Securing a great Developer Experience - v1.3
•Download as PPTX, PDF•
2 likes•109 views
In the software engineering world, change is the only constant. And in the course of the last decades, the frequency of that change has exploded. What Agile has brought to software teams, DevOps is now bringing to the entire organization. And the results speak for themselves. The DevOps high-performers are killing it. Insane deploy frequencies of features, high reliability of applications, and high productivity of cross-functional teams have amplified the speed at which ideas become a reality. In parallel, Application Security was doing its own thing and to a large part remained oblivious to all the impressive improvements that were happening in software engineering. Because breaking an application doesn’t need any knowledge of how it was created in the first place. This talk will cover anti-patterns that are preventing application security from being adopted by development teams, such as: * Issues Overload * Acronym Overuse * Sales team Wall
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Securing a great Developer Experience - v1.3
Similar to Securing a great Developer Experience - v1.3 (20)
More from Stefan Streichsbier
More from Stefan Streichsbier (11)
Recently uploaded
Recently uploaded (19)
Securing a great Developer Experience - v1.3
- 1. DevSecOps - Securing a great Developer Experience Stefan Streichsbier NUMISEC International Indonesia stefan@numisec.com Version 1.3 05.12.2018
- 2. About me Stefan Streichsbier @s_streichsbier GuardRails.io Move fast, be safe.
- 3. Book and Kindle version now on Amazon!
- 4. What are we going to cover? And also, how security and developer experience are related. How security is keeping up with it How the tech landscape changed What mindset security has to adopt
- 5. Some Statistics As of June 2017, 51% of the world's population has internet access. That’s close to 4,000,000,000 people As of October 2018, there are 31,000,000 developers on Github alone.
- 6. Mark Andreessen Renowned VC Software is eating the world, in all sectors. In the future every company will become a software company “The Wall Street Journal” in 2011
- 7. With change comes complexity
- 8. It used to be so simple Figure 1: Use an FTP Client to Copy the Necessary Files from Your Desktop to the Web Server at the Web Host Provider. Source: https://docs.microsoft.com/en-us/aspnet/web-forms/overview/older-versions-getting-started/deploying-web-site-projects/deploying-your-site-using-an-ftp-client-cs Pro Tip: • Add Google Analytics (post November 2005)
- 9. Web masters don’t need to collaborate Build? I’m using PHP, ASP, PERL, etc Test locally, As long as there is no parsing error, we’re all good. Drag and drop files to Filezilla. GoDaddy
- 10. It’s better now, but is it simpler? https://gist.github.com/rasheedamir/7da0145ae1b5d9889e4085ded21d1acb
- 11. https://devopedia.org/devops Web masters don’t need to collaborate Build? I’m using PHP, ASP, PERL, etc Test locally, As long as there is no parsing error, we’re all good. Drag and drop files to Filezilla. GoDaddy
- 14. How does security fit into this?
- 15. AWS Security Primer https://news.ycombinator.com/item?id=14628108 https://cloudonaut.io/aws-security-primer/ I have worked extensively with AWS over the last 4 years, and I can barely wrap my head around the scope of managing security in AWS. We have an entire department dedicated to security in our company, and none of them are remotely close to being experts in AWS security either. I’m starting to get curious if there even is an expert who could set up and maintain a bulletproof AWS account.
- 17. The Evolution of Security Secure SDLCPenetration Testing DevSecOps
- 18. https://devopedia.org/devops Application Vulnerability Correlation & Security Workflows Security tools integrating with Chat Bots Security sections on all major social media platforms Security tools integrating with SCMs Security tools integrating with pipelines Custom security linters, and compiler flags All the security tools, we need a bigger box! Security/Complia nce/Infrastructur e as Code, Secret Management Secure Repositories, golden images, artefact security scanning Cloud Platform security tools RASP, NG WAF, Micro- segmentation
- 19. Automated Security Defense Do you know if you are under attack at this current moment? Can you automatically defend against attacks? Do you know what the attackers are going after?
- 20. Automated Security Testing SAST SCA DAST/IASTCCA CommercialOpenSource 60+
- 21. Where do these tools live? Source: https://twitter.com/djschleen
- 22. The vicious cycle Tools compound the issue. There is too much security debt Developers “comply”
- 23. “The first rule of any technology used in a business is that automation applied to an efficient operation will magnify the efficiency. Bill Gates The second is that automation applied to an inefficient operation will magnify the inefficiency. ”
- 26. What has to change then?
