
...sponsors listed on the back of your program. We really do appreciate their helping to make this event a success. We appreciate all of you being here today. And so, ladies and gentlemen, without further ado, please join me in welcoming Mr. Tom R.

Wow, big crowd. Big crowd. Last talk of the day; kind of expected it. Hope everybody's had a wonderful day. I certainly have. I've caught a few talks, got a few buttons out front, had some good lunch, so it's been a good day.

As we jump into this talk, a little bit about me. My first foray into computer programming was similar to Doug's. I actually mowed a few yards and bought a Commodore VIC-20 at age 13, started writing BASIC: POKEs and PEEKs and FOR loops and GOTOs. I had lots of GOTOs back then; I would hope I'm past that at this point. After I graduated from college I did some work as a system administrator, and then I moved on into true software development, writing in K&R C, which you might want to remember for later. Then into Java, and then I did some 8086 assembly, 6502 assembly, and some 370 assembly. The thing I'm probably the most proud of in this picture is the bottom corner: that's me playing beach volleyball with my two children, who are currently both in high school and both participating in the Air Force cyber defense competition this year. They were both in it last year. My daughter, being a senior, will be a team captain this year, which is awesome, and our high school is putting together four teams. I do work from home for FireEye, if I haven't mentioned that before. When my boss is looking for me and I just happen to be away from the keyboard, my dog there takes care of my keyboard for me and punches it once in a while.

So, quick agenda: state of software; what and why agile; don't fall into the trap that we're talking about; then we'll look at some ways to fix it. I'll throw a conclusion out there, I'll ask you guys for questions, and then I've got a couple of really nice giveaways to do at the end.

So you guys are here, so you obviously understand the scope of software. Software is everywhere: dozens and dozens of operating systems, hundreds of programming languages, thousands of professional software developers (some are really good and some are not), hundreds of thousands of applications, millions, even billions of lines of code. Games; who likes to play games? In your entertainment, we all have Netflix, we all have... well, I have one too; some people have one too; some people are still that far behind. You do your taxes online, you pay your taxes online. It's in healthcare everywhere: you've got software controlling heart monitors and things like that. In the energy sector you have applications that go out and see how much electricity you've been using and pull it back, so you don't have the guys running around checking the meters on the 23rd of the month anymore, which is a job that my father actually did for a while. It's in transportation; we've all seen the videos from DEF CON where people are hacking into cars and turning off the ABS system while they're moving. It's just everywhere.

And along with that "everywhere" there are problems. You can see that this number came from... these numbers came from the National Vulnerability Database: the number of reported problems with software, let's just say vulnerabilities. So it's gone up, although I'm happy to say that in 2015 it did go down a little bit. But still, the number went down but the costs went up. The Ponemon Institute reported that the cost of cyber crime was up almost 20% in 2015. The federal government has also passed legislation holding companies liable for not protecting their electronic records. Under Obamacare, if you're not taking care of your records and you get hacked, it's $10,000 per record for every person's records that get compromised. And then there's also civil liability. There was a talk a couple of doors down earlier where they mentioned that one large retailer had multiple lawsuits because of the breach they had a couple of years ago. So just the fact that you have to defend yourself in court and you have to defend yourself on the network makes it twice as expensive.

I think we can all agree compliance does not equal security. PCI compliant does not mean that you're secure. It means your attack surface is smaller, but it doesn't mean that you're secure. Federal agencies: I worked for the DoD for six years; you have DIACAP, DITSCAP, FedRAMP, FISMA. All those are just checkboxes. If all you're doing is checking the checkboxes, you're not doing it right.

So, any developers in the room? One. May I ask what
language? And have you worked in an agile development environment before? Got it. I had that on the first slide.

So for those of you who might not be super familiar with it, I'll do a really quick run-through. Agile actually began in the '80s, when I was still in high school. At that time you had waterfall, and from the development side of it, from the process side of it, somebody would come up with an idea, somebody would storyboard it, they'd hand off the idea, it would get storyboarded out, they'd hand it off to the developers who would get it done, then it would go to the testers and the testers would check it, and then you'd have a loop there where it would go back and forth a few times. And then eventually, sometime five years later, you'd actually get something out the door that people were using. As agile was born back then, you don't really pass it from team to team anymore; it's organic. So as soon as I get a little piece of code ready I hand it off to the tester, and it all goes through at pretty much the same time. The idea is that by keeping a team together and keeping it focused, which I'll talk about more in a minute, you can do things faster and more efficiently, but we'll argue the "more efficiently" in a few minutes.

Several agile methodologies grew in the software development community: there was Extreme Programming, Scrum, Adaptive Software Development, Crystal, Feature-Driven Development, Pragmatic Programming, and lots more. In 2001, groups from different agile programming disciplines came together and came up with the Agile Manifesto. Maybe you could give us a little bit of that; it's been a long time. But the idea was to develop software in a way that meets your environment, not necessarily having a cookie-cutter way of handling it from shop to shop. Move a little further forward here: agile development was added to the Project Manager Book of Knowledge in 2013, and it's practiced by many organizations all over the world. If you look at it, FireEye's doing it, Microsoft does it, as far as agile development goes; even our retailers are doing it. And just for reference, if you wanted to go get your PMP certification in agile development, the average starting salary in Georgia is about $86,000 a year for a PMP-certified agile project manager.

All right, so now, as I like to say, the trap's been set. You can see the spider web there; lots of commercial and government agencies have fallen in. So we all have ideas; I've had ideas from the time I was a kid, the things I would like to do. So the idea with agile teams is somebody comes up with an idea, you hand it to an agile team, they go off and do what they do, they have something production-ready and bring it back to you.

It does have some advantages. I'm a glass-half-full guy; you can ask any of the guys I work with. It gives developers more visibility and control of the project; they're running the show, good or bad, they're running the show. And by empowering the team you're hoping to harness the entrepreneurial spirit. Apple did this back in the late '80s, early '90s: they would hand a team a project, and if the project took off and did really well, they were very much rewarded for it; if they weren't, then they were applying for unemployment in San Jose. Other advantages: the idea is to set a sustainable pace. I know we've all been through "oh my, exam's coming up, got to cram for it, got to study for it; I've got a deadline coming up, got to hustle, got to hustle." The idea here is to break it up into chunks that are manageable and meetable, and you actually deliver stuff on time. It encourages developers to meet commitments, because they are committing to what they agree is a manageable amount of work over a given period of time. It also focuses on the stakeholders, giving you constant prioritization: today you were trying to develop something to detect CryptoLocker, and then all of a sudden that piece of malware disappears; then it might get deprioritized if you hadn't finished developing it yet. And then the last bullet there is that you're supposed to deliver production-ready code with each development cycle, and we'll talk about that in a little bit.

Disadvantages. So, to give a little bit more about my experience: I've worked with Scrum teams on two continents, both Europe and North America, commercial and government. I've seen very mature teams of developers who've been 10, 15
years in the business, 20 years in the business. When the entire team's that way, or the vast majority of the team's that way, they're usually very successful. If you take a group of developers with less than five years of experience each and throw them into an environment like this, you're going to spend a lot of money and you're going to get a lot of nothing. One other thing is agile teams don't inherently have a system architect role. You don't have somebody who's looking at the whole picture, which is very, very important, so you can very quickly become too focused and forget the fact that you need to update the backend processes when you're changing the UI, and you end up with problems in production because you've delivered "production-ready" code.

Another thing is, if your stakeholders are argumentative and shuffle priorities drastically with every sprint, it can quickly become whack-a-mole: oh, we got this bug, that's immediately the highest priority, let's break the sprint, huddle up, start over. Just like with intelligence feeds and alerts, it can quickly become whack-a-mole. It's so focused on short successes that you can lose your long-term vision: if I can get this little bit of work done I'm going to get patted on the back, and I get this little piece of work done and I get patted on the back, I get this little piece of work done and I get patted on the back, but the thing that I missed was this little piece of work took me here, and this little piece of work took me here, but I wanted to go over there. So it truly requires strong project management, strong leadership, and the stakeholders have to agree on a direction for whatever you're building, or it's not going to work.

The other thing is you're always focused on these short-term successes, so there seems to be a tendency for developers to just grab whatever the flavor of the day is that'll do most of what they want to do, write some short augmentation for it, and then push it out the door so that they meet their deadlines. The good side of that is they're collaborating; the bad side of that is not all of these libraries have been very well tested from a functional or from a security standpoint. The other piece of it, which I'm going to talk more of on the next slide, is that it's easy to silo individual team members when the teams are not collocated. So pair programming goes out the window when you've got guys who are six time zones apart, which is where I was when managing teams in Europe while I lived in South Carolina.

A little bit more into the disadvantages: you're trying to build a functional team who can build production-ready code with a group of five to seven individuals. It really, really requires strong multi-discipline backgrounds. I mean, to have a successful team and you've got seven people: you've got to have an architect, you've got to have a functional tester, you've got to have a load tester, you've got to have a lead developer, you've got to have a couple of developers, you've got to have somebody who can be a security assessor, usually you need somebody to do a pen test if you're going to be doing any serious releases, and you need somebody who can build the platform for them to work on. And you only get seven people, and you can't kill your project for two weeks if I want to take my kid to Disney. So you really need people who can reach across multiple disciplines and are willing to do so. I've seen teams fail epically when they had a developer who also knew how to work on the platform, but he said, "I used to do that; now all I want to do is write code." So when the platform needed a fix and the guy who was better at it was away, nothing would work.

And this is my favorite one, my absolute favorite fallacy of agile development: defining "done." So you get a two-week window, you get a four-week window, whatever it happens to be, a one-day window; you're delivering production-ready code. What defines done? Is it done when it actually compiles on the developer's desktop? No. Is it done when you've completed functional testing? No. What about documentation? Internal documentation so that the operations people can support it? What about external documentation so that other people who are actually buying this product can actually use it? Did you do any security testing? Did you do any load testing? Because you don't know exactly what frame the person's going to be running it under. What seems to happen with "done" is they do say it's done as soon as it finishes functional testing, and then after the sprint is over they'll add a week of load testing, a week of security testing, a week for documentation, a week in staging, and then another week for rollouts. And by the time it actually rolls out, they've completed two more sprints, so now everybody behind in the chain is behind, so your documentation is weeks behind production-ready code.

But I said I'm an optimist, so we're going to talk about how to fix it. The most important priority, as far as I'm concerned, having been a project manager of multiple teams at one point, a developer at one point, and now being on the security side of the house:
Build your team extremely carefully. Agile evangelists will preach that changing your team any time during the life cycle of a product is going to cost you three sprints to reestablish your velocity. I can guarantee you that a security breach or non-load-tested code is going to cost you a lot more than three sprints. We'll throw Target's name out on the table here: what did it cost them for the breach that they had? And they're still paying for it. Six to seven guys; you can't have more than one kid fresh out of college. You can't do it; there's just not enough. Even if you guys move to Antarctica, live in an igloo, and spend 24 hours a day together building whatever this is, if you've got more than one inexperienced guy it's too much weight to pull for the rest of the team to actually be successful. It's just not going to happen. And then the last piece here is team stability is not greater than skill mixture. If you've got a team and they've been assigned to a project and the project direction changes a little bit, and now you need somebody with some networking background, or now you need somebody with hunting experience if it's not necessarily software development you're working on: eat the three sprints to reestablish a steady velocity and make your mix of skills correct. Take the guy who is not quite the skill set that you want, move him to another team, bring in the guy that's got the skill set that you want, because if you don't, you're going to regret it.

The other side of that is, I keep talking about having experienced developers. Agile teams are treated like startups. There was a quote from IBM in the early '90s that said, "We have no idea what they're doing; we just know they're going to build something." You give them a bunch of money and they bring us something back. Even very mature developers are not necessarily motivated to do that.

So if you see the responsibility chart up there, I've actually had that hanging in my cube and had people ask me to take it down, but it's important. Commit to what you're going to do, and then do what you committed to. Or, to quote the great Ric Flair, if you're going to talk the talk, walk the walk. Along with that, every team member contributes directly to success. If you've got a team member that's not pulling their weight: if you go to the CollabNet documentation for Certified Scrum Master, they encourage the other team members to encourage, pull, everything short of ostracizing their team member to get them to actually pull their weight. You've got to do it. If you've got a bunch of non-confrontational people that have experience and you've got one guy who's not pulling his weight, you're in trouble. That goes back to building your team carefully. And on the project that I'm currently working on, the third bullet is probably one of the biggest pain points in my life. The team will accept 120 points' worth of work, and they know they can only do 60, but they still accept all of this into their sprint, and then they don't make it, and then I've got to go back to the customer on the other end, or the stakeholders or whoever it happens to be, and say, "You know, we were really trying to get that feature out to you this quarter, but it didn't happen." And when it happens two or three quarters in a row, it becomes a real sore spot for the customers and for the people who have to break the news. So commit to what you can do, and then the bottom point is actually get it
done.

Collaboration. We're talking about multifunctional-discipline, or multi-disciplined, personnel. They need to communicate about everything. The second bullet there says pair programming is not just about code review. I'm a... oh, sorry, I'm a GIAC-certified secure programmer. I look at things differently than the guy who's got the CIS degree and 10 years of software development experience churning out code for brochureware. When he looks at my code he's going to look at different things than I look at when I look at his code. It teaches, it helps each team member become more multi-disciplined. I can't say enough about it; I could spend two hours talking about just that.

The other thing, or the next thing on the list: stand-ups are not optional and require details. For several months I had a team member who came into one of the Scrum meetings and he said, "Oh, I'm working on integrating single sign-on into this, this, and this." That's all he would say, every day, for three months, and in the end I went back and fixed it. But you need to come into your stand-ups every day, as described, on time, pass the ball around, say what you've got to say, give enough details to know that if you do need help, the people who are there who might be able to help you can step up and help you right away. You're trying to develop a product as if you were a startup and get it out the door; you can't just hold information to yourself.

Stakeholder involvement: if something changes, they need to get involved right away, and at the end of every sprint they need to check off the work that was done and accepted and then reprioritize as quickly as possible so you can get the next sprint started. If you don't keep up with reprioritizing, we're not going to end up over there; we're going to end up somewhere out in the parking lot. And don't be tempted to single out team members because of their specialties. As I said, I've had Security+, GIAC-certified secure programmer, but I shouldn't be the only one who's doing security assessments on the software that the team's putting together. If you do that and I win the lottery, the team is immediately in trouble. And one more thought on that one before I move on: there's one particular team member of mine that I said I would mention at some point during this talk so that you'd have to actually listen to the whole thing. So George, buddy, this one's for you.

All right, so everybody's heard this military term: keep it simple, son. Modern applications have dozens of moving parts: databases, you've got some stuff, you've got an operating system, you've got an application platform, you've got a front end. If you're doing a model-view-controller you can have that in actually multiple languages; you can have queues for handling load. But as Mr. Einstein so eloquently said here, everything should be made as simple as possible, but not simpler. Along with that I have another quote that I love to put in at this point. It says there are two ways of constructing a software design: one way is to make it so simple that there are obviously no deficiencies, and the other is to make it so complicated that there are no obvious deficiencies. The first method is far more difficult, but when you pass it off to your operations people and you pass it off to your customers who are actually using it, it works. If you make it so complicated that nobody can understand it, there's a very high probability that nobody can actually run it.

Understand your risks. Understand what you're building. Upper management has handed the keys to the kingdom to the development team, or the security operations team if you're not doing software development. Know your applications, know where they are, know what's supposed to be there. The same thing you hear about networks: "Oh, I didn't know that router was over there sending SNMP data to Beijing," or "I didn't know that firewall was configured to allow all ports outbound." In software: "Oh, I didn't know this guy was using Go, and he was using a version that was like two years old, because that's about how long ago it's been around."
Know your environment. Test your environment; test it often. Every build should kick off some automated testing, every patch should kick off a larger set of testing, every release should kick off an even bigger set of testing. Another thing: test your third-party solutions. The example that I love to use is Struts. When Struts came out, there was some example code that showed you how to put together your model-view-controller really, really quick, but it had a cross-site scripting flaw in the example. I can count dozens of applications that I've worked on and I've been to that actually copied and pasted this example code into their view, and now you have cross-site scripting vulnerabilities in your production application. And it takes like 90 seconds to test it and find it, so you've got to test your third-party solutions in addition to what you're working on.

Train your development team. As I said earlier, the GIAC Secure Software Programmer is no joke; it's a hard test. I studied for it for a couple of weeks, and that was to renew it, so I'd already gotten it once. So I spent a couple of weeks studying for it, going through the materials again, and it still was hard. And that's what you need: you need something to make these guys think not only about this little piece of code that they're writing, but then the piece of code that's running on this application server, that's running on this network, that's available to this environment, even if the environment you're talking about is your customer's environment. Think about how they're going to use it; think about how they're going to abuse it, so that you don't end up with something that you could have very easily taken care of and have to rush out patches, or give somebody some money back, or even worse, have your name and your company's name spread all over the news and the internet and Twitter and everything else.

The last piece there is you've got to have your stakeholders, your Scrum master, your project manager all sit down together and work out... reduce your risks where it makes sense. If you're working on a piece of software that's going to be in a car that has absolutely no external network connections, maybe you don't have to worry so much about SSH not being patched. But if that same issue is on a Wi-Fi router that's sitting on a hospital's network that has connections to all the other devices, then that's probably going to be a much higher priority.

So let's see if anybody has any questions for me at this point. I do have a little more content, but I was going to take a break here, catch a breath. Anybody have any questions?
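As an added illustration of the talk's point about copy-pasted framework example code in views (this is my example, not the speaker's code or anything from Struts itself), here is the kind of "90 seconds to test it" check a team can bolt onto its build: a dynamic probe that runs a harmless marker through a view function and reports whether HTML metacharacters come back intact, plus a static scan of JSP/Struts template source for output that bypasses the framework's HTML encoding. The view functions, the marker string and the JSP snippet are constructed samples; the Struts tag attributes named in the comments are my assumptions about those frameworks, not something stated in the talk.

```python
import html
import re
from typing import Callable, List, Tuple

# Two versions of the same view fragment (constructed samples).
# The "copied" one renders the parameter raw, the way sample code often does;
# the "hardened" one applies HTML output encoding at the point of output.

def render_copied(name: str) -> str:
    """View fragment as typically pasted from a sample: raw string interpolation."""
    return f"<p>Hello, {name}!</p>"

def render_hardened(name: str) -> str:
    """Same fragment with HTML output encoding applied where the value is emitted."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"

# Harmless marker carrying every HTML-significant character; no script, no payload.
CANARY = '<xss-probe>&"\''

def reflects_unencoded(view: Callable[[str], str], canary: str = CANARY) -> bool:
    """Dynamic check: True when user input reaches the page with metacharacters intact,
    i.e. the view is a cross-site scripting sink."""
    return canary in view(canary)

# Static patterns for JSP views. Assumptions (mine, not from the talk):
#   ${param.x}                         JSP EL; not HTML-encoded by default
#   <%= request.getParameter(...) %>   scriptlet echoing a request parameter raw
#   filter="false"                     Struts 1 <bean:write>, disables its HTML filtering
#   escape="false" / escapeHtml="false" Struts 2 <s:property>, disables its encoding
RISKY_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("jsp-el-param", re.compile(r"\$\{\s*param\.")),
    ("scriptlet-echo", re.compile(r"<%=\s*request\.getParameter")),
    ("encoding-disabled", re.compile(r'\b(filter|escape|escapeHtml)\s*=\s*"false"')),
]

def scan_view_source(source: str) -> List[Tuple[int, str]]:
    """Static check: (line number, pattern name) for each template line that emits data
    without the framework's HTML encoding. Empty list means nothing flagged."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in RISKY_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, name))
    return findings

# Constructed JSP view: one properly encoded tag, then three risky emits.
SAMPLE_JSP = """\
<%@ taglib uri="http://struts.apache.org/tags-bean" prefix="bean" %>
<html><body>
<p>Welcome, <bean:write name="user" property="displayName" /></p>
<p>Results for: ${param.q}</p>
<p>Echo: <%= request.getParameter("msg") %></p>
<p>Bio: <bean:write name="user" property="bio" filter="false" /></p>
</body></html>
"""

if __name__ == "__main__":
    for label, view in (("copied", render_copied), ("hardened", render_hardened)):
        print(f"{label:9s} reflects unencoded input: {reflects_unencoded(view)}")
    for lineno, name in scan_view_source(SAMPLE_JSP):
        print(f"SAMPLE_JSP line {lineno}: {name}")
```

Wiring `reflects_unencoded` into the per-build test run catches the copied sample the first time it is checked in, before it reaches the security-testing week that tends to get tacked on after the sprint.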
Please... I'm having just a little trouble hearing you.
Actually, I've got a lot of suggestions for you. I don't see anybody from his company in here, but Tim Tomes does a really, really great web application pen testing course. So that's the longer developer course; that's four days, I think. It's actually amazing. I took it this year, actually, just as a refresher course for myself, even though I haven't been doing web development, but it did give me, on the detection side of the house, some more things to look for. So I was looking at it from that side. Another thing is the GIAC Secure Java Programmer, if you're doing stuff in Java, or they also have the ASP/C# version of it, is amazing, absolutely amazing. And then afterwards you can get the certification, which is good for four years, and then you can renew it again for another four years, which is what I just did. It will make you think about it, and they look at it from both a Java platform or a C# platform and at the web platform, so there were tons of questions in there about how to close known vulnerabilities in Tomcat and JBoss, and if you were on the other side of it. So those are things that can do it. Another thing is, if you've got access to somebody who's a pen tester, read some of the books that they read. I don't have any names right off the top of my head, but I can give you my card; you can send me an email; I can definitely send you some suggestions. The Web Application Hacker's Handbook is a good one. Thank you, James. So there's lots and lots of information out there. The biggest thing is to pick your platform, whether it's going to be on the Microsoft side of the house or the Java side of the house or PHP or whatever it happens to be, and then focus there, because there's so much information it'll seem like diving into an ocean if you try to tackle more than one platform at a time. So pick a platform; the concepts are going to be the same, you just pick up the syntax when you go to the next one. So that's my best advice: pick one, dig into it, and then the concepts will carry as long as your career goes.

So I do owe some credit around. Lots of recommendations there about the numbers at the front; the picture from My Fellow Americans, which happens to be one of my top five favorite comedies, which was filmed about three hours away from here.
I'll mention how Apple does it; that's where one of the quotes came from that I read. Then the bottom one there: we were talking about Target, so there's the CNN article about Target. And these slides are going to be up on the BSides website, so you don't have to try to write anything down or take a picture. This article, the second one on here, the one from SecurityWeek, is actually another good place to get started: seven considerations to reduce your attack surface. And OWASP has a ton of information out there. It doesn't matter which side of the house you're on; just pick one.

And then finally, I want to thank you guys for hanging around at 4:00 at the end of the con. Thank you to BSides Augusta for allowing me to speak and for this great polo. A thank you to pentest fell for talking me into submitting my first CFP last year. Thank you to FireEye for giving me the opportunity to have the day off yesterday to go to the Security Onion conference and then be here today. And then of course a big thank you to Scott oon, the con that I happen to be happy to assist putting together; the logos are down in the bottom corner there.

So if nobody's thought of any more questions, I've got a couple of items here to give away, so I'll do a last call for questions. SouthOrd has given this great lockpick set for me to give away. So back on my very first, or on my agenda slide, I had a line that says "don't fall into the trap," from the movie My Fellow Americans. Who can finish the sentence, the quote, for me? "Don't fall into the trap..." Nobody? He pulls the string on the presidential doll and it says, "Don't fall into the trap..." Nobody? All right, I'm going to tell you the answer. Probably, in the given political climate, it's probably the wrong thing to say, but it's "Don't fall into the trap, Democrats are full of crap." So let's see, think of another good question. Who can remember what my first computer was? Right here: Commodore VIC-20. Yes, sir.

And for The Hacker Playbook, which was graciously donated by BSides Augusta... he's disqualified. We'll see if anybody can remember two of the processors that I wrote assembly language for. There were three. Or I'll take... how about one? Who wants... how about... yes, sir.