Developer Security Based on 15 Years Experience

AI Generated Summary

This talk shares insights from 15 years of experience working with developers and security, focusing on bridging the gap between these two communities and making security more accessible to developers.

Key Topics Discussed

The Problem:

• Developers and security professionals don’t see eye to eye most of the time
• Security is a cost center - “Ain’t nobody got time for security”
• Security professionals talk as if security flaws are everywhere
• Similar to DevOps problem: “It works at my end, I don’t care if it works at your end”
• Security consultant problem: Like Superman saying “I saved your world” but when citizens ask “Can you help clean up the mess?” → “Not my job, not my cup of tea, that’s your problem”
• Security consultants show the problem but don’t help figure out how to fix it

Data Breach Reality (2011-2021):

• Large number of attacks focused around web applications
• Basic web application attacks, social engineering, system intrusion
• All around softwares - grim picture that something is going wrong in security

The Solution - DevSecOps Approach:

• Key insight from Black Hat USA 2019 presentation: “Automation alone is not going to solve the problems”
• Need to:
  • Encourage security mindset especially outside security team
  • Have common goals for greater good
  • Build allies in the environment
  • Focus on collaboration and inclusive culture, not blame game
• Open source projects: OpenSSF, ATT&CK, Sigma, Defend - all focusing on collaboration
• Action: Raise hands, say “we need to collaborate together”, work towards uniform solutions in public

Developer Perspective - The Core Message:

• Security professionals consider security as art, not science
  • Art = can’t teach someone else, expression, only you know how to do it, someone else does it differently
  • Science = written, documented, proper approach
• Problem: Security industry doesn’t want to move away from art side to science side
• Developer community should: Commoditize security, convert it into science

How to Commoditize Security:

• Developers have already done something similar: Infrastructure was considered an art
• DevOps example: Developers took over operations, automated it, made it replicatable, made it science
• DevSecOps term: Came up because security wants their share
• Take: Term should not have existed, but it’s here, people are using it
• What DevOps needs to do: “Eat security art, make it security science”
  • Automatable
  • Documentable
  • Testable
  • Repeatable
• Reality: Not 100% achievable (nothing is), but high 90s - why not?

Veteran Infosec Professionals’ Advice to Developers:

• Question asked: “What’s the one thing you’d like to tell web app developers?”
• Common theme from veterans (who have spent lot of time with developers):
  1. “You are responsible for security of your apps”
  2. “Listen to developer needs carefully and address them from security point of view”
  3. “Developers are highly intelligent and genius - trust them to do good once you provide them the information”
  4. “Don’t let security on your stuff”
  5. “The infosec community who encourages myth that security is complex discipline that needs dedicated security specialists do nothing do anything security related - this isn’t nonsense”

Key Points:

• Developers are best judge: Of how code gets changed
• Security team can help: But they can’t take ownership - they don’t have what it takes to take ownership of your code
• Pick tools that work for you: And automate security stuff
• Automation: Should not be going back and forth with security team for miniscule tasks, minor things - most of it can be automated

Important Insights:

• This is not saying “security should be developer’s responsibility” or “developers are right set of people who can own security”
• This is what large number of people are saying who have spent lot of time in the industry
• Security professionals need to move from art to science
• Developers need to commoditize security like they did with infrastructure (DevOps)
• Collaboration and inclusive culture, not blame game
• Automation can handle most security tasks - don’t need constant back-and-forth

Actionable Takeaways:

1. Developers: You are responsible for security of your apps
2. Security professionals: Listen to developer needs, address them from security point of view
3. Trust developers: They are highly intelligent - trust them to do good once you provide information
4. Commoditize security: Make it automatable, documentable, testable, repeatable
5. Pick tools that work for you: Automate security stuff
6. Don’t let security on your stuff: Don’t rely on security team for everything
7. Focus on collaboration: Not blame game
8. Build allies: In the environment
9. Common goals: For greater good
10. Encourage security mindset: Especially outside security team

Important Projects Mentioned:

• OpenSSF - Open Source Security Foundation
• ATT&CK - MITRE ATT&CK framework
• Sigma - Generic signature format for SIEM systems
• Defend - Security defense projects

Personal Background:

• Developer and maintainer of moderately successful WordPress plugin: WP File Manager
• Still used by many (though development stopped, asked plugin not be available for download)
• Many infosec professionals have used it to get hold of system once inside WordPress environment