
BSides Scotland 2019: Security Enablement - Sean Wright

BSides Scotland · 51:16 · 123 views · Published 2019-04

Thanks, everyone, for coming. Unfortunately I'm not Brian Porter; I know the programme was too late to change, so I'm filling in for Brian, who unfortunately wasn't able to make it. Today I'm going to talk about a term that I don't claim to have invented, but that I've been thinking about over the last nine months or so. A quick bit about myself: I'm focused mainly on application security and I'm the technical lead on a security engineering team in Scotland, along with Rob, who's at the back there. I'm on Twitter, I do quite a lot of tweeting, and I do security stuff.

I don't know how many of you feel like this when you try to talk security to devs and they're not listening, but it can often be frustrating for both sides: they don't follow your advice, or appear to ignore you, don't follow best practices, and so on. And too often we carry on trying to do the same thing over and over and over. So over the last two months I've tried to take a different stance, change direction and be a little bit more engaging with our development teams, QA teams and so on. That's where this talk is going: security enablement. This is kind of where we are

derived from. Spotify have a squad-based model; my company adopted this a couple of years ago. The whole notion of a squad is a self-contained unit that is responsible for developing, testing and deploying the work that they do, so in essence they become a self-contained team that is responsible solely for the system or service that they maintain and develop. If you want to read a bit more, there is a guide or blog post that Spotify produced that explains it in a lot more detail. Within the squad model you also get concepts beyond squads, such as tribes, which go a little bit further and span across

many squads. My idea was to get a security-focused group and concept behind this, and the whole purpose of it is to try to get these squads to follow best security practices and get them all focused on security. Taking a step back and looking at how different people see security: I tried to look these up online, and these are about the best images I could find. My mum thinks I'm some kind of superhero, which I'm not. Society thinks we all wear hoodies or balaclavas and sit hunched over a computer like that. But what we really do is work

like anyone else. Going a step further, security engineers: as much as I'd like to think otherwise, we don't party all the time; in fact, as I get older, I don't party any more. My partner thinks I sit in my seat all day looking at a computer screen and occasionally yelling at the computer as well. And when we think about it, what do our team members think of us? It's usually shouting and scolding, or the robot: "oh no, not those security people". When it comes to delivering a new project or a product, we're often the last piece that needs to be engaged to approve the release, and we need to try to

change this perception. The purpose of this talk is to try to find ways, tools and methods that can help change this perception. As I said, we're trying to change from being the police, the enforcers, the people who are preventing things from moving forward, into something a bit more engaging: becoming the teacher and guide, helping those who have less knowledge gain a better understanding of what it is we're trying to accomplish, and through that improving security. Looking at this, we also need to understand that businesses are changing. Gone are the days where you had the big waterfall model. I like the analogy of a tanker with

containers, where you can think of each container as an individual change. Back in the day you used to have Goliath releases which contained many changes, and this was okay from a security point of view because you had one major change, so you could spend months planning for it: get the resources, get the tools together, get the relevant pen tests and scans done, all of that before the release finally went out. It was a lot easier to check and keep on top of things. Yes, there were a lot of things to check, but you knew when that was happening, so you could plan for it. Fast forward to today and we have a very fast and dynamic

environment: things are changing extremely quickly, with changes coming in different sizes, ranging from a relatively big change (the bus) down to taxi-sized ones and even a motorbike, which might be a few bug fixes. It's no longer possible to use the old ways, where we planned a big release and did the checks at the end of it; it's just not going to scale. So it's time to change things and try to enable teams to hopefully take some of that on. Now, before we go down the road of trying to get teams on board and implementing tools, it's really important that you get your management involved and get approval from management. For almost everything else I'm about to speak about, you'll find it quite difficult to

implement without that. Informing your management, and driving this from the top down, getting them involved and getting approval from them, will make sure you don't get things like "why was I never consulted?" and "I don't agree with this". It allows you to debate with management and make sure that you both understand what is trying to be accomplished, as well as making sure that what you're trying to accomplish lines up with the business's goals, so you end up on the same page. The first step on the road to security enablement is awareness. You can't fix something that you're not familiar with. This is something I've seen quite often: you get many

