage successes upstream Resources ● Tooling ● Training material ● “Policies” @_jtmelton
  • 16. Day 0
  • 18. Day 1
  • 34. ● The business is still running ● They wouldn’t be paying you if all the work was already done ● Take a breath @_jtmelton Lessons Learned
  • 35. Q1
  • 36. Proposed deliverables Introductions ● Get to know people ● Get to know tech/processes Update Training ● I’ve written training before ● We have a pretty good base to start from Dependency Analysis ● DependencyCheck is awesome ● I’ve written training before ● We have a pretty good base to start from @_jtmelton
  • 37. Results Introductions (100%) ● People are great ● Tech is great, Processes are good / maturing Update Training (30%) ● Updated team HR training ● Made a dent in tech training Dependency Analysis ● DependencyCheck is awesome ● I’ve written training before ● We have a pretty good base to start from @_jtmelton
  • 38. ● Find key stakeholders ● Learn existing processes ● Learn the environment / tools @_jtmelton Lessons Learned
  • 39. Q2
  • 40. Proposed deliverables Static Analysis ● We already have a tool ● I built one - setting one up should be easy! Dynamic Analysis ● ZAP is awesome ● It’s just a script right? Dependency Analysis ● DependencyCheck is awesome ● Need to get a handle on these 3rd party libs Update Training ● I’ve written training before ● We have a pretty good base to start from @_jtmelton
  • 41. Results Static Analysis (80%) ● A factory is hard work (especially on * apps) ● Oh yeah, we should vet and explain results Dynamic Analysis (0%) ● ZAP is still awesome ● No time Dependency Analysis (100%) ● DependencyCheck is still awesome ● There’s a lot of low-hanging fruit here Update Training (-10%) ● Way more stakeholders than I thought ● More work to do than initially planned @_jtmelton
  • 42. ● Start to formulate questions you want to answer (metrics) (fail) ● Start an application inventory (hard fail!) ● Tools _may_ not be the right place to start (fail) ● CI/CD is security’s friend ● Get a handle on 3rd party libraries - it’s low hanging (often rotten) fruit @_jtmelton Lessons Learned
  • 43. Q3
  • 44. Proposed deliverables Credential Storage ● Need to clean this up ● Like Vault as a base Dynamic Analysis ● Work with QA / Selenium ● Need help from project leader Champions ● Extend relationship with interested folks ● Offer extra training and security info Update SDLC ● The existing SDLC is restrictive ● Need to separate policy from standard @_jtmelton
  • 45. Results Credential Storage (100%) ● Good planning, coordination ● Vault operationally works in our env Dynamic Analysis (100%) ● ZAP/Selenium/QA automation are powerful ● Project leaders want to help you succeed Champions (50%) ● People are interested in security ● No formal program, small sharing network Update SDLC (20%) ● This is complex, and needs high-level approval ● SDLC touches everything @_jtmelton
  • 46. ● Pick operationally compatible tools for your env (work with eng team for input) ● Leverage open source where possible (also contribute back code, docs, stories, etc.) ● Reach out to people on github, twitter, phone, etc. - they will actually help (fail, see BSIMM) ● Share security knowledge freely (fail) ● Policies matter * @_jtmelton Lessons Learned
  • 47. Q4
  • 48. Proposed deliverables Metrics ● Need to measure progress on desired goals ● Should be easy to collect and drive change Threat Modeling ● We should fix arch/design issues too ● Aiming to start simply Track Attack Surface ● Lots of micro-services ● How are they changing? Update SDLC ● Work is now scoped ● Know stakeholders for approval @_jtmelton
  • 49. Results Metrics (20%) ● There are lots of bad metrics ● Lots of stakeholders with significant input Threat Modeling (100%) ● Starting small was key ● A picture and a list of threats Track Attack Surface (75%) ● Surprisingly simple to support ● Really helpful over time and good signal Update SDLC (100%) ● This was a lot of work ● A solid, clear policy is really helpful @_jtmelton
  • 50. ● Measuring what you are doing is critical. Communicating that information well is a challenge. ● Security talks about the “what’s wrong” all the time, but rarely about proactive controls (fail) ● People like threat modeling (be the attacker) ● Threat modeling gives developers power to communicate and address what keeps them up at night (fail)@_jtmelton Lessons Learned
  • 52. Progress Report ToDo List ● Learn environment - Done ● Embed into team / culture - Done, solid champions core team ● Translate - Mostly done ● Secure everything - Basics are in place, still plenty of room for improvement ● Prep for compliance - A little bit done ● Share / leverage successes upstream - Very little upstreamed @_jtmelton
