2. About Me
● Red Team at Redspin
● SB OWASP + AppSec California + Bay Area OWASP
● Green Team at Bugcrowd
● Blue Team at Segment
3. The Slides are Online, I’m Online
● https://www.slideshare.net/leifdreizler/ TODO
● @leifdreizler
TODO
4. Influential Presentations
● Twubhubbook: Like an AppSec Program, but for Startups - Neil Matatall/Brent Johnson (GitHub) - https://youtu.be/JEE7wXHa1kY
● We Come Bearing Gifts: Enabling Product Security with Culture and Cloud - Astha Singhal/Patrick Thomas (Netflix) - https://youtu.be/L1WaMzN4dhY
● Starting an AppSec Program: An Honest Retrospective - John Melton (NetSuite) - https://youtu.be/ETkHISgEh3g
● Pushing Left, Like a Boss - Tanya Janca (Microsoft) - https://youtu.be/8kqtrX6C10c
6. Favorite Quotes
● Enable, Don’t Block - “Effective Security teams should measure themselves by what they enable, not by what they block” - Rich Smith
● Security Has to Start with Quality - “Vulnerabilities are bugs. The more bugs in your code, the more vulnerabilities”
● Choose People over Tools - “Learn to lean on your tools. But depend on your people to keep you out of trouble”
“Make it easy for engineers to write secure code and you’ll get secure code.”
Source: https://reqtest.com/general/a-bug-goes-skateboarding-on-boehms-curve/
8. Outline
1. Building a Team and Program
2. Training
3. Successful Vendor Implementation
4. Engineering Embed Program
9. Organizational Buy In
● Whole company needs to care about security
● $ecurity Headcount
● Engineering time
Building a Team
Jonathan Marcil - Threat Modeling Toolkit (https://youtu.be/KGy_KCRUGd4)
10. Building a Team
● Host/speak/volunteer/sponsor meetups/conferences
● OSS Contributions
Coleen Coolidge - How to Build a Security Team and Program (https://youtu.be/b0r5vc_eCoU)
Building a Team
12. Shift Left
Tanya Janca, @shehackspurple
Source: https://code.likeagirl.io/pushing-left-like-a-boss-part-1-80f1f007da95
13. Training
● Part 1 - Think Like an Attacker
● Part 2 - Secure Code Review
Source: Security Solutions for Hyperconnectivity and the Internet of Things
15. Think Like an Attacker - Creating Relevant Content
● Bug bounty submissions
● Pentests
● Internal findings
Training - Think Like an Attacker
16. OWASP Juice Shop
Source: https://www.owasp.org/index.php/OWASP_Juice_Shop_Project
Training - Think Like an Attacker
17. Hands-On Training Schedule
1. Vuln category 1 (Slides + Examples)
2. Vuln category 2
3. Interactive Training (Burp Suite + Juice Shop)
Repeat!
Source: https://www.dreamstime.com/royalty-free-stock-photography-computer-hacker-hands-image8278907
Source: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/
Training - Think Like an Attacker
23. Leif’s Hawaiian Shirt Store
I’ve paid David to build a new Hawaiian shirt store with React. Is there anything
wrong with it?
server.js / App.js
Training - Secure Code Review
28. AppSec Training
● Meet new eng hires
● Common vuln types
● “Security Judgment”
● Think about PRs in new ways
● Have fun!
Training - Secure Code Review
31. Example - Snyk
● Security eval - tested on various repos
● Partnered with App team
● Presented at Eng all hands
● Security submitted PRs to core repos
● Wrote Integration with Directory
Vendor Adoption
Snyk is a tool to help companies manage vulnerabilities in their dependencies.
34. Bug Bounty
Pay for anything that gives value
Source: https://www.ixxiyourworld.com/en/products/ixxi-images/boba-fett-film-poster/
https://bugcrowd.com/segment?preview=7d6237547ee4ad71a249877be1858ffe
36. Security ➡ Engineering Embed Program
● Software design docs
● Get appropriate buy-in
● Work with Design
● Write good test cases
● Follow deployment procedures
Follow the Normal Process
Engineering Embed
37. Full Stack (Security) Engineering
● Meet developers, designers, product managers
● Deeper understanding of engineer process
● Learn more about the code base you’re protecting
● Diversify your skillset
Walk a mile in the developer’s code
Engineering Embed
42. Security ➡ Engineering Embed Program
● Great way to meet people
● Shows you can build useful features/tools
● Sec learns eng process/tooling/constraints
● Bring back knowledge to the security team
Engineering Embed
45. In Case of Emergency
● Compliance requirements (GDPR, ISO27001, etc.)
● Recent Pentests (shown to customers)
● Customer security questionnaires
● My peers at companies x, y, and z do thing
47. Key Takeaways
• Get Involved!
• Build Your Dream Team (this includes developers!)
• Vulnerabilities are Just Bugs
• Security is Everyone’s Job
• “Security Judgment”
• Successfully Partner Cross-functionally
• Reduce Operational Work
• Save your No’s