pupils or students coming out of university, especially in my time, who were never taught anything about security. Things like cross-site scripting and SQL injection were completely foreign to us. So how can you expect your development team's developers not to introduce cross-site scripting or SQL injection in their code if they don't know anything about it, or that it even exists? Creating some sort of awareness will help them understand: hey, maybe this is an issue; hey, I need to be aware of this when I'm generating a web page or choosing a new tool or framework. That way we can get them on the road towards better training; it's just to spark that initial interest. There are several

tools that can help. The OWASP Top 10 is a really, really great tool; I'm sure most of you know what this is. I've used it in some of the talks I've given recently for training purposes. Again, it's not going into the weeds and starting to explain "hey, this is how you do cross-site scripting or SQL injection"; it's more along the lines of "hey, this is what these things are, this is the problem, and this is why they're a problem". So often we see things like cross-site scripting demonstrated with an alert box but without showing what the repercussions are: why is cross-site scripting important to prevent? Cross-site scripting essentially runs in the browser, so show

some real examples. Again, that will help the engagement; it's no longer a boring little box that pops up. Similarly there's the SANS Top 25, along the lines of the Top 10 but with 25 entries, and then CWE, Common Weakness Enumeration, is a really good tool as well. These are basically categories that vulnerabilities fall into. Again, not going into depth, but at least make people aware of them, so that when they see these types of terminology come up they can relate to them. Following on from awareness, you start going into more in-depth things, and this is where your training starts becoming more

focused. The first thing I want to say is: avoid mandatory training. I've seen several occasions where we've had mandatory training and not even a week later we get asked a question that was covered in that mandatory training. It simply doesn't work. Throwing something at someone and expecting them to take it all on board while they're trying to do their job is just not going to work. Also remember that perception: we don't want to be seen as these people putting up roadblocks and essentially talking down to people when you're trying to be engaging, so get them on the same level as you. Things that can help with that in terms

of training: gamification. Let's start making things a bit more fun. There are products out there that have leaderboards; you can set up different sorts of challenges. These things get your security teams engaged with your developers and QA as well, while at the same time getting the really important training to them: an understanding of what it means to have a cross-site scripting or SQL injection vulnerability, the concepts behind it, and how they're actually used by attackers. Brown bags, again, are something you can do, especially if you have a security team: just give talks such as this one on different topics. They don't have to be technical; they can be soft skills. It's

just that the main thing is you're starting to engage and share knowledge. The last one for me is really important: capture the flag. It's something I'm terrible at, but the one thing I learned when I did my first one last year, apart from how bad I am at it, is that it gets you out of your comfort zone. I've been in my current role for a good number of years, and you become very accustomed to your role; it becomes narrowly focused and you're not aware of the different things going on. Having a CTF gets you outside of your comfort zone, and by doing that it's going to allow you to get others

involved, and again, related to gamification, getting them involved and building that team coordination. There are two aspects to CTFs: one is to help your team learn the current technologies out there, the new exploits, the new vulnerabilities; the other, from a less technically focused angle, is to get people involved in some security stuff, to think and act like a hacker, so to speak. It just makes things more fun than the mundane exercise of sitting in front of a PowerPoint presentation, clicking through and then finally answering the questions as many times as it takes to get the right answer and pass. So again, coming back to mandatory training: it's often a deadline,

something that's placed upon your employees: you have to do this by date X. Try to change your training to "do it whenever you're free, do it when you have some free time", and allow them to do their day job without the extra pressure. Make it easy to get to: too often, as I've seen, you have to go through this portal and then that portal. Just make it a few clicks away. Make it easy to understand; sometimes things can get really complicated, so bring it down to their level. If they're developers, they'll understand development terms, so explain it in those rather than in a different tone. Let them learn at

their own pace. Again, this is related to the self-help idea: if they hit a problem, allow them to get the training when they need it. The other thing is: keep it relevant and focused. You're not going to want a web developer learning about buffer overflows; that's not going to help them. So make sure your training is appropriate for the job specs that you target. That's going to help them stay on track and understand what they need to know to do their job, as opposed to learning a wide variety of things that probably aren't going to help them. And keep it current: often I'm seeing training programmes that have not been updated for years, and in the development sphere, especially with

technologies, things change at an alarming rate. I myself have fallen behind on some of the technologies used today. When I left university, J2EE, Java for the web, was the in thing; now it's considered legacy. You've got Node.js, JavaScript, all these weird things, and with them have come new attack vectors, new vulnerabilities, new things to look out for. So make sure your training is kept up to date. The other thing is cost effectiveness: don't go throwing money at it just to tick the box. Make sure it's relevant and that the money you're paying is going to get you the results that you need. Monitor your training; make sure that

