Working with Developers for Fun and Progress - AppSec California
About Me
● Red Team at Redspin
● SB OWASP + AppSec California + Bay Area OWASP
● Green Team at Bugcrowd
● Blue Team at Segment
The Slides are Online, I’m Online
● https://www.slideshare.net/leifdreizler/ TODO
● @leifdreizler
TODO
Influential Presentations
● Twubhubbook: Like an AppSec Program, but for Startups - Neil Matatall/Brent Johnson (GitHub) - https://youtu.be/JEE7wXHa1kY
● We Come Bearing Gifts: Enabling Product Security with Culture and Cloud - Astha Singhal/Patrick Thomas (Netflix) - https://youtu.be/L1WaMzN4dhY
● Starting an AppSec Program: An Honest Retrospective - John Melton (NetSuite) - https://youtu.be/ETkHISgEh3g
● Pushing Left, Like a Boss - Tanya Janca (Microsoft) - https://youtu.be/8kqtrX6C10c
Favorite Quotes
● Enable, Don’t Block - “Effective Security teams should measure themselves by what they enable, not by what they block” - Rich Smith
● Security Has to Start with Quality - “Vulnerabilities are bugs. The more bugs in your code, the more vulnerabilities”
● Choose People over Tools - “Learn to lean on your tools. But depend on your people to keep you out of trouble”
“Make it easy for engineers to write secure code and you’ll get secure code.”
Source: https://reqtest.com/general/a-bug-goes-skateboarding-on-boehms-curve/
Outline
1. Building a Team and Program
2. Training
3. Successful Vendor Implementation
4. Engineering Embed Program
@leifdreizler
Building a Team
Organizational Buy In
● Whole company needs to care about security
● $ecurity Headcount
● Engineering time
Jonathan Marcil - Threat Modeling Toolkit (https://youtu.be/KGy_KCRUGd4)
● Host/speak/volunteer/sponsor meetups/conferences
● OSS Contributions
Coleen Coolidge - How to Build a Security Team and Program (https://youtu.be/b0r5vc_eCoU)
Shift Left
Tanya Janca, @shehackspurple Source: https://code.likeagirl.io/pushing-left-like-a-boss-part-1-80f1f007da95
Training
● Part 1 - Think Like an Attacker
● Part 2 - Secure Code Review
Source: Security Solutions for Hyperconnectivity and the Internet of Things
Reviews
Training - Think Like an Attacker
Training - Secure Code Review
Think Like an Attacker - Creating Relevant Content
● Bug bounty submissions
● Pentests
● Internal findings
Training - Think Like an Attacker
OWASP Juice Shop
Source: https://www.owasp.org/index.php/OWASP_Juice_Shop_Project
Training - Think Like an Attacker
Hands-On Training Schedule
1. Vuln category 1 (Slides + Examples)
2. Vuln category 2
3. Interactive Training (Burp Suite + Juice Shop)
Repeat!
Source: https://www.dreamstime.com/royalty-free-stock-photography-computer-hacker-hands-image8278907
https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/
Hands-on Training
Security 1337erboard
Secure Code Review
● XSS
● Broken Access Control
● Secrets management
● Error handling
● SSRF + DNS Rebinding
● …and more!
Influenced by OWASP Secure Coding Cheat Sheet
Source: Your Personal Password Vault: A Password Journal and Logbook
Training - Secure Code Review
Absolute AppSec #42
https://github.com/segmentio/netsec
https://github.com/segmentio/netc
Leif’s Hawaiian Shirt Store
I’ve paid David to build a new Hawaiian shirt store with React. Is there anything wrong with it?
server.js / App.js
App.js
server.js
AppSec Training
● Meet new eng hires
● Common vuln types
● “Security Judgment”
● Think about PRs in new ways
● Have fun!
Vendor Adoption
Source: https://www.itbusinessedge.com/slideshows/nine-questions-to-ask-when-selecting-a-security-vendor.html
Partner with Engineering during the evaluation process
Example - Snyk
Snyk is a tool to help companies manage vulnerabilities in their dependencies.
● Security eval - tested on various repos
● Partnered with App team
● Presented at Eng all hands
● Security submitted PRs to core repos
● Wrote Integration with Directory
Directory Integration
Bug Bounty
Pay for anything that gives value
Source: https://www.ixxiyourworld.com/en/products/ixxi-images/boba-fett-film-poster/
https://bugcrowd.com/segment?preview=7d6237547ee4ad71a249877be1858ffe
Bug Report → Jira
● Description
● Easy to follow repro steps
● Severity
● Remediation Criteria
● Suggested Remediation
Source: https://articles.microservices.com/an-alternative-way-of-visualizing-microservice-architecture-837cbee575c1
Engineering Embed
Security ➡ Engineering Embed Program
Follow the Normal Process
● Software design docs
● Get appropriate buy-in
● Work with Design
● Write good test cases
● Follow deployment procedures
Full Stack (Security) Engineering
● Meet developers, designers, product managers
● Deeper understanding of the engineering process
● Learn more about the code base you’re protecting
● Diversify your skillset
Walk a mile in the developer’s code
Password Strength Meter
(Figure: strength meter scale 0 to 5; labels: Analytics, PM, Full-stack, Design, Marketing, Copy)
Security ➡ Engineering Embed Program
● Great way to meet people
● Shows you can build useful features/tools
● Sec learns eng process/tooling/constraints
● Bring back knowledge to the security team
Developer Friendly SAST
#33
Salus
https://youtu.be/TGBTrshyE9Y
In Case of Emergency
● Compliance requirements (GDPR, ISO27001, etc.)
● Recent Pentests (shown to customers)
● Customer security questionnaires
● My peers at companies x, y, and z do this
Key Takeaways
• Get Involved!
• Build Your Dream Team (this includes developers!)
• Vulnerabilities are Just Bugs
• Security is Everyone’s Job
• “Security Judgment”
• Successfully Partner Cross-functionally
• Reduce Operational Work
• Save your No’s
@leifdreizler
Closing Thoughts
TODO
@leifdreizler
