
Hi, good morning everyone. I would like to first of all apologize: this is my first time doing this and I'm a little nervous. My experience in the industry, as you can see, is basically just seven weeks old. I'm only a placement student doing this for the first time, but I'm passionate about application security. I thought I'd be a penetration tester when I went to university; it was sexy, it looked awesome. But then I had a little interview, and the result of that interview made me go and speak to Tanya, who I now call my Messiah, and she fuelled my passion for this. So please bear with me, and if there's anything I've got wrong, please, I'd love your feedback as well. Thank you.

We're going to talk about DevSecOps and security being a part of everybody's job. Now, it's my opinion that OWASP is the best thing that's happened to application security, and DevSecOps is the next new thing. I'll get to that in a sec, but before I go on, can I ask: is there anyone that writes code here? No? Anyone that secures any app, makes patches or stuff like that? In my opinion it's everyone's job, regardless of whether you write code as a developer, make security patches, or check your web apps to make sure there are no vulnerabilities: you should do that securely and in the most secure way possible, and that's what this talk is leading to.

Who's seen this before? This is a little bit of social commentary; it's not meant to be taken literally, but this is how some security people see DevOps. Now, I know it's a little early and no one wants to start seeing unicorn poop, but they feel that everything golden the developers do, that amazing code they make, they have to do the grunt work for it: they have to make sure that it's always cleaned up, it's always nice, and no one can attack it. This is not how we should see DevOps. This is how I want us to see DevOps: we're all singing Kumbaya, holding hands, teaching everybody, encouraging and empowering our developers so that they can make secure code. We have to remove the blame culture; we have to shift from siloing ourselves into one particular corner and all work together, as developers, as operations and as security experts. I hope by the time I finish this talk that we all have this Kumbaya moment.

My Messiah: she's the inspiration behind this talk. Without her I don't think I would have any knowledge whatsoever. She's the CEO and founder of We Hack Purple; I'm hoping most of you have heard of Tanya Janca. Her book, Alice and Bob Learn Application Security: I have a running joke, and she doesn't appreciate it, but I call it my New Testament, and her website is my temple. If application security was a religion, she would be my Jesus Christ. And me? Well, like I said, I'm just a second-year cyber security student at the University of Salford. Seven weeks ago I started my industrial placement at Matian, and in that time frame, in just the seven weeks I've been there, they've encouraged and pushed me to learn more about application security. I never thought I'd be standing here presenting to such an amazing group of people, but with their help and their feedback, I'm here to share one of my passions.

So what is AppSec? Now, according to Tanya, it's every activity you perform to ensure that your software is secure. We already do this from time to time, but there is no formalized process; some organizations, sorry, don't have a formalized process for application security. Now, this is usually the bad-news part, but poor application security is a problem. Over the last few years, thanks to Verizon, and I have to update this slide because the 2021 slide says APIs are number one and web apps are number two, which is kind of like they've just split our category into two and told us we suck at the top of both. So that's not exactly good news, but this is not to scare anyone and not to condescend to our developers, because they do amazing jobs; but this is a problem that we need to address. The industry seems to be more focused on the symptoms, not the disease. We encourage incident responders and penetration testers and we hype them to the max, even to a certain extent where some of them might have egos, which is a little detrimental to our industry, but we need to deal with the disease itself. We have so many front-facing apps, but we worry about the perimeter, not the window. You have your window wide open, but you've got security guards around; it's not going to stop anyone from breaking in. They could easily jump through that window, grab your safe and be gone. That's what our web apps are: they're the window to our industry, and it's the one way, over the last few years, that we've had breaches. This has to be resolved, and my opinion is introducing DevSecOps.

But before I go into that, let me explain why this is actually a problem. In my experience as a university student, we do not teach application security; we don't teach our students, our future developers, how to write secure code. Now, from my experience, and I'm not sure about the rest of you here, at Salford we had a security course and it basically focuses on network penetration testing. Right, that's good for me as a cyber security student, but not so much for the developers; that's not their realm. From the research I made, some colleges, especially in America, are beginning to introduce some secure coding modules to their courses, which is great, but this is something that has to be across the board. We have to empower our developers to make secure code; we have to actually teach them and motivate them on how to do these things. This is something we're severely lacking in.

Another thing is that we're totally outnumbered. Now, according to GitHub, the recent figures show that there are 500 developers to 20 ops and two security members. During the period of waterfall this could be up to 2,000 developers to one security team. Now, if you put the blame for every breach on that security personnel, then it's going to take 18 months, which was what we saw during waterfall, for a release cycle to get released. Thanks to Agile, thanks to DevSecOps, those release times are pretty much immediate, and I'll get into how beneficial that is in a couple of minutes.