it's actually being used. There's no point spending money on training if no one's going to use it. Re-evaluate it and get feedback; these are really important things, because otherwise you're throwing money at something that's not going to help, and people might have some pointers that help you on your way. Security champions are kind of like another squad-type thing, although they're not specific to squads; it's an actual, real thing. OWASP have quite a bit of write-up on this, and it's something I'm quite keen on implementing. Security champions are ideally volunteers, so they already have a vested

interest in security, so they'll be more engaged and will also want to learn more. This is obviously going to be very important if you want to have someone there as an ambassador, so to speak, for security, but at the same time they're going to act as a middleman between your developers, QA and your security team. They'll have an understanding of what products are being worked on and the troubles teams are facing in getting those products developed, and at the same time they're going to understand some of the security issues and some of the frustrations of the security team. So they act as that middleman, the buffer, and hopefully that will start

driving towards a security culture. A security culture is ultimately the goal that you should be driving for: having a team that focuses on security, or is always thinking with a secure mindset when they're developing things, is certainly going to help drive your security forward. Some other things security champions can help with: reducing the burden on the security team. Our team is really small, and by having additional hands you don't even need to go to the business and say "look, we need to hire more people"; you're going to get immediate, hopefully, approval from managers. It may not be as much as a couple of full-time security people, but it's certainly going to help

reduce the burden, especially on some of the more trivial or mundane security things. Additionally, because they're closer to the source, especially around development and releases, they might be able to help identify things sooner rather than later. Many times I've seen things released and we found out afterwards, which is extremely frustrating, not to mention risky. Again, being the middleman or woman, they might be able to spot these things sooner and raise them sooner. Some of the things you can use to get people on board with your security champion programme: it looks good on a CV. I mean, security is not going away; it's something that's growing, a challenge that I don't

see being solved any time soon, so it's a good thing to put on the CV. They can possibly attend some conferences, like this one, and if your budget is great you might even be able to coax them with a trip to Vegas. Then, related to the last point on the previous slide, catching things sooner rather than later is just going to help the company, the development teams and the security teams. Fixing things after the fact is always a lot more costly than fixing them sooner, so the sooner you can get the issues found, the better that's going to be and the less costly. The other thing you need in your arsenal is

tools, and tools help with many things. They come in different flavours, so to speak; I'll group them into a few groups. The first is static analysis tools. Think of these as your source code analysis tools: they scan your code looking for common vulnerabilities, so they'll pick up things like hard-coded passwords or using weak cipher suites for your encryption, those kinds of things. Dynamic analysis scanning tools are what I like to think of as more automated pen tests: they poke at an actual service that's running and detect common vulnerabilities, for example a web service: whether it has any cross-site scripting vulnerabilities, what its TLS implementation is like. The next one is dependency and library monitoring; this has become a really hot topic.

Gone are the days of developing from the ground up; you'd come up with a new product and there was no notion of GitHub, and even Maven was in its infancy when I left university. Fast forward to today and it's no longer developed from the ground up; you're just grabbing libraries from all over the place, and development now is more about gluing the libraries together. I've gone through dependency hell a few times, where you run it through the tool and there's a vulnerability: "great, I'll go change the version". No, it's a dependency of a dependency of a dependency. So annoying. Knowing where the risks lie is really important; I mean, we've seen the likes of

Equifax, which was stung by a dependency vulnerability that they just didn't update. Having these tools will help you hopefully fix them, or if not, be able to identify the different risks and maybe put things like firewalls or WAFs in place. The last one is asset and vulnerability scanning. This is at a lot higher level, more around your deployment. So many times we're seeing different organisations being completely unaware that "hey, I've had this thing wide open on the internet". You know about the big ones like the MongoDBs and the other sort of NoSQL databases: wide open on the internet, no authentication, and people are not even

aware of them. Having these sorts of asset scans that scan your perimeter and find what's open is really important, because you can't fix what you don't know about. Similarly, vulnerability scanning, kind of related to your dependencies again: making sure that your OS packages are kept up to date and that you don't have any open ports that you might not want open. Go and look on Shodan for RDP, the likes of Windows Remote Desktop sessions, and see how many there are. When choosing your tools, it's important that you spend time and choose the right tool. I've gone down the road of just grabbing a tool because, hey, it's profound and amazing, and it turns

