Posted 21-Feb-2022

AppSec is dead. Long live DevSecOps!

CTO, Secure Code Warrior

[email protected]

Matias Madou

Hi, I’m Matias.

Matias Madou, Ph.D., Co-founder and CTO

Matias is the CTO and co-founder of Secure Code Warrior. Matias holds a Ph.D. in computer engineering from Ghent University, where he studied application security through program obfuscation, working primarily on static analysis solutions. With his Ph.D., he moved to the U.S. to join Fortify Software (acquired by HP) and stayed seven years to build out his career. Starting as an intern, he became the research architect for all the runtime solutions spanning Fortify and ArcSight products. During his time at Fortify, he thought it was far too easy to find security problems in code if you never teach the developer how to write secure code in the first place. With this in mind he started Sensei Security, a company that eventually merged with Secure Code Warrior. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including BSIMM, RSA Conference, Black Hat and DEF CON.

Today’s Agenda

• The (ongoing) impossibility of writing secure code

• The software security person today

• Creating secure code today:

– Culture

– Automation

– Measurement

– Sharing

• Conclusion

• Q&A

Evolution of bugs, from past to present

The (ongoing) impossibility of writing secure code

Failures in code cost money: the Ariane 5 rocket

• $7 billion

• 10 years of work

Technical:

• Velocity value held as a 64-bit float

• Converted to a 16-bit signed integer

• Ariane 5’s flight profile produced a value too large for 16 bits: overflow

• The overflow check on that conversion had been left out for performance, so the resulting unhandled error shut down the inertial reference system
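The failing conversion, as an added example in Go (not code from the presentation or from the flight software): narrowUnchecked shows what a 64-bit to 16-bit conversion returns when the range check is left out, and narrowChecked is the same conversion with the check in place. The two sample readings in main are constructed, not values from the Ariane report.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// ErrOutOfRange reports a value that cannot be represented in a 16-bit integer.
var ErrOutOfRange = errors.New("value does not fit in int16")

// narrowUnchecked has the shape of the Ariane 5 defect: a 64-bit value is
// pushed into 16 bits with no range check. Go defines int64 -> int16 as
// truncation, so the bits above the low 16 are silently dropped and the
// caller receives a wrong but plausible-looking number.
func narrowUnchecked(v float64) int16 {
	return int16(int64(v))
}

// narrowChecked performs the same conversion but refuses NaN and any value
// outside the int16 range instead of handing back a wrapped result.
func narrowChecked(v float64) (int16, error) {
	if math.IsNaN(v) || v < math.MinInt16 || v > math.MaxInt16 {
		return 0, ErrOutOfRange
	}
	return int16(v), nil
}

func main() {
	// Constructed sample readings: the first is inside the range the
	// conversion was designed for, the second is the kind of larger value a
	// different flight profile produces.
	for _, v := range []float64{20000.0, 40000.0} {
		u := narrowUnchecked(v)
		c, err := narrowChecked(v)
		fmt.Printf("input %.1f: unchecked -> %d, checked -> %d, err=%v\n", v, u, c, err)
	}
}
```

The unchecked path turns 40000 into -25536 and the caller keeps flying on that number; the checked path returns an error the caller has to handle, which is the decision the Ariane team traded away for performance.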

SQLi for Christmas… in 2008.

Is software security still a problem?

“If we have data, let's look at the data. If all we have are opinions, let's go with mine.”

~ Jim Barksdale, former CEO of Netscape

● 1 in 3 newly scanned applications had SQLi over the past 5 years~ Cisco

● 111BN lines of code are written by developers every year~ CSO Online

● It is 30x more expensive to fix vulnerable committed code than to secure it in the IDE from the beginning.

● Average global cost of a data breach in 2020: $3.86 million

Today’s AppSec approach

Why is this not resolved yet?

1) Fix known security issues

2) Do not introduce new issues (700+ categories of problems!)

Ton of overhead!

Scale of AppSec team?

Security knows about issues in code

Never ending story…

Roughly 1 security person per 100 developers

AppSec, DevSec, SWSec...you name it

The software security person today

The brain anatomy of AppSec: what they do

Finding common vulnerabilities over and over

Losing sleep over the cybersecurity skills shortage

Trying to build the right team while navigating impending digital doom

Dealing with the tough security questions: a.k.a. Doing the job they were originally hired to do

Trying to avoid burnout, missed deadlines, and feature focused developers

Mo’ money mo’ problems

(Diagram: more money, more problems; more code, more vulnerabilities)

The security person HAS to understand code!

Move from:

● Tasked with finding, not fixing, vulnerabilities

● “Breakers”, not “builders”

To:

● Understanding code!

… and we need to get serious about closing the cybersecurity skills gap with the (awesome) resources in front of us.

Software Development Lifecycle

Creating secure code today

Methodologies come and go, but where is security?

DevOps

Each stage has improved processes, collaboration and continuous deployment… but security remains back-of-mind.

Software Security in the new world

• Well, what it is not:

Work smarter, not harder and faster!

Evolution of waterfall to Agile/DevOps: how should software security adapt and follow this trend?

What are the pillars of DevOps success?

CA(L)MS:

1. Culture

2. Automation

3. (Lean)

4. Measurement

5. Sharing

Put the Sec in there, please?

1) Culture: Everybody + Proactive instead of reactive

1) Culture fit for developers

Provide developers with secure-coding solutions that actually appeal to developers.

Developer should see the benefit:

● Highly sought-after

● A cut above average developers

● More lucrative job opportunities

● Instrumental in the battle against cyberattacks and data breaches

Mindset for developers: Aware that the only good code is secure code.

1) Culture: example on cultural fit

(Image: two approaches compared side by side)

2) Automation

Automated security testing:

• Take the tools that work for your tech stack and company culture

• Don’t slow down the build: the coffee test

• Run inline every security test that finishes in under 5 minutes

• Parallelize the rest

• Don’t block the build or release unless you are really sure. Credentials found in code are the standard exception

• Integrated ChatOps: integrate into the developers’ world

• Use stand-alone containers for all tests, with no dependencies
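The gating policy in those bullets, as an added Go example that is not part of the presentation: checks expected to finish inside the five-minute coffee budget run inline, slower ones are deferred to a parallel lane, and of the inline results only credential findings block the build; everything else is reported back to the developer. The two scanners, their regular expressions and the diff lines they run over are toy stand-ins constructed for the example, not any real tool or repository.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// Finding is one result produced by a security check.
type Finding struct {
	Check, Category, Where string // e.g. "secrets", "credential", "line 1"
}

// Check is a security test wired into the build with its expected run time.
type Check struct {
	Name     string
	Expected time.Duration
	Run      func() []Finding
}

// coffeeBudget is the "coffee test": a check runs inline only if it finishes
// within five minutes; anything slower goes to a parallel lane.
const coffeeBudget = 5 * time.Minute

// Decision records what the pipeline does with the results.
type Decision struct {
	Block    bool
	Blocking []Finding // credential findings: the one category that stops the build
	Advisory []Finding // every other finding: reported to the developer, never blocking
	Deferred []string  // checks over budget: run in parallel, reported asynchronously
}

// Gate applies the policy: run checks under budget inline, block only on
// credentials, surface everything else, defer the slow checks.
func Gate(checks []Check) Decision {
	var d Decision
	for _, c := range checks {
		if c.Expected >= coffeeBudget {
			d.Deferred = append(d.Deferred, c.Name)
			continue
		}
		for _, f := range c.Run() {
			if f.Category == "credential" {
				d.Blocking = append(d.Blocking, f)
			} else {
				d.Advisory = append(d.Advisory, f)
			}
		}
	}
	d.Block = len(d.Blocking) > 0
	return d
}

// Toy checks stand in for real scanners; the patterns are assumptions kept
// deliberately small (a real secret scanner ships hundreds of them).
var (
	awsKeyID  = regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)
	sqlConcat = regexp.MustCompile(`execute\(.*"\s*\+`)
)

// sampleDiff is constructed for this example, not taken from a real repository.
var sampleDiff = []string{
	`+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE`,
	`+cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")`,
	`+log.Println("request handled")`,
}

// scanLines is a one-pattern scanner shared by both toy checks.
func scanLines(check, category, what string, re *regexp.Regexp, lines []string) []Finding {
	var out []Finding
	for i, l := range lines {
		if re.MatchString(l) {
			out = append(out, Finding{check, category, fmt.Sprintf("%s at line %d", what, i+1)})
		}
	}
	return out
}

// pipelineChecks is what one build runs; dast is over budget and gets deferred.
func pipelineChecks() []Check {
	return []Check{
		{"secrets", 30 * time.Second, func() []Finding {
			return scanLines("secrets", "credential", "aws access key id", awsKeyID, sampleDiff)
		}},
		{"sast-lite", 2 * time.Minute, func() []Finding {
			return scanLines("sast-lite", "sast", "sql string concatenation", sqlConcat, sampleDiff)
		}},
		{"dast", 20 * time.Minute, func() []Finding { return nil }},
	}
}

func main() {
	d := Gate(pipelineChecks())
	fmt.Printf("block build: %v\nblocking: %v\nadvisory: %v\ndeferred: %v\n",
		d.Block, d.Blocking, d.Advisory, d.Deferred)
}
```

In a real pipeline each Run closure is where the scanner would be started in its own container and its report parsed, and Expected should come from measured run times, so that a check that grows past the budget moves to the parallel lane instead of quietly slowing every build.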

4) Measurement

Measuring is hard! Find ways to help.

● Security should be an enabler instead of a blocker.

● “Let me help you get that in production!”

● Support speed of delivery

● Support time to market goals

5) Sharing: Break The Cycle of Recurring Vulnerabilities

Cycle of Recurring Vulnerabilities (diagram):

LOCATE: security expert tests and finds vulnerabilities

IDENTIFY: results loaded into bug tracking system

FIX: developer finds a way to fix the problem

SHARE: knowledge disappears into a ‘black hole’

RECURRENCE: bug reappears

+125 recurring vulnerabilities (source: NIST)

5) Sharing: Share your knowledge wisely

(Diagram: findings plotted as Identified vs. Unidentified against Fixed; actors are the Developer, the Security Champion, AppSec, xAST tooling and the Security Report.)

Share Knowledge

Build and retain valuable knowledge! Introducing a common language between AppSec and developers increases collaboration and efficiency.

Instantly fix in developers workflow

John Doe, Software Engineer, DevNet

John has been a developer for over 15 years. He has a strong passion for understanding the needs of the Scrum Alliance community and developing new programs that drive learning, engagement and growth.

Make developers security superheroes

Developers are your DevSecOps heroes.

● Let developers get hands-on and learn by doing

● When security training is engaging and delivered in the languages and frameworks that are actually used, it is a powerful learning experience

● Give developers the time to train

● Empower them to level up as a developer, while leaving behind boring assessments and tick-the-box training.

Engaging and Competitive platform to upskill developers

5,000+ unique training exercises offered in 40 coding languages and frameworks

Matias Madou, Ph.D.

CTO and Co-Founder

Secure Code Warrior

+32 495 25 49 78

[email protected]

@mmadou

www.linkedin.com/in/matiasmadou/