
All right, I'll bring some over. All right, don't forget to tip your bartenders. We're bringing this home: the last talk of the day, but not the least. We're going to learn how to kickstart an application security program. [Music]

So thank you to BSides Knoxville, and thank you to everyone that stuck around for the last talk, all ten of you. I really appreciate it. I will explain why that song was my walk-up song. I'm a big baseball fan, so having a walk-up song is something I've always dreamed about. It actually died when I was about ten, because I stopped playing Little League, but I was very happy to find out that they had a walk-up song here, because it was a dream come true.

So let's talk about how to kickstart an application security program. My name is Timothy De Block, and we'll just get right into it. "We need an AppSec program." Those were the words that were ordered to me by management, and that started my path down application security. This is probably the most important point about building an application security program that I want to make, because I don't really talk about it a whole lot through the rest of this presentation: you need leadership and management support to start an application security program. If you don't have that, you're kind of dead in the water; it's going to make it very difficult to get anything started. For my role it was actually a collaboration between the development team and the security team, so when I came in to work on application security I had that support, and even them coming to me and telling me "we need an AppSec program." We're going to walk through two different journeys, and this is my first journey.

But before we get to that, let's talk about why this talk is important. I don't have a programming background; I come from the operations and infrastructure side of it, yet I had a lot of experience building out programs within security. That experience, that reliability and track record, is what management came to me with the challenge of doing that. I didn't have an application security background either, so I was starting from zero. This talk is meant to give guidance and a starting point to people who might be in a similar situation, where you don't have a lot of experience, you don't know where to start, or you're already in this kind of scenario. I've talked to a couple of people who are having to build AppSec programs and don't have a ton of experience, but you've got to do the job. I've also talked to consultants who have found that they want to interact better with development teams, and they're actually finding some interesting takeaways from this talk. If you're in that field I would love to talk to you, to see some of your challenges and what you get from this talk.

So here's my road map. This is how I build out an application security program. The first one is understand the environment, then I'll implement security assessments and processes, and then I'll do training. Those are the first three, because this is just kickstarting a program; this is just getting something off the ground. The other two are kind of obvious too: get feedback and review, and look for continued improvement opportunities. We won't really talk about those a whole lot here; we'll focus on the first three.

So we're going to talk about my first journey, which is where they came to me and said "we need an AppSec program." This is in Columbia, South Carolina. I'm on a security team of about three people; we've got a development team of about ten to twenty people, so it's not massive, but it's a good size. The advantage I have is that I know the environment; I've been there for a year and a half. The disadvantage I had is that I'm wearing multiple hats. I have to maintain fifteen different systems, anything from DLP to email antivirus, anything that you could think of: incident response, patch management, things like that. So I'd be very practical with my program, because it wasn't going to be my sole focus. The other thing worth noting is that this was in a waterfall methodology, which I feel is a little bit easier to get security into, because waterfall is just steps; it's a process that takes anywhere from weeks to several months, typically.

So I needed a starting point. Where do I start? Well, I start with research. And for the first prize, I've got posters and some extra badges; we'll give away an extra badge. So, who can name everyone's favorite IT tool? Raise your hand if you've got it. No, this would be tied in with research. Yes sir? No. Google, that's it. Yep, everybody's favorite IT tool is Google. Come on up and grab your badge. I literally put in "how to build AppSec program". Again, I'm starting from zero; I have no idea what I'm doing. But as you'll notice there, there's your badge. Yeah, he said Google. Okay, all right. And I seem to have broken my clicker; this clicker is probably not working that great anyway, so we'll just ditch it.

So as you'll see there, the top three results are from an organization called the Open Web Application Security Project. It's a big knowledge base, a non-profit, open source, free organization that gives you a lot of knowledge and information about application security. It's folks that are both developers and application security professionals. This is where I started. They have several projects that have frameworks and tools, and the first tool that I found and started implementing is a dynamic analyzer called ZAP. Burp is the alternative, but ZAP is free, so that's where I started. What we decided to do was stand up a minimum five-day security assessment time period, so we had typically two days of testing and three days or more of remediation within the process.

For anyone that doesn't know what dynamic analyzers, or as a couple of people have corrected me, proxies, do: they capture all your traffic between your computer and the application, and this allows you to map everything. The methodology is that as you go through the application, you click on absolutely everything within the application, and then from there you're able to run different tools. The first tool will be a spider, so it'll go and look for some of the links you may have missed, or look for other areas within the application. There is a forced browse, which will look for hidden directories. They have an AJAX spider if you have AJAX content. And then the fun part is when you get to run active scan, and that's where you have it run through a bunch of different vulnerabilities as it attacks the application. So yeah, we had a five-day minimum testing period there.

The alternative here is Burp. It's $300; there is a free version, but it's throttled, so you could still use the free version. $300 is not really a lot to spend on a great security tool, and it is actually the preferred security tool of most application security professionals I've talked to. I've asked them why, and I usually get a UI thing: it's less buggy, they like the layout better. So I haven't really heard a good technical reason why ZAP is a lesser thing than Burp; to me it sounds more like preference. So that's the first tool.

Another tool that is possible is a static analyzer. A static analyzer will test code in its rawest form: you pretty much zip up the code and upload it to the static analyzer, and it will go through and look for issues within the code. Now, where there's an issue is that there are a lot of false positives that you have to go through, because it doesn't have any context, unlike a dynamic analyzer, which actually has the live application where you can actually see the vulnerability. You have to go confirm a lot more findings with a static analyzer. Open source ones usually focus on one language; a commercial option will do multiple languages. There's again an OWASP link at the bottom there for you to go find more information. I've actually found Wikipedia has a pretty good list of static analyzers to use. In my experience, what I'll do is run a static analyzer over the code, and then when I'm going through my dynamic analysis, if I don't understand the code, it's like, well, can I exploit it? Because it says this is pointing to here, you can usually figure out where the code is actually at. So that would be one way to help with testing for the vulnerabilities a static analyzer reports. One of the great things about static analyzers too is that they're pretty good for automation and building inside your SDLC: as code is being developed and pushed up through the development process, you can test code there. You're going to have to do a lot of tuning, because there are a lot of false positives.

So, vulnerability tracking. This is where I kind of had my first misstep, or first lesson learned, in building out an AppSec program. We were testing a legacy system, and we found a pretty big vulnerability in it. It's internal, so we're not pulling our hair out, but we asked the developer, "okay, when can you get this fixed?" and they gave us a date. A month after that date I came back, because I was trying to track all these vulnerabilities via email or a spreadsheet, and they told me that it hadn't been done. So I quickly realized I needed something to help me track these vulnerabilities that I'm starting to find. Ideally you want to look for internal options, so security findings are just bugs; they should be worked and addressed just like any other bug that would be submitted to the development team, and these are just a bunch of different options that they could be using. If that's not available, there are some security-focused vulnerability tracking tools. I started with Dradis. I actually did not have a lot of success with it; it ended up being very difficult for me to set up. We wanted to set it up on our own server. It is typically in frameworks like the Samurai Web Testing Framework, Samurai WTF. The documentation wasn't quite there for me; maybe it's better now. I have talked to people who have had a lot of success with Dradis, so absolutely something to check out.
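The tracking problem just described (a promised fix date, email and a spreadsheet, and a month later nothing done) is small enough to show in code. The following is an added example and is not from the talk or from any of the tools it mentions: it parses a ZAP-style XML report, collapses the per-URL instances of each alert into one finding, merges them into a tracker that carries an owner, a due date and a "confirmed by hand" flag, and lists what is overdue and what is ready to hand to developers. The report text and the dates are constructed for the example, and the tracker layout is an assumption, not the data model of any real tracking tool.

```python
"""Added example (not from the talk): a minimal security-finding tracker.

Parses a ZAP-style XML report, dedupes instances into one finding per
(alert name, CWE), tracks owner/due date/confirmation, reports overdue items.
The report text and tracker layout below are constructed assumptions.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed sample in the shape of a ZAP XML report: two alerts, the first
# seen at three instances, two of which are the same URL and parameter.
SAMPLE_REPORT = """<OWASPZAPReport version="2.6.0" generated="2017-05-01">
  <site name="http://legacy.internal" host="legacy.internal" port="80" ssl="false">
    <alerts>
      <alertitem>
        <pluginid>40018</pluginid>
        <name>SQL Injection</name>
        <riskcode>3</riskcode>
        <confidence>2</confidence>
        <cweid>89</cweid>
        <instances>
          <instance><uri>http://legacy.internal/login</uri><method>POST</method><param>user</param></instance>
          <instance><uri>http://legacy.internal/search</uri><method>GET</method><param>q</param></instance>
          <instance><uri>http://legacy.internal/search</uri><method>GET</method><param>q</param></instance>
        </instances>
      </alertitem>
      <alertitem>
        <pluginid>10021</pluginid>
        <name>X-Content-Type-Options Header Missing</name>
        <riskcode>1</riskcode>
        <confidence>2</confidence>
        <cweid>16</cweid>
        <instances>
          <instance><uri>http://legacy.internal/</uri><method>GET</method><param></param></instance>
        </instances>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""

@dataclass
class Finding:
    name: str
    cwe: str
    risk: int                                    # ZAP riskcode: 0 info .. 3 high
    locations: set = field(default_factory=set)  # {(method, uri, param)}
    owner: str = ""
    due: Optional[date] = None
    confirmed: bool = False                      # True only after a human reproduced it
    status: str = "open"                         # open | fixed | reopened

def parse_zap_report(xml_text):
    """Return {(name, cwe): Finding} with duplicate instances collapsed."""
    findings = {}
    for item in ET.fromstring(xml_text).iter("alertitem"):
        key = (item.findtext("name"), item.findtext("cweid"))
        f = findings.setdefault(key, Finding(key[0], key[1], int(item.findtext("riskcode"))))
        for inst in item.iter("instance"):
            f.locations.add((inst.findtext("method"), inst.findtext("uri"), inst.findtext("param") or ""))
    return findings

def merge(tracker, new):
    """Fold a fresh scan into the tracker without losing owner, due date or status."""
    for key, f in new.items():
        if key in tracker:
            tracker[key].locations |= f.locations
            if tracker[key].status == "fixed":
                tracker[key].status = "reopened"   # the scanner still sees it
        else:
            tracker[key] = f
    return tracker

def overdue(tracker, today):
    """Unfixed findings whose due date has passed, highest risk first."""
    return sorted((f for f in tracker.values()
                   if f.status != "fixed" and f.due is not None and f.due < today),
                  key=lambda f: -f.risk)

def ready_for_devs(tracker):
    """Only confirmed, unfixed findings go into the report handed to developers."""
    return [f for f in tracker.values() if f.confirmed and f.status != "fixed"]

def demo():
    """The talk's scenario: a fix date was promised and a month later nothing happened."""
    tracker = merge({}, parse_zap_report(SAMPLE_REPORT))
    sqli = tracker[("SQL Injection", "89")]
    sqli.owner, sqli.due = "legacy-app dev", date(2017, 4, 14)   # constructed
    sqli.confirmed = True                                         # reproduced by hand
    late = overdue(tracker, today=date(2017, 5, 15))
    return {
        "findings": len(tracker),
        "sqli_locations": len(sqli.locations),
        "overdue": [f.name for f in late],
        "to_devs": [f.name for f in ready_for_devs(tracker)],
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two details worth copying into whatever tracker you end up with are the `confirmed` flag, which keeps unverified scanner output out of the developers' report, and the `reopened` status, which catches the case where a ticket was closed but the next scan still sees the issue.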
From there I moved on to ThreadFix, where we actually found a free tool that we were able to use. Now, I've recently heard that that tool, the community version, is no longer supported, but it still got done what we needed to get done. We were able to get it installed as a server that anyone could go to. It imports XML reports, and then you can track a lot of things from there, metrics, things like that. It does a lot of the same things as another tool I recently found, which is OWASP DefectDojo, and this is free. It's good for importing; you can import various reports from various tools, so if you're pulling in from multiple sources this would be a good way to bring them all together. It has a feature that will dedupe all those findings into one finding, and it integrates with Jira, so if you need to automatically create tickets, or if you need to create tickets after you're done going through them, it has that support. It's got a one-line installation; it's really easy. I started using this for myself, because I did a big vulnerability assessment on our application and I was starting to use a spreadsheet, and I said, what am I doing? I just spun up a VM with Ubuntu and installed DefectDojo, and it's been really great. So now I'm able to pull in multiple reports. I actually added a couple of security findings from outside the tools that I was using, and that's going to allow me to generate just one report from all those different things. I mostly used it to confirm stuff, because there were still some false positives I needed to go through. There is a demo available on their site, just a link you can click on; they'll give you login information and you can go poke around in it if you're interested.

So let's talk a little bit about how to handle vulnerabilities, because this is very key when you're working with developers. You're going through finding vulnerabilities and generating a report for the dev team. Before you take them that report, you need to confirm your findings. Do not waste the devs' time with false positives; that's an easy way to get them to not like you. You can hand them nine actual vulnerabilities, you have one false positive, and you have just lost them; they will de-prioritize those other nine just as well. So we want to work with the developers to find a solution, and if you're like me, who doesn't have a strong programming background, it's more difficult, but they are very much open to questions, and I've found a lot of times they usually know what the fix is. I had one case where we found some SQL injection, and so the developer wanted to see it. I showed it to her and showed her the attack code, and she went, "gosh, yeah," because they're so smart, so there's an appreciation there, and once I showed the attack code she figured out what was going on and what needed to be fixed. So that's a case of: if nothing else, if you don't have a strong programming background, at least have a really strong application security base, and that's where I spent a lot of my time focusing. Once you start using ZAP you will start picking up on things, because the reports will give you a lot of information and references to go out and try to figure this stuff out.

So let's talk about training. An interesting thing happened when I started implementing OWASP ZAP and some other tools into the process: they wanted to start learning it. They said, "show me how to use the tools." This is a waterfall methodology, so I was finding vulnerabilities, and they started getting interested in it, and so we started having one-on-one and group sessions. I was probably a little bit meaner than I needed to be with it, but on ZAP, once you install it, there's a getting started page, and it's just a field that you drop a URL in and hit attack, and it gives you some vulnerabilities. But that is a very shallow scan of the application. I didn't tell them that they needed to actually go through and click everything, so they came back and said they thought they were good to go; I went and tested the application and found other stuff. And that was a good way to teach them how to actually move forward with it and get more interest in the tool. So we started having this training.

We had an interesting security issue pop up where a phishing story came in. It was reported to us that users were getting registered on our portal, and a phishing email was being sent after they registered. So we got together and had a plan of action: I was going to go research the phishing email; they were going to go generate a new user and then see if they actually got a phishing email. So we all break. I did my research; I had planned to also go back through with ZAP and register a user to see if there was maybe some other vulnerability. That's typically how I go and touch some of our older stuff: if something pops up that puts us in that code, we can address it at that time. So we get back together. I'd found the phishing email had been seen in other states, so there was a very low chance that it was specific to us. And they came back and said, yeah, there was no email generated after we had registered a user, and they then handed me the ZAP report. This was my response: yes, that's absolutely what we want. We want them to be using this tool, and they went ahead and did something that I was planning on going to do.

So this is what brought on my epiphany, which is: we want to improve the developers' mindset, especially if they're interested in security; we want to get them involved with the tools that we're using. There's this concept of moving as far left in the software development life cycle as possible. So you have your assessment; you want to start getting into code review; you want to get into QA; you want to get into design meetings. The furthest point left is the developer's mindset, so if we can get them thinking about security as they're coding, we're one up on the game. This will be a long process, but this highlights why I'm a big proponent of training and why it's one of the phases in my program. We talk about this talent shortage all the time: security has a talent shortage, and application security seems to be even worse than security as far as the talent shortage and finding people that can get into the development life cycle to improve security. So let's leverage the developers. As I mentioned, most of the time they knew what the fix was; they know what they need to do. And how can they not, with the constant news of breaches and vulnerabilities coming out in applications? Cloudbleed: I was asked what they should do about Cloudbleed, so they're hearing about this stuff on a regular basis.

So that was my first journey, and I'm going to take a drink. My next journey was a little bit different.
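The SQL injection finding from the first journey, where showing the developer the attack code was enough for her to see the fix, is the kind of thing worth having on hand in code. The following is an added example and is not from the talk: the application, its stack and its query are not described, so this uses Python's standard-library SQLite as a stand-in for the database, a constructed one-row users table, and a login check written the vulnerable way (string concatenation) beside the fix the developer would apply (a parameterized query). The hashing is illustrative only and is not the point of the example.

```python
"""Added example (not from the talk): the shape of a SQL injection finding.

A login check that splices user input into the SQL text, next to the
parameterized version that replaces it.  The users table, the account and
the attack string are constructed for this example.
"""
import hashlib
import sqlite3

def _h(password):
    # Illustrative only: a real application uses a slow, salted password hash.
    return hashlib.sha256(password.encode()).hexdigest()

def make_db():
    """In-memory users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", _h("correct horse")))
    conn.commit()
    return conn

def vulnerable_login(conn, username, password):
    """Vulnerable: untrusted input becomes part of the SQL statement itself."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password_hash = '" + _h(password) + "'")
    return conn.execute(sql).fetchone() is not None

def fixed_login(conn, username, password):
    """Fixed: the statement text is constant; values travel as bound parameters."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, _h(password))).fetchone() is not None

# The attack string closes the quoted username and comments out the rest of
# the WHERE clause, so the password check never runs:
#   ... WHERE username = 'alice' -- ' AND password_hash = '...'
ATTACK_USERNAME = "alice' -- "

def demo():
    """Honest credentials work in both versions; the attack only works in the vulnerable one."""
    conn = make_db()
    return {
        "honest_vuln": vulnerable_login(conn, "alice", "correct horse"),
        "honest_fixed": fixed_login(conn, "alice", "correct horse"),
        "attack_vuln": vulnerable_login(conn, ATTACK_USERNAME, "wrong password"),
        "attack_fixed": fixed_login(conn, ATTACK_USERNAME, "wrong password"),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

When you hand this kind of finding to a developer, the request that is actually being sent (the proxy shows it) plus the resulting SQL text, as in the comment above `ATTACK_USERNAME`, is what makes the fix obvious; in the parameterized version the same input is just a username nobody has.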
I moved to Nashville Tennessee which is a big reason why I'm here it's a lot closer than Columbia South Carolina well about an hour closer still um but I was hired as uh to sit with the development team so application security is going to be my sole role we have a security team of about 10 to 20 people a development team of about 50 plus people so it's a much it's a big step up in environments my role is to sit with the devs it's also an agile methodology so I have to really get security embedded in the problem in the problem in the development life cycle some people might yeah some people in security might think
it is a problem absolutely so my first step is to understand the environment uh uh for me it usually takes me about three months to start getting the gists of an organization of an environment six months to start feeling comfortable and in about one to two years I start feeling really confident uh within within an environment so it does take a lot of time and these aren't really like Steps these are more like guidelines phases whatever you want to call them they can kind of blend together I was dealing with issues within the first two to three months of of being on site so my first step though is to build relationships this is a picture of Johnny Christmas at
b-sides Nashville 2015 about meeting people at conferences a lot of those same techniques can can be used when you're building relationships with the development team and we do that because we want to get to know them as a person another resource that's really good for that is How to Win Friends and Influence People by Dale Carnegie that's a very good resource for building relationships with with the development team goodness is that me Adrian just he's just making sure you're all awake so for those wondering why I had I touch myself as my walk-up song I couldn't decide so Shake It Off by Taylor Swift is actually something I used to blast at the security in the SEC in the office of
my last job and in Threads and anywhere I could hahaha anywhere I could center field I've got a I got a lot of Baseball fans um that I interact with so that's where that's from I touch myself with a developer recommendation I I went ahead I had a walk-up song I was trying to get ideas and I had about 20 ideas um and several of them came from the developer team and I don't have a lot of devs follow me on Twitter so this should show you that we're a lot alike um we are I've found that there are a lot of introverts I think a lot can be the same to said about the security the
security Community um there's you know we like Star Wars we nerd out on games we like to drink um etc etc et cetera and one of the reasons why I focused on building better relationships with people is that I want to show them that security isn't intimidating because I got a lot of fish fisheye um fish eyes when I first got there um we want to show them that we can have fun um that that it's it's not you know there's not a whole lot of difference with us and we want to have come we want to get to know them because it's going to make it a lot easier to have harder conversations within security especially
when we're going to other departments devs included we're going to have a lot of hard conversations with them about something that came up I have these pretty regularly even even though I've been there a year and they've gotten to know me pretty well even when I walk up to someone's desk there there's always that little tightening up of of uh oh what's he about to say and it's like no no I just want to ask you to lunch you want to go to lunch or something you know so I mean it's it still happens but we really want to kind of show The Human Side of us to kind of uh make them you know respond a lot better especially
when we have these hard conversations if you're looking for a group of people within the development team to get to start building a relationship with I would recommend scrum Masters business analyst product owners anyone that helps move tickets throughout the development life cycle because security is going to have to be in all the same areas so you you know those things align right there in fact my first meeting was with the scrum Masters to one understand their process and for them to kind of understand where I was coming from my other my next thing is I attend meetings I attend as many meetings as I possibly can daily weekly monthly whatever I can get into you might have
to go bug them to hey can I get an invite to this meeting because they they might forget you or they might not want you there but um you know and my objective in there is to just observe I don't speak up a whole lot I try not to I want to understand their goals and challenges their frustrations so that can be a little more tactful with them when I want to get something in place or again have to have a hard conversation with them I'm also in there to gauge security Acumen I want to understand what they know about security and kind of start getting a feel for what each developer knows because some of them are going to have
different different levels of security knowledge and security acceptance if you will I've heard them talk about a decision start going down the wrong path and at that point I could have spoke up and said something but I was like let's let's see where they go with this I want to see if they self-correct and a lot of the times they did self-correct they knew they know I'm sitting in there so I don't really have to say a whole lot for them to actually have security of my you know security at the Forefront of their mind um that's not to say that if there is an actual issue to speak that you don't speak up um but try to do it in the form of a
question what's the problem we're trying to solve what uh have you thought about this why are you doing it this way things like that will help them towards the problem um one issue we had was we had the developers using an outside teleconference solution that was like free no password protection we had an internal option that you know uh was pretty easy to set up and get going I asked them why they weren't using that and it was a matter of they just thought it sucked and I was like all right well let me go try this so I went and tried it myself showed them that it showed them the setup asked them if they tried for a few
times they tried it a few times and you know they were they moved away from the other one simple things like that people have a reason for doing what they're doing and so it's better to try and understand that first before you start saying no you can't do this they respond a lot better to that too the other thing is to inventory all the things um this isn't unlike Asset Management this this is you know a lot like knowing computer and networking equipment within your environment um you are going to be looked to as a resource to secure if all this stuff is in your environment this is like one-fifth of a bigger infographic that I
I pulled a lot of these different logos from um and you so so there's a lot of Technology out there do you you know Dockers is a new hotness do you know how to secure Docker do you know what you need to be doing about that having an understanding what's in your environment is is good for securing it but also knowing when there's an issue so I've got some posters up here and if someone can point to one of these technologies that has had an issue in the last year I'll give you a poster anyone huh dying yeah poster anyone else want to take a gander at that list and see if there's
just let you grab it could be yeah
sorry it has one anyone else do you have one okay well all right well so it's you know and what I do with these is I take a I do like an assessment so I have a list of questions that I that I ask of these of these things like how many developers are using it is it maintained is it updated basic you know hygiene things about the technology and try to find any kind of resources about um securing this technology and this this will take a lot of time um if you're looking for a tool OAS track is a pretty good tool for being able to pull in you have to manually put in everything but then
um there's an oauth check that will go out and look for the vulnerabilities within that technology so the next phase is to establish your uh your processes your assessment and processes I start at all new applications and features and the reason for that is because I don't want to play catch-up if I start at like Legacy stuff and stuff that they're not touching or isn't presence of mine it's going to take a lot of time for me to get caught up so you want to start at a point where it's like okay from here on anything going out the door needs to have some kind of assessment done on it um within an agile methodology it's
going to be a little more difficult I can't take five days to do that so I'm trying to automate as much as possible the the thing about agile though is that they are doing it in smaller pieces so you should be able to do an assessment pretty quick on a smaller piece or maybe you just Define it as anything that touches uh some sort of functionality that you're concerned with like a like a field or something um pipeline is a framework that will walk through several of the tools and kind of some of the pipelines if you will of uh of an abstract pipeline within like an Agile development life cycle um so Implement processes and and that
makes sense uh with this I've looked for opportunities and usually these have been the result of developer questions um one of the first ones that came to me was asking about third-party vendors and how they should handle this we've had issues in the past or before I got there they had switched to a vendor um and they didn't tell the security team about so the security team's going what you know what what do what do um you know we've got to have certain legal documents in place depending on the field that you're in um so we built a process around a checklist that said this will get you a no immediately this will say you know
from from the compliance team this will mix them so that actually helps them in deciding between like three different vendors if one's just absolute crap with security uh then they have an easier choice to make and then you know we establish timelines for getting the review done and everything the other thing I had and this was because within the first three months we had our first security funding that needed to be addressed and this was before I had done any scans um we needed a process for getting tickets and to be worked on by the development teams we stood up a security finding tickets process that was approved by the developer team security and would start
getting things like that worked and prioritized properly within the development life cycle so uh then training again so I want to talk about training again because again I feel it's very important and I kind of advanced my training ideas and I brought bacon and schwag to my training that is 144 pieces of bacon that is two 72 packs of pre-cooked packaged bacon from Sam's um stood 10 to 15 minutes in front of the microwave cooking all this drop it in the conference room and the look on the developer's faces when they walked in for training was priceless is that is that bacon worth it worth it um you know and that that also allowed me to segue into piggybacking and why
that's bad and we uh we we also spent like several minutes watch watching if you go on YouTube and look for man traps uh kind of showing them if we don't reel in the piggyback and this is where we gotta go um The Man Trap there there's a video of a guy who has a server on a cart they're just trying to get through the Man Trap he's got like three forms of authentication he's got to do and he's just failing miserably every time he gets to the door it's like it starts it just stops so we spent several minutes doing that and and kind of the point of that is to make it interesting it doesn't have to be Death
by PowerPoint slide we have a little bit fun um the and and we're going to kind of walk through here kind of some of the other content that I have in there one of the other things I like to bring to to training is swag so if you can get some company sponsored swag I would highly I would recommend doing that it's something as simple as a stress ball they love I don't know why but they love that pens we actually have koozies that we hand out the cruises aren't as popular I mean who uses the Koozie anymore but I hand out swag and highlight security wins um and the security wins can be anything
from a security tool that they're using to an issue they found in code and just went ahead and addressed something as simple as using a yubi key and I'm doing that because I want to I want I'm going to highlight the wins so that I can get a better response when we start talking about flaws internal issues processes and lessons learned from an incident again these are we're having hard conversations with them so I wanna I wanna tell them that they're doing a good job before I break their heart um so you know gotta gotta make it make it interesting and also you know they're getting beat on a lot by security but also business and other areas they have
tight deadlines so we don't need to necessarily be piling on but we do have to have these conversations the other thing I like to talk about is relevant news so who heard about the mongodb and ransomware earlier this year I see several hands here you all can grab a poster if you don't have one um the uh I had a room full of developers who no one raised their hand so we had a great discussion about mongodb default configuration and how that's bad ransomware uh and you know we also I also was like all right well I'll just pull up Showdown I'll show you how people are finding this stuff and if you pull up Showdown you can see a lot of
and just put a mongodb you'll see a lot of those hack databases in there so it kind of opened their eyes to some of the stuff going on on the outside and why it's bad to just spin up technology and just leave it there and start throwing data in it and then also you know strategy of the attacker so mongodb they've moved on to elasticsearch and couchdb they're looking for anything that they can go hip and it really highlighted why security is important so congratulations achievement unlocked a knapsack program has stood up it's really it's it's not really all that complicated it feels like it should I know there are some Frameworks out there like be Sim and Sam that can help with
kind of gauging security within the program, but just getting something up, I think those basics there will really help, and you'll start really seeing an impact within the SDLC. As I mentioned, there's also feedback and review and improvements; maybe a future talk on that, we'll kind of see. But if you're looking for other things to do: improve your programming skills. If you have a programming background and you're looking to get into application security and building an appsec program, you've got a pretty good advantage there. But that's not to say that people that don't can't accomplish that; you just have to
work a little bit harder. I spend a lot of time on Codecademy. That's probably one of my favorite ones because it has a terminal. I go coding and I can't move on until I've actually coded it correctly to get to the next step. W3Schools is a good reference point, and it's got a ton of stuff on every language. I still use that to this day to try and understand different things. Pluralsight has a bunch of great courses up there. They have training courses anywhere from an hour to like nine hours' worth of stuff, and I've used that to really learn some technology, particularly in the
DevOps space, and a lot of people will actually walk you through and have some kind of environment that you can go set up and start using these tools. CodeCombat and CodeFights are two more fun ones. CodeCombat is more like an RPG type thing that will teach you code. CodeFights is something I've more recently heard about, and our development team set up their own team for it, and it's just got a bunch of challenges, and those really help with understanding programming a little bit better. Code.org: I went in and signed my daughter up with an account just so I could learn how to code. I could have just done it on my own, but
it was a good father-daughter moment. Within the application security field, you want to improve your skills there, and there's a lot of great resources out there. This is just the tip of the iceberg. The SANS 542 Web Application Penetration Testing and Ethical Hacking course is the course that really made things click for me from an application security perspective. It is not cheap, so I had my organization pay for it; I didn't pay for that out of pocket. But if you can, Tim Tomes does the Practical Web Application Penetration Testing course. He does it usually in the Southeast. If you're an organization that wants to have him come in, because his training is
focused on developers, if you want to have him come in and do training with your developers, he will do that. He spends two days breaking the application and then two days actually fixing it, so it's not just all about breaking stuff, it's also about how to fix it. I know he did DerbyCon; I believe it's sold out, but you can certainly get on the waiting list if you're interested in doing that. DerbyCon training goes for about twelve hundred dollars, so much, much cheaper than SANS. And he also hits up a lot of local user groups like OWASP and different things throughout the Southeast. I think he even went up to Boston, so
just check out his website. Then there's also Bill Sempf, who does a lot with mobile, if you're in a mobile shop. You've got the DevelopSec podcast by James Jardine, which is actually focused at developers. Brute Logic does a lot with cross-site scripting. And then you've got this great book, which is The Web Application Hacker's Handbook by Dafydd Stuttard and Marcus Pinto. This is considered the Bible of application security. This is 800 pages. It's got a lot of screenshots of Burp; Dafydd is the creator of Burp, so if you're looking to learn more about Burp, this is a good book to go through. It's also a great reference point for
different vulnerabilities that you're trying to test for. It's a really thorough book and really, really beneficial. So, final thought time. My role, as I was going through it, I was hired as what they called a liaison. So I am not only bringing the security concerns to the development team, but I am taking the development concerns to the security team. Again, if they're running into issues, they are savvy enough to go around and find a way to do something if they're not getting what they need. I recently got some feedback from developers. I asked them, I was curious, I was like, what's your biggest pain point for security? And I was happy to
find out it wasn't security, it was actually infrastructure. There was actually nothing I could do. We also had a team meeting yesterday, and the VP introduced me as a guest, and then the director of engineering said, no, no, he's part of the team. And that kind of shows you: building relationships and all that, being accepted as part of the team, is going to help me make more of an impact from a security perspective. There are times when I ask them for something and they drop what they're doing and they help me out, and I can't tell you how beneficial that is to me and to getting
security improved within our process. If you can, sit with the developers. I've had a lot of fun sitting with developers. The first week I got a lot of stink eye, and a lot of people were hesitant, like, what's he doing here? Is he going to come in and tell me my code sucks? That's not it. They were part of my interview process, and that's also something they were looking for: they weren't looking for someone that's going to come in and start saying their code sucks. If you want to piss off developers, or lose them, or have them not do anything for you, just come in and start saying how much their code sucks or what they're
doing sucks. It's a good way for them to easily tune you out. So my final point is that my motto is: I am there to put the developers in a position to succeed. If I'm not doing that, I'm not doing security very well. So I have to take their concerns into consideration when we're doing various different things. As the meme says here: "I'm a people person! I have people skills, damn it! What's wrong with you people?" So we have a mug here to give away. Can anyone tell me who this character is? I know people can tell you what the
movie is. Yeah, I had to go look it up. It is not Milton. I will take a first name if anyone has one. Anyone up top there? Bill? No. Anyone? Well, I'll keep it. Jeez. Why are people looking it up on their phones? Aren't you guys hackers? Don? No, it starts with a T. Tom! There it is, it's Tom Smykowski. So I'll give you that, Lauren. Yeah, so that's pretty much it. I have a podcast, Exploring Information Security, if anyone's interested; I have a different security professional on each week. I'm on Twitter at Timothy De Block, and my email and my website are up there. If you're in the market for an
infosec engineer role, come talk to me afterward, our company is hiring: a junior pen tester and a network engineer. So yeah, any questions? Yes, sir.
Testing what, vendor applications? Yeah, so, like, open source stuff. For the open source stuff I'll throw our static analyzer and stuff like that at it if we can get the code from a third party. It all kind of depends. We've got a compliance team, our governance, risk, and compliance team, and they do a lot of the vetting, and it's a lot more like legal documentation, like they want certain things signed in the event of whatever. Every once in a while I will be asked to go test, spin up a dynamic analyzer and test an application for something we're using internally. We also have our
own senior pen tester, so he goes and does most of that stuff. To answer your question, yeah.
VC, vSphere, and console?
Oh, like internal?
Yes. So, and I forgot to mention the other question, if this is being recorded: the other question was, and this is kind of along the same lines, do we test vendors, do we test vendor applications within our environment? And yes, we do. I mean, like I said, we have a senior pen tester. I've been on a couple calls where we've had to report that kind of stuff. First you've got to get a call set up with them, which can be difficult, and then it's kind of up to them to trust the vulnerabilities. I
mean, I'm trying to think how I can explain it, because it seems obvious to me. But yeah, we go through and test, and we've found some nasty stuff, and it's like, hey, here's your report. We let them know about it and then we'll set up a call, and they'll be like, well, we're going to fix this or we're not going to fix that. Yeah, I haven't opened any CVEs. I'm not at that level. So yeah, I haven't done that.
Okay, that's a good question. The question was, how do you address legacy? Well, I try to go back and touch stuff as it becomes present to me. A lot of times developers will go through and touch the app, like they're going back to rework it or add a new feature or something, and at that point I'll try to touch it at the same time as them. Sometimes it's also a matter of, well, this is going away, and if there's a timer for that to go away, that's very low on the priority list. Now, we've had scenarios where that got reversed: this is going away, oh wait, no,
it's not, we're sticking around for a little bit longer. Yeah, right, that's definitely tough. It also depends on how much work you have to do. I've had plenty of work, even in my sole role, just on what they're currently doing and getting things spun up, but as I find time I try to do it with them, because what I want to avoid is going and finding something that they aren't working on and then bringing a bunch more work to them when they're already under duress with their timelines as well. So it's trying to touch what they're doing at the same time.
Any other questions? All right, yes.
I mean, with agile, and we're so agile, I didn't mention that, it's anywhere from a day to two weeks, so it's very quick cycles. So in those scenarios I'm trying to embed as much in the process as possible, and if something gets to production, I mean, that's sometimes just going to happen. Ideally you're in the design, you're in QA helping and working with them, you're in code review, and then you've got some automated tools in place, so that kind of limits how much of that stuff makes it to production. Trying to think of a scenario where
I've actually had that: I haven't had anything. And they also know to flag stuff that might be, like, a field box or a login page or something. At that point it's like, well, we need to engage Tim on this and make sure we're getting everything tested, and at that point I'll try to do it in QA, in the earlier stage. I'll do my testing at the earlier stages. Any other questions? All right, thank you.