out it was a complete waste; the blame was on us, not the teams that we were testing. Take your time, make sure that you research the tool, see how others have used the tool and how well it worked for them. Avoid things like marketing hype. False positives: "zero false positives" is a really popular one with scanning tools. Great, but how does it help me if it's great that it doesn't find any false positives but doesn't actually find anything worth finding? If I have a hard-coded password, does it find that? If it doesn't, it doesn't help. I'd rather go through ten false positives and have a report of the issues I have than report nothing. So make sure you get the right tool

for the job. Don't go for it because it's flashy and claims to fix the world. Make sure that you use the tool for what it's intended, and as I said previously, research it. There's also a misconception around open source. I'm not saying open source is bad; it's great, I'm a firm believer in open source. But sometimes open source is not always free, free in the sense that yes, the software may be free, but you still need resources to maintain it, keep it running, set it up and tune it. A good example is ModSecurity: a great product, but you have to invest time to tune it to your needs, whereas you could get something like an off-the-shelf WAF where they've already spent the time

and money and effort. So be careful with that, and as I said previously, ask around and see what others have done. Often when I'm looking at a tool I'll go on Twitter and just ask and see what other people's feedback is, to avoid getting stuck in the same situation that they were in. They might have had some issues that you may or may not have, and you can help someone else out. Automation is really key. As I mentioned at the beginning, business is changing: things are being delivered faster and faster and faster, and we can no longer spend time doing manual reviews for each release; that's just not going to scale. CI/CD, continuous integration and continuous delivery, is the notion that code passes

through tests and is deployed into production; there's no manual deployment any more. So even if you wanted to do a manual pen test, you probably wouldn't even get a look in before production. Embedding things within your deployment process and your development process will go a long way, and this is the whole notion of shift left, which quite often appears in products that sell themselves on it. What that means is you're trying to get into the pipeline, your deployment pipeline, as early as possible. The other important bit in order to solve this is that it needs to take less effort. The last thing your developers and QA want to do is spend a whole bunch of time and effort trying to do the right

thing. If you make it as simple as possible, they've essentially got no excuse. With the tool we use it's literally two lines of code to write a security test, and any developer or QA who says that's too much effort, I'd probably have a word with them. That goes for the second point too: put all the security knowledge behind the tool itself. That way, again, they don't have to have all the experience and knowledge. A good example is TLS: it's really complicated even for seasoned professionals. What protocols should I support, what cipher suites should I support, which shouldn't I support, when should I support them? You can quickly see how a developer gets really

confused. Have the tool make all those decisions and then just have the developer write the test. That way they get the feedback when they need it, they can engage you or the security champion if they need to, and you get your security bugs in. As I said, this is the biggest one for security in my opinion: trying to get in as early as possible. I don't want to say force yourself in, but essentially that's what it is: putting yourself in at the beginning, putting your foot in the door and making sure you stay there. The benefit of that is it doesn't matter how fast the business delivers, because you're built into that process; it should form a

part of that process. If it speeds up, the tests will just have to speed up along the way.

Another thing I came across at a company last year was that they did not really have a security issue or bug process. Gaining insight into your security issues is really important from a risk management point of view: understanding what issues you face and how much of a risk they present to your organisation. Security is not always about fixing everything; it's about managing risk, and your security issues and bugs are perhaps the biggest part of that. So you need to have a process for filing them, tracking them and prioritising them. When you have things like pen tests, make sure those findings feed into this process. Issues get tracked in Jira, there's Bugzilla, and I don't know what else

there is, but have your bug management essentially track your security issues. In addition, by doing so you're going to be able to do some sort of reporting and analysis on your security issues: identify which systems are more vulnerable than others, which teams may need more help than others, maybe teams struggling in one area or another, so you can then come along and give them guidance and additional training. The other important thing is measurement. It's all very well saying "hey, we have these tools, we have these procedures, this new programme", but unless you start measuring it, how do you know if you're getting any better? So it's really important to have something

to measure that you can feed back to management. Remember, all the way back at the beginning, we got buy-in from management; they're going to want to see some sort of reporting on how progress is being made, and your security issues are one way of showing that. The other thing is: look at others; don't reinvent the wheel. Don't try to come up with your own unique thing when someone's already done it and is giving it out for free, or sometimes paid for. The security community is very helpful; that's one thing I've learned since engaging on the likes of Twitter: people are always willing to help each other out, give advice, give recommendations. Tweeting is

