Secure Coding - SecDevOps vs DevSecOps

BSides Tirana, 33:59, 43 views, published 2023-11
Style: Talk

Transcript [en]

Hi everyone, hope you're having a good time in this security conference. Thanks for having me here. Ray paa, it's my first time in BSides and my first time in a security conference, so I'm a bit excited.

Right, thank you. So my topic for today is secure coding: DevSecOps versus SecDevOps. As they may seem to be the same thing, an integration within development, security and operations, there's still some distinction between them, and obviously we're going to determine, in my perspective, what is the best approach to a more secure ecosystem. So okay, let's get on every single one of the topics on itself, starting with coding. Basically, coding today is like air, we have it everywhere, right? Every single, let's say, device, every single thing is based on coding, and it's going to be like that for a long time. Yeah, so it has solved many problems, modern, old problems, and it's going to do that still. It drives innovation, obviously; we're looking at, especially lately, artificial intelligence, self-driving cars, and these are pretty innovative, but still there is a need for, let's say, securing this type of practice.

Starting next with DevOps. Any DevOps here, or developers? No? Okay. Nice, good, so we're on the same page. I mean, we have some conflicts, but we still love each other, you know. Yeah, so DevOps is about automation. It's fairly a new term, I would say, from my experience, like in the last 10 years, maybe less, but yeah, it has helped a lot in modernizing, let's say, the methodologies that applications are taking from initial stages to production, in different methodologies. Like before, we had agile or waterfall; they were pretty good initially, right? DevOps helped in improving those methodologies, actually giving more speed in the release schedules, and as well improved collaboration within the operations team and the developing team. Yes, and security. Yeah, security I think is last in this equation, which is essentially the most important one, because data needs to be secured, right? And code, let's say developers and operations focus on their own, let's say, tasks rather than security.

Yeah, and security, cyber threats. So every, let's say, every vulnerability, every data exfiltration or every attack that has happened initially has led to some major leaks, which have affected multiple organizations, or, let's say, reputation, obviously big cash loss, etc. We need security, let's say, integrated in these two processes for three reasons. Obviously, starting with securing the data, let's say; I'm going to speak more for that later, but basically encrypting. A better performance regarding security, and third, I would say, let the client, client reliability I would say, so they know that their data is secure and obviously they can use and they can share the data safely between different environments.

Okay, next let's talk about secure coding. We didn't have much developers, but in regards to making code secure, I completely agree that developers are not out-of-the-box security practitioners. Like their initial responsibility is not implementing best security practices, because that would obviously slow them down. But still, secure coding, yeah, that is writing code in a high-level language that follows strict principles, obviously with the intention of preventing, as I mentioned earlier, potential vulnerabilities in apps, in later development, or causing harm in data and in different systems.

Best practices. So there are quite a few practices that can help in securing the development, DevOps generally, but specifically for development in this topic. First things: don't trust the user. Some of the best practices that obviously developers can use, the first one, which is the first interaction from the applications or different systems with the users, are: don't trust the user's input; validation; output encoding, basically. So the way that the data input from users is validated, to let's say know how the backend system will filter specific malicious requests, like I would mention SQL injection, or SSRF, or cross-site scripting, etc.

Cryptography. Well, as we know, cryptography has been around for a while, obviously some being deprecated, some being very old, some being vulnerable and easily hackable. So get the cryptography right. So from the initial side, let's say from a coding perspective, data should be encrypted, encrypted, encrypted, every time, of course, because if a middleman or a hacker would get access to that specific code, let's say, or data, without being encrypted, it would lead to a bigger, let's say, affection, or critical data loss to that company.

Keep it secure and simple. So every application should do at least three of these. I've mentioned only these three; there's way more, but these ones in my perspective seem more important. Authentication, obviously, making sure... I'm basically trying to get to the zero trust principle just for this part: authentication, session management, and obviously passwords. Every application obviously should have these three; they would lead to obviously less attacks happening, or less user errors, if these three practices are done correctly. And I'm going to be short for the next ones, just for the sake of time. Threat model, and threat modeling our software, obviously, for data protection and communication security. Doing threat modeling during the process, or initially for the product that is going to be built by a specific developing team, is important; that will help you, or will ease the task of the security team eventually, to let's say secure the architecture of each application. Automation is our friend, yes, I'll talk about that in the DevOps part of things, which is obviously going to help developers in more like, let's say, getting across that agile or waterfall model to have a more rapid product release, right? Yeah, and establish level of trust, automate responses; that would still fall under the DevOps procedure. I'm going to talk on the last slide.

Next slide. Yep, DevOps, completely important procedure, but in my perspective, as a cyber security analyst, of course security is missing, and in this infinity loop we need security somewhere in there, in the middle, in the beginning, in the end. It matters which position it is, but not at this point, right? Dev oops. Okay, so what's DevOps? DevOps is a methodology that helps the development team and different companies or teams to actually have a quicker release time for their products, helping in managing and change management for their code releases, or for their entire development process, which obviously strives for more collaboration within the teams, reduces release cycles whenever newer features are set to be released. It would help in easing that process, of course, because developers won't have to directly work with a designated IT team member, right, the way it used to be before. So kind of a better approach. Improved collaboration, as I mentioned: break down silos. Different teams, as it was before, development team, operations team, always fighting with each other, do this, do that, don't do this; that's kind of a bad approach in regards to communication and collaboration, of course. So yeah, benefits: accelerated time to market, as I mentioned. Time is money, right? Every company would agree on that. So helping in releasing the application to market the quickest and obviously with most features already developed, etc. That would help the companies, because basically every company is out there for the money, meaning that applications help them automate and ease their work processes, their business processes, to achieve their goals.

Yeah, now a bad joke from ChatGPT: why did the DevOps engineer become a magician? Because they could make security disappear faster than you can say abracadabra. And I say that from experience, okay, because they don't like security generally. So yeah, but it's a must now.

Security. Being in security has, let's say, helped me get a better understanding of this process. It's relatively new. There has always been, let's say, code review, there have always been vulnerability assessments in coding, every time there has always been QA, right, quality assurance, for functionality, or be it security, but there has never been a defined process, how to do it, or which is the best methodology to do it. Because, like every aspect of security in the last decade or two decades, it's shifting left, right? We're shifting towards security because we're seeing that happen, right? We're seeing breaches every day, we're seeing loss of money, loss of reputation from companies, and it all starts with code. Basically every application, every single platform that employees, that companies use, starts with coding, and in my perspective, if we start securing that environment since the very start, it would help in mitigating, not all of these, because there's not something like 100% secure, but at least, let's say, decreasing it, right?

So in adding security in DevOps, some practices that would be good: automate, of course, add the automated security tests and scans in that process, specifically for DevSecOps, because I will tell the difference between both of them soon. And so adding security in DevOps will help in detecting the issues or the code vulnerabilities in real time, right? So that would cause less downtime in specific products and make the release process faster. And of course collaboration, as I mentioned earlier: the DevOps concept gives quite a good collaboration between the developer and the operations team, but adding the security in, let's say, the bigger window will help ease that process, as everyone would be on the same page, and obviously, as we know, security is a shared responsibility for everyone, because if it's just a security team in a company, then we're screwed.

Challenges. So there are challenges, of course. Promoting security: not a lot of users are security masters, right? It's basically a new term, I would say, new term when I mention from year 2000 and now; it's like the best period of cyber security where it's being focused, like I would say even the last 15 years, but I'm just expanding it. Tool integration: tools help a lot. We can never have as many people as we want to actually do all the processes manually. It's hard, it's time spending, it's financial spending, and companies do not want to spend a lot on security, we know that, right? Speed versus security: if it's just DevOps, I'm in the perspective where I think that the release process will be quite faster, because it doesn't matter if they're using, let's say, old libraries or they're using bad coding practices; it will just be, let's say, code, make sure it works, and then push it to production. That's pretty quick, right? But there needs to be a balance, because if that would happen all the time, then we would have breaches every second, right? So integrating security into that equation would be great, but always a balance. We cannot have much security and less, let's say, reliability and speed; there needs to be a balancing there. Skill gaps: in my experience, I've noticed that the best role for this kind of field is application security. From different communities, I've noticed that application security do deal a lot with securing applications, be it work with development teams as well as operation teams. But it's quite, in my perspective, a new role, in like the last 5-10 years, from my experience, and there is a good gap there, obviously. It needs lots of expertise, it needs experience in all the security domains, be it network initially, then coding, and then obviously security. That's something that requires a lot of experience; you cannot learn that in schools, right? Yeah. Need for integration: well, integrating these solutions all together would be cost effective, of course, because you would basically ease the release time. If you dealt with security initially, it means that during the process you don't have to actually implement security checks which would obviously take back, let's say, the production release date or something like that. Compliance: we have a lot of compliance nowadays, right? It has been around for a while, but regarding security, a lot of compliance around now, be it PCI DSS, be it GDPR, be it, I don't know, you mention it. Everyone wants compliance, and it helps with business as well, business relations. Nowadays, if you want to do business with a company, like with a serious company, they will ask you: are you compliant to this certification? I'm just saying, ISO 27,000 to? No? Okay, bye. Threat mitigation, continuous improvement and streamlined workflow: all three of these will help the security team, more specifically, and the developing team in making a final, more secure product.

DevSecOps. Can the DevSecOps principle help? That's a good question. I'm very positive regarding DevSecOps. It's not my favorite one, but as I've mentioned here, integrating DevOps is easier in the process and less costly, because you can actually focus on, let's say, the product more than the security. So that's not the best practice when it comes to security, but it will help in maintaining efficiency anyway; it will not slow down the development and deployment process, right? The good thing is that you will have, let's say, collaborative responsibility. DevOps obviously emphasizes shared responsibility with all teams, be it operations, be it development; it can, let's say, be the middleman in making that process friendlier, in applying best practices regarding the code, on the application, as well as applying the best security principles when releasing the product. Still, you can make real progress with DevSecOps, because it balances everything, right? Automation: you can automate a lot of processes actually in DevSecOps, and that's a good thing. We're going to talk about SecDevOps in the next slide, but this is, in my perspective, the main good thing or priority of DevSecOps over SecDevOps. I'm just playing around here; they're basically the same thing, they just change, like priority changes: are we prioritizing applications, are we prioritizing, let's say, efficiency, or are we prioritizing security and threats and data loss and whatever, right? KPIs for improvement, yeah. So as I mentioned, it measures success through KPIs, which is obviously a good thing, like if there is a vulnerability in one step of the development prior to releasing to production, DevSecOps will stop it, right? It will say okay, this will go back to the development team to fix that SQL injection vulnerability, or that vulnerable library. So it's a good thing, right? And they're going to have a common language. You'll have to go through security one step at a time, right? You can't miss it, and that's a good thing. It obviously will foster a common language, which will help in having that understanding towards all the domains, be it development, operations and security.

Now this is my favorite. Okay, I'm a security guy, so I obviously prioritize this one. Why is that? It has its own fallbacks, but generally, let's say, for new companies or new applications, this would be the best approach. Why? Because it obviously places security first and takes security into consideration, making every decision from a security standpoint. So even in the initial product architecture, let's say there is no product, there is zero code, no lines, right? We start with security. Are we going to build this app? Yeah, what's the most secure architecture to build this app, this workflow, this thing? In my perspective, this is the best approach, because obviously you will have security in mind since the first steps, make those decisions, prioritize security as much as the actual steps of integrating security into the DevOps, but of course always security-focused. And yeah, I would say, I'm going to mention that below, but most developers, as I said, are not security experts, right? They will need education, they will need training, of course; they will need to get that mindset that security is important, and from my experience I can tell that most developers don't care about security. The only ones that do are the ones that are actually shifting to application security, and it's a real challenge for us. I believe that everyone here, or whoever is dealing with the SecDevOps or dealing with developers, all vulnerability management regarding code, has had that challenge someday, right? And that's why I think starting with SecDevOps would be the best approach. You can manage risks as well and eliminate them since the beginning. That will obviously even reduce the, let's say, the application release time, because let's take the DevSecOps, right: if, let's say, we configure the code entirely, every line of code is written, now we're going to go through security, a vulnerability arises through an automated scan, right? Oh, take it back to developers. Why? If you integrate that security in every step from the beginning, towards, let's say, every day of whatever a developer codes, it will ease that release time. It's hard initially, because it's going to take some investment and some, let's say, time from all the teams, but obviously it will cause less interruptions throughout the release process.

As I mentioned, potential pitfalls: it can easily focus on vulnerabilities that could probably not be there, or are false positives. Like, as I said, it can spend a lot of time initially to architecture, to securely architect that application, but it can lead, as I mentioned, to a security theater, right? We're going to focus too much on security. We don't want that; we want security and efficiency, but primarily security, of course, because with too much security then everything will basically sometimes not work. And yeah, it will obviously influence the mindset of the developing team and the operations team, but it will, in my perspective, give that security mindset to all people, right, to all teams at least, which is good. Because today we're looking that everything is... I can give you an example. Let's say SecDevOps, right? We have that in an airport. We go through an airport, we go through check-in, and then we go through the control where you have to take everything off, take your belt off, even take your shoes off. That's basically a SecDevOps practice. There are like 0.1 chances that there will be some bomb under your shoe, right? But still, as the colleague mentioned earlier, the red team has to be right just one time, right? So you better be safe than sorry.

And yeah, some differences between DevSecOps and SecDevOps. SecDevOps obviously places equal emphasis on both development and security, while DevSecOps leans toward development and application release, money basically, timing. Yeah, SecDevOps does integrate security from the start, and obviously that helps in building a more secure application, fundamentally, in the architecture, while DevSecOps attempts to include security but obviously may face challenges, as I mentioned earlier, regarding different vulnerabilities that can come out during the release cycle. Yeah. So integration and involvement: SecDevOps will consider security in every step of an application's development, which will basically need a dedicated security team, obviously, or dedicated application security persons throughout that cycle, because it's obviously a long cycle and sometimes it can take a lot of resources, but it's a must. Yeah, automation: both focus on automation. I would say SecDevOps emphasizes automation of more security solutions. It will need more tools, I agree on that; it will have more cost, it needs more people, it needs, let's say, more collaboration with the teams, but the final product will be worth it, right? It can be costly initially, when you set a baseline regarding application security, but then development is an ongoing process, right? So you'll have that baseline for one product, then you have that for all the other products. That baseline will obviously reduce the costs with the passing of time.

I have a saying from the great Ken Thompson, he's the creator of Unix: you can't trust code that you did not totally create yourself. I'm saying just for code, but I'm going to take it in a bigger, expanded sense, like even security solutions, or operational technology, or whatever that can be related with DevOps and security within. So we have to keep it fun and safe, of course. We don't want to be much of an overhead; security is always an overhead, I get that all the time, right? Most of you understand me, I'm sure, but eventually, when you have that right mindset and that right approach to it, it can become fun as well as safe.

So these are, let's say, the recaps for why we need security integrated, be it DevSecOps or SecDevOps. Early risk mitigation, cost efficiency, of course, because, let's say, no one wants breaches, right? An estimated breach in 2023 would be around $20 million, just saying, right? An SMB, or a small to medium-sized business, would not afford that. We're seeing companies that are going bankrupt because of actual breaches, right? So we need that cost efficiency to be at its best, starting with code security. Threat mitigation, compliance, reputation and trust. Reputation and trust, very important. On what I said, mitigating threats since the early stages, so we don't... we have a lot of APTs out there, a lot of hackers that are trying to basically get their profit out of every company or application. Training and monitoring: training developers and operation team members to have that shift-left mindset would help security teams a lot in improving the overall security posture of, be it, applications, companies and people. Yeah, and risk management: we need to balance security and development objectives, always. I might be a security-focused guy, but always we want that efficiency in a company, because we wouldn't be working if the company wouldn't be making money. So, but still, focusing on that security mindset would help us and every team member, even the company, in different aspects, be it protecting from, let's say, hackers, from attacks, making the release schedule for new features, for new products way easier. I believe that would be a good practice, and yeah, that's it. Any questions? Make sure it's strong, right.

Audience: Okay, just for short notice, I work as a DevOps and I wanted to add a strong point to what you said. You said that most of the DevOps practices are not built safe. I just want to add that most of the GitOps platforms nowadays don't let you push code into production. If you are planning to do an enterprise, it doesn't let you by default push code into production without putting some scanners. So they do static analysis on your code; you can also integrate dynamic analysis on your code. So they try to block this. If you are using some GitOps practice, that's SecDevOps already built in it. Yeah, so the new GitOps doesn't let you by default push unsecure code into production.

Speaker: Totally agree. Like, as I said, let's say highly specialized companies who have the actual funds and actual budget to afford, I mean, GitHub, as you mentioned, or be it AWS, doesn't matter; it's good. I love GitHub. It is shifting left a lot towards that SecDevOps practice, and it's good for DevOps as well, for developers at minimum, because it doesn't give them all those red flags all the time. So yeah, I've noticed that. I think that's a new feature in GitHub, it's like the last one or two years.

Audience: Not only on GitHub; I also use GitLab, and GitLab Ops also the same, also the gab bits, since the moving to DevOps perspective has moved with SecOps in mind. Is Azure catching up?

Speaker: Or Azure Dev... they're focusing on a different story. We mostly here are juk guys. Thank you. Does anyone have any other questions? No? Okay.

Audience: Okay, thanks, interesting talk. When you talked about secure coding training for the developers, did you encounter any sort of training needs around interpreting tool outputs?

Speaker: Can you repeat the last sentence?

Audience: Did the developers have training needs to interpret the output of the tools? And I will think about that for developers in my company, you know; they probably need to do that.

Speaker: Yeah, no, as I mentioned even earlier, development teams need that training. Developer teams, they need the security training; in my perspective, it's a must. Like, not in regards to just "oh, let's make that product secure", but every company nowadays, every, let's say, prestigious company or big company, is requiring security by default. So if you're a developer and you don't have, I would not say advanced best secure coding practices, but just those initial baselines, right? You do input validation, let's say you parameterize those SQL queries, whatever be it, right? Just basic things; I'm not thinking the bigger picture. If you don't have that... like, I think it's part of even nowadays interviewing a developer: what do you think about this security practice, right, or this and that. So in my perspective, it should be a process, in developers taking these trainings, definitely. Thank you.

Audience: Yeah, thank you.
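The talk names "don't trust the user", input validation, output encoding and parameterized SQL queries as the baseline secure-coding practices a developer should know before the pipeline scanners ever run. The following is an added Python example, not code from the talk or its speaker, that puts those practices side by side on constructed sample data: a string-built query next to its parameterized form, an allow-list validator (the username pattern is an assumed policy), and HTML output encoding on the way back out. It runs offline against an in-memory SQLite database.

```python
# Added example (not from the talk): the "don't trust the user" baseline,
# shown as a vulnerable lookup beside its hardened form.
import html
import re
import sqlite3

# Assumed allow-list policy for usernames: lowercase letters, digits, underscore.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three users in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [
            ("alice", "alice@example.test"),
            ("bob", "bob@example.test"),
            ("carol", "carol@example.test"),
        ],
    )
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """BAD: string formatting lets the input rewrite the query's structure."""
    query = f"SELECT name, email FROM users WHERE name = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """GOOD: the driver binds the value, so it can never become SQL syntax."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (username,)
    ).fetchall()


def validate_username(username: str) -> bool:
    """Input validation: accept only what the allow-list permits."""
    return bool(USERNAME_RE.fullmatch(username))


def render_greeting(name: str) -> str:
    """Output encoding: escape untrusted text before placing it in HTML."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def handle_request(conn: sqlite3.Connection, username: str):
    """Hardened request path: validate, query with parameters, encode output.

    Returns the rendered HTML, or None when the input is rejected or unknown.
    """
    if not validate_username(username):
        return None
    rows = lookup_user_safe(conn, username)
    if not rows:
        return None
    return render_greeting(rows[0][0])


if __name__ == "__main__":
    db = make_db()
    # Constructed input that breaks the string-built query's WHERE clause.
    crafted = "' OR '1'='1"
    print(lookup_user_vulnerable(db, crafted))  # every row comes back
    print(lookup_user_safe(db, crafted))        # nothing matches that literal
    print(handle_request(db, crafted))          # None: rejected by validation
    print(handle_request(db, "alice"))          # <p>Hello, alice!</p>
```

The three layers are independent on purpose: validation rejects the crafted input before any query runs, the parameterized query would be safe even if validation were missing, and the output encoding protects the HTML response regardless of what is stored in the table. This is the kind of check the speaker says a pipeline scanner (SAST or DAST) will flag, but it is cheaper to write it correctly from the first line than to bounce the release back to the developers.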