- 27. Psst, this has happened before … Quality used to face the same challenges that security is facing now.
- 29. Developer Experience, Finally! User ExperienceUsability Developer Experience
- 30. Excellent, let’s do this for security!
- 31. Signals vs Noise Focus on high-impact issues Don’t add to the noise Ensure the issues have high accuracy Security Trivia #213: What is the largest security tool report that has been recorded? 13,000 pages
- 32. Lost in Translation Speak the same language as developers Issues are useless until they are fixed Leverage the right communication channel Security Trivia #937: What is the official CWE title for a SQL Injection? Improper Neutralization of Special Elements used in an SQL Command
- 33. Make it easy Tightly integratedAllow developers to get started in minutes Provide all the needed functionality Security Trivia #23: How many of the 12 leading AST companies - according to the Gartner Magic Quadrant – have clear pricing information on their website? 1
- 34. Automated Security Testing - What is better? Option A Option B
- 35. Ok, cool – Show me!
- 36. How can we get ahead for once? Respect complexity, but provide focus Acknowledge that developers are key Security has to become a commodity
- 37. Questions?
Editor's Notes
- If you are passionate in ditching traditional security and helping companies in Asia getting into the age of DevSecOps then drop me a line. We are always looking for great people. At GuardRails we are working on a very different approach to security, which puts developers first and I’m excited to announce that we have launched last week.
- We gonna briefly discuss how the technology landscape has changed and what the implications are of that. How security is keeping up with the change, or rather how it isn’t. And what mindset shift security as an industry has to adopt to have a sustainable impact. We have a chance to be a part of development for the first time in a meaningful way. Let’s not blow it by adding the same old security toolchain to DevOps.
- Origin of Software and Development, how it is tied to the proliferation of computer systems.
- we are talking early 2000s here.
- This still looks fairly simple, you have git your scm, Jenkins your bukld system, docker as containers, and kubernetes as the orchestration layer. That’s not too bad, is it?
- This is just tools you have to use to get an application from an idea in someones head to code running in production. There are no security tools in that picture.
- Have you looged into AWS/Google cloud platform lately? This is the high level menu overview of the offered services respectively. These pics were taken on Sunday, I bet you if you log in today, there are more services already
- Feels a little bit like this, doesn’t it.
- When googling security complexity to illustrate this problem, I stumbled over this little gem. We understand that it’s already too much to understand modern development workflows and tooling. Understanding the security implications is almost impossible. So what you see on this slide, is a AWS expert sitting down to understand the security areas they have to consider for their AWS account. This gentlemen is by no means a security expert, not even a self proclaimed one. The response he got on hackernews is a real eye opener.
- This is just tools you have to use to get an application from an idea in someones head to code running in production. There are no security tools in that picture.
- It used to be infrastructure, open ports, patch management, Then it was about building security in. And now it’s all about shifting left. We are getting closer to the developers and have more automation and give faster feedback. But I tell you one thing, developers probably liked it better when we only bothered them once at the end of every release, not now when it’s every time they are committing code. But has the quality improved? Or did we just get better at automating the nagging of developers.
- What ever happened to the KISS principle. How many people do you think understand that full end to end flow nowadays? Not specially from a security point of view, but from a general technology and process point of view? And yes besides DevSecOps and the wonderful things that we are trying to achieve and we are trying hard, what is really happening.
- Think Application Performance monitoring for security Understanding how your app is abused and misused helps with prioritization.
- Security Debt is huge Because security wasn’t a part of it and the tooling didn’t make it appealing for the reasons stated earlier. Tools compound the issue, because they just make devs fix the issues they get, without actually taking ownership. They point to the debt and show huge amounts of issues, over and over again. They don’t actually fix any issues, at all. Most of them have been developed For the wrong audience And boy does it show.They are not proactively doing these things, whatever gets put on their desks, they take care of it. Security tools should be made for developers. Yet, most of them are designed for security analysts. And it shows in many areas, such as setup, user experience, and workflow integration.
- This may sound mean, but I think realizing this is an important step in the evolution of our industry. But yeah to continue, with the advance of new technologies and automation the answer was as always more security tools. The most humbling experience was switching from an advisor/consultant to an implementer and being responsible for the Security of a high profile product (large team).