a good example: "hey, I recommend this tool because I find it useful", or "I didn't find that one useful". Giving back sometimes helps as well, because you never know, someone might be in the same position that you were in. Another way to look at it is to see what different organisations are doing. Netflix are a good example: they have a whole repository of all the tools they've developed, which gives you some indication of what they do. As I mentioned at the beginning, Spotify have their squad model. Facebook, yes or no? Yeah, a few smirks, but they have some fantastic tools in all honesty: osquery is a really great tool, and their certificate transparency tool,

again, a great tool. Also importantly, you don't make the same mistakes: you can avoid some frustrations and perhaps even financial losses by avoiding the same mistakes that some other organisations or groups have made. Some other advice I'd like to give: we're all human. Often in security we kind of put ourselves on a pedestal and want to solve everything and be perfect. I know I'm a perfectionist myself, and it sometimes drives me up the wall when I get told "no, you can't do this" or "we have to allow this through". But sometimes you just have to accept that there are going to be times when you're perhaps going to be

breached. As was mentioned in a talk earlier, companies are more often remembered for how they handled the breach than for the breach itself. The other important thing is to learn from it. So when you are breached, take a step back, form a plan for how you're going to respond to that breach, and in there include how you're going to learn from that breach and what further measures you're going to put in place. Think of it as a learning exercise. The other thing, which is really hard for me because I have none, is patience. Remember, we are the professionals in security; your developers are professionals in development, and QA

are professionals in testing. It's easy to lose your patience and get angry and frustrated when they don't follow something, but did you take the time to explain it to them? Did you take the time to explain the repercussions? Sometimes you just need to take a step back and let them give it a go. Sometimes they might make a mistake, but that's when you step back and help guide them and correct them. If you've got your security champions, get them to do it; they'll be a lot closer to that person. The other thing is asking for help and knowing when to. This could be asking for help in terms of security things, because let's face it, we're not

all-knowing; it's impossible for us to know everything. There are many things that I don't know and I'm learning on a day-by-day basis, but asking others is the only way to learn them. Similarly, you have professionals that are well versed in the topic they're working on, so your developers may be Java experts or Node.js experts. The thing I've found that's become really difficult is keeping track of all these technologies coming up. The really difficult thing about my job is that I essentially have to be an expert in all the technologies in use, and that's just not going to happen. So I have to engage with my teams to

make sure I understand the different concepts and technologies being used, so in addition I become the student. I've mentioned this before: Twitter is a really good way, and that forms part of engaging with the community already. Engaging with the community, getting to know people and coming through some of these things together, as I mentioned with security champions, but there's no reason why your development team or your QA team can't join in too. It just helps break down those barriers between the security team, the development team and the QA team, and you can bounce ideas off one another, start sharing ideas, start learning new things. I know some people I've spoken to, and we've bounced ideas off each other

and it's already started blossoming into new things, and into providing resources for others as well. Relationships: at the end of the day we're all human, so we still need to interact with one another; humans are built on relationships. It's all very well talking through a computer or a messaging app, but nothing compares to face-to-face. So there were quite a few slides there on the different tools and methodologies, so I'll try to sum it up in one slide as best as possible. At the end of the day, the security teams, your development teams, the QA teams, regardless of what team you're on, are there to achieve the same

goal, and that is whatever your company or organisation provides, be it a service, a function or a product; that's what you're there for. It doesn't matter what your job role is: the company or organisation has to make money, and as cheesy as it sounds, you all want that at the end of the day. So you should be working together to achieve that same goal, and hopefully using some of these tools and methodologies can help do that. In addition, try to leverage security and change the perception from being a robot to being something that can help and engage teams. I've had several instances where I've implemented some security function and it's actually helped improve user experience or helped identify

areas that needed better performance or better engagement. A really important thing for me is allowing teams to do the right thing with the least amount of effort. If you do this well, you'll probably nail it, because teams won't have an excuse. Often developers and QA want to do the right thing, but going back to how business is changing, it's deliver, deliver, deliver, and deliver at any cost, so for them delivery is going to far outweigh the security that they need to do. If you make it really simple, so that it helps them embed security within, I don't know, a couple of minutes, then great, there's no excuse not to do it. And that kind of