So what is DevSecOps? According to Imran Mohammed, the guy from Practical DevSecOps (I've taken his course), DevSecOps is AppSec in a DevOps environment. According to him, we already have these processes: developers fix bugs, security personnel mitigate and give advice for remediation and mitigation. But if we pull all of this together, application security, developers and IT ops, without being siloed, all working together, then there'll be a faster release date and improved resiliency, which I'll go into in a few minutes. I'm a big fan of The Mandalorian, and I think DevSecOps is the way. I was going to go through the three ways of DevOps, and we'll be able to clarify why this should be the standard for every organization creating software. Now, the three ways of DevOps:
The first way is to emphasize the efficiency of the entire system, the second way is fast feedback, and the third way is continuous learning. In my opinion, I think this meshes well with security. How? By emphasizing the efficiency of the entire system we can shift left, from left to right. Now, I have an analogy with a house. If you and your partner, for example, plan to have your dream home, you go through the stages of getting your contractors, getting your architects to design and draw, getting the builders in to put fixtures in and everything, and by the time you get to the last day, when you want to get your keys, you realize that you've got seven kids with only one bathroom, and you'll have to go back and rebuild through the entire process. But when you shift from left to right with the speed, and you've taken all these considerations in at every part of the software development life cycle, then you'll be able to release your code in time, with security personnel in every stage of this life cycle. You emphasize the efficiency of the entire system, meaning that you have a faster release cycle.

So what does this mean for security teams? This means the security teams, if they want to be able to work in a DevOps environment, have to be able to sprint as well, with the developers. What does this mean for dev and ops teams? They have to engage in security meetings and be able to threat model. I've lost my train of thought, I'm sorry. There he is. So they help the AppSec teams tune their tools, for their sake and for ours. For example, we have a DAST tool or SAST tool in the CI/CD pipeline. In my experience, I had never heard of YAML in any kind of config files until I came to Matian; without the help of our developers I wouldn't have been able to securely test the tool in the CI/CD pipeline. They were efficient in helping us to tune those tools and get the metrics from them, for us to be able to feed back what they need to correct. Also, the dev and ops teams need to have both positive and negative testing, unit tests on their application, and be able to get it to handle invalid inputs. This is almost like the threat modelling stage, where you put your evil brainstorming hat on and figure out what the negative use cases are: which ways would an attacker or a malicious threat actor go to break your system?

Faster feedback. Now, this is one of my favourites: shifting left. You have to push left, because in some organizations the security team aren't allowed to shift, so you literally have to push to go left. This goes back to my house analogy: when you go back to the requirements stage, right from that stage you have security in mind. Same thing with a house: you get your architects in and you tell them, look, I've got seven kids, so I have to make sure I've got a bathroom where every one of us can be free and there will be no complaints; you have to ensure that they're safe, get your barriers for your children. You go to the design stage and it's the same thing: what do you need to put on the electric sockets to make sure that they don't go and put their fingers in there? Code is, well, you're bringing your design to life, so you're adding your structures and you're ensuring that your balcony has the security gate so your kids don't jump over. And then you test it: you test it to make sure that it meets those security requirements. You just don't fix the gate and leave it, you know, a little wobbly, and it falls over and, I'm sorry, your kids are down the stairs. And then when you get your keys to get into your new home, you find out that you don't really need to go back and do anything else, because you've already considered every possible thing that could go right or wrong while you're going through the entire stage. Which means that you get faster feedback during each stage of the software development life cycle: you get feedback faster on what you should and shouldn't do and what will be appropriate for the release.

What does this mean for the security team? Like I said, the security team will have to learn how to sprint along with development teams, and will be able to add their inputs at every stage of the secure development life cycle. What about the dev and ops teams? Feedback goes both ways, so you want to be able to tell the security team what you're concerned about, what you feel might break the build, what you feel might be essential to ensure that you could release your software faster. Like I said before, you participate in security activities: incident handling, threat modelling, security sprints as well. If you're in a position where your organization has both red and blue teams, you could actually perform some of those red team activities and see where some of the deficiencies in your system lie.

And my personal favourite: continuous learning. I think most nerds nowadays are gamers; I'm like the old-school nerd, I like a huge chunk of fresh books in front of me. I just love the smell, I don't know why. But for us, like every athlete (I'm sure most of us... I don't know if you guys are Newcastle fans, considering where we are, but as a Chelsea fan myself), I know athletes constantly have to hone their skills, even during the off season. You see them on nutrition with their nutritionist, they're doing their fitness regimens. They're continuously learning so that they could be in a position where they're always giving their peak performance, and this is the same for us in security: we have to constantly hone our skills. What does this mean for the security and DevOps teams? For the security team, this means the security team has to be able to enable and empower developers, to be able to introduce materials that are necessary for the work they do, to make sure that whatever code they write and the libraries they use are both secure; and the tools that might be required from a security perspective, say a DAST or SAST tool, using Snyk and stuff like that, to be able to teach those developers and show them how you could use this to find vulnerabilities in that code. The dev and ops team, what does this mean for them? That means they have to be open-minded. We're not trying to be condescending; we're not saying the software developers suck or they need to get better. We just want them to hone their skills, just like athletes, to be better and be efficient at what they do at all times.