  • 55. Proposed deliverables App Deployment Tool ● Needs a refresh ● Let’s upgrade security at the same time Containers ● Chance to affect greenfield deployment ● Aim for reasonable default security bump Runtime Intelligence ● Get runtime feedback about security ● Empower / delegate developers to monitor Operational Tasks ● Integrate with other teams ● Produce / consume useful data @_jtmelton
  • 56. Results App Deployment Tool (90%) ● Awesome tooling people are awesome ● Platform defaults matter Containers (75%) ● Set strong, safe defaults for great bump ● Security features not always well-tested Runtime Intelligence (10%) ● Introduced the idea and tools ● Needs a “light bulb” moment Operational Tasks (100%) ● This data is really valuable ● We don’t think about this enough @_jtmelton
  • 57. ● Vault useful in many contexts, operational ability is important* ● Reminder: availability is part of CIA triad - it is a security issue ● We need more runtime intel in our applications (fail) ● AppSec <--> OpSec is an area ripe for exploration and exploitation (fail) ● Went to BSIMM (world changing moment) (fail) @_jtmelton Lessons Learned
  • 59. Q6
  • 60. Proposed deliverables Core Security Libraries ● Stop squashing individual bugs ● Need consistent mechanisms for devs Source Code Attestation ● Verify steps from commit -> ops ● Auditability Training Refresh ● Function-specific training ● Continue simplification CI Upgrade ● Tooling upgrade & apis ● Versioned CI configuration @_jtmelton
  • 61. Results Core Security Library (50%) ● Built/extended core systems ● Partial custom rules to match Src Code Attestation (100%) ● Requires integration work ● Audit log is powerful Training Refresh (25%) ● Customization benefits from modularity CI Upgrade (75%) ● Config versioning is powerful ● Declarative CI is powerful @_jtmelton
  • 62. ● ** Killing bug classes is the useful engineering work (Fail) ● (git/web) Hooks are great integration points (Fail) @_jtmelton Lessons Learned
  • 63. Q7
  • 64. Proposed deliverables Tool Additions ● Need broader coverage ● Tool vendors always behind Immutable Infra ● Joint effort with eng ● Increase stability & security Compliance ● Has to happen ● Supports business Fast/Slow Checks ● Faster feedback on high confidence issues ● Block certain classes of issues @_jtmelton
  • 65. Results Tool Additions (100%) ● Lots of tools available these days ● Single purpose tools are nice Immutable Infra (80%) ● Big eng win ● Big security win Compliance (100%) ● Sanity check ● Low bar Fast/Slow Checks (100%) ● Further left ● Lots of low-hanging fruit here @_jtmelton
  • 66. ● Completely fixing and forever preventing an issue (even a small one) is a win - combine these to get momentum ● Create minimum assertions and raise the bar ● Config mgmt / Infra mgmt are powerful ● The faster devs see the issue relative to coding it, the faster (and better!) the fix (Fail) @_jtmelton Lessons Learned
  • 67. Q8
  • 68. Proposed deliverables Refresh SDLC ● Maturity step ● Chance to move left / increase visibility App Portfolio ● Do a better job collecting metadata / metrics ● Single, consistent view Compliance ● More, more, more Fast/Slow Checks ● Faster feedback on high confidence issues ● Block certain classes of issues @_jtmelton
  • 69. Proposed deliverables Refresh SDLC (100%) ● Tailor to different stakeholders ● Talk about privacy alongside security App Portfolio (20%) ● Complex area ● Missing tool support Compliance (100%) ● More, more, more Fast/Slow Checks ● Faster feedback on high confidence issues ● Block certain classes of issues @_jtmelton
  • 70. ● Privacy is something everybody cares about (Fail) ● App Portfolio is ripe for a solution, many people are struggling in that area ● Hard to secure what you don’t know about @_jtmelton Lessons Learned
  • 71. Progress Report ToDo List ● Learn environment - Done ● Embed into team / culture - Done, solid champions core team ● Translate - Done ● Secure everything – We’re further, but always room for improvement ● Prep for compliance – Oh boy … did we ever ● Share / leverage successes upstream – Good progress @_jtmelton
  • 74. TODOs - People ● Work with the best people you can ● Do small, focused, context- sensitive training ● Connect with tribal knowledge owners ● Build a real champions program ● Say “no” rarely ● Know your place and stay humble - security is not the only business concern ● Connect with others doing your job in security at cons, social media, etc. Ask them questions. ● Talk about security in regular life (e.g. https://securityplanner.org/) ● Talk about security often (chat, email, presentations, etc.) ● Talk about privacy ● Talk issues at the highest level possible - exec buy-in is critical @_jtmelton
