
As Ken mentioned in that introduction, we're going to talk about these things: a caveat, why this talk, security and "your baby is ugly", social engineering the dev team, and then the number one security activity, and resources. If we have time we'll get to lunch. You guys don't want to go to lunch, you don't want to stand in that line, right? I can get an extra 15 minutes.

All right, the caveat. Social engineering developers into supporting this is very difficult; you only get to a certain point. So you have to realize that these techniques will get you in with the dev team and will get them thinking more about security, but you have to have leadership support. That's what I've always had: buy-in from management. Luckily a lot of dev managers, at least the good ones, want quality code, and in my view secure code is quality code. It's already in the documentation on how to do things properly; they're not doing anything all that special other than writing good code, and development managers and leadership want that, especially if you show that it will help. That also might require you to social engineer your leadership, depending on what level you're at, to get in with the development team and the development leadership.

My clicker is not working. So, why this talk? I think this is a problem. I talk to a lot of people within the industry: how do I get developers thinking about security in a much better way? I have successfully been able to do that. I started at Premise Health in 2016 as the software security engineer, and what was cool about the role was that I sat with the development team. Security and development were in two different buildings; I sat with the developers, so I really got ingrained with them. I've always gotten along with people pretty well naturally, but then I read Chris Hadnagy's social engineering books and I was like, holy crap, a lot of this stuff is applicable not just to breaking into buildings but to interacting with your fellow person. So that's why this talk.

But before we get to the social engineering aspects, I do have a bit of a rant on the security industry as a whole and some of the things that I see as off-putting when you're working with development teams. The first thing is: we're not special. We are glorified hall monitors, that's all. You can't run in the halls, you can't do that, right? So we have to be a little bit humble
when we approach development, and really anybody outside of security. We can get pumped up, oh I owned this, I hacked this, but we're really just telling them that they did something wrong, and that's what a hall monitor is. So we're not really special. Also, if you're a fan of The Office: it's the assistant to the regional manager, instead of the assistant regional manager.

One of the first things I get on is security champions. The concept is good; I don't think the execution of it is great. I don't think I've ever talked to a developer champion and asked them what they did and gotten an answer; it's very corporate. So if you're going to start throwing that term around, it can be off-putting: you're pretty much putting a hall monitor sash onto someone that actually wants to do a good job from a security perspective. Again, if it works at your place, that's great, absolutely go for it. But it could be something different; it could be Jedi, guru, something that a lot of developers are going to respond to. Or, in my view, they're just a good developer. Again, quality code is secure code, so if they're writing quality code they're a good developer and they're already doing the security things as they're writing the code.

We throw this around a whole lot, and I actually had a salesperson come up to me and say, I didn't even realize I was doing that and it might be off-putting to the developers. So think before throwing certain terms around. The next one is of particular concern: SecDevOps, DevSecOps, DevOpsSec. If we can't even get the name right, why are we even using this term? To me it's just DevOps; it's nothing special. Again, we are nothing special; we don't need to come in and insert our stuff into their names. And by the way, I've talked to developers who
think DevOps is a stupid term in general. They actually wanted to be called not the DevOps team but the platform engineering team, so they even hate some of these buzzwords as well. So be mindful of how you're coming off to people. And I love that elo punk had this at GrrCON recently: it's pronounced DevOps, the sec is silent. And the development life cycle. As you can tell, I love memes; I could not find any memes on the secure software development life cycle. To me it's the development life cycle, and security should just be an integrated part of the checks. I've had conversations with managers, and it comes down to having to support their stuff. They want peer reviews, right? That's a security thing, but what are they doing? The seniors are checking the junior devs to make sure they're actually doing things properly, so to me that's a security check. Unit tests. They want to reduce the cost of development as well, because we talk about shifting left as much as possible, and to do that they've got to have these certain things, and that includes security. And security tickets are just bugs to me. We should not have them working on a low security finding when they've got high business needs to get taken care of; address it at some point, but that's where you sit down with them and agree upon an SLA. So, fine. Be a little bit open-minded to this. I may have looked down on some people's favorite terms; I'm sorry, but to me we're nothing special. We should be coming to developers, or anybody we work with, not just developers, a little humble, trying to see how we can help and provide them support.

So, social engineering the dev team. This needs to be an authentic, genuine thing. It's something a lot of sales books say too: coming off as authentic instead of manipulative. If you manipulate them and they find out about it, you've just lost.
So you have to come at this from an authentic and genuine standpoint; that worked for me. So let's apply it. As you go about this stuff, you should be looking at these techniques and seeing them as you, as a person; again, being genuine and authentic. And sometimes you're going to fail; there are developers, people, you just won't get along with, it's going to happen, and again that's where the leadership support comes in. I actually got along with a guy really great; we found out we were born 100 miles apart from each other and we were both living in Nashville, Tennessee, which is crazy. But the reason why he does it is because his leadership is making him do it. So there are people that you just never get to, but you can still have a good relationship, and that's probably the big thing: having an actual relationship with people. There's nothing surprising here: getting along with people, being nice, rapport building. So read the social engineering book and you can see a lot of that same stuff is applicable, as long as it's from an authentic and genuine standpoint. At a virtual conference someone nailed it; they said, just have empathy. So get to know them. How do you do this? You start getting in with them: look for their meetings. They have this chicken-and-pig thing, like a bacon-and-egg breakfast, right? The devs see themselves as the pig; they have skin in the game, and the chicken is just popping out eggs. So you try to be the pig. I never got to that point, but they understood I was there with them because I was going to their meetings, and I wasn't even saying anything.

And that's the next thing: listen. I didn't say anything; I went to their groomings, I went to their stand-ups. A lot of times, when they know security is there, you're still going to have this stigma, oh, security is here. So you try to be that animal that just hides
in the brush and just observes, and gets them more associated with and used to you being there. And also, just don't call out every little thing. Sometimes with smaller things you might have to eat that blue pill; you have to be Cypher, ignorance is bliss. Especially ask: does it really matter? Now if there's an actual issue, yeah, no, we can't do that. But a lot of times... my first three months I spent asking questions, so I didn't necessarily have to find stuff; they started bringing stuff to me. Ask questions too; developers love talking about their code. You know the term, calling somebody's baby ugly? I just did that for security, telling developers about their babies. But if you get into their code and what they've built and all this stuff, they will open up. So asking questions is one of those ways that you can interact, but really it builds rapport with someone. Those people are going to have this too, but ask questions: if you want to be a great conversationalist, don't talk, ask questions. That's what you do, and actively listen too. Actually listen to the developers and what they're saying. I try to understand their goals, their challenges, and I tell them this too: I want to understand this, so I
ask a lot of questions: the frustrations, things like that, and see where you can be an enabler for the development team. Reciprocity: do stuff for them and they'll do stuff for you. I would walk up to a desk and go, okay, what do you need from me? Just to see if we're going to go grab lunch or something. But oftentimes I could walk up to a dev team and they would fix it fairly quickly, even low stuff. We need to put this through the proper process, this is a low, it needs to be done, but I got to that point where I got them to drop what they're doing and help me out. And it's about giving, not receiving. So one of the things that I would do is service desk tickets. I had access to the service desk tickets; I would push tickets along or reroute them to the right group if they were in the wrong group. Little things like that say a lot to people, so that when I have a security issue, they're going to drop what they're doing to help me. The other thing I like to do is bring bacon. Who doesn't love bacon? So this is 144 pieces of bacon; bought it at Sam's, two 72-packs, for about 20 bucks.
I was doing security training and I brought this and dropped it on the table, and I will tell you, the look on their faces when they came in was great: is that bacon? No one had ever brought them bacon. It's a little bit harder now with the remote stuff, but if you can, try to find those opportunities. Swag: those little privacy sliders for the cameras on the monitors, go grab a handful, they love that stuff. I was handing those out like crazy; I always grab a handful from a conference and bring them back. Hey Tim, you got one of those privacy sliders? Yeah, there you go. It's simple things like that that I'm going out of my way to do. Also, in the training, one of my first slides was talking about security wins: what did they do right? And it was amazing, because I would hand out swag; I got the company to give me a ton of swag, and these were all little things, pens, notebooks, coffee mugs, nothing super fancy or special, and I would call them out. And you know what happened? For two weeks afterwards they would bring me security stuff, for like two weeks after the training, stuff that needed to be addressed. They were reaching out to me.
And again, this is where the story applies: think of creative resources to get developer stuff, or get them on your side. Body language: you can do a lot of reading with body language, and if you're at a conference and you feel like you're really engaged with someone, watch their body language and see if it's mirroring you. Then what you do is you shift your body language and see if they shift. It's weird when you see it happen. I was talking to someone about this technique, and I shifted, and almost immediately after they shifted too, and they were like, whoa, whoa, whoa, that's really freaky. It's really freaky when you see it happen, but body language is important. I will say, how you dress: if you're coming into a dev group that's got hoodies and t-shirts and you're wearing a suit, or a collared button-up shirt tucked in and everything, you're going to stick out to them. So you want to blend in a little bit. Again, don't go to the extreme of dressing against what fits your personality best. I would still wear a collared shirt, but I'd wear it untucked, with jeans, some Adidas shoes, and I'd roll up the sleeves. So that was what I'm comfortable with; that's what I consider business casual. I'm former military, so I do have some of that looking professional when you go into work. But there are opportunities for that. I actually do like wearing hats; I was wearing them early on when we went all remote, and I stopped, but when I'm in a dev meeting or something I might throw it back on, because there are other people wearing hats. So you want to connect with people with how
you dress. And again, remote work has changed a lot of this stuff; it's a lot harder to see body language on a camera, and we'll talk about some of the remote work stuff that you can do. Be vulnerable, be transparent, don't hide anything from them. I was transparent; I'm always transparent with them. I'm like, we should not have bottlenecks or roadblocks for deploying code; that doesn't mean we're not going to put in some speed bumps here and there. So I was very upfront and transparent; I told them my whole plan. It was: three months, sit with them; the next six months we should probably start looking at some tooling, some testing, putting that in place. I gave them the whole plan. You should have a plan before you start working with the dev team, and you should be able to share that with them and where you want to go. Now, part of the three months is me trying to understand where security best fits in, because I do not want to go in and start disrupting how they're developing code; that's going to piss them off. It means that I want to work with you. I'm also admitting when I'm wrong. If I'm wrong about it, I admit I'm wrong. I've actually become a better security person because they would question some stuff; sometimes I would win the case, other times I would be like, okay, yeah, maybe you don't need to worry about that. And again, be authentic with all this stuff, not manipulative; if you're manipulative you're going to lose them pretty quickly. But in general just be truthful and honest, and that's going to resonate with them. Being honest with someone about something that maybe you shouldn't tell them... I mean, there are certain lines within security, but sometimes being truthful with them, they know you're sharing something maybe you shouldn't be sharing with them, or they've had a bad experience with security people in the past, so if you're more open with them they're going to be like, holy... I can actually trust this person.

The working-from-home challenge. This makes building relationships a lot harder. If you've heard of the Allen curve, this is a study done in the 70s: the more distance, the less communication you have, and it can really hurt. It's really tough to keep those relationships going. I was fortunate: some of my current devs, I was in the office with them, so they know me; I
had that established relationship. But I've been trying to work on building relationships with remote people; I've got people out in San Diego, people in San Antonio, and it's really hard. I would travel there to try and connect with them and catch up, have a couple of meetings, go out and have some adult beverages. But you really have to look for a lot of opportunities to connect. If I'm in a meeting, just a general meeting with a developer, I might reach out on IM and send them a message: hey man, how's it going? And this is where you can look for opportunities to connect on your other interests. I'm a big baseball fan, so I have a Cleveland Indians fan at work and we go back and forth about baseball stuff. It could be woodworking, it could be whatever your interests are; try to identify some of that stuff, and you pick it up just sitting in the meetings, trying to understand who these people are and what some of their interests are. I do set up local events, like happy hour, for us to connect. Even now, with a lot of my company going remote, we're going to do some sort of hybrid workforce thing, so for me those local events become even more relevant, especially if you're in the same city with them. That's some reciprocity right there. And always going to these meetings online, the stand-ups and other stuff, is very, very important. I have a 30-minute catch-up meeting with our director of development that's been there since 2016. If you can't get in with the director of development or a manager, the scrum masters are really great, because they know everything that's going on. Hey, what are you trying to do? And they have their own frustrations with development; they're trying to put certain processes in place, so you look for opportunities where you can help them, and they know everything.

Pay attention to your box. I don't know if anybody's seen that demo where the guy does the different looks around the camera, the person with the multiple cups that's constantly drinking; that's actually me, the guy in the bottom left corner. How you're presenting that little box is very important. I'm a media arts grad; if you've ever seen a movie where faces are shaded, that's intentional, to make the person look really dark. So make sure you have good lighting. I'm not
always perfect about it either; I often just sit outside. You have those things that you can light up; get one of those if you can. But I see people not working, and it really drives me nuts nowadays: not working on something else, and actually paying attention to what they're saying.

So with that in mind, I think I'm doing pretty good on time. One of my favorites is Office Space, and there's a really good scene, I think you all know this, where Peter's meeting the Bobs, and it's a great example of how some of these techniques can work, because we're talking about a very quick introduction and getting to know people. So a lot of the same techniques I've talked about apply to this scene. For people that haven't seen Office Space, the Bobs are coming in to pretty much re-org; they're essentially coming in to fire people, and Peter's one of the people being interviewed. At this point he's at a place where he doesn't really care anymore. And he starts by coming in going, hi, Bob. There's another technique I haven't talked about: using people's names. Use people's names in communication; people like seeing their name, they love hearing their name. If you have an opportunity, use people's names. You can see here they both walk through the typical day. These are all intentional too; this is a scene that's meant to make you feel good and laugh a little bit. You can see Bob leaning forward too; leaning forward is an indication that you're interested in somebody and that you're actively listening, and you see Peter sitting there straight up. And by the way, this is not developers or security on either side; it's about how people interact, how they built that rapport fairly quickly. Also, showing your hands is a good thing. I know it's hard with Zoom, but people who hide their hands... if I stood here like this, you'd have this
eerie feeling of not trusting me. So having your hands showing is really good. And he goes into being 15 minutes late and using the side door, so he's actually being very open and transparent about what he does at work. And instead of the Bobs getting on him, they go, space out? What do you mean, space out? And he says, after lunch too, he spaces out; in a given week he probably does 15 minutes of real, actual work. So again, being open and transparent, and the Bobs are going, tell us more, tell us more about this; they're trying to understand the goals and challenges. And then you can see, prior to this, he relaxes: let me tell you about TPS reports. And so they cut away to the scene in the back where they're talking; you can see the Bobs are still engaged, they're leaning forward, Peter's relaxed, and he's being very open about this. He's like, you mean you don't care? And he says if the company ships more units he doesn't get a dime. So again he's being very open and candid about his position. So Peter relaxes again, and you can see this is where the body language matches: the other Bob leans back, matching Peter leaning back. So he's really engaged in this conversation. And then here he leans forward again; he goes, what if we gave you some sort of stock option, would you be open to this? And Peter goes, I don't know, I guess. He's still being candid, he's still being open, he's being a person. And then he says, real nice talking to both you guys. And then they do the handshake, which is another form of interaction that I know has gone away with COVID; hopefully it's coming back. Hand sanitizer, by the way: going to conferences prepared me for the pandemic, hand sanitizer in the pocket, anytime I shake someone's hand rub a little on there, don't touch my face, all the usual stuff. But then the Bobs go, no, the pleasure's all on this side of the table, thank you. So, thank you: appreciation. That's another one that I'm kind of blowing through here: say thank you a lot. Every communication, say thank you. This doesn't have to be just developers, but say thank you. There are so many times... it feels good for people to feel like they've done something for you. And then Peter says, good luck with your firings, I hope they go really well. And this is another form
of matching: thumbs up on one side, thumbs up on the other, and you can see Bob is even at eye level, like, see, I'm interacting, yeah, thumbs up. And then of course the scene ends with everything not to do, which is Lumbergh. He walks up and says, so, Peter, what's happening? Listen: he asks a question, but he doesn't really care. He's looking down, he's not making eye contact, and what does Peter do? Just walks right by him. So that's a great demo of some of these techniques I've talked about and how you can interact.

The number one activity I did that really helped with shifting left and getting developers to write better code is threat modeling. This is Adam Shostack's textbook; I read the first chapter, and actually at the end of his first chapter he says just go start threat modeling, because you can get into a lot more concepts, but it's ultimately diagramming a workflow and talking through attack patterns with them. It's not DREAD; STRIDE is what I use, and I keep it simple. And this was probably one of the last things I implemented, because I started with testing: anything new going out, we're going to test, we're going to put some automation in. And then once we started talking about design, I said anytime you have a design idea we need to go through a threat model. I also renamed it from threat model to data flow discussion. It's a small thing; maybe threat modeling would have been fine, but a data flow discussion to me sounds a lot more like it's beneficial to them. And we did find out when we were doing threat modeling that they weren't always on the same page, even in that design session where they felt like they had a solution: oh, I thought we were going to build it here; no, we're going to build it here. That's a big, big difference. And that shows value to managers too: we're getting everybody on the same page, and that's not even a security thing. So even there it was just a good meeting to have. But then we walked through attack techniques, and this is where their mindset switched. You have to be quiet and let them speak up and come up with their own stuff, which is really hard for us security people. Again, in a silent room someone's going to speak up. If I stop talking here... but if you're in a room and you just stop talking, at some point someone's going to say something; people don't like awkward silences. And if they have a problem getting started, you can throw them a very simple example. What I did was: what if I gave you a million dollars for access and had you write this code, or install this thing on your machine, or install it into something? And they're like, wait, you can't... oh. So at that point it really flipped their mindset, to understand that they needed to think outside the box, and from there they started with really creative attack scenarios, because they know the code. They also know the solutions to those as well. And you can go as far as Mission Impossible style stuff, because we're probably starting to see some of that with SolarWinds, and there are a couple of cases recently where someone bribed an employee to install something on their machine. So those are absolutely real things, but it really switched their mindset. So now as they're writing the code they're going, oh wait... you've flipped that attacker mindset on them, so when they're writing the code they're actually thinking about this kind of stuff.

Resources: The Phoenix Project. If you haven't read it
and you're working with a development team, go read it; they've probably read it. It's a very good book. Security is not in a good light in that book; I think it comes out all right in the end, but it's a great book to understand process and how they want to do development and code, DevOps type stuff. And then again, I've already talked about Chris Hadnagy's social engineering books. How to Win Friends and Influence People: these are sales books, these are things that salespeople read, but this is really great for building relationships. One of the things I like to say is there are three types of power in an organization: there is role power, there is technical power, what you know, and then there's relationship power. Anybody that's been successful knows that they got there because of the relationships they have built within an organization, and even within the community. I think Stefan, in the previous talk, talked about networking; that's powerful for a job search, and it's true for just about every aspect of life. The 7 Habits of Highly Effective People, and then more recently Ego Is the Enemy; Ryan Holiday has some really good books on stoicism and things like that. The Obstacle Is the Way, so you can find creative solutions to stuff, is another great book. With that, I've got two minutes for questions, if there are any, and I think I have something to give away for the first person that asks a question. Sir?
So the question was, for a team that's out there, like you've never worked with them before? That's where you have to have some of the leadership buy-in on stuff. It's very hard; we all suck at it. I use bottom line up front. As far as... I'm going to start talking about email techniques, because I haven't been in that situation. And again, my dev group was like 50 people, so I have a different experience; you have to figure out where some of this stuff can fit in with your situation. Keep it short: bottom line up front. A lot of people write their email's point at the bottom; move that to the top, and then a sentence or two, and people will ask for context on stuff. That's what I found a great way to interact and get people to actually respond. If you write two paragraphs of stuff, even I look at it and go, no, I'm going to save this for later. So be crisp and clean if you're talking about sending an email to somebody. But it's getting leadership, and probably reaching out to the director of development or something; that's where you've got to start, or a scrum master or something. Hey, you know... and it's really hard. I've been pushed out of work groups; leadership at the top had made a business call, and I just have to accept that sometimes. So that might be where your leadership comes in, or you start trying to build that relationship and ask questions. Again, I start with a question too, bottom line up front. I
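The "data flow discussion" the talk describes, as an added example that is not the speaker's or Premise Health's tooling: it applies the STRIDE-per-element mapping from Shostack's book to a constructed diagram, puts flows that cross a trust boundary at the top of the discussion list, and shows that the bribed-developer scenario from the talk surfaces as Tampering on the commit flow even though that flow crosses no boundary. The element names and trust zones are assumptions.

```python
"""Added example: a minimal STRIDE-per-element pass over a data flow diagram.
Not the speaker's tooling; the sample diagram in sample_dfd() is constructed."""
from dataclasses import dataclass, field

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}

# STRIDE-per-element: which categories to discuss for each kind of element
# (the mapping from Shostack's 'Threat Modeling: Designing for Security').
APPLIES = {
    "external": "SR",      # external entity: can be spoofed, can repudiate
    "process": "STRIDE",   # a process is exposed to all six
    "flow": "TID",         # data in transit: tamper, disclose, deny
    "store": "TRID",       # R matters when the store is a log or audit trail
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # external | process | store
    zone: str   # trust zone, e.g. "internet", "dmz", "corp" (assumed names)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str


@dataclass
class Dfd:
    elements: dict = field(default_factory=dict)
    flows: list = field(default_factory=list)

    def add(self, e: Element) -> None:
        self.elements[e.name] = e

    def connect(self, src: str, dst: str, data: str) -> None:
        self.flows.append(Flow(src, dst, data))

    def crosses_boundary(self, f: Flow) -> bool:
        """A flow crosses a trust boundary when its endpoints sit in different zones."""
        return self.elements[f.src].zone != self.elements[f.dst].zone


def enumerate_threats(dfd: Dfd) -> list:
    """Return (label, category, crosses_boundary) tuples to walk through with the team."""
    out = []
    for e in dfd.elements.values():
        for c in APPLIES[e.kind]:
            out.append((e.name, STRIDE[c], False))
    for f in dfd.flows:
        label = f"{f.src} -> {f.dst} [{f.data}]"
        cross = dfd.crosses_boundary(f)
        for c in APPLIES["flow"]:
            out.append((label, STRIDE[c], cross))
    return out


def discussion_order(threats: list) -> list:
    """Boundary-crossing flows first: that is where the meeting time goes."""
    return sorted(threats, key=lambda t: (not t[2], t[0], t[1]))


def sample_dfd() -> Dfd:
    """Constructed sample: a web app plus the build path a developer commits into."""
    d = Dfd()
    d.add(Element("browser", "external", "internet"))
    d.add(Element("web", "process", "dmz"))
    d.add(Element("api", "process", "corp"))
    d.add(Element("db", "store", "corp"))
    d.add(Element("developer", "external", "corp"))  # the insider from the talk's question
    d.add(Element("build", "process", "corp"))
    d.connect("browser", "web", "login form")
    d.connect("web", "api", "session + request")
    d.connect("api", "db", "SQL")
    d.connect("developer", "build", "source commit")  # no boundary crossed, still Tampering
    d.connect("build", "web", "deployed artifact")
    return d


if __name__ == "__main__":
    for label, category, cross in discussion_order(enumerate_threats(sample_dfd())):
        print(f"{'!' if cross else ' '} {label:45} {category}")
```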