From rogue one to rebel alliance by Peter Chestna
1. Join the conversation #DevSecCon
BY PETER CHESTNA, CA VERACODE
From Rogue One to Rebel Alliance
2. Who am I?
• 25+ Years Software Development Experience
• 11+ Years Application Security Experience
• Certified Agile Product Owner and Scrum Master
• At Veracode since 2006
• From Waterfall to Agile to DevOps
• From Monolith to MicroService
• Consultant on DevSecOps best practices
• Fun Fact: I love whiskey!
@PeteChestna
3. Agenda
• Why do we need them?
• Sell the program
• Recruit your team
• Train your team
• Give them goals
• Measure them
• Reward them
4. Why do we need champions?
Companies with InfoSec or CISO
• Physical security
• Endpoint security
• Disaster recovery
• Content filtering & phishing prevention
• Intrusion prevention & protection
• Incident response
• Compliance
• …
5. Why do we need champions?
AppSec responsibilities
• Dozens to hundreds of teams
• Thousands of applications
• Risk assessment
• Mitigation testing and approval
• External attestation
• Reporting x-Org
6. Compounded by Compressed Timelines
Waterfall: 1-4 Releases Per Year
Agile: 12-24 Releases Per Year
DevOps: 100+ Releases Per Year
7. Why do we need champions?
What about Red Team and pen testing?
• Most companies can’t find/hire/train/afford
• Only for high value items (critical controls)
• Too late in the process for most vulnerabilities
• Too slow for today’s SDLC
• Hard to scale
• Not cost effective for simple vulns
8. Why do we need champions?
Just hire more people – yeah right
ISACA - 2016 Cybersecurity Skills Gap
12. Here’s The Thing
What one thing gets in the way of AppSec more than any other?
13. Start with Accountability
• Shared between development and security
• Part of annual goals for both teams
• Measured and reported regularly
14. Sell the program
• Management
  • Integrate into existing process (low cost)
• Team
  • Less waiting
  • Better support
• Individual
  • Extra training
  • Better job skills
15. Describe the job
• Security Grooming
• Bill of materials
• PSIRT
• Secure code reviews
• Conscience of security
16. Recruit your team - Do
• 1-2 members from every product team
• Volunteers are best
• Influencers
  • Respected or influential team members
  • Doesn’t have to be dev
17. Recruit your team – Don’t
• New employee
• New to team or product
• Not an existing Scrum role
  • Product Owner
  • Scrum Master
18. Train your team
Security Fundamentals
• CIA
• Trust no one
• Deny by default
• Defense in depth
CTF exercises
• Overthewire.org
19. Train them - Grooming Guidelines
• New feature introductions
• New UI elements
• New API endpoints
• New Architectures
• New Security Controls
• New Forms or Actions
• Fix for pen test finding
21. Train them – Secure code reviews
Limited topics based on security controls
• Data validation
• Encoding
• Parameterization
• Logging
• Error Handling
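To make the five review topics concrete, here is an added example (not from the talk or from Veracode) showing, for each topic, the kind of code a champion would flag during review and the shape they would ask for instead. It uses only the Python standard library and a constructed in-memory SQLite table; the table, names and e-mail addresses are made up for the demo.

```python
"""Secure code review topics worked through in code: data validation,
encoding, parameterization, logging and error handling.
Added example using a constructed in-memory users table."""
import html
import logging
import re
import sqlite3

logger = logging.getLogger("review_demo")


def make_db():
    """Constructed sample data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


# --- Parameterization -----------------------------------------------------
def find_user_unsafe(conn, name):
    """What a reviewer flags: caller input spliced into the SQL string, so
    the database cannot tell data from query syntax."""
    return conn.execute(
        f"SELECT email FROM users WHERE name = '{name}'"
    ).fetchall()


def find_user_safe(conn, name):
    """Bound parameter: the driver passes the value separately from the
    statement, so it is only ever compared as data."""
    return conn.execute(
        "SELECT email FROM users WHERE name = ?", (name,)
    ).fetchall()


# --- Data validation (allow-list, deny by default) ------------------------
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def validate_username(name):
    """Accept only what the application defines as a username; everything
    else is rejected rather than cleaned up."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return name


# --- Encoding ---------------------------------------------------------------
def render_greeting(name):
    """Output encoding for the context the value lands in (HTML body)."""
    return f"<p>Hello, {html.escape(name)}</p>"


# --- Logging and error handling ---------------------------------------------
def lookup_email(conn, raw_name):
    """Validate, query with a bound parameter, log detail internally, and
    give the caller only a generic result on failure."""
    try:
        name = validate_username(raw_name)
        rows = find_user_safe(conn, name)
        return rows[0][0] if rows else None
    except ValueError as exc:
        # Internal log keeps the detail (%r quotes the raw input so a
        # crafted value cannot forge a log line); caller learns nothing.
        logger.warning("rejected lookup for %r: %s", raw_name, exc)
        return None
    except sqlite3.Error:
        # Stack trace goes to the log, never to the response.
        logger.exception("database error during lookup")
        return None


if __name__ == "__main__":
    db = make_db()
    print(lookup_email(db, "alice"))          # alice@example.test
    print(lookup_email(db, "' OR '1'='1"))   # None (rejected by validation)
    print(render_greeting("<b>x</b>"))       # escaped, not rendered as markup
```

The review checklist in the slide maps to the sections in order: the `_unsafe` function is the pattern to flag, and `lookup_email` shows the layered version (validate, bind, encode on output, log internally, fail closed) a champion can point a team towards.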
22. Empower them, within limits
Goal for year 1:
• Take over security grooming
• Slow, deliberate, mentored transition
• Escalate when needed
• Take additional training (eLearning)
23. Measure them
• Goals for champions
  • Code review certification
  • Spot check grooming decisions
• Goals for teams
  • Against maturity model
  • Baseline and update
  • Are you getting what you expect?
24. Reward them
• Additional training opportunities
  • Internal (mentor)
  • External (conferences)
• Teach them to hack
  • Internal CTF sessions
• Give them swag, badges, certifications
25. Learn about their world
• Read
  • Phoenix Project
  • DevOps Handbook
• Attend some scrum ceremonies
• Learn their tools
• Write security stories and/or code