  • 75. TODOs - Process ● Have office hours, chatops, email list - be available ● Never start with “no”. Default to “how can we get to yes”? ● Use the champions program ● Actively build relationships with other teams ● Collect useful data to improve and build a data-driven process ● Live and breathe threat modeling ● Inject into the standard SDLC (not as a blocker though) ● Reqs > Arch > Design > Code ● Use consistent terminology (words matter) ● Develop method for ranking apps ● Develop method for ranking vulns ● Meet customers where they are (chat, email, wiki, bugtracker, etc.)@_jtmelton
  • 76. TODOs - Technology ● Don’t have tech envy ● Isolate security services (e.g. encryption as a service) ● Exploit CI (fast/slow lanes) ● Squash bug classes, not bugs (bug of the month/quarter, top “1”) ● Support / amplify good tech from devs (containers, cloud, etc.) ● Build a solid app inventory ● Focus on and invest in self- service ● Spend time on the “big” things (cloud, 2/MFA, IAM, Authn/z, crypto) ● Limit crypto primitives (e.g. nacl) ● Support primary tech stacks well ● Work with dev and ops to get runtime info, and create a feedback loop ● Build self-defending apps (appsensor) @_jtmelton
  • 77. Some Homework ● “Starting Up Security” by Ryan McGeehan (https://medium.com/starting-up- security) ● “Preventing Security Bugs Through Software Design” by Christoph Kern (https://www.youtu.be/ccfEu-Jj0as) ● Measuring End-to-End Security Engineering by Garrett Held (https://www.youtu.be/MLmQ4uSi4EU) ● “Software Security Metrics” (https://youtu.be/50vOxExpAOU) and “Effective AppSec Metrics (https://youtu.be/dY8IuQ8rUd4), by Caroline Wong ● Starting a Metrics Program by Marcus Ranum (https://youtu.be/yW7kSVwucSk) ● Enabling Product Security with Culture and Cloud by Astha Singhal and Patrick Thomas (https://youtu.be/L1WaMzN4dhY) @_jtmelton
  • 80. This I Believe You can’t do appsec effectively and not understand code. You should be able to read & write it. Same with design & architecture. @_jtmelton
  • 81. This I Believe Security teams don’t scale effectively, even with significant automation efforts. Build a champions program, and move to self-service. @_jtmelton
  • 82. This I Believe We need more focus on detection and response, not just prevention. @_jtmelton
  • 83. This I Believe Certain solutions (executive support/buy-in, 2FA, CI/CD automation, threat modeling) move the needle _much_ farther - focus on those. @_jtmelton
  • 84. This I Believe You cannot protect what you don’t know about - build an app inventory. @_jtmelton
  • 88. Open Source ● We don’t all have huge teams ● Most/all of us use open source docs, software ● Many of us build useful things ● Some of us can contribute at work ● Many of us can contribute at home ● You benefit the community ● You grow ● You build awareness of issues ● You help drive solutions ● You benefit personally and professionally @_jtmelton
  • 94. This I Believe We all have something useful to contribute to the community. @_jtmelton
  • 95. This I Believe @_jtmelton ● Docs - https://medium.com/starting-up-security ● Talks - https://www.youtube.com/watch?v=ccfEu-Jj0as ● Scripts - https://github.com/jgamblin/AWSScripts ● Code - https://github.com/jeremylong/DependencyCheck ● Organization - https://github.com/sbilly/awesome-security and https://github.com/paragonie/awesome-appsec ● Work - https://github.com/nccgroup/Scout2 and https://www.nccgroup.trust/us/our-research/understanding-and-hardening- linux-containers/
  • 97. ● https://github.com/manna- security ● Open Source (Apache 2) ● Alpha release (only 1 rule) ● Please contribute! @_jtmelton Manna Simple static analysis & automatic remediation
  • 99.

Editor's Notes

  1. Should have started all these things earlier
  2. Should have started all these things earlier
  3. Learned a little about the QA tools, and found a champion who wanted to work on this - used their expertise to build out some of the zap integrations (also bugged Simon)
  4. Simon spoke to me on the phone for an hour getting us setup Sometimes policies don’t matter, but as an org grows, there needs to be consistency Sharing knowledge more openly helped us get more people talking about security, and resources in the teams thinking about it (delegated)
  5. Need to give proactive patterns that are helpful (always use prepared statements, don’t concatenate strings in a loop, do centralized access control, etc.) Missed covering threat modeling earlier - gives them more control
  6. Containers - Nomad docker support story
  7. All delay failures
  8. All delay failures
  9. All delay failures
  10. All delay failures
  11. All delay failures