- That’s great, right? But is it really working well? And I don’t even mean as an organization, I mean as in reaching 28 Million developers on github. And even this is quite exclusive to certain organizations around the world. None of this is really available to the majority of the 28M devs on Github. And guess what, you are using the code of that majority in your production env.
- It’s the same audience. It’ hasn’t solved it fully yet, but quality is becoming more and more a first class citizen and the only reason it managed to do that Is because of developer experience.
- Another good example of a quality tool that has done a tremendous job is codecov. It made unit test coverage sexy, and that’s no easy feat :)
- Let’s explore the term developer experience. Usability can be modeled as the question “Can the user accomplish their goal?” whilst user experience can be phrased as “Did the user have as delightful an experience as possible?” Usability is concerned with the “effectiveness, efficiency and satisfaction with which specified users achieve specified goals in particular environments Bring up the apple example, Apple is priding themselves with the high level of usability they have created for their devices. Using the iphone is supposed to be so simple and nice, and effective (your mileage may vary, but let’s just take this as an example, and not start an android vs ios war). User Experience on the other hand starts already in the apple store, when you look a the device that you fancy, when you open the box for the first time (there are thousands of hours of people unboxing their gadgets on youtube) and how much joy it brings you in your daily life. DX describes the experience developers have when they use your product, be it client libraries, SDKs, frameworks, open source code, tools, API, technology or service.
- Ok, I’m excited, I love this stuff. So let’s dive right into it, what are the three things that will help us secure a great Developer Experience.
- Nowadays, there are too many distractions that are fighting for our attention. That’s by design, product designers know how to addict us in the race to dominate the attention economy. Security tools only add to these distractions. They find everything that could be a possible issue. Most of the tools running against your codebase produce thousands of results. Security is already intimidating enough. Let’s not make it worse by flooding developers with lots of security issues. Security tools have to report issues that have a high impact if left unfixed. Less is more. Don’t give them 1000s of user input is printed in command. Maybe focus on only dependencies With a csvss score of 7 or higher. Ignore dev dependencies. Don’t value the devs time, lots of issues, vague descriptions and solutions (sad devs) Value the devs time -> relevant results -> actionable feedback (happy devs)
- Security experts have developed a very specific and unique language over the years. (XSS, CSRF, SAST) But if you haven’t spent a good part of your career in application security, these terms are confusing. Don’t try to sounds important Especially traditional security tools produce hundreds of pages of PDF reports. Have you ever been on the receiving end of one of those reports? Or even worse, the one responsible for fixing those issues? Imagine looking at hundreds of security issues with lots of cryptic details. Details about how attackers can abuse your app full of references that don’t make sense. But the key sections on how to fix the issues are thin. There is rarely any actionable, framework-specific content — if there is anything at all. Let us use plain, easy language and give useful instructions on how to fix issues.
- Get started in minutes. Doesn’t matter if they are curious and want to try it out. Or if they want to deploy it for dozens of their apps. That means no scheduling of demos with sales reps. That means clear pricing on the website. If spacex can do it, so can you. (This includes clear pricing ) Typical Security Tools are clearly targeting enterprise sales, typically as part of the CISO organisation. If developers can’t easily take security software for a spin, then that’s a red flag already. No developer is going to click on that book a demo button. Workflow integration (understand your audience) Out of workflow (IDE plugins are not enforceable and manageable, plus too many IDEs out there) I don’t just mean make it part of the CI/CD pipelines, I’m not talking about IDE plugins. I’m talking about right there where the review happens in the PR comments. If you are doing it right, then no developer is ever going to look at your dashboards. All in one, Don’t make them look For tool a for this, tool b for that If it’s already hard to wrap your head around SASt, dAST iast, rasp, ngwaf, secret management and all of these things. Then nobody is going to have time for that.
- Ok, so we recognize that developers are key Therefore as the main audience for application/devops security tools should be developers, ensuring a great Developer Experience is and absolute must. These security tools must be designed for DX from day 1. Developer experience requires security to be a first class citizen that ideally is not differentiable from the other work tasks. There will always be complexity, our job is to provide focus. Also, most of the development is not happening in enterprises, security has to become a commodity, otherwise it’s going to be a battle that we can’t ever win. The goal should be that a bootstrapped startup, can and wants to use security tools from the beginning. If we can get closer to solving this, then we will be able to get developers to drive security themselves and ensure that the digital economy becomes a safer place for everyone.