Finally, to be able to make security everyone's job, it requires a culture change. First of all, we can't keep blaming everybody. A breach happens; we can't say, okay, it's your fault, you deal with it. We know it's happened; the solution should be: how do we make sure this doesn't happen again, what can we learn from this breach or this incident or this vulnerability, and how can we make sure that we're in a better place for it? To be able to do that we have to change our security culture. Even something as minute as passing a pentest: celebrate that. Running a pipeline and it comes back with no highs and criticals: celebrate that, offer pizza, "you guys did awesome". Those kinds of mentality change help you reinforce the fact that, okay, this is something we need to be doing every day, and it shouldn't be secondary to our jobs, it should be a part of our jobs. We have to reinforce that culture change if we're going to be doing that. Like I said, we're too siloed as teams: security is on its own, devs are on their own, the IT operations team on their own, and they only talk when they need to. We need to be able to work closely with these guys; we need to, even to a certain extent, embed ourselves in their teams, understand their working patterns, learn from them and be able to offer solutions when problems come. The only way to be able to do that is if we all work closely together. Like I said, no more blaming. If a particular situation has happened or occurred, we need to shift from "this is your fault" to "okay, what do we do to make this better, what can we learn from this moment", and ensure that we're more resilient in the future.

And then my resources. Like I said, OWASP, I think, is the best thing that's ever happened to application security. I'm an OWASP student member myself, and the benefits I get from just a learning perspective are awesome. I would encourage every one of you to join up. And my Jesus Christ herself: please follow her, she's amazing. Her insight into everything application security, being that she's been a software developer herself and is a security professional now, is insightful. She works with, they used to be called NeuraLegion but they're called Bright now, and I've tested their DAST tool and it's pretty awesome, and it's thanks to her. So please follow her Medium, follow her on Twitter, check out her topics on YouTube, and please visit the We Hack Purple Academy. It is awesome. And yeah, that's me. Thank you. If there are any questions, I'll take your questions. Thank you.

That's your first talk? Amazing, man, thank you. Honestly, another round of applause, I mean, first talk. Thank you. Do we have any questions for [Applause] K?

Oh, not really a question, but a piece of information. I think Tanya's We Hack Purple company got folded into Bright, and now the whole training academy has become free for anybody to use. So all the paid training courses have now become free for anybody, and her AppSec training courses are very good. Yeah, I'd recommend anybody to go and sign up for those courses.

Thank you, I appreciate that. Any more questions for
K?

That's a bit of a mean one. You said at the start something that sort of reverberated with some of my previous experience with security teams: they can't shift anywhere, they're not allowed, trying to break down those cultures. I was going to ask, and that's unfair given you've mentioned your short time in the industry, how you think we can kind of break down those barriers. But equally, you also said just give pizza, and that's possibly the best we can ever get, so I've definitely taken that one on board, because pizza wins everything. But I'll see if you've got anything else to add to that list as well.

Yeah, no, I'm glad you considered the fact that this is pretty much me in nappies trying to walk, so I don't think I'm in a position to be able to give that kind of high-level advice. From a rudimentary point of view, and as someone who's, like I said, making my baby steps, it would be awesome to have, when we've passed the pentest here, some Domino's. I'd love that. I'd know that every time we have to have any type of security challenge I have to be on it, because I have pizza. It's a small start, and I'm sure there are more things that we could do to be able to change the security culture, and that's part of my remit. I'm learning as well, and I want to be in a position where I can be here maybe next year and give this talk again, and be able to say, okay, based on the year I've had, these are the things I think we need to be able to do to have a great security culture. Thank you.

Other pizza brands are [Music] available. I do think that sometimes, if you need to move a culture, you need to find out who's blocking you. Traditionally it's the "we can't afford that", "that's not that important", and then you have to speak their language. So if someone's blocking you in anything, speak to them in their own language, not in yours, because they don't care about AppSec, they don't care about security. The company makes plastic palm trees, so "if we do this we can make more plastic palm trees". That's the way to start moving change. When you have such a wall it's not easy, but don't try and solve it all at once; move it, celebrate your little successes with pizza.

