
BSides DC would like to thank all of our sponsors, and a special thank you to all of our speakers, volunteers, and organizers. Alright, so if you want to hear about agile and DevOps and why security is everyone's problem, you're in the right place; otherwise, run away now. Alright, so you're in the right place. By the way, all the slides are going to be on Twitter later, and I think they'll also end up on the BSides website, so don't worry about me. I get excited like a little puppy and then I go really fast, so everything will be available later.

So I work at GitLab as the product manager for the Secure team, which means I write software tools to help developers do secure software: SAST scans, DAST scans, etcetera. I'm also an agile advocate. I know a lot of you think that's a bad word, but if done correctly it's fine. And I've been a hacker since at least grade school; my mom had to bring me to my first DEF CON.

Alright, so we're gonna talk about the software lifecycle. So if you're not familiar with how developers do what it is they do, I'll tell you a bit about that, why we're sticking the "sec" in DevOps and what exactly that means, and how you can use that to beat people over the head with a stick, and training.

Alright, so SDLC. If you have not gone
to school as a Comp Sci major, which I have, none of the stuff that they're doing was taught. I'm also a little bit old, so at least none of that was taught back in the late 1990s, early 2000s. Right now we're talking about, like, hey, let's do deployments using config files into the cloud on containers, let's introduce zero trust, by the way we're doing test-driven development, you are now responsible for doing some testing, oh, and by the way, the security team wants you to run some security tests too. It's like, I didn't learn any of this in school, and so we've made them responsible for all of that. So whenever you think, like, "oh, just write some software," it's not that easy. So have a little bit of empathy that you're going to have to train them in order to do what it is you want. However, they're obviously smart people, so once you train them they should be able to follow directions.

Alright, so DevOps is a practice and agile is a process, and the two of them work together, right? Well, you don't have to have them work well, but the overall theme between the two of them is that you don't want to toss things over the wall. So within the team you want to have subject matter experts for each one of the areas. So if you're a company that does financial stuff, maybe one of the developers should actually understand a little bit about the compliance things that you need to follow, so they can be like, "I think this thing we're about to code follows that compliance." In that same vein, you should make sure somebody understands the quality team and how they can do proper tests. And most importantly, later we're going to be talking about agile advocates: you need to have at least one person on each one of the dev teams that has a familiarity with what really is security and can ask you intelligent questions and point out things to you. So when we say subject matter experts, we don't really mean expert; we mean has better knowledge than the average person.
So, alright, someone read a Medium article and this is super trendy, so we're obviously going to do this in our organization, right? You can, but please don't just implement it without training everyone involved, and don't just rely on articles on the internet. There are good books written on this, and they're not long books; you can even have them as audiobooks if you don't actually like reading. So get everyone on the team to do that book together over the course of a month or two and then discuss it. One thing I used to say when I was an agile advocate was: you don't have to do agile the same way everyone else does, but there are certain principles that you have to attain. The way you get to that principle can look very different, but you all have to agree on that principle. So as a team you all need to decide what is the first thing you're going to do in order to achieve that goal, and then try it, and if it doesn't work, iterate on it and improve. And this applies to them applying security practices: so if you want them all to do a particular thing, say, like, "okay, let's try this little piece first," everyone give it a go, and then let's have some feedback around it. So trendy is not always bad, but yes, I a hundred percent agree with all of you: if they're just doing some buzzwords in there so they can get some more money, it is probably going to be crap, and, like, the cat's going to murder you at that point.

Alright, so shift left. Except my left is your right, so it would be shift... left. Why are we shifting things left, what are we shifting left, what is it going left of? Well, the simple answer is we're trying to move things in the SDLC as far to the start of the process as you can get it reasonably, so that later on in the process you're not doing a scramble. I'll get into that in a little bit more detail next. So the first step is
requirements gathering. This is probably the part that everyone's been involved in: somebody comes around and asks you, like, "what is it we want the thing to do?" Well, as the security team or the security advocate, put in there, before we actually do anything, I want the bottom line of the requirements to be that we've done a threat model for this and security gets to do a sign-off before it's done. Get in there as early as you can. Don't, like, wait for them to get somewhere down the process and be like, "yeah, let's plan for a security review." Make it like, "no, I want the developers to work with me to learn how to do threat modeling; they do it and have me review it." You don't have to do all of the work; you can teach people how to start some of that for you and then you can review it. So start at the requirements phase: get all your project managers to put a security line in there. If you're doing DevSecOps, you are an important part of that process, meaning you get to put some requirements in there, and you can say, "I require that we're gonna run security scans and I require that we have a threat model."

Alright, so next comes design. This is great: everybody is doing the design, they've done the threat model for you, but, I mean, we're all about agile,
we want to be reusing things, right? You have how many dev teams, and they're all probably doing stuff that's somewhat similar. Why don't you have a repository that any senior developer has access to, that they have clear tags and labels on, so somebody can see, like, "I know somebody did a mobile app over there that's similar to the one we're doing, and security already signed off on that; why don't I use that and just make a couple of iterations to that? It'll make it a lot easier for me to go forward, and maybe I can read their GCP or AWS configs." Wouldn't that be great? Less work for me, and security already signed off on it. Make these things as easily available and findable as possible. And when you're going through it with someone and you're like, "hey, over here you said TLS, we have a policy for that," note: please have policies, please make them easy to read. If you have technical writers, have a technical writer review it, because if you have a policy that makes me want to, like, stab myself with a spork, I'm not going to read it, and then I'm not going to do it. But if you have someone go through and make it easy to read, or you point at things like "just go follow the Mozilla standards" if there's one out there that's already well written, you can be like, "remember, when you're implementing this, I'm gonna link you to this policy; as long as you follow that policy I'm gonna permit that, but if you don't follow that policy, you're done."

Alright, so now you're doing coding. This is where you get into having the automated quality tests and automated security tests. Wait, again, testing, and I'm just gonna go to the next one. This is the most important one: you don't actually get to fire anyone. So if there's any managers in the room: just because you've automated the tests doesn't mean you don't need quality people. The quality people, well, quality engineers, sorry, are going to be able to go through and find specific things; automated tests
are going to look for, "well, did this respond with what I was expecting?" I'm going to give an example from my favorite quality tester that I ever had, named Aarthi. She was amazing. She went back and forth, back and forth, back and forth, back and forth eight times and then entered in the thing and then it exploded. And I'm like, "why eight times?" She's like, "well, I did it times one through six and nothing happened." I'm like, "well, what were you gonna do?" She's like, "the eighth time didn't do anything," and she's like a couple of words. I'm like, "why?" She's like, "have you ever seen someone who's frustrated with an app go back and forth?" And I'm like, "yeah." She's like, "users are gonna do that." And I'm like, "you are correct." So it is unlikely that your developers are gonna automate it to do back and forth, back and forth with the back and forth buttons. This is why you need security people: they're gonna be like, "well, this API is secure on its own and this API is secure on its own, but when they're passing it through and it's going through that point, I've identified something there, I could get that data." Yes, yes you can. So automated tests are gonna find the low-hanging fruit; you still need your people to find those complicated items.

Alright, so deployment and maintenance. I bet a lot of you kind of get annoyed, because once something is out to prod everyone's like, "we don't need to worry about anything there," but that's sort of where it's the worst, because if you don't patch, then dun-dun-duh, especially if you don't put passwords on S3 buckets. So make sure everyone is planning in the development and maintenance stages that there are occasional scans that are happening and occasional checkups. Nothing is ever going to be a hundred percent secure, but if you have each one of these security check-ins at all the steps in the SDLC that we talked about, you've got security in depth, and hopefully you are less likely to get breached, or at least you'll be harder and someone will have to work for it. So
security is code. I mentioned this a little bit earlier: right now a lot of your deployments are happening through config files. Do you know what those config files do? You should; probably someone on your security team should actually understand the fifty bajillion settings in AWS that are related to security. And the nice thing is, once you figure out those settings and come up with your recommended config file and pass it out to your devs, you can say, "this is our standard; if you want to deviate from it, you have to talk to us." But all the devs will be like, "wait, does that work? Yeah? Okay, done." Why are they going to reinvent the wheel if you give them a thing that works and you have made secure? Everybody wins, everybody's happy. So that's security as code.

Alright, now here's the other thing: trust but verify. We've now gotten into the world where zero trust gets tossed around a lot, and it is important, but you're kind of outsourcing a lot of stuff. You've got cloud providers, you've got maybe third-party software companies that are SaaS. So even if your dev team is running security scans and doing everything that they say they are, are your vendors actually doing that? You don't have to constantly double check their work, but do random spot checks. Literally grab a d20, roll it, and if it comes up on a three, "today we're gonna check if, you know, this vendor that said that we're gonna do X actually did it." Read the report, verify one of the things in it.

So what you don't know can hurt you. This applies to engineering, it applies to anybody else. So don't let them say, "oh, well, you know, like, we don't want to look there, it's not necessarily important." If you don't go look at Shodan to see what you've exposed on the internet, it doesn't mean that nobody else is going to. So show them videos from conferences, show them articles that say, look, just because you don't want to scan our entire IP space, look at what these people do. It's called Shodan Safari on Twitter; look
at the nonsense they find. Do you want us to end up there and get breached because we just didn't look? So hopefully that helps them kind of realize you can't just hide.

The most important thing is: you don't scale. I mean, if you have infinite money, please hire me. I mean, I like my job, but infinite money, can't argue with that. So since you don't scale, you have to rely on automation. And in order to get effective automation, because you can automate anything and whatever you automate could be wrong, this is where we get into: you need to take a couple of devs and explain to them how you're thinking and what you want and "here's why I'm automating this," so they can help you do the automation, because you may not have that skill set, but they at least know what outcome you want. And in DevSecOps you're one of the important things, so you should be able to get prioritized. If you're not getting prioritized and they say they're doing DevSecOps, kick up a fit, because you are literally a KPI.

Alright, so what does this whole "secure" bit in the middle here mean? Everyone's actually starting to notice security is everyone's responsibility, and it's not a differentiator anymore. Before, if you were amazingly secure, you were differentiated; now that's a cost of entry into the business. You don't want to be the company that got breached and everyone had to get replaced credit cards and then you become a joke. So you need to get the engineers to understand how it relates to them. So a lot of times they're like, "oh, Target, that's not gonna happen to us." Well, it's like, "well, it was actually a particular vendor who went in, and it was a config issue, and we use vendors, and that could happen, and this is why we do this kind of scan." So you're trying to get everyone to understand how all of this nonsense in the news relates to that. Maybe you want to do a lunch and learn or a weekly email and just make it relatable: here's why we care, here's what
of that actually matters. Because a lot of it's fun; you all know a ton of those articles are like "the sky is falling" and it's not actually falling, but you can take the chance to explain that to everyone.

And there are probably a bajillion tools in your ecosystem; every single one of them is a touchpoint. So you want to make sure everyone understands: hey, every single time you have a different login, any of those are breachable; every time we have connections and data paths between any of our systems, that's breachable. So the more tools that you chain together, the more work you have. Here's the plug for me: GitLab integrates everything, so you have fewer logins to worry about. But regardless of whether you use me or a variety of tools, just make sure maybe there's a password manager deployed to all of your developers and there's two-factor authentication turned on for everything. If you do that, you've just reduced how much risk of somebody introducing something into your pipeline by an amazing amount, because a lot of the breaches that happen are because someone had a token that they checked in, but if that token has a two-factor on it, it's gonna be useless.

So let's see if my little thingy works. Okay, like, perfect. So where do we really want the secure part of the DevSecOps to be? We want it to be
right here: as I am writing the code, as a developer I want instant feedback on the work that I personally did right now. I don't want to know about something I did last month, I don't want to know what my teammate did last month. So right here. So ideally what you're trying to do is, as I'm writing that merge request, go run the scans there, your automated quality scans, your automated security scans, your regression scans, and tell me right away that there's a problem, and give me as much information as possible on how to remediate that, so I don't have to go to the security team. Then if I do find a problem and I don't know how to fix it, if you have grown those security advocates internally, they can escalate to that person first and say, "well, there's this whole thing about a cross-site scripting and I'm not really sure what to do about it," and they can be like, "oh, this is how you remedy that," and then that's not somebody constantly coming up to you. Now, if both the security advocate and that developer don't understand how to fix it, they obviously want to be able to escalate to you. So make it easy that there is someone on your team who is always available; even if they don't have the answer, make it so they can reach out, get you, and you are like, "I will get you an answer by X, or at least I will give you an update by X," because if they feel not heard, they're probably just gonna ignore scan results, and that's not what you want. Which, actually, we're gonna get into ignoring low scan results later, but that's a whole other thing; but if it's a critical or high, you want them to escalate to you and say, "we will find the answer and we will work with you."

And then where you really want to be spending your time, that makes it valuable, is on prod, because that's where the good data is and that's where the most risk is. So if you can spend the majority of your time scanning and verifying all the different
50 bajillion prod environments you have scattered all over the place, that's where the most value is going to be.

Alright, so there's a lot of different types of scanners. I'm gonna go through it quickly, because I know some people do and some people don't know about how they work, and just so you know, we've got most of these all built into our different stages. So SAST, this runs against the code... sorry, secret detection. It is specific to pattern matching, so think of it like your spell checker in Microsoft Word, and it's gonna find API keys, it's gonna find your tokens, it's gonna find, like, particular hash types. And so this is really good for just checking: did somebody accidentally put some tokens in there?

And now we get into SAST, which is the same thing, except instead of looking for tokens it's looking for fingerprints in a specific language, and so I can say, "well, this could be a cross-site scripting, this could be a SQL injection." The one downfall of SAST is it is not actually going to tell you if it is exploitable; so there could be a mitigation a couple of lines above or a couple of lines below, and so you're gonna have a lot of false positives with this, but it is a good place to start.

Alright, so with dependency scanning, also known as third-party libraries, depending on how you want to term it, I'm sure everyone's heard that "patch, patch, patch." This is kind of the same thing: third-party libraries, if you use one that's outdated, may have a CVE or another vuln against it, and if you are reliant on that, you are now possibly going to be able to be breached by that even though you didn't write insecure code; somebody you're relying on did. So there's a lot of scanners out there, and they will tell you, "hey, this thing that you're using has a CVE, so you need to upgrade that," and upgrading it can be painful, but you should be able to run it, hopefully in your test environment, and see how many
things you need to update in order to make that work.

So container scanning: if you're using containers in your environment, there's things like Clair, and that will actually scan the container to see if any of the layers of this container have things with CVEs. And it's not checking for live breachable things; it's just, do any of the pieces that contain this config have things that are known to be just insecure? But that's a great place to start, especially if you aren't doing any of that right now.

So license compliance is a little bit security, a little bit not. Some licenses will make you open-source your code; if you have secret sauce in your code you don't want to open source that, so you may want to look into the different types of licenses, if you're unaware of that, and as a company prohibit certain ones; it's going to be classes of them.

Alright, DAST is smarter. So before we were talking about all the things that are gonna run just on the code itself; now here's things that are going to run against running code. So DAST does have the downfall that, although it's language agnostic and it's running against the environment, you have to have fully working code. So if the code isn't compiling, or, you know, you don't have enough bandwidth to have the environment be robust and handle a lot of traffic, it's not gonna be able to run. But once it is running, it's sort of like SAST, in that it's looking for certain types of vulnerabilities, but then it tells you if it is breachable. So I was saying before, is this SQL injection usable? "Well, no, I tried to do an injection and it rejected me because there's actually a WAF in place. Okay, we can ignore that, not a big deal."

Alright, IAST is DAST that, like, got smarter and has agents inside and looks for logs. So if you can do IAST, do it, but it is more expensive, so I'll just kind of put that caveat on there.

Alright, fuzzing. It's a lot of fun, and baby ducks are fuzzy, but it's very noisy and it is not realistic, because it's just throwing random stuff at it, as much as it can, and that is going to find some problems, but it's not necessarily going to find realistic problems. So I would leave this off until the end, but if you can occasionally, on a weekend or a long holiday weekend, let a fuzzer run wild, it can find things like buffer overflows. So I believe that was actually how Heartbleed got identified: somebody ended up doing some fuzzing in there. So if you do have time, set it aside and run it, but I would not rely on this constantly.

Alright, so tons of scanner choices. Where do you start? Well, you probably have some security bugs that you have in your backlog right
now, right? Can you try and look at your threat models, look at the bugs you found, and pick a theme? Does that theme match one of the particular types of scanners? Start with that scanner, and then start with the highest-risk projects and go from there. You can't turn on all of the scanners; you will drown in results. And also don't, like, look for everything: start with just criticals, and then maybe just hide everything high and below. You need to put in the effort where it matters the most. Some people are like, "we need to kill all of them." It's like, no, you need to kill the most dangerous ones. So if you can identify this piece of software over here has access to credit card data or social security data, start there before you get to the PII data. Okay, PII data, totally next. After that it's like, okay, well, over here people could make us look goofy by messing with our website or web forms or whatever. Like, okay, fine, that's third. Like, you do want to prevent that, but that is definitely third in the list of priorities.

So specifically, I was talking about targeting different things: exclude your test directories, exclude any directories that are static. Like, when you look through your code, or have your developer look through the code with you, there are probably areas that you're like, "that is super low priority and/or that's static," and where
that has access to nothing important. Exclude them; why even scan them to start? Sure, yes, you would love to scan everything, but don't start there, because if people have, like, hundred-page reports, they're gonna, like, die and ignore you.

So then the next thing is, you're gonna go with the criticals and work your way down, and as you're working your way down and people are putting in exceptions, don't allow the exceptions to be a one-off. Don't have everybody just stick it into the software and then wander off. Have a centralized list somewhere, secured, not open publicly, that says, "okay, well, we can ignore anything that says LDAP because we're not using LDAP here; we can ignore anything that says this particular thing because we're not using that." So if I've researched that and confirmed for Project X we are not using Y, I should be able to share that information with everyone else, who's going to be able to also dismiss those. And if you can actually have something parse the JSON results and go through and automatically reject those going forward for you, maybe have the devs help you write that; that's going to save you a bunch of time, because, you know, anything where the vuln is specifically around "this, we're not using that part of the library" or "we are not using this particular thing in our environment, so we don't need to worry about it," instead of having everybody research that individually, centralize it, make it easier. And you can do that as low-key or as high-tech as you want: it can literally be a shared list between the team that they automate in, or it could be actually in some particular software where you're actually able to configure it to smartly do that.

Alright, so dev training. So we said that we need to have security advocates and we need to have the developers know how to write secure code, and they're not coming out of school with this knowledge. How do you give them that knowledge? Well, there's computer-based training classes and there's also customizable classes. I've listed a couple here;
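Two of the points above, secret detection as "spell checker" pattern matching and the centralized list that parses scanner JSON and dismisses known-not-applicable results, fit together as one small pipeline. The following is an added example for this transcript, not code from the talk or from GitLab: the rule names, severities, the report and policy formats, and every sample input are constructed for the illustration (the AKIA value is the placeholder key from AWS's own documentation). It also shows the false-positive caveat from the talk, skipping a zero-entropy placeholder and dismissing anything under a test directory.

```python
"""Added example (not from the talk or from GitLab): a toy secret detector whose
findings are merged with another scanner's JSON report and then run through a
centralized dismissal list. Rule names, severities, formats and inputs are constructed."""
import json
import math
import re
from collections import Counter

# "Spell checker" style rules: pure pattern matching, no idea about exploitability.
# Hypothetical rule set; real secret scanners ship hundreds of patterns.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_secret_assignment": re.compile(
        r"(?i)(secret|token|password|passwd|api_key)\s*[:=]\s*['\"]([^'\"]{12,})['\"]"),
}
SEVERITY = {"aws_access_key_id": "Critical", "github_pat": "Critical", "generic_secret_assignment": "High"}
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}
ENTROPY_MIN = 3.5  # bits per char; placeholders like "xxxxxxxxxxxx" score 0


def shannon_entropy(s):
    """Bits per character; random-looking secrets score higher than placeholders."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_source(path, text):
    """Pattern-match one file; each finding is shaped like a scanner report entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                # The generic rule only knows the shape keyword = "...", so it
                # drops low-entropy values to cut the most obvious false positives.
                if rule == "generic_secret_assignment" and shannon_entropy(value) < ENTROPY_MIN:
                    continue
                findings.append({"rule": rule, "severity": SEVERITY[rule],
                                 "file": path, "line": lineno})
    return findings


def matches(finding, match):
    """A policy entry matches when every key it lists agrees with the finding."""
    for key, expected in match.items():
        if key == "path_prefix":
            if not finding["file"].startswith(expected):
                return False
        elif finding.get(key) != expected:
            return False
    return True


def triage(findings, policy, min_severity="High"):
    """Split findings into (kept, dismissed_by_policy, hidden_below_threshold)."""
    kept, dismissed, hidden = [], [], []
    for f in findings:
        reason = next((p["reason"] for p in policy if matches(f, p["match"])), None)
        if reason is not None:
            dismissed.append({**f, "dismissed_reason": reason})
        elif SEVERITY_RANK[f["severity"]] < SEVERITY_RANK[min_severity]:
            hidden.append(f)
        else:
            kept.append(f)
    return kept, dismissed, hidden


def run_pipeline(src_files, other_report_json, policy, min_severity="High"):
    """Secret scan plus other scanners' JSON, all triaged against one shared list."""
    findings = [f for path, text in src_files.items() for f in scan_source(path, text)]
    findings += json.loads(other_report_json)["vulnerabilities"]
    return triage(findings, policy, min_severity)


# Constructed sample source. The AKIA... value is the placeholder key from AWS's docs.
SRC_FILES = {
    "app/config.py": ('AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
                      'DB_PASSWORD = "Zq7!pL2#vN9$wX4@bT6"\n'),
    "app/settings.example.py": 'API_KEY = "xxxxxxxxxxxxxxxx"\n',  # placeholder, entropy 0
    "test/fixtures/creds.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n',  # fake test creds
}
# Constructed report "from other scanners" (SAST, dependency scanning); the shape is invented.
OTHER_SCANNER_REPORT = json.dumps({"vulnerabilities": [
    {"rule": "sql_injection", "severity": "Critical", "file": "app/orders.py", "line": 88},
    {"rule": "ldap_injection", "severity": "High", "file": "app/auth.py", "line": 12},
    {"rule": "weak_hash_md5", "severity": "Low", "file": "app/cache.py", "line": 40},
    {"rule": "xss_reflected", "severity": "Medium", "file": "app/views.py", "line": 301},
]})
# The centralized, access-controlled dismissal list from the talk, shared across projects.
DISMISSAL_POLICY = [
    {"match": {"rule": "ldap_injection"}, "reason": "no LDAP in this environment (org-wide)"},
    {"match": {"path_prefix": "test/"}, "reason": "test fixtures; access to nothing important"},
    {"match": {"rule": "weak_hash_md5", "file": "app/cache.py"},
     "reason": "MD5 only used for cache keys; researched for project-x"},
]

if __name__ == "__main__":
    for f in run_pipeline(SRC_FILES, OTHER_SCANNER_REPORT, DISMISSAL_POLICY)[0]:
        print(f"ACTION {f['severity']:<8} {f['rule']:<26} {f['file']}:{f['line']}")
```

On the constructed input, three findings survive (the committed AWS key and database password in app/config.py, and the SQL injection from the other scanner); the LDAP result, the cache-key MD5 and the test-fixture key are dismissed with the shared reason attached, and the Medium XSS is only hidden, not dismissed, so lowering `min_severity` later brings it back. A policy entry records a reason because that is what you need when someone asks six months later why a result was ignored.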
there's obviously a ton more. And the key here is it needs to be language specific. So if part of your organization, which is usually what we see, part of the organization is this language, part is this, and part is this, usually people are not unified across their entire organization if it's a larger organization, so you have to get different language training for different groups of people. It is going to cost you more money, but it's going to save you in potential fines, breaches, and shenanigans later, so just invest in that. And if you want to start with, like, the CBT-based stuff, which has all sorts of meanings, alternately I'm meaning computer-based training in this one, please start there. It's not as great as live training, but it is a place to start.

So the next thing is: how many of you have done lock picking? Did you have that moment of "oh, that's on my front door"? Give the developers that moment. Show them Burp Suite, ZAP, all sorts of other things, like, "oh, when you talk about doing that, that's what you mean? That was easy." That's exactly the moment you want to give them. They will then actually think about security more, because at the top of your head, when you're doing things, you're not thinking about stuff; you're thinking about "I need to make this software do this thing so the project manager is happy and signs off. Oh, and I remember how easy it was to pop a web form, let me pop in a couple of things here."

Alright, so if you do have security advocates, please make it volunteer-based. If you make it assignment-based, people are going to not be excited to learn, they're not going to be passionate about it, they're not going to want to share what they learn with other people; they will do just enough to check it off on their review for the annual whatever and move on. But if you make it volunteers, you're gonna find people who actually, like, "hey, this is kind of cool." You might even find people that eventually come over to work on the security team.

Alright, so how do I
summarize this? I'm trying to summarize all of the things, because I talk a lot. So the security advocate is a developer on the development team who has an interest in security. They're now going to be your subject matter expert, but again, "expert" just means better than the rest of the team. So depending on the maturity level of the team and how much they know about security, like, it can be a bit more, and then the team moves up here and then that person has to move up there. So it's a moving target, but they just need to know more than the other devs, and they're gonna be your eyes and ears. If none of you have ever brought in snackies for a developer or a project manager and had them complain about their project and accidentally found out about security issues that nobody raised to you before during that session, you should try it. And this is basically what you're institutionalizing: you're institutionalizing people who hang out with you and chat with you, and you're gonna get a heads-up on things that you otherwise would not have had the opportunity to find out about. Give them stickers, give them coffee, give them veggies and ranch dressing, whatever it is that makes them happy people and want to hang out with you; give that to them.

Alright, so how do we keep getting them to be up a little bit? Right, as I said, they have to keep being slightly ahead. Well, can you have, like, your own little mini CTF team? Like, wouldn't it be cool to be a security advocate? Like, once a month we get to do a CTF in the afternoon on Friday and they feed us. I mean, that's probably not very expensive for you to run; there's a ton of free CTF stuff, right? And they learn a bunch of stuff, especially if you make the CTF your own software, a copy of your own software in a protected dev environment. Also, what about lunch and learns? I mean, you probably are gonna learn lots of things here; can you go back and do a lunch and learn where you all watch one of these
presentations and munch on your lunch? Can somebody who goes to DEF CON come back and give a report to everybody else about the cool stuff that they did learn? Or maybe somebody did a CTF on their weekend; can they go through, like, "I did this Hack The Box level, let me tell you about it"? I also have a repo, whether it's Slack or whatever, where we're sharing good findings and then tagging them: this was a good talk on cross-site scripting, this was a good talk on Ruby and preventing, you know, bad auth stuff. Whatever it is, tag it, have it so that somebody else who comes into the program later can benefit from all the prior knowledge, because otherwise it's just, you're gonna have to repeat it all or find it all again.

Alright, so you're trying to grow these people, and the end goal of this growth is one per team. And with agile teams they have the pizza rule, right? So it's supposed to be about eight people, because you're all supposed to be able to eat a pizza together, which, I mean, like, some people don't like pizza anymore, but whatever, approximately that number. So you want to have one per team; that's a lot, depending on the size of your organization, which is why I'm saying start somewhere. Start with just having, like, two or three security people throughout the organization: maybe you have one in product, maybe you have one that's a principal engineer, maybe you have one in infrastructure. Just start with a couple, and then remember, we're gonna make it fun: there's gonna be CTFs, there's gonna be, like, stickers and all sorts of things. Then it's gonna start to grow, and these people are volunteering. Don't make it a huge time commitment; just make it a learning thing, that we're gonna learn one thing a month and you're gonna be slightly more knowledgeable than everybody else. We're just gonna keep growing it, and it's gonna grow itself over time. This is not a speedy process.

Alright, so here we go. This is the most
controversial slide that I have, for some reason: don't say no. Literally take the word "no" and remove it from your, like, vocabulary. You can say, "how about we do this? That method's vulnerable, let's look for an alternate method." "I don't think that's a good idea, we have to do this another way." There's a million ways to say no without saying no. As soon as you say no, people stop listening to you; they don't give a... they will go find a way to do the thing that they want. "I can't transfer files? Well, I'm just gonna go start Dropbox and move things around," and then suddenly you're Dropbox that you really didn't want there, right? Shadow IT, that's terrible. So do not be the grumpy cat; like, plaster on the smile and be like, "okay, you need to transfer really large files. To whom? How often? Where, internally, externally? Let's find a solution, and we're not going to use Dropbox." [Laughter]

Alright, so how do we know we got there? I mean, nothing really matters unless you can say, like, "we got there." So the business is gonna be like, "right, we're not in a breach, does that mean we're there? We can stop?" Well, no. We're gonna turn on the scanner, and I'm gonna warn you, there's gonna be a bajillion results; our graph's gonna go nuts and everyone's gonna scream, but that's okay, because then the graph's gonna change over time. So that's where we're gonna start. So just say, for the baseline, numbers are high, because now we know about the risks that we have. And every time you add a new scan you have to re-have this conversation. I know it seems like you just had this conversation; I don't care, go have the conversation with every single manager and C-level again: "hey, we're about to turn on a new scan, again, we're gonna have a lot more vulnerabilities coming in, we expect that, and that's perfectly okay, because then we now know about the risks that we have, instead of having things that we don't know about come in and cause us to be in the news." Have that
conversation have it calmly be able to answer their questions if you have somebody who really is good at that type of presentation go send them around and then reward them with like a Starbucks gift card or something for going through that effort all right every time you hit some kind of awesome place celebrate it there is way too often that on security teams and on developer teams you just keep pushing out code and pushing out fixes and it's one thing after another and like oh this is exhausting and everything is terrible whenever I was trying to breach us yes that's true but how much stuff did you stop in the past month how many things did you improve in
the past month how many people did you educate in the past month that all counts that is all amazing work and you should get credit and kudos for that and so you need to make sure on the security team and the dev team that you are saying hey we did this training and we stopped having as many new high and criticals come into our environment it dropped by 15% that is amazing and send out email to everybody and let them know you appreciate that hey we implemented a scan everything jumped up but the number of new production vulnerabilities decreased our pre prod ones increased but then you will fix them within one iteration and they did not make it to prod we found
200 things last month which we prevented from going into production take all of that stuff and make sure you are thanking everyone I know it seems hollow but like when you see a message on slack or in your email saying like Sultan was on this call and really rocked it or so and so like prevented this bug in prod this one kind of make you feel warm and fuzzy lots of people get that feeling send that email it seems goofy just do it all right use your data wisely I'm sure we all know like AI you can do all sorts crazy things and statistics it's all a lie well it's true so use it as
transparently and honestly as you can but also call out specific things are there certain types of issues that are being found most frequently okay well we're seeing a whole bunch of tokens being checked in and we really don't understand why this is happening luckily our scanners catching it but how do we prevent that maybe they need to do training around that are some teams doing better than others can that team to a Lunch and Learn for all of the other groups or is there one team that seems to really be struggling maybe you should be spending some quality time with them embed yourself so just use the data don't punish anyone for it if anyone's heard about like phishing
things and like some people are terrified I click the phishing link I'm not going to report it cuz now I'm going to get fired that should not be something in your organization if somebody reports a phishing thing even whether it's a real phishing thing or they just were overly cautious be like thank you for reporting it can you tell me if you clicked it ok you clicked it that's okay let me go check on some things ok well we're just gonna have to run these scans on your computer now but we really appreciate you coming to us to make sure that it would be found before anything bad happens become work with them don't punish them otherwise no one
is going to tell you when the bad happens you want to know when it happens alright so in summary get the engineers to set aside set aside time for automation and scripting this means the project managers or product owners you need to remind dev setups I need some time there and also if they're not setting aside time for tech debt also be like by the way tech debt because otherwise that's going to slow us down and bite us later because tech debt will lead to security problems also get everyone to get security training there's already a training budget somewhere because you've got the OWASP thing you have to do so talk to your compliance department how much does the
compliance department have can you find a dev centric language specific training that also includes the crafted compliance needs Yahtzee no more money spent and you're winning and also trust but verify remember roll a d20 occasionally and be like I'm adding that because if you don't check it you never know if anyone's actually doing it alright so in summary target your high-risk areas look at your tools and processes and decide like how do I get security involved and part of this like as an integral part so people don't even have to think about it because if they have to think about it it's not happening and developer advocates you need them you want to grow them there's a feedback link yeah any
questions yes [Music] so the question was an initial engagement what do we doing why well I write tools for developers to write more secure stuff so it's less of an engagement more like how are we gonna integrate these scanners into your software so that the red team finds less and so that first thing is hey have you done a threat model can I see which databases contain your most sensitive data or can I see on your web interfaces which things have the most like customer access and it'll start with let's turn on the scanners there especially do you have a prior report from a prior pen test or anything can I look at that and
see what types of things they were finding Oh the majority of things they're finding is this that's the type of scanner that we need and so maybe a wife is like the first thing we need to do out of the box and we will turn that on so it's really using historical data for where is the sensitive data and where have you messed up before because you're probably going to continue to mess up there till those training [Music] and it's not very common in you don't have how do you solve that problem so you can write and then test with like Jenkins or selenium to mimic those same kind of scanners because essentially on a webform what if I toss in parentheses
what if I toss in single parens whatever unfortunately that means you're kind of having to write it yourself so target the OS top ten and have at least one test for each one of those types of things and have the developers be integrating those and like have a checklist like can I write a test for X because it's a form or kind of and so that is unfortunate but yeah yes like aggressively at home how do you foul honey felony in SATs in spades what design standards just a constant carnage so aggressively agile organizations how do you get the scanners in there especially if they're not mature how do you find the false net false ones
[Music] so to settle a dispute around is this a true finding or a false finding the best thing to do is the same thing that would happen if a quality scan came back and failed if you can write me a unit test that proves that it's not working and show the results to me and either a recording or whatever and then dismiss it with that result because if you know what a sequel injection is and you can write a unit test that does some sequel injections and proves it's not actually impactful because we've got a wafer because there's this other mitigation or if they can point you at that specific mitigation line that can do it and so
this way you can say you are allowed to push it as long as you've hit this and entered in this field and then later you can go back and verify that video so you're going to be in a slight lag to them but at least they put in that test with that video or screen cap all right all right cool thank you [Applause]