Why can't developers make it secure?

Transcript

1. Why can’t developers make it secure? Julia Potapenko

2. Security Software Engineer Julia Potapenko @julepka We help companies to

   protect their sensitive and valuable data.

3. If you ask developers what is the problem…

4. • Tight deadlines • Feature priorities If you ask developers

   what is the problem…

5. • Tight deadlines • Feature priorities • Lack of security

   expertise • Security controls con f lict with other features If you ask developers what is the problem…

6. • Tight deadlines • Feature priorities • Lack of security

   expertise • Security controls con f lict with other features • Lack of secure architecture If you ask developers what is the problem…

7. https://www.guardsquare.com/state-of-mobile-application-security-report Tight deadlines

8. https://www.guardsquare.com/state-of-mobile-application-security-report Security controls con f lict with other features Necessity

   of communication https://www.ptsecurity.com/ww-en/analytics/web-vulnerabilities-2020/

9. https://www.microfocus.com/en-us/assets/security/application-security-risk-report Lack of security expertise No secure coding skills https://www.ptsecurity.com/ww-en/analytics/web-vulnerabilities-2020/

   https://www.ptsecurity.com/ww-en/analytics/web-vulnerabilities-2020/ https://www.veracode.com/state-of-software-security-report

10. Secure coding is a separate skill Developers can learn general

    best practices and platform speci f ic recommendations. • Security trainings • Online education materials • Conferences

11. Secure coding is a separate skill Examples: • Data minimisation

    principle (do not store what you don’t really need) • Validate any input from external sources (user input, network requests, etc) • Deny access by default

12. SDLC Requirements Design Develop Test Deploy

13. SDLC Requirements Design Develop Test Deploy Secure coding

14. Security is invisible - No direct business value. - You

    can’t see if it’s working, you can see when it fails.

15. The more we delay security – the more effort it

    takes to be added – the more chances it has to be ignored

16. The longer it takes to f ix an issue, the

    less chances it has to be f ixed https://www.veracode.com/state-of-software-security-report

17. SDLC Requirements Design Develop Test Deploy Secure coding Security assessment

18. Secure SDLC Requirements Design Develop Test Deploy Risk assessment Threat

    modelling & design review Secure coding & static analysis Code review & security testing Security assessment & secure con f iguration

19. Secure SDLC Requirements Design Develop Test Deploy Risk assessment Threat

    modelling & design review Secure coding & static analysis Code review & security testing Security assessment & secure con f iguration Software developers

20. Secure SDLC Requirements Design Develop Test Deploy Risk assessment Threat

    modelling & design review Secure coding & static analysis Code review & security testing Security assessment & secure con f iguration Software developers Architectural decision

21. In a fast-pacing environment… People make poor decisions under the

    pressure. Secure architecture is about decision making. People mess up the processes under the pressure. Secure architecture is about following the process.

22. Secure Architecture Isn’t it a typical responsibility for developers?

23. Secure architecture – is a combination of structural security decisions

    that ef f iciently addresses risks considering business goals.

24. Secure architecture – is a combination of structural security decisions…

    that ef f iciently addresses risks considering

25. Secure architecture – is a combination of structural security decisions

    that ef f iciently addresses risks… considering business g

26. Secure architecture – is a combination of structural security decisions

    that ef f iciently addresses risks considering business goals.

27. Secure Architecture - is about decision making process - is

    based on risks and business goals - is an abstraction Secure Coding - is about writing code - is based on industry guidelines - is platform-speci f ic

28. You operate risks and business goals, abstracting from the tools

    You operate tools, you don’t make business decisions Secure Architecture - is about decision making process - is based on risks and business goals - is an abstraction Secure Coding - is about writing code - is based on industry guidelines - is platform-speci f ic

29. You operate risks and business goals, abstracting from the tools

    You operate tools, you don’t make business decisions Creating structure Adding details Secure Architecture - is about decision making process - is based on risks and business goals - is an abstraction Secure Coding - is about writing code - is based on industry guidelines - is platform-speci f ic

30. BUSINESS GOALS BUILD THE ARCH DECISIONS & DESIGN RISKS &

    TRADEOFFS Building Secure Architecture

31. Building Secure Architecture BUSINESS GOALS BUILD THE ARCH DECISIONS &

    DESIGN RISKS & TRADEOFFS BUSINESS OWNERS DEV TEAM

32. Building Secure Architecture BUSINESS GOALS BUILD THE ARCH DECISIONS &

    DESIGN RISKS & TRADEOFFS BUSINESS OWNERS DEV TEAM SECURITY EXPERTS

33. Building Secure Architecture BUSINESS GOALS BUILD THE ARCH DECISIONS &

    DESIGN RISKS & TRADEOFFS BUSINESS OWNERS DEV TEAM SECURITY EXPERTS

34. Shared Responsibility No one can know everything Who makes decisions?

    Who plans the work and sets priorities? Who will address security?

35. • Business owners • Product and project managers • Software

    developers • UI/UX Designers • DevOps team • QA engineers • … Shared Responsibility No one can know everything Who makes decisions? Who plans the work and sets priorities? Who will address security?

36. Shared Responsibility No one can know everything Each platform is

    different. Secure architecture requires security expertise in each of them. Example: Force upgrade Unlike web, you can’t control when the user updates desktop or mobile app, unless you have implemented additional feature for that. It requires changes from both client and backend.

37. Shared Responsibility No one can know everything Each platform is

    different. Secure architecture requires security expertise in each of them. Example: Screenshot prevention You can’t prevent screenshots for web apps. Why would you want it for Android app? Because users usually automatically sync photos with Google Photos, iCloud, etc.

38. Ownership If you own, you care

39. Ownership • Understand your role • Know what you are

    doing are what for • Communicate The goal: each team member knows who to ask questions. If you own, you care

40. Ownership Example: Owning the features • Understand its value •

    Closer look at related PRs • Keep an eye on updates • Be ready to speak up If you own, you care

41. Ownership Example: Reading security docs “Have you read security policy

    of your compony?” “Have you read risk assessment and threat modelling docs of your project?” If you own, you care

42. Secure architecture requires security expertise processes shared responsibility ownership

43. Want to learn more? “Designing stack agnostic, modern, secure architectures”

    by Eugene Pilyankevich https://www.infoq.com/presentations/design-secure-architectures/ “Secure Development Lifecycle” by Jim Manico https://youtu.be/M7qMP3C5bkU https://owasp.org/www-pdf-archive/Jim_Manico_(Hamburg)_-_Securiing_the_SDLC.pdf Collections of security stats reports https://techbeacon.com/security/27-data-security-stats-matter https://techbeacon.com/security/30-app-sec-stats-matter

44. Thank you! Follow me @julepka