You're right, and I should have mentioned this during my talk, but if security wins, the business wins, right? Or if the business wins, security wins. If the business is out of business, we're out of a job. Take, for example, the company I work with, Matian, which is a software development company: if we had any kind of problems that affected the business, we'll be the first to leave; the developers aren't going, they're going to be there to try and fix the problem and make sure that the company earns more money. So if the business wins, security wins, and I think that's a very important part to put in, because sometimes some security folks forget the fact that we have to make these things 100% secure; not necessarily. But thank you for sharing that, I appreciate it, and thank you for having me. I appreciate you listening.

One question. Oh my God, I'm sweating here.

Don't worry, I'm not really going to ask a question, but because the comment was made of, well, how can you make this happen, I very much want to say I very much agree with your comment about sitting on the sprint. That's what I do every morning. And yeah, you know, developers, they often don't have the time to look at security themselves and understand it, and yeah, us in security, we can't always understand everything of the code they're writing. But basically I work with squads as a security analyst, and I alternate between my squads every morning, sitting in on their sprints, looking at their Jira tickets, seeing what they're working on, and picking up from that the things that I might want to look into that might cause issues. But also then, when they get stuff that needs data protection type, you know, data governance overview, hold their hand through that process and help them with it. And so yeah, you become that kind of critical friend. They come to you and they ask you the questions, they ask you for help in meeting data governance requirements, but then they start to trust you more as to how do we make this more secure. And yeah, then you get to the pentest and it works, or you can see the problems that come up in the pentest and you can say, well, that shouldn't actually be too difficult to fix; I think you just need to tweak this and a few... it's not going to add another month onto our sprints and that. So yeah, I very much back what you say.

No, thank you for adding to it. It's part of, I think, one of our jobs as application security engineers, at least in my opinion: it's all good to have that technical knowledge and be able to solve and deal with bugs and vulnerabilities, but importantly we have to be able to empower the developers. They are the ones in a position to write the code; they will be the ones to be able to remediate it faster. So if we can empower them in a security way about how to consider, how to make security a part of their jobs, then we will probably not have to be critical friends anymore; we'll just be normal bodies, you know. You could just come to me and we talk about this, because you understand the security problem and I could help with maybe explaining some of that more. Thank you for that, I appreciate that.

Any questions? Any really horrible, hard questions for someone on their first talk? Something super horrible, critical?

You've said about having seven kids. How have you got the...

I don't have seven kids, I've got two.

How have you got the patience to deal with them, and has that helped you in your AppSec career?

That's actually a great question, because my first daughter has cerebral palsy, and I should have told this story as well as part of how application security is missing for students at university. My daughter, when she was six months old, before she had her brain injury, we always sat together during my university classes, because everything was done at home to make it easier. Because she kept on crying I would just give her Cheetos, right, like "here's some Wotsits, eat that". After three weeks of doing that her mum kicked my ass. I didn't have coffee for a week; it was painful. But then I started giving her tomatoes instead. She didn't like it at all, hated it, cried even worse, but I put my foot down and made her take those tomatoes, and now she's a fruit lover, she's a vegetable lover, she could eat, man. I was surprised when this chick was eating a corn on the cob by herself, and she's got cerebral palsy, but because she's used to having her vegetables. We know that having your five a day is good for you in the long run, right, compared to having Cheetos or Wotsits every day. The same thing could be applied to our developers, right? From their experiences, only when they come into industry sometimes, or if they go externally and learn, do they learn how to write secure code. If we keep pushing them by giving them these new vegetables, they might not necessarily like it; they're used to having their fancy features and not, security-wise, having to break it. But if we keep feeding them these vegetables, in my opinion, in time they would love vegetables as well, so they will always want to write the secure code, they'll always consider security first; maybe not as the be-all and end-all, but it would be a part of the thinking when they're writing their code. That's the one way I could equate the two together, and it's the one thing I learned from having children: you have to be patient. You can't just be screaming and shouting and saying "you have to do this"; you also have to show them why they have to do it, why this is good for you compared to the stuff that you actually liked before.

So what we're saying is: good code, pizza; bad code... [Laughter]

Hey, right, oh, we have another question. Is it about vegetables?

Right, yeah, it's just an observation. It was a really good presentation. I think, though, you might want to consider going to the developers' convention and delivering this presentation to them, because I think you've just reminded all of us what we go through on a day-to-day basis. But to play devil's advocate to myself, I like a little bit of insecure code. I like the people who click links, I like the people who open attachments. I want to pull them into my bosom and nurture them, because without them I don't actually have a job. Thank you.

Right, any other questions? Look at that, survived his first talk, his first grilling.

Oh, I've got the sweats to prove it now as well.

You did a really good job.

I appreciate it, thank you.

Right, big round of applause for [Applause] K.