© 2019 Synopsys, Inc.1
Building a Culture of Secure Programming
in Your Organization
Amanvir Sangha
Synopsys Software Integrity Group—2019
Introduction
Software security engineer consultant, Synopsys
• Static analysis, code review
• Training
• Penetration testing
Experience:
Software Security Engineer (FinTech)
• Bug bounty/vulnerability disclosure programs
• Building AppSec from the ground up
Software Engineer (FinTech)
• Building life insurance software
• Focus on quality and high assurance: TDD, BDD
Startup (Security)
• Building a SaaS platform for vulnerability scanning
amanvir@synopsys.com
@_amanvir
Agenda
• Why culture?
• Modern software engineering
- Challenges in modern software engineering
- Dealing with constant change
• Solutions to new challenges
• Allowing security to be an enabler
- Maintaining velocity
• Nurturing a culture of proactive security
- Automation
- Tooling
- Environment
Why focus on culture?
Culture “can account for 20-30% of the differential in corporate performance when compared with ‘culturally unremarkable’ competitors.” [1]
[1] https://hbr.org/2013/05/six-components-of-culture
Technologies change, but people stay the same.
Rise of polyglot environments
polyglot /ˈpɒlɪɡlɒt/ adjective: knowing or using several languages.
“If a company chooses to write its software
in a comparatively esoteric language,
they'll be able to hire better programmers, because
they'll attract only those who cared enough to learn it.”
—Paul Graham, The Python Paradox, 2004
Why polyglot?
• Polyglot developers allow companies to build software faster
• It’s a competitive advantage: if you don’t do it, you don’t survive
• But it brings new challenges:
– How do we deal with this complexity?
– How do we keep up?
Polyglot environments
In the past:
• Monolithic applications
• Typically one or two stacks
• Waterfall methodology
• Infrequent deployments
• Security can “keep up”
Now:
• Microservices!
• Deploying to the cloud
• Several stacks
• Agile/DevOps: daily, if not hourly, deployment; constant code changes
• How does security keep up?
Observation: teams in 2019
Operations
• DevOps: AWS, Kubernetes, Terraform, Ansible
• Everything written as code
Quality
• Automated: TDD, BDD, automated testing in CI/CD pipelines
• Everything written as code
Development
• Multiple languages, multiple platforms, multiple architectures
• Everything written as code
Security
• Tools and process oriented
• Not moving as fast
• Working in a silo
Polyglot environments = new challenges
• Environments are now much more complex
• Faster rate of change
Key questions
• Does your security team understand the technologies the development teams are using?
• Are they familiar with the languages used? Can they code in them?
• Are they moving at the same pace as the development teams?
Security vs. developers' skill sets
Security
• Activities: Architecture Risk Analysis, Threat Modeling, Penetration Testing, Static Security Analysis
• Tools: Burp Suite, nmap, Metasploit
• Coding: maybe can write scripts
Developers
• Activities: Test-Driven Development, Behaviour-Driven Development, User Experience, User Interface
• Tools: code editors, compilers, browsers
• Coding: write code daily, can build production applications and deploy them
Internal security vs. developer pressures
Security: Risk Reduction
• Are there security bugs?
• Is it resilient?
• Security static analysis coverage
• Remediating code
Developers: Feature Velocity
• Are there functional bugs?
• Is it scalable?
• Code release deadlines
• Unit testing coverage
• Refactoring code
Align parallel pressures
Security: Risk Reduction
• Are there security bugs?
• Is it resilient?
• Security static analysis coverage
• Remediating code
Developers: Feature Velocity
• Are there functional bugs?
• Is it scalable?
• Code release deadlines
• Unit testing coverage
• Refactoring code
Culture bridges the two sides:
• Culture: Communication (security bugs ↔ functional bugs)
• Culture: Security Training (resilient ↔ scalable)
• Culture: Security Testing (static analysis coverage ↔ unit testing coverage)
• Culture: Pair Programming, User Stories (remediating code ↔ refactoring code)
• Culture: Automation (security tooling ↔ release deadlines)
So what does a Good Culture™ look like?
• Open communication, interacting with the development teams
– Security champions
• Security training
– CTFs, conferences
• Testing
– Continuous testing, via automation, tools and CI/CD pipelines
– Manual review, for the high-priority issues
• Automation
– Code analysis, pipelines, chatops
• General culture
– Pair programming, sharing knowledge, security-centric user stories, transparency
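The “continuous testing via pipelines, manual review for the high-priority issues” split above only works if the pipeline gate is selective: block the build on new high-severity findings, hand the rest to the team's security champion for triage, and stop re-reporting findings the team has already accepted. The following is an added example, not code from the talk or from any Synopsys product. The finding schema, the sample report and the baseline are constructed; a real scanner's output (SARIF, for instance) would be mapped onto the same rule/file/snippet fields.

```python
"""Pipeline security gate that blocks only on *new* high-severity findings.

Added example, not code from the talk. The finding schema, the sample
report and the baseline below are constructed for illustration.
"""
import hashlib
import json

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFO": 0}

# Constructed scanner output: two findings the team already knows about and
# one that a developer introduced in this change.
SAMPLE_REPORT = json.dumps({"findings": [
    {"rule": "sql-injection", "severity": "HIGH", "file": "app/orders.py",
     "line": 88, "snippet": 'cur.execute("SELECT * FROM orders WHERE id=" + oid)'},
    {"rule": "weak-hash", "severity": "MEDIUM", "file": "app/legacy.py",
     "line": 12, "snippet": "digest = hashlib.md5(password).hexdigest()"},
    {"rule": "hardcoded-secret", "severity": "CRITICAL", "file": "app/config.py",
     "line": 3, "snippet": 'API_KEY = "live_key_do_not_commit"'},
]})


def load_findings(report_json: str) -> list:
    return json.loads(report_json)["findings"]


def fingerprint(finding: dict) -> str:
    """Stable identity for a finding: rule + file + whitespace-free snippet.

    The line number is deliberately left out, so a known finding that moves
    because code above it changed is still recognised as the same finding
    instead of being re-reported as new and blocking the build again.
    """
    snippet = "".join(finding["snippet"].split())
    raw = f"{finding['rule']}|{finding['file']}|{snippet}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]


def baseline_from(findings: list) -> set:
    """Fingerprints of triaged/accepted findings, normally committed to the repo."""
    return {fingerprint(f) for f in findings}


# Constructed baseline: the first two findings were triaged in an earlier sprint.
SAMPLE_BASELINE = baseline_from(load_findings(SAMPLE_REPORT)[:2])


def triage(findings: list, baseline: set, block_at: str = "HIGH"):
    """Split findings into (blocking, needs_review, known).

    blocking      new findings at or above block_at: fail the build
    needs_review  new lower-severity findings: ticket for the security champion
    known         already in the baseline: do not nag developers about them
    """
    threshold = SEVERITY_RANK[block_at.upper()]
    blocking, needs_review, known = [], [], []
    for f in findings:
        if fingerprint(f) in baseline:
            known.append(f)
        elif SEVERITY_RANK.get(f["severity"].upper(), 0) >= threshold:
            blocking.append(f)
        else:
            needs_review.append(f)
    return blocking, needs_review, known


def gate(report_json: str, baseline: set, block_at: str = "HIGH") -> int:
    """Exit code for the pipeline step: 1 when a new blocking finding exists."""
    blocking, needs_review, known = triage(load_findings(report_json), baseline, block_at)
    for f in blocking:
        print(f"BLOCK  {f['severity']:8} {f['rule']} {f['file']}:{f['line']}")
    for f in needs_review:
        print(f"REVIEW {f['severity']:8} {f['rule']} {f['file']}:{f['line']}")
    print(f"{len(known)} known finding(s) suppressed by baseline")
    return 1 if blocking else 0


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_REPORT, SAMPLE_BASELINE))
```

Run as a pipeline step, a non-zero exit fails the build only for the new CRITICAL finding; the known SQL injection and MD5 usage stay visible to the champion but do not block feature velocity, which is what keeps developers from routing around the gate.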
Automation increases velocity and decreases bureaucracy, allowing companies to move faster.
Individuals and interactions over processes and tools
• Assumption: We will do a penetration test and find issues with the application
• Reality: How do we deal with the results? Are the developers aware of how to fix these findings? How do we prevent these mistakes from happening again in the future? Are we seeing the same vulnerabilities again year over year?
“Make it easy to do the right thing”: use automation, and make your stack secure by default.
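“Secure by default” in code means the helper developers reach for already carries the safe settings, and the security requirement is written down as a test the way a functional user story would be. The following is an added example, not code from the talk; the helper name, the story's requirements and the sample values are constructed for illustration. It uses a session cookie because that is a setting teams get wrong year over year.

```python
"""Secure-by-default session cookie, plus the security user story as a test.

Added example, not code from the talk. The helper name, the story's
requirements and the sample values are constructed for illustration.
"""
import re

# RFC 6265 cookie-value characters: printable ASCII except space, DQUOTE,
# comma, semicolon and backslash. Anything else could smuggle in attributes
# or a second header line.
_VALUE_RE = re.compile(r"^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$")
# RFC 7230 token characters, for the cookie name.
_NAME_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def session_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Return a Set-Cookie header value with the safe attributes already set.

    Developers only choose the name, value and lifetime; they cannot forget
    Secure or HttpOnly because there is no parameter for turning them off.
    The __Host- prefix makes browsers reject the cookie unless it is Secure,
    has Path=/ and no Domain, so a sibling sub-domain cannot shadow it.
    """
    if not _NAME_RE.match(name):
        raise ValueError("invalid cookie name")
    if not _VALUE_RE.match(value):
        raise ValueError("cookie value would allow attribute/header injection")
    if max_age <= 0:
        raise ValueError("max_age must be positive")
    return (f"__Host-{name}={value}; Max-Age={max_age}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")


def parse_set_cookie(header_value: str) -> dict:
    """Parse 'name=value; Attr; Attr=val' into {'name', 'value', 'attrs'}."""
    first, *rest = [p.strip() for p in header_value.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if not part:
            continue
        k, _, v = part.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def story_violations(header_value: str) -> list:
    """Security user story: 'As a user, my session cannot be stolen over plain
    HTTP, read by page scripts, or replayed by a cross-site form.'

    Returns the requirements the cookie fails; an empty list means the story
    is satisfied. A security champion would wire this into the test suite so
    a regression fails CI like any other broken story.
    """
    cookie = parse_set_cookie(header_value)
    attrs = cookie["attrs"]
    problems = []
    if not cookie["name"].startswith("__Host-"):
        problems.append("missing __Host- prefix")
    if "secure" not in attrs:
        problems.append("missing Secure")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        problems.append("SameSite must be Lax or Strict")
    if attrs.get("path") != "/":
        problems.append("Path must be /")
    if "domain" in attrs:
        problems.append("Domain must not be set")
    return problems
```

The value check is the part teams usually skip: without it, a value derived from user input such as `abc; SameSite=None` quietly rewrites the attributes the helper was supposed to guarantee.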
If you’re not speaking the language
of development,
and you’re not using tools and processes
that align with the developers’ world,
you’re not doing software security.
—Nick Murison, Head of Software Security Services, Nordics, Synopsys
Security champions
• Primarily located in areas outside the SSG (software security group), e.g. technology/development teams
• Do not directly report to the SSG but are key players in evangelizing security activities and culture
• Primary responsibilities:
– Assist in triage for the engineering team they belong to
– Involved in security decisions with their engineering team
– Developing code and writing tests relevant to security
– Involved in automation in pipelines
Communication and engagement
• Early involvement in the SDLC leads to lower costs and fewer security bugs
– But! Communication and engagement are necessary for this.
Key questions:
– Are you aware of new products being built in your organization?
– Are you aware of new features that are being implemented?
– Are you involved when user stories are written?
– Are you involved at the design stage for architecture?
• How do we communicate and engage?
– Security champions!
Find your security champions
Security ∩ Developers. Sweet spot: the developers who can do application security, e.g. pair program with teams, implement security user stories.
Nurture your security champions
• Sparking curiosity in security
– If you are not involving your development teams in security, you will not be able to do this
• Stay involved with them
– Via Slack or messaging applications
– Weekly meetings
• Case study: Dropbox “Trustober”
– 30 events centred around security and training
– CTFs for developers
– Training for staff in security
– Poll, “Should we do another CTF next year?”: 100% yes
https://blogs.dropbox.com/tech/2018/06/security-culture-the-dropbox-way/
Nurture your culture
• Security is everyone’s responsibility; collaboration is key
– Get every team involved: Operations, Network, Quality, Business and Development
• Get involved early
• Proactive, not reactive
• Don’t work in a silo; share what you work on
• Internal evangelism via security champions
• Be empathetic when working on security issues with development teams
– This is especially true when remediating issues or disclosing vulnerabilities
Synopsys Software Security and Quality Portfolio
Strategy & Planning
• Maturity Action Plan (MAP)
• Building Security In Maturity Model (BSIMM)
Managed Services
• Dynamic Application Security Testing
• Static Application Security Testing
• Penetration Testing
• Mobile Application Security Testing
Professional Services
• Industry Solutions
• Architecture and Design
• Security Training
• DevSecOps Integration
• Cloud Security
Integrated Tools
• Seeker & Defensics: Dynamic Analysis
• Coverity: Static Analysis
• Black Duck: Software Composition Analysis
Build Secure, High-Quality Software Faster
Thank You