drives the second point, training, towards a security culture: creating a culture of "hey, let's do the right thing". And when you get pulled up on something by your peers, that's really important: not by security people, but by your peers; then you start getting better results, because "hey Fred, you didn't do that correctly, you might want to check that". In a pull request review: "did you do checks for malicious characters?" "No, I didn't." "Well, go and do that." It's not me as a security professional, or John on the security team, chiding them; it's Jane on the development team. So it's breaking down those barriers, and hopefully that can help. Any questions? Yes, okay, so the

question was: do you have any suggestions for metrics that you can report to management on? Just to repeat it: do you have any suggestions for metrics, ones that you've seen to be successful yourself in particular? Yeah, so coming back to the security issue process; that's why I was hesitant about putting that in, but I thought it's actually important because it kind of deals with that. It might not be the sole metric you rely on, but it paints a really good picture. If you start prioritising: what we use is CVSS, for those who don't know, the Common Vulnerability Scoring System. It's basically an industry-standard way of rating vulnerabilities; it basically

takes into account things like: is this network exploitable, how hard is it to exploit, and what are the repercussions? There are so many aspects, so you'll see a little triangle and then it comes out with a score. So we use that to then rate all our bugs, rating from that kind of critical all the way down, and then trying to count those over releases and see, hey, how many criticals have we had versus how many releases have we had? Okay, great, the ratio is looking good, or it's getting worse. Right, well, which teams did the new criticals come in from? And you can start forming a better picture and understanding where your risk lies,

which teams are on path and performing, and which need additional help. Another area that you can use is pentests. Pentests are often mandatory, especially third-party pentests, for some companies for compliance reasons, and you can... it's difficult though, but you can use previous pentest reports and try to scale to see how you are doing, especially if you do manual ones. But if you have a whole bunch of new releases, perhaps. But the reason why I say it's difficult: unless you get the same pentester, you might get varying results, especially if you've got a really useful pentest company and a not-so-good one. Does that answer your question? Yeah, thanks.

I guess when you started the

talk, you talked about a movement towards self-contained teams in the agile world. How do you ensure accountability for security within those self-contained teams, especially given that a lot of, I guess, the bits that you're suggesting were quite voluntary or elective when it comes to sort of security champions, guidance, things like that?

So within the squad model, and again not all companies are adopting this, I think it is a new thing, but within a squad model teams are accountable for themselves, and so you have multiple squads, each squad has its own squad leader, and that squad leader pushes up to a kind of broader manager that's responsible for several squads. So ultimately a lot of the security issues would filter all the

way up to that manager, and that manager would be held accountable. I'd describe that as: as soon as that manager has a bit of pressure put on them, quickly they'd say, "I don't want to be seen in this bad light, so you better fix this." And having that, again coming back to the other part, the issue thing: having some sort of SLA around your certain priorities with both varieties can help drive both the accountability as well as the measurement. My criticals need to be fixed in six weeks, otherwise you have an exception process, and an exception doesn't look too good. So that again can help drive some of that accountability.

Hi, you seem to be against

mandatory training and for gamification and other methods, but how do you scale that for very large global companies, and also how do you track engagement? Because there are some people who will be naturally interested and others you're gonna have to drag kicking and screaming to get them engaged, and if it's voluntary that just may not happen.

Again, good question. So you read it correctly that I'm trying to get everyone engaged; it's not going to happen. I mean, people have different interests, and I think for me, and I'm sure many others, I'm always like, how can you not be interested in security? Well, it's much like how I'm not interested in

performing; some people are just simply not interested. It kind of comes back to my point of security culture, but hopefully trying to create this culture of "hey, we need to focus on security because bad things happen." Another way, as I hear people say "hey, security is not my job so I don't need to worry about it": well, when we get breached and we lose customers and you have redundancies, all my issues... So yeah, it's perhaps very much your responsibility. As I say, cheesy as it is, security is everyone's responsibility. So keep on building that security culture, where that kind of saying "you might lose your job" kind of thing, obviously not said like that, but that

fulfils all that security culture, where others think that way too, not a "hey, because our jobs are backed up" kind of thing. And again, changing away from those mandatory trainings, where people just go through them: "I've even done security once, that's complete." So you have all the gamification things; it makes things more classy, and especially the competitive nature: a lot of devs and QA are very competitive, especially if you have one team battling another. Another thing, if you have budget, dangle some prizes: security champion of the week or month for them. Any other questions? Thank you. [Applause]