
Hello, hello. Awesome. All right, so welcome everyone to my talk, thanks so much for coming. I just need to get some very important logistical information out of the way. My name is Ebony. All of these opinions are my own; I've not been paid for any of these; I'm not advertising anything; no one has bought me dinner for this, but you're welcome to do so after this if you're interested. I also have some cookies up here, so you should help yourself. Thank you. Step right on up, step right on up.

All right, so my presentation is based on how to get assurance into software. A little bit about me: I'm sometimes a teacher, I'm an avid student, half security professional. I used to be a software developer, actually; sure, not a very good one, but don't tell anybody. So what do I do now? Right now I am the lead for the test, security, compliance, and configuration management of my system, and it's really funny because most people ask me why security and compliance are different, and I'm like, if you have to ask, it's a problem in itself. I'm also a Tech LadyMafia mafiosa, and any other ladies in the room, if you're interested, it's a super awesome group (all you guys, sorry, next time). This is my first time attending BSides Las Vegas, it's my first time attending Black Hat and DEF CON, and this is my first presentation, so thank you all for coming. And as a side note, I had a super awesome week and I got some awesome stories, if you want to hear about them after this.

So, today's objectives. This actually got out of order, and I'm sorry about that, because "enjoy" should have been the first item and "share knowledge" probably should have been the third item, but if we can all leave without tears then it's going to be a win for everyone involved. So today's agenda: we want to talk about what makes software secure, the ways to secure software, and the results when you do it properly. I just want you guys to know that you can interrupt me any time you want: if you have questions, if you have comments, if you want to compliment me on anything that I have on, feel free to do so. Go. [Audience: the cookies are good.] I really didn't tell you to compliment the cookies, I told you to compliment me, but I'll take that.

All right, so what makes software secure? There are a couple of different definitions of secure software. The CNSS, the DHS, organizations, management, users, developers: they all have completely different definitions of what secure software is, and I think that is probably one of the main areas where it becomes a problem, because if software is secure you shouldn't have 13 different definitions for it. Primarily, for the CNSS and the DHS, it's any software that is repeatable and is free from vulnerabilities. For most developers, in my particular case, if nobody complains about it, it's secure to me, right? So it doesn't matter. For my management team, I've actually had a very difficult time explaining to them what secure software is, and they are always asking for some buzzwords to toss around in their demos and their meetings to try to sell it, and so pretty much if the customer doesn't complain they're happy, so it's like, whatever. For organizations, they really don't care; if they can sell something with some kind of super awesome new word that's out, and they're going to put "cyber" into everything that they are pushing, then they're all in for that. And most users don't even care what secure software is. So this presentation I put together actually for my management team, to give them a perspective on why it's important to incorporate security into the software instead of spraying it on after the fact. Any questions? We're good? All right, awesome.

So there are a couple of laws and bills surrounding software assurance. The first one is CISPA, the next one I'm going to talk about is the Cyber Security Act of 2013, and then the NDAA of 2013. CISPA is not directly involved with software assurance; however, I incorporated it because it's a pretty big issue as far as privacy and security and where they connect, where they intersect. CISPA was introduced, I believe, in 2011 (I'm sorry, I've been drinking all week, I can't remember everything I was supposed to tell you about this presentation), and it is currently in debates in the House; the Senate is in the process of drafting competing legislation, and there's a number of industries, a number of corporations that are interested in encouraging it. But for the most part the bill was introduced to allow organizations to share information, "threat information," quote unquote, to go through private information, to go through, you know, different things that you do on the internet, and share with the government and other organizations that manage the security of the country, etc.

The Cyber Security Act of 2013 is actually a very new bill; it was introduced in maybe July, June of 2013, I can't recall, but I do have notes if you want. [inaudible] That's not a big deal. So basically these are some of the major points of the Cyber Security Act: they want to secure against cyber attack, enhance the competitiveness of the United States, they want to enhance the security of the communications and information networks, and primarily it's really being used to encourage more individuals to start to be involved in the assurance of software, and I think that's a really great thing, because the government is starting to recognize that it's important, and while I question the implementation I think that the idea is fantastic.

The NDAA of 2013 is a law that just got passed. It actually involves how the Department of Defense spends money as far as acquisition and that sort of thing, and one of the most important things that I find is section 925 in the NDAA, which discusses secure software and acquiring it, and incorporating automated vulnerability scanning tools, incorporating security into all of the life cycle development phases. The other thing that it did was incorporating security into the life cycle development phases and using the static analysis tools and using the automated vulnerability tools, and so I think that's really great and I think it's moving in the right direction as far as ensuring that you are a little past compliant, but I still feel that it needs some work, and obviously that's great because they have some time: they're actually in the middle of drafting the NDAA of 2014 and they're taking suggestions and starting to incorporate those as well. But I'm not going to bore you with this; this is not important stuff, this is, you know, behind-the-scenes stuff, but this is important for your management, because security really has to go from the top down. As a developer (how many developers do we have in here? Awesome, you guys are awesome), as a developer it's really hard to get your management staff to really understand what security is and why it's important, because they don't care; they just want money, money, money, and so you've got to explain how it affects the bottom line. And the NDAA actually does that, because the NDAA of 2013 actually starts to, like I said, require the automated vulnerability analysis, they start to designate secure software coding standards, and you have to start to incorporate your security development plan into your statements of work, into your contract. So now the government is actually asking you to show proof of how it is that you're securing the software, so I think that's pretty important.

So what makes software secure? Well, I can tell you what makes Snoop Dogg super awesome right here, with this cupcake suit and all, but for what makes software secure we're going to talk about the recipe, the environment, the ingredients, the equipment, and the results. So, a couple of ways to secure software. This is actually a super awesome recipe, if you want to try it; I can give you these slides after this, but you can probably find it on Google. So in my personal opinion, these are four things that I find to be really important when you start to transition over to secure coding with your team, and these are things that I found really important for my team, because they were flailing very badly: the culture change, "security is a business decision," education and awareness, and then secure coding standards, and of course test, test, test, test, test, test, and if you think it's done, test some more. So, questions? No questions? Good, okay, awesome.

All right, so we're going to talk about environment, and in terms of environment we're actually going to discuss your organization in terms of my organization. I work on a system right now, and we have a certification to house various types of data, and the problem with getting certification to house various types of data is that they want to come in and they want to scan everything, they want to check your compliance for everything, they want to check a bunch of boxes, they want to come in and completely destroy your site, all your important development work that you've incorporated; they just want to bash it. So when we originally transitioned into the start of the secure software, our kitchen looked nothing like this; our kitchen looked just like this. It was terrible. We had rats, we had roaches, they were doing all kinds of privilege escalation, it was SQL injection, cross-site scripting, like it was crazy. And so at this point the business, the management side, actually started to understand why it was important, because they understood that this is going to be a hit to their money, this is going to be a hit to their bottom line, and I think that as developers, if we can start to communicate that from the bottom to the top, I think that we'll be more effective in starting to incorporate security from the baseline.

So, anyone? Soylent Green? Just one person? Seriously? Okay, well, everybody knows the punch line, but I'm really disappointed. I was going to incorporate a video, because I talked to like 50 people this week and nobody's seen it. This is a great Charlton Heston work; I'm not promoting it, but anyway, let's go. So the ingredients: Soylent Green's ingredients are people, and I've just ruined that movie for you, but you should still watch it because it's awesome; YouTube it, it's all over. All right, so the ingredients of making secure software: we have education and awareness, secure coding standards, culture change, and peer review.

Education and awareness becomes really important because, as I stated, until about five years ago my team didn't even know what SQL injection was, and now when I start to do interviews for other developers, when I start to bring in [inaudible], I ask them, do you know what cross-site scripting is, do you know what SQL injection is, do you know what cross-site request forgery is? They're like, no, I have no idea what you're talking about, but I have Google. Well, that's a good start, but I really feel like at this point everybody that starts to go into this field needs to start to know that. That has to actually start being incorporated into classes, into teaching, into curriculum for colleges, like everything; it's really important to provide that baseline, because that's what you're building everything else on; that's your foundation of all your money right there. It's also really important as far as the developer goes, because it's career assurance for you. Management does not like to spend a lot of money on people; however, they will invest a lot of money in people that wear multiple hats. So if you can go in and you can do the development, you can check for the security, you can do the production, that's something that they're interested in, that's going to be super awesome for you. I mean, if you're trying to make more money, then that's where you need to be; if you want to advance yourself, then that's where you need to be; if you want to get some lackeys to do your work for you, like that's what I'm trying to do, so that's where you need to be. So that's going to be really important.

As far as secure coding standards, there are a bunch to choose from; they're all over the Internet, you have all sorts of different options, and actually it's so funny because when I was doing this presentation I didn't realize how frequently "baked in" was used, and actually Microsoft has a website about it, and there's a whole bunch of different things. But one of the secure coding standards and practices that we currently use on my team is from Microsoft, and they actually have a website dedicated to it, and it actually has some really good information if you decide that you want to look it up after this. The other thing that I like to use personally is OWASP, because while OWASP is really primarily volunteer and community based, it provides a lot of information from a lot of different people from a lot of different environments, so you're not really limited to only what you are familiar with; you actually have an entire world of, you know, way more stuff than you have.

Peer reviews become very important. We have a bunch of developers in here; I'm going to tell you, I have a developer on my team and he literally writes entire pages of code on one line, and I think it sucks, it's so terrible to go in and try to peer review something that goes on one line, and a lot of times, well actually for a long time, for several years, no one bothered to go in and see what he was doing, because it was like, nobody wants to read this, what the heck. So as it turns out, he was putting all kinds of information into query strings; it was passwords being shown, it was all kinds of crazy stuff, and nobody bothered to look at that. And so peer review really becomes really important, because, you know, I don't know how interested or how aggressive of a developer you are, but I mean sometimes you might be developing, you know, 10, 12 hours, whatever, like it's nothing, and then you're just done looking at it, so it's really important to get this second set of eyes on it so you can start to collaborate and that sort of thing.

So the last thing, and this is actually the very most important thing, because I've mentioned it like three times already: it has to be a culture change. One of the things that I find to be most important when I'm teaching or when I'm talking to management (is anybody in management here? You can raise your hand. Okay, all right, you guys look cool, so it'll be fine), one of the things that I do when I'm teaching, when I'm talking to management, is I kind of dumb it down a little bit; I compare it to something that they're already familiar with. So when I tell them about cookies, I tell them about the sugar-free cookies that are not so great, and I tell them about the cookies that already had the sugar baked in, and then I explain the comparison and contrast, and they're like, oh my gosh, why didn't you just say that in the first place? Like, I've been standing here for five years. So I mean, it's very, really, really, really important, and like I said, the culture change really doesn't come from your team, and it's not enough for you to complain about it with your other developers, how beat down you are, how stupid your management team is, or whatever; so it really becomes important to start to explain that and to address the issue from the top down. Questions, concerns? No? All right, cool.

All right, so now we're going to talk about the equipment. For equipment I have "security is a priority," collaboration tools, and peer reviews, because like I said, peer reviews are so, so, so, so important. But collaboration tools become really important, particularly if you're working with a team that is spread out all over the place, because you want to be able to address issues efficiently, but you also want to be able to share that information. If you're working 10, 12 hours and then you're just like, okay, lesson learned, in my head, see you later, it really becomes an issue, because the rest of your team is like, okay, well, I'm stuck on this for another three hours, I don't know how to address this, you've already had this problem but nobody's helping me with it. So peer reviews, I can't really talk enough about how important those are. So, excuse me, does somebody want to give me some water? Anybody? So "security is a priority," like I said, I keep repeating it, but it's so important. You really have to start from the top down; if management does not agree that the incorporation of security is important, then there won't be any investment in security, and that's really what we need, because you invest in your time here, you're investing in your lessons, you're investing in your certifications, you're investing in your hacking, you're investing in your spying on your neighbors; it's not going to make a difference. Thank you. Excuse me. It's not going to make a difference, and so like I said, it's super, super, super, super, super important. My main management staff never even gave a second thought to security until they thought that the site was going to get shut down and they weren't going to get the contract again, so then it was like, oh my gosh, what do you need, anything you need, just let us know, you can have the world.

So the second thing I'm going to talk about are pans, and up here I have users, developers, management, and organization. So the same way that you don't bake cupcakes for the same amount of time that you... wait, do I have any bakers in here? Bakers? No bakers? Bam! I like it. Did you bring something? No? My recipe? Darn it. Well, I have an awesome white cake recipe in there, so yeah, we can do that. All right, so the same way that you wouldn't bake cupcakes for the same amount of time that you would bake a bundt cake or a pie, all of these different individuals have a different effect from the security. Users are affected by their information: so if there's an attack on a website, if there's an attack on a system, and you have all this important user information and somebody starts using your identity, then that's going to be an issue for you. For developers, like I mentioned, it's really career security for you; this is where you need to be, this is where the industry is going. I already talked about the NDAA of 2013 and how they have to start to incorporate the language into their contract work, so this is what management is looking for, so this is really important (excuse me, that actually probably should be... whatever). So as far as management goes, it's all about responsibility, and that really becomes an issue, because if the site goes down, if the site crashes, whatever, yeah, you may be yelling at your developers because you felt like they should have been doing something different, but you as the management staff, you're the one that's getting in trouble; nobody cares about the developer that's been working 8, 9 hours, 10 hours, whatever, because everybody thinks developers are slackers anyway. So that really becomes important for you. And as far as organization, it's all about reputation. Reputation is really priceless; you can't... I can't even say it's really difficult to get a reputation back; once someone does not trust you, there's really nothing else to do, they're going to go somewhere else, they're going to look somewhere else, they're going to buy somewhere else. So, questions? We're good? We're moving on, if this works.

All right, so essential for the equipment are tools; you really need tools. I usually use toothpicks to make sure that something is done. These are a couple of items that you can use to make sure that your security is appropriately incorporated. I don't work for any of these companies, none of these companies have bought me anything, I haven't even seen these companies, but these are tools that my team regularly uses. Acunetix, I think it's really awesome as a vulnerability scanner, because you can start to actually pull out false positives so they stop looking at them, and you can start to see how the attacks are done, and actually it's a really awesome learning tool for anyone that's new to security, because it shows you what was done to cause the error, so that you can appropriately fix it. And then Nessus. Has anybody heard of Nessus? Like, everybody's heard of Nessus. This is like the primary tool used by the entire compliance team for DHS; every time they go in it's Nessus scan, Nessus scan, oh, you're missing 17 patches, what are you going to do about it? So anyway, Nessus is actually a really good tool as far as patch management goes; I really don't like the interface of it personally. Go ahead.

Audience member: So the current version has [inaudible] built in. On your team, do you have different associates or different team members [inaudible], or do you do that yourself?

That is an awesome question, thank you very much. Unfortunately, it's actually just me that does that, so I do it all, and actually we just got AppScan a little while ago; I had to fight with 24 different people, literally 24 different people, to get an enterprise license that we already had, that we already paid for, that they just didn't want to use. So yeah, it's crazy. So yes, that's me, all of the above. Also, Telerik Test Studio is a Visual Studio plugin, if you use Visual Studio to do your development work, and it's awesome because you can start to do bug tracking, and it's a really great collaboration tool, particularly, like I said, if you have a team that's spread out. And then AppScan, which was mentioned previously, actually does source code reviews, so when you do builds and that sort of thing you can check to see the information that goes back and forth between the different entries, so it's great. The other option, of course, is manual testing, which is actually one of the reasons that I'm here, to get my manual testing up. They have a lot of classes, they have a lot of different tutorials online, you have virtual machines, they have a lot of vulnerability practice applications; I want to say DVWA and maybe the web... buggy bank? [Audience: Buggy Bank.] Buggy Bank, thank you. All right.

So I thought this was really funny; it cracked me up, it cracked me up so much every time I read it, I know I'm so lame, but anyway: secure software is not magic. It does not just happen; it actually requires a lot of work, unlike baking, which is magic. I just wanted to let you guys know that.

So as far as results, one of the examples that I got for results was from Blue Cross and Blue Shield of Massachusetts, and I actually like their incorporation of security into their process, because as they have started to incorporate security into each of the phases, they've actually started to build guidelines and start to build standards within their team to start to address common vulnerabilities, to start to address common issues. And one of the things that I really like is that the technology instructor doesn't just tell the coders to do it and assume that it's okay; he actually starts to make sure that the environment is clean, that the environment is pristine, that they have all the materials that they need, so I think that this is a really great business model that they're starting to incorporate. Dobby actually likes this picture a lot more than I do; I thought it was funny. One of the things about alternatives is that if you are not doing what your customer needs, if you are not producing what your customers want, they will go somewhere else; they always go somewhere else, and apparently this baby does not like baby food, but he would go to a breast in a hot second. [Audience: I feel like you're way too old to be there.] Never. I feel like this talk is going all the way downhill. All right.

So I found like a billion examples of what happens if the recipe isn't followed, but this is an example that I thought was really great, because it actually put a monetary value to it, and like I said, you know, when you're talking to management, when you're talking to the top down, you have to associate it with a dollar figure, because they won't care, they don't care; the bottom line is money, money, money, I don't care, I don't care. So anyway, it was a SQL injection attack; the SQL injection was used to get access to a couple of SQL databases, they stole over 160 million credit cards, they ran it up in like 23 different countries, there's currently a case going on, and it was over $300 million that was missing. And, you know, if you show your management team something like this, they're like, what the heck (so I had to temper my cursing because of the video). And the mitigation was so simple. Who knows how to mitigate SQL injection in here? Exactly. It's so simple, but apparently no one bothered to verify that when you put an apostrophe into an entry field it wasn't going to completely crash it and give you access to all kinds of stuff that you shouldn't have had. So anyway, that was a great example that I really appreciated.

So just as a recap: we discussed a couple of things about what makes software secure, a couple of different definitions; we discussed ways to secure it; we discussed some results. I've got some resources here; I don't expect you to read that, but it's one of them, I can give them to you later; talk to me at the bar. Do you have any questions? Awesome, that means I wrapped it up, I hit this out of the park. All right, wait, question? No? Go. Question? No? Oh, yes.

Audience member: Talk about changing culture.

Yes. I'm not going to lie to you, developers are very hard, because their motivation is different from management. Management cares about money; developers maybe care about a flexible schedule, maybe they care about, you know, just doing something different, something unusual, and so really the thing that I found most effective is to find what their motivation is and then play on it. I made my team take a leadership test to see what type of leader they are, and all of them were team players except one; one of them was a "country club leader," and what a country club leader is, is a person that prefers gifts rather than the benefit of uplifting the team. And so for this particular guy, you know, every time he comes in I'm like, hey, did you have lunch today, are you interested in a muffin, you know, can I get you anything, you know, how about I get you some books on this, I know you like to learn different things, here it is, you know, this is where you need to be, and then you just kind of steer them in the right direction. But developers are really, really, really hard, so good luck. Questions? Anybody else? Go.

Audience member: Just another one. [inaudible] Agile has come up lately, it's really popular; is that something that you guys implement, or have you heard about that?

Yes, actually, we have been implementing a bastardized version of agile for about five years. Last week, yes, as a matter of fact, last week before I went on vacation, we actually had an agile workshop. My company encourages people to move to agile because the product is produced so much quicker, and so of course, you know, we have products going out quicker, money's coming in faster. So we actually do currently use agile, and it's an awesome, awesome process; for anybody who hasn't heard of it or seen it, I think it's fantastic. I think that the most difficult thing about agile, though, is explaining to developers that it's a lot of freedom, but it's also within the confines of guidelines and regulations, because they're like, oh, what, no documentation? No, no, no, slow down, slow down; there's documentation, it's just on the back end. So yeah, agile is actually really great for that. Questions? Go.

Audience member: You mentioned there are a lot of secure coding standards available. Do you have any you'd recommend or that you've found useful to reference?

Well, the one that I found most useful to reference right now is Microsoft's security practices, because my team is primarily Windows based, and so they trust Microsoft, and so it's a lot easier to start to incorporate it that way. When you tell your management staff that you want to use something that's open source or something that's from the community, they're like, oh, wait, wait, wait, wait, we don't have to pay for it? I don't know how great it can be, 'cause, like, you know, they're giving it away for free, I don't want it. So, yeah, Microsoft is right now the one that we're using. Go.

Audience member: So I'm a chapter leader. To feed back on that: [inaudible] push back or resistance from some community [inaudible]; why do I see so much [inaudible] from organizations? Because a lot of people in the community, that are part of the community, are well-established thought leaders.

Well, you know what, this is true; however, my management staff are... I don't want to say that they're not thought leaders, because that's not appropriate, but what I will say is that they don't really understand the process in which it's produced, and they won't take the time, so it's really difficult to try to explain to them why it's important and how we can incorporate it, because, as I mentioned, oh, you know, if it's free, I don't want it, it's no good; if they're giving it away, how great can it be? And so I'm really actually having to push and starting to incorporate it, and so I guess eventually, once I can merge the Microsoft and the OWASP, I can get us off of it, so we'll see how it goes. Yes, sir.

Audience member: I want to ask you about the laws that you presented early in the session. So 99% of the work we do is not for the federal government under contract; which of those, or what aspects of them, apply to us?

Well, the NDAA of 2013 primarily only involves the Department of Defense, so if you don't have government contracts, that really doesn't apply to you. However, the DHS is actually starting a working group, it's called the Software and Supply Risk Working Group, and so they are actually starting to require anyone that produces software to start to incorporate the security, because it cuts down on the number of vulnerabilities that are introduced into various systems that connect to government networks, and really the reason that this becomes an issue is because most of the vulnerabilities that are introduced are a result of third-party software. So, questions, anyone? I have some awesome cookies up here. Anyone? Anyone? Awesome. I am "This Is Awesome"; you can find me on Twitter, I'm "This Is Awesome," so anyway, that's where I am. All right, so thank you guys so much. I'm really disappointed that no one ate these cookies; I feel like people probably felt uncomfortable. Leon, you only ate one, though. So thank you, have a good one.
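The SQL injection case the speaker closes with, as an added example that is not from the talk or the speaker: a customer lookup built by string concatenation beside a parameterized one, with the "put an apostrophe in the entry field" check she describes run against both. The customer table, its rows, and every function name here are constructed for the illustration.

```python
import sqlite3


# Constructed in-memory sample data (not from the talk): a small customer
# table of the kind a card-handling site might query by name.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, card_last4) VALUES (?, ?)",
        [("Alice Smith", "1111"), ("Bob O'Brien", "2222")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Builds the SQL text by concatenation: whatever the user typed becomes
    part of the statement, so a quote character changes its structure."""
    sql = "SELECT name, card_last4 FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterized query: the driver passes the value separately from the
    statement text, so a quote in the input is only data."""
    sql = "SELECT name, card_last4 FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def apostrophe_check(lookup, conn, name="Bob O'Brien"):
    """The apostrophe test from the talk, using an ordinary name that
    legitimately contains one. Returns ('crash', <exception name>) when the
    database rejects the statement, or ('ok', rows) when the lookup treated
    the input as data."""
    try:
        rows = lookup(conn, name)
    except sqlite3.Error as exc:
        return ("crash", type(exc).__name__)
    return ("ok", rows)


def run_check():
    """Runs the apostrophe test against both lookups and returns both verdicts:
    the concatenated query crashes, the parameterized one returns the row."""
    conn = make_db()
    return {
        "concatenated": apostrophe_check(lookup_vulnerable, conn),
        "parameterized": apostrophe_check(lookup_safe, conn),
    }


if __name__ == "__main__":
    for style, verdict in run_check().items():
        print(f"{style:13s} -> {verdict}")
```

A lookup that crashes on a legitimate name like O'Brien is the same lookup whose structure an attacker can rewrite, which is why the speaker's one-character check is a useful smoke test before any scanner runs.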