
So thank you to everyone attending the talk. This was originally going to be a Beer Farmers talk, but they all had jobs or something, so unfortunately couldn't make it, so I'll be standing in instead of them. Just a quick bit about myself: I do stuff at a company, security stuff, co-leader of our Scotland chapter, we have Beer Farmers members, so in a way you are listening to a Beer Farmers talk, just not the one that we were planning. I'm really active on Twitter and I just do security stuff.

So the purpose of this talk is to go over security enablement. I'm not aware of anything else being called this, but I came up with the idea of security enablement after being, look, frustrated like that guy: finding that going off to teams asking them to fix the same things over and over, getting a bit of friction, asking for bugs to be fixed, not getting security reviews done and so on and so forth. And it became apparent to me that we have to change things. Constantly trying to do that the [inaudible] way, it's just not working, so I tried a more encouraging, positive way of doing it.

So the concept itself, security enablement, I kind of derived from the Spotify squad model. Anyone here familiar with Spotify squads? Okay, so squads are a DevOps concept where teams are broken up into isolated teams that are self-functioning, so they do everything from development of systems to testing, deployments, troubleshooting. So you no longer have separate teams for development and testing; it's one team responsible for a service. The idea behind that is they own that system, so they can hopefully get things out quicker. This obviously means you get some degree of isolation. You might have different systems that share common components, so you kind of form squads that join up and form things termed as tribes and guilds, and they kind of work together to perform a single task. Spotify have a really good resource on this, so if you're interested I recommend going and reading up on that. But the big thing around squads is having the cross-team collaboration to achieve the goal. So my idea is to take that sort of concept and apply the security aspect to it.

Well, going down this road, I think it's important that we have a look at ourselves and see how we are perceived by others, because perception often indicates how teams are going to interact with you, how they're going to react to what you say to them. And when taking a step back and seeing what other teams think of us, well, some of that's online. So these are just pictures I found online of security engineers. So I'm a security engineer; my partner does think I sit on my backside all day staring at the monitor doing nothing, and yes, I actually normally do shots at the computer. But as I said, it's important to see what teams think of you, and if you take a step back and see what we actually do, especially what I used to do in my team, a lot of it was telling people what to do, what not to do, as well as being seen as a roadblock: "No, you can't release this because it hasn't had a security scan; have you done this, have you done that?" So it's a hindrance to them delivering what they're actually trying to get out into production.

So taking a step back, I think it's time that we change from the perception of the policing, the ones that are constantly watching other teams trying to find faults with them, trying to prevent them from doing things, basically at times preventing them from doing their jobs, and turn it into a concept where we teach teams. Let's teach them how to do things, let's teach them how to do the basic things so we don't have to keep up with doing the constant trivial things. Let's get better interaction with the teams, so then when things do go wrong they can hopefully come to us and not be afraid.

And this is really important, because if you take a step back and see where development, the SDLC, or in fact most processes in companies were, it was very monolithic. I like to think of this as an analogy to development: back in the day when you did a feature release, you had lots of changes all grouped together and put out in one big change, quarterly release, annual release, bi-monthly release. And that was great; that was a lot easier from a security point of view. You knew when the release was happening, sure it would take a while to do the security test and review, but you could plan for it, you could allocate resources to it, you knew what was coming. Whereas if you look at today's releases, they come in all shapes and sizes and it's now just a constant flow. There's no notion of "hey, we're going to do a quarterly release". Most companies, especially the newer ones that are following modern development methodologies, are following CI/CD. So for those who don't know, CI/CD is continuous integration, continuous delivery: basically develop, test, passes the test, push into production, and that means you end up with releases happening on a continual basis, sometimes maybe even a daily basis. So that means you can no longer plan and allocate resources, because it's something that's just continuously happening. So that's definitely not going to scale well, because as we all know security teams don't scale up as a business grows, and we already are under-resourced as is. So this is where this whole concept comes from.

And before going down this path, the very first thing you need to do is make sure you get buy-in from management. This is going to help make sure that you get the support that you need from the top level, and that you're going to get the perception that this is something really important. Think about it: if the CEO is talking about security it must be really important, versus some engineering manager down at the lower rung. Not to say that what they say is not important, but just the perception coming from further up the chain is better. And also, if you're going to start implementing features, asking for budgets and so on and so forth, you're going to have a much better time if you get the buy-in from those who actually make those kinds of decisions. And while doing this, make sure you're on the same page: make sure management understands what you're trying to achieve and why you're trying to achieve it, and at the same time that you work with management to understand that you're going to help support the business, because the last thing management wants is some sort of feature or process that's going to hinder business and negatively impact the business.

So once you've got buy-in from management, then you can kind of start on the path, and the very first thing I'd say is awareness. Sorry. So for me awareness is really something important. When I did my university degree, I sort of, as a developer, after four years of university, not once did I hear SQL injection, cross-site scripting, any other common vulnerabilities. I went straight into a job. Now, is it fair to assume that I should have been able to code and prevent cross-site scripting or SQL injection? How could I prevent it if I don't even know about it? So we have to create awareness around these issues. It's not saying that then people will fix them, but at least they know it exists; they have to be aware of it, and hopefully by making them aware of it... And this is where I always prefer using real-world examples. So for example cross-site scripting: don't just show an alert box, show them something like BeEF, cross-site scripting, inject the BeEF hook, user's browser compromised. That sort of thing brings the awareness to the user that cross-site scripting is actually something that's really dangerous and you need to be aware of it; an alert box, nothing really. And taking that a step further and saying here's some real-world examples where it's actually resulted in an issue or compromise for a company just further drives that message home.

And then there's some common tools that you can use to help. So the OWASP Top 10, I think everyone, or almost everyone in the room, will know what that is. It's used in many tools and reports and it's something that's updated quite regularly, I think every few years, and to me that's a really useful tool because it keeps up to date with the current common vulnerabilities that you can find out there. So again, emphasising these are the issues you need to watch out for to those developing systems, testing systems, deploying new systems. SANS 25 has something similar, and then CWE is going a little bit lower, but it helps you classify different vulnerabilities based on their types.

So another really useful tool for awareness is CTFs. It adds some sort of fun gamification to awareness and also helps your security team. So I'm horrible at CTFs, I won't lie, but I did my first one last year, and I've always been a bit too afraid of doing them because I suspected I was horrible at them, and I confirmed that. But what it does, the one thing they taught me, is you get so fixated in your own little bubble that you work in day in, day out; doing CTFs makes you aware of a lot wider issues to look out for. So I'm pretty much focused on web apps, I don't do anything malware and network security, and that CTF changed that. So it's just making you aware of the different scopes, and getting other people involved in that is just going to help from that aspect. And then also having internal CTFs. So again, from an awareness point of view, having some competition, and I think most people would agree development teams, QA teams, basically I feel like people are competitive when you get in a team environment, so putting a dev team against the QA team for some fun, maybe an informal CTF competition, is a great way to raise awareness and have some fun while doing it.

Brown bags are another great one that can literally cost nothing to set up: a few PowerPoint slides presented over some lunchtime session, especially if you've got some desktop sharing, there are WebEx-type tools out there, and it's a great way of sharing information with your teams. While talking about training, the important thing is don't make it mandatory. I find that as soon as you make it mandatory it becomes a checkbox exercise, and you've got to remember teams have their priorities, they're under pressure to deliver, so what they're going to do is "I've got to finish this, I'll leave it to the last minute, I've got to finish it by this date", click-click, click-click, click-click, they've not absorbed anything and you've actually solved nothing. Rather, make it easy for them to access it when they want to and make it relevant. Why should a web developer take some mandatory training around, say for instance, [inaudible], if they're just developing web applications? Is that going to help them? So make it relevant, and also make it self-referential so they can come back to it: "How do you prevent cross-site scripting? Okay, well, I'll just go to this page and look it up." And make it simple to digest. So I'm a really big fan of tables, so for example security headers: have a table, here are your mandatory security headers which you should always have, these are the defaults, and then if they want more information, links that they can drill down into and get further information. And the dev can see straight away: go to the page, okay, there's these tables, copy them, put them in, it's taken me five minutes, versus trawling through reams of documentation.

So as I mentioned before, security teams are often facing challenges with resourcing, so one way to combat that is with security champions. Security champions will be people that you should have volunteer. The last thing you want to do is try and force this on someone, because they'll likely be resistant to it. Get people to volunteer for this because (a) they'll be interested in security, otherwise why are they volunteering, and (b) they'll actually want to make a change, so that's really important. And they're going to help because they're going to act as the middleman between the security team and the development teams and QA teams and the deployment teams. So take for example a team working on some company portal and a security team: there's going to be a disconnect there. The security team is going to be focused purely on security-related concepts; that development team is going to be focused on the web app side of things. There may be new technologies that the security team's not even aware of, or there may be issues that the dev team is not even aware of. Having that middleman, they'll kind of bridge that gap a bit, and also be more aware of what kind of priorities lie in that development team's pipeline, what needs to come, what new features are being developed, and that can help plan, as well as say "hey, this should get a security review" or a pentest or whatever. So you get better visibility into what the teams are doing as well.

And as I said, security teams are under-resourced, so it helps reduce the burden: these security champions can take on some of the more trivial security things. So if you have a scanner, maybe they can take ownership of scanning, which means that now that dev team can scan their web app when they want to, and it reduces the burden on your team having to do that. And as I said, it will help identify issues, you know, the whole shift left: having that resource means that they could potentially help identify issues sooner. And one way to try to get people actively encouraged is some of the points on here. So it's going to look good on their CV: security's not going away, security's only growing, so anything that you can include in a CV based on security is a plus. They can attend conferences, maybe, depending on the company and budgets. And they're going to possibly find things sooner, so from that team's point of view it means fewer issues to fix, less possible blockage for releases, so it's a win-win for both teams.

So on top of security champions you have the tools. Now, tools are going to be really important. As I mentioned before, things are happening a lot faster, and one way to deal with that is to reduce the burden on yourselves, the manual work that you have to do, especially for the more trivial things. So static analysis tools that will scan the source code: there are many options out there, I'm not going to mention names but feel free to ask me afterwards or look online. Those are going to look at the actual source code itself and find common vulnerabilities in the source code, so that could be things like hard-coded passwords, weak encryption algorithms, or even finding issues in the kind of logic of the source code at some points; so for example a method or function that takes in a parameter and it's not escaping the request parameters. The next one, there's dynamic analysis tools; think of these as automated pentesting tools, in a sense. So these are going to be typically your web app scanners that are going to attempt to do common probes against your system, so testing for things like, for example, cross-site scripting, SQL injection, finding information about the web app, so what cipher suites the web app supports and if any of those are weak. Again, things like this will take you hours to do; these tools, well, let's say it'll take you minutes, some of them will take hours but some of them will just take minutes.

The next one is a really big one in my opinion, and we're starting to see a rise of this: libraries and dependency management, especially around injecting potentially malicious code into those libraries. It has happened, and the way I look at it, if I'm an attacker, why should I go through the hard work of trying to break through the front door or the back door when I can walk in by the front door with a library? As well as that, libraries are horrendous in terms of maintaining. I've done it, dependency hell: this library depends on this library that depends on that library, they didn't update the library, the library has a vulnerability, it doesn't get updated. So from a managing point of view you need to know what risk you have when you have libraries. So there are tools out there that do a great job. OWASP Dependency-Track is probably the only tool I'm going to mention, because it's free, it does a fantastic job, it will tell you what libraries you are using and which of those actually have known vulnerabilities, and if you don't believe me, ask Equifax how this impacted them.

Kind of related to the next one, asset and vulnerability scanning. Again, asset management is something that I don't think a single company does really well. Time and time again we've seen open MongoDBs, open Elasticsearch databases, and that's because you have poor asset management, poor scanning around those assets and detecting them, as well as the vulnerabilities; so vulnerabilities in terms of OS-level packages, software, that kind of thing. So quickly going over tools: when you select a tool, ask around, ask the community. You don't have to do double the work if someone's already gone through the process of trying to vet tools; get the input from them and also find out the issues that they found with some tool that you're looking at that might not work for you, or whatever. And also a big one, open source. Now don't get me wrong, I'm a big fan of open source, but there's often a misconception that open source is always free. Yes, the product might be free, but you might invest a significant portion of resources in trying to maintain it and keep it up to date. Like for example Apache, the [inaudible] for Apache, alright it's gorgeous, but trying to maintain that yourself is difficult; you're going to have a lot of time and resources in maintaining that, much more than security. There are companies out there where you can pay a monthly fee and get their product and they maintain it for you. Whether that will be beneficial for you I don't know, but that's one thing that you need to consider.

And as we grow more and more in terms of delivering faster and faster, automation is going to be key. The number of systems that we have is exploding, and now with things like elastic systems where VMs spin up and spin down, trying to keep track of that from a manual process is not going to work. So you're going to need some more automation for that, and where you can, embed it in the SDLC process. CI/CD kind of enforces this on us, so it's going to be a click of a button, or when I click the button how do I make sure what's going out is going to be secure? I can't expect every time I click the button someone to validate that; you need something in place to do that. And in my opinion this is the biggest one for security: automate, at least the more trivial things, as much as possible.

Quick one, security issues: make sure you have a process for triaging security issues as well as prioritising them. Some companies I've seen have no process, and by this I mean you need to separate your typical bugs from your actual, sorry, from your security bugs. They can use the same tool, but make sure you have a process of being able to identify the risk that each security bug poses and be able to triage that. It's also going to help in terms of tracking which teams might need help. So "hey, this team has created 10 blocker bugs in the last month, whereas no other team has"; well, that team's obviously a problem, not to point fingers, but to identify whether that team needs extra training, guidance, is there something else missing.
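As an added example (not the speaker's code, and not OWASP Dependency-Track's), here is the kind of check the libraries-and-dependencies point above is about: read a pinned lockfile, match each component against advisories that give a vulnerable version range, and report what to upgrade to, most severe first. The lockfile, the SAMPLE-* advisory identifiers, the ranges and the severities are all constructed sample data; a real pipeline would pull the advisory list from a vulnerability database rather than a hard-coded list.

```python
"""
Added example, not from the talk: a minimal "which of my libraries have known
vulnerabilities" check. Lockfile, advisory IDs, version ranges and severities
below are constructed sample data, not real advisories.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample lockfile: one pinned "name==version" per line.
SAMPLE_LOCKFILE = """
# constructed sample, not a real project
requests==2.19.1
urllib3==1.24.1
jinja2==2.10
cryptography==3.3.2
"""

# Constructed sample advisories. A component is affected when
# introduced <= version < fixed (the usual "fixed in" convention).
SAMPLE_ADVISORIES = [
    {"id": "SAMPLE-0001", "package": "urllib3", "introduced": "1.0",
     "fixed": "1.24.2", "severity": "high"},
    {"id": "SAMPLE-0002", "package": "jinja2", "introduced": "0.0",
     "fixed": "2.10.1", "severity": "medium"},
    # Installed 2.19.1 is older than the introduced version: not affected.
    {"id": "SAMPLE-0003", "package": "requests", "introduced": "2.20.0",
     "fixed": "2.20.1", "severity": "low"},
    # Installed 3.3.2 is already past the fix: not affected.
    {"id": "SAMPLE-0004", "package": "cryptography", "introduced": "0.0",
     "fixed": "3.3.0", "severity": "critical"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.10.1rc1' into (2, 10, 1); trailing non-numeric text is ignored."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """Numeric comparison padded to equal length, so 2.10 == 2.10.0 < 2.10.1."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    return va + (0,) * (width - len(va)) < vb + (0,) * (width - len(vb))


def parse_lockfile(text: str) -> Dict[str, str]:
    """Read pinned 'name==version' lines; comments and blank lines are skipped."""
    components: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line}")
        components[name.strip().lower()] = version.strip()
    return components


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed."""
    return not version_lt(version, introduced) and version_lt(version, fixed)


def find_vulnerable(components: Dict[str, str], advisories: List[dict]) -> List[dict]:
    """One finding per matching advisory, ordered most severe first."""
    findings = []
    for adv in advisories:
        version = components.get(adv["package"].lower())
        if version is None:
            continue
        if is_affected(version, adv["introduced"], adv["fixed"]):
            findings.append({
                "package": adv["package"],
                "installed": version,
                "advisory": adv["id"],
                "severity": adv["severity"],
                "upgrade_to": adv["fixed"],
            })
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])


if __name__ == "__main__":
    for f in find_vulnerable(parse_lockfile(SAMPLE_LOCKFILE), SAMPLE_ADVISORIES):
        print(f"{f['severity']:<8} {f['package']}=={f['installed']} "
              f"({f['advisory']}) -> upgrade to {f['upgrade_to']}")
```

The padded numeric comparison matters: a plain string compare would rank 1.9.0 above 1.10.0 and miss or invent findings, which is exactly the sort of trivial mistake a tool should take off the team's plate.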
So it kind of touches on the choice of tools: look to your peers. I encourage using things like Twitter. I started Twitter about two years ago, and in that time I've learned a huge amount more than I've learnt in probably all my years in security outside of Twitter. And you network with people, you can bounce ideas off people, you can get advice, support; all that's really important. And also at the top there, it also avoids you repeating some of the same mistakes that were made before; avoid duplicate efforts. They might have resources that they can share with you, open source, open source documentation, or might even know some tools that might help that you might, I don't know, develop from the ground up. And the other important one is avoid the same mistakes. So in security you always want to try to avoid mistakes, because that's [inaudible] security issues, so if you can avoid those, great.

And then some other quick ones: accept failures. We're all human; accept that you're not going to solve every security bug or get every security bug. Personally I find this really hard; I'm a perfectionist, I'll see a security bug, I want it resolved now, but I need to realise that we're not going to solve them all. So that's why you prioritise: make sure you fix the ones that are going to represent the most risk, and at the end of the day security is about managing risk. You're not going to eliminate it, you just try to reduce it as much as possible. And that kind of leads down to the be patient part. So sometimes you want a bug fixed as soon as possible; work with the team to get it fixed as soon as possible, but be patient, help them. As I said, ask for help and engage with the community.

So to sum up: at the end of the day, when we work for companies we're all trying to achieve the same goal. Whether it's a development team, QA team, finance team, HR team, it doesn't matter what team, we work there to help the company's services or products to make a profit, or provide services if you're a nonprofit organisation, or help. But the point is you're trying to work to achieve the same thing at the end of the day, and that makes you all part of the same team, so you should work together. And there are ways to change the perception of security as a roadblock, something of a hindrance, and it can actually help. I've done some things in the past that actually improved the process, the way people went about things, and that helped security as well as the process, and that's a huge one: it's going to get people more engaged and slowly changes their perception. And at the end of the day, sorry, also one way to get people to engage in security more is making it as little effort as possible, requiring as little knowledge as possible; I provide the knowledge, but also least effort. So if something can require one line as opposed to them spending hours on the internet, great, that's going to be a huge one. So for example I've developed a TLS library for developers to use for systems; they don't have to have any knowledge of what cipher suites are weak and why, or even which ones to support. It's one line in their code and they know it's good. It's going to be really hard for them to argue against that; it's going to be easy for them to implement and everyone wins. And that kind of builds on a security culture where teams start thinking of security as being their problem as well, or getting them and their peers to call out those who aren't doing security, as opposed to you, and that drives that security culture.

So, questions.

[Question inaudible]

So you certainly have a disclosure program, some means of allowing people to disclose a vulnerability or finding. So yeah, and then make it transparent, so work with your dev teams, giving regular updates to that person who found it. And I know a lot of people expect money and gifts for that, but a simple thank you...
So at the end of the day the CISO is going to be responsible for the security; it's in their best interest that security improves where possible, so trying to get that buy-in from them is going to help them in the long run. Right, so getting the CISO on board, getting the CISO to work with the engineering or development manager or head of [inaudible]; one of these paths will hopefully help drive it.

So, yep, at the back. Good question. Um, there is ASVS; it's not quite a security development thing, it's more, yeah, it's more a testing framework, but you could kind of leverage that to help aid in security development. I'm not aware of anything outside of the Microsoft one. The other problem is things are changing so fast, so what might be there one day can change three, four years down the line, so it's difficult, and every company changes their perceptions slightly. So if you go speak to a company, "hey, what's agile to you?", you might get two different answers from different companies. Any other questions?
So there are times where companies cannot change because of legacy reasons and whatever, but certainly they could probably try to adopt more modern methodologies and concepts. Try to take a use case, which comes to the point where I say take real-world examples; that's always a great way to sell something, because it's not "hey, this could happen" or "this may happen", here's an example: this is where they gained extra money because they were twice as productive, or something like that.

[Question partly inaudible] ...production, how you engage things, whatever, is not operating the same... yeah, obviously exploitable, but how do you gain...

Okay, I will talk to you afterwards because, again, we're at the wrap-up, but thank you everyone.
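The "one line in their code and they know it's good" TLS library mentioned near the end of the talk is the speaker's own and is not shown here. As an added example that is not that library, the block below shows what such a helper looks like with Python's standard ssl module, plus an audit function of the kind a security review would run over the result. The cipher string, the TLS 1.2 floor and the list of weak-cipher tokens are this example's own choices, not values from the talk.

```python
"""
Added example, not the speaker's library: a secure-by-default TLS client
context that a developer calls in one line, and an audit of what it enforces.
Cipher string, protocol floor and weak-token list are this example's choices.
"""
import ssl
from typing import Dict, List

# Tokens that mark a suite as obsolete or unauthenticated; used only to audit
# the resulting context, not to build it.
WEAK_TOKENS = ("NULL", "RC4", "DES", "MD5", "EXP", "ADH", "AECDH")

# Forward-secret AEAD suites only for TLS 1.2; TLS 1.3 suites are handled by
# OpenSSL separately and are all modern.
MODERN_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def secure_client_context() -> ssl.SSLContext:
    """The single call a developer needs: TLS 1.2 or newer, forward-secret AEAD
    ciphers, hostname checking and certificate verification all turned on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(MODERN_CIPHERS)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS compression leaks plaintext length
    ctx.load_default_certs()
    return ctx


def is_weak_cipher(name: str) -> bool:
    """Flag a cipher suite name that contains any obsolete/unauthenticated token."""
    return any(token in name for token in WEAK_TOKENS)


def audit_context(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Summarise a context the way a security review would check it."""
    names: List[str] = [c["name"] for c in ctx.get_ciphers()]
    return {
        "minimum_version": ctx.minimum_version.name,
        "check_hostname": ctx.check_hostname,
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "cipher_count": len(names),
        "weak_ciphers": [n for n in names if is_weak_cipher(n)],
    }


if __name__ == "__main__":
    # A developer would pass secure_client_context() to ssl's wrap_socket or
    # to an HTTP client; here we only print what the review would see.
    for key, value in audit_context(secure_client_context()).items():
        print(f"{key}: {value}")
```

The point of wrapping this in one function is that the decisions (protocol floor, cipher list, verification) live in one reviewed place rather than being re-derived by every team; the audit function is what lets the security team, or a champion in the dev team, confirm the defaults without reading OpenSSL cipher syntax.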