SOFTWARE DEVELOPERS AS
BLUE TEAM
OMAR QUIMBAYA
TECHNOLOGY EVANGELIST @ DEF-LOGIX
HTTP://WWW.DEF-LOGIX.COM
FOR CODEUP, AUGUST 4, 2016
INTRODUCTION
• Tech Evangelist at Def-Logix
• Founder and organizer of the CyberDEF Dojo
• Former instructor at Codeup
• Community and Events manager at Geekdom
• Director of Social Media and Marketing at ParLevel
• Geekdom member since March 2013
ABOUT THIS TALK
• Inspired by Aaron Poffenberger of Giant Grey
• Spoke about this topic at SA BSides 2016 and Austin BSides 2016
• https://github.com/akpoff
• http://akpoff.com/
• What is Red Team and Blue Team?
• What are black, white, and grey hats?
• Developers as blue team
• What do I do about it?
RED TEAM
• Offense
• Emulate real-world adversaries
• What would the bad guys do with this?
• Goal is to break stuff
• Administrative, physical, and logical controls
BLUE TEAM
• Defense
• Design and implement secure infrastructure
• Let’s see the bad guys get through this!
• Goal is to protect assets
• Administrative, physical, and logical controls
PURPLE TEAM
• Communication layer between the two teams
THE HATS
• White Hat
• Ethical hackers
• Black Hat
• Malicious hackers
• Grey Hat
• A little bit of column A, a little bit of column B…
YOU ARE SOFTWARE DEVELOPERS
BUT WHO ARE YOU REALLY?
WELCOME TO THE BLUE TEAM
• First line of defense
• Ask for, work with, transmit, and display data from users and organizations
• Convenience vs security
• Who watches the watchers?
• Quality Assurance
• Code review
• Best practices
• Technical Writers
LIMITATIONS
• Customer requirements
• Features vs time
• Ease of use vs capability (power)
• Developer capability vs time for research
• Where does security fit in?
SECURITY IS JUST ANOTHER FEATURE VYING FOR DEVELOPER TIME.
- Aaron Poffenberger, 2016
WHAT DOES THAT EVEN MEAN?
• Poffenberger states that security is not an essential part of the current software development process
• If there were no bad actors, security would not be necessary
• Quality and robustness are things developers must think about
• Security can be seen as a necessary component of quality and robustness
• No single technological definition of “secure”
• Windows XP and Windows 10, as examples
• More security features do not mean that the software is more secure
CURRENT CHALLENGES
• Little to no risk assessment
• No threat modeling
• No security training
• No operating systems training
• Software development training? Yeah, that’s what you’re doing right now.
WHAT TO DO ABOUT THIS?
• Where are security developers? Emulate them.
• Open Source
• OpenBSD, HardenedBSD, SELinux, RedHat/CentOS
• Web-centric businesses
• Amazon, Facebook, Google, Paypal, Twitter, Microsoft, Cisco, Oracle
• Quality Assurance
• Testing usually done in isolation
• Ensure correct database permissions
• Ensure secure communication
• Quality Assurance (cont.)
• Utilize HTTPS
• Application user roles and permissions
• Input validation
• Catastrophic failure testing
• Find the conditions
• Encryption
• Logging
• Get communication going between infrastructure engineers and software developers
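As an added example (not from the talk, and not Def-Logix code), here is a small request handler written so the QA items on this slide can be exercised as tests: application user roles and permissions, input validation, a catastrophic-failure condition (database unavailable) handled fail-closed, and logging of every decision. All names (Role, User, Request, FakeDB, handle_update_email) and the in-memory database are assumptions constructed for the example.

```python
import logging
import re
from dataclasses import dataclass
from enum import Enum
from typing import Tuple

log = logging.getLogger("blue-team-qa-demo")


class Role(Enum):
    VIEWER = "viewer"
    EDITOR = "editor"
    ADMIN = "admin"


@dataclass
class User:
    name: str
    role: Role


@dataclass
class Request:
    user: User
    target: str            # account whose e-mail address is being changed
    new_email: str
    secure_transport: bool = True   # what the framework reports (e.g. TLS terminated)


class DatabaseDown(Exception):
    """Constructed failure condition for the catastrophic-failure test."""


class FakeDB:
    """Constructed in-memory stand-in for the application database."""

    def __init__(self, fail: bool = False):
        self.fail = fail
        self.rows = {"alice": "alice@example.test", "bob": "bob@example.test"}

    def set_email(self, name: str, email: str) -> None:
        if self.fail:
            raise DatabaseDown("connection refused")
        if name not in self.rows:
            raise KeyError(name)
        self.rows[name] = email


# Deliberately strict allow-list: bounded lengths, one '@', a dotted domain.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,255}\.[A-Za-z]{2,}$")


def validate_email(value) -> bool:
    return isinstance(value, str) and len(value) <= 254 and EMAIL_RE.fullmatch(value) is not None


def authorize(user: User, target: str) -> bool:
    # Editors may change only their own address; admins may change anyone's;
    # viewers may change nothing. Deny by default.
    if user.role is Role.ADMIN:
        return True
    return user.role is Role.EDITOR and user.name == target


def handle_update_email(req: Request, db: FakeDB) -> Tuple[int, str]:
    """Return an (HTTP-style status, message) pair; never leak internals to the caller."""
    if not req.secure_transport:
        log.warning("plaintext request refused user=%s", req.user.name)
        return 403, "plaintext transport refused"
    if not validate_email(req.new_email):
        log.info("rejected malformed e-mail from user=%s", req.user.name)
        return 400, "invalid e-mail"
    # Authorization runs before any lookup, so an unauthorized caller learns nothing
    # about whether the target account exists.
    if not authorize(req.user, req.target):
        log.warning("authz denied user=%s role=%s target=%s", req.user.name, req.user.role.value, req.target)
        return 403, "forbidden"
    try:
        db.set_email(req.target, req.new_email)
    except DatabaseDown:
        # Fail closed: log the outage, return a generic error, no stack trace to the client.
        log.error("database unavailable during update user=%s target=%s", req.user.name, req.target)
        return 503, "temporarily unavailable"
    except KeyError:
        return 404, "no such user"
    log.info("email updated user=%s target=%s", req.user.name, req.target)
    return 200, "ok"
```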
WHERE DO I LEARN MORE?
• Understand
• CIA: confidentiality, integrity, and availability
• Security as a process
• Your OS and its services
• Secure coding principles (OWASP)
• Links
• https://www.sans.org/critical-security-controls/
• https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet
• http://cwe.mitre.org/top25/
• https://www.exploit-db.com/
Omar Quimbaya
Technology Evangelist at Def-Logix
oquimbaya@def-logix.com
http://www.def-logix.com
Twitter: @writtenbyapanda
CyberDEF Dojo: https://www.meetup.com/cyberdefdojo