Webinar–Building A Culture of Secure Programming in Your Organization
0 likes73 views
This document discusses building a culture of secure programming within an organization. It notes that culture can account for 20-30% of differences in corporate performance. It discusses challenges of modern software development like polyglot environments and faster development cycles. It argues security must understand developer technologies and processes. It promotes solutions like security champions who work with developers, security training, automation, and early involvement to align security and development pressures. The goal is open communication, security as enablers rather than blockers, and nurturing a proactive security culture.
Webinar–Building A Culture of Secure Programming in Your Organization
- 1. © 2019 Synopsys, Inc.1 Building a Culture of Secure Programming in Your Organization Amanvir Sangha Synopsys Software Integrity Group—2019
- 2. © 2019 Synopsys, Inc.2 Introduction Software security engineer consultant, Synopsys • Static analysis, code review • Training • Penetration testing Experience: Software Security Engineer (FinTech) • Bug bounty/vulnerability disclosure programs • Building AppSec from the ground up Software Engineer (FinTech) • Building life insurance software • Focus on quality and high assurance: TDD, BDD Startup (Security) • Building a SaaS platform for vulnerability scanning amanvir@synopsys.com @_amanvir
- 3. © 2019 Synopsys, Inc.4 Agenda • Why culture? • Modern software engineering - Challenges in modern software engineering - Dealing with constant change • Solutions to new challenges • Allowing security to be an enabler - Maintaining velocity • Nurturing a culture of proactive security - Automation - Tooling - Environment
- 4. © 2019 Synopsys, Inc.6 Why focus on culture? Culture “can account for 20-30% of the differential in corporate performance when compared with ‘culturally unremarkable’ competitors.” 1 1 https://hbr.org/2013/05/six-components-of-culture Technologies change, but people stay the same.
- 5. © 2019 Synopsys, Inc.7 Rise of polyglot environments polyglot /ˈpɒlɪɡlɒt/ adjective 1. knowing or using several languages.
- 6. © 2019 Synopsys, Inc.8 “If a company chooses to write its software in a comparatively esoteric language, they'll be able to hire better programmers, because they'll attract only those who cared enough to learn it.” —Paul Graham, The Python Paradox, 2004
- 7. © 2019 Synopsys, Inc.9 Why polyglot? • Polyglot developers allow companies to build software faster • It’s a competitive advantage: if you don’t do it, you don’t survive • But it brings new challenges: – How do we deal with this complexity? – How do we keep up?
- 8. © 2019 Synopsys, Inc.11 Polyglot environments Now • Microservices! • Deploying to the cloud • Several stacks • Agile/DevOps: Daily, if not hourly deployment, constant code changes • How does security keep up? In the past • Monolithic applications • Typically one or two stacks • Waterfall methodology • Infrequent deployments • Security can “keep up”
- 9. © 2019 Synopsys, Inc.13 Observation: teams in 2019 Operations • DevOps: AWS, Kubernetes, Terraform, Ansible • Everything written as code Quality • Automated: TDD, BDD, automated testing in CI/CD pipelines • Everything written as code Security Development • Multiple languages, multiple platforms, multiple architectures • Everything written as code • Tools and process oriented • Not moving as fast • Working silo
- 10. © 2019 Synopsys, Inc.14 Polyglot environments = new challenges • Environment are now much more complex • Faster rate of change Key questions Does your security team understand the technologies the developer teams are using? Are they familiar with the languages use? Can they code in them? Are they moving at the same pace as the development teams?
- 11. © 2019 Synopsys, Inc.15 Security vs. developers' skill sets Security Architecture Risk Analysis, Threat Modeling, Penetration Testing, Static Security Analysis Burp Suite, nmap, Metasploit Maybe can write scripts Developers Test Driven Development, Behaviour Driven-Design, User Experience, User Interface Code Editors, Compilers, Browsers Write code daily, can build production applications and deploy them
- 12. © 2019 Synopsys, Inc.16 Internal security vs. developer pressures Risk Reduction Are there security bugs? Is it resilient? Security Static Analysis Coverage Remediating Code Feature Velocity Are there functional bugs? Is it scalable? Code Release Deadlines Unit Testing Coverage Refactoring Code
- 13. © 2019 Synopsys, Inc.17 Align parallel pressures Risk Reduction Are there security bugs? Is it resilient? Security Static Analysis Coverage Remediating Code Feature Velocity Are there functional bugs? Is it scalable? Code Release Deadlines Unit Testing Coverage Refactoring Code Culture: Communication
- 14. © 2019 Synopsys, Inc.18 Align parallel pressures Risk Reduction Are there security bugs? Is it resilient? Security Static Analysis Coverage Remediating Code Feature Velocity Are there functional bugs? Is it scalable? Code Release Deadlines Unit Testing Coverage Refactoring Code Culture: Communication Culture: Security Training
- 15. © 2019 Synopsys, Inc.19 Align parallel pressures Risk Reduction Are there security bugs? Is it resilient? Security Static Analysis Coverage Remediating Code Feature Velocity Are there functional bugs? Is it scalable? Code Release Deadlines Unit Testing Coverage Refactoring Code Culture: Communication Culture: Security Training Culture: Security Testing
- 16. © 2019 Synopsys, Inc.20 Align parallel pressures Risk Reduction Are there security bugs? Is it resilient? Security Static Analysis Coverage Remediating Code Feature Velocity Are there functional bugs? Is it scalable? Code Release Deadlines Unit Testing Coverage Refactoring Code Culture: Communication Culture: Security Training Culture: Security Testing Culture: Automation
- 17. © 2019 Synopsys, Inc.21 Align parallel pressures Risk Reduction Are there security bugs? Is it resilient? Security Static Analysis Coverage Remediating Code Feature Velocity Are there functional bugs? Is it scalable? Code Release Deadlines Unit Testing Coverage Refactoring Code Culture: Communication Culture: Security Training Culture: Security Testing Culture: Pair Programming, User Stories Culture: Automation
- 18. © 2019 Synopsys, Inc.22 So what does a Good Culturetm look like? • Open Communication, Interacting with the development teams – Security Champions • Security Training – CTFs, Conferences • Testing – Continuous Testing – Via automation, tools, CI/CD pipelines – Manual Review – For the high priority issues • Automation – Code analysis, pipelines, chatops • General Culture – Pair programming, sharing knowledge, security-centric user stories, transparency
- 19. © 2019 Synopsys, Inc.23 Automation increases velocity and decreases bureaucracy, allowing companies to move faster.
- 20. © 2019 Synopsys, Inc.24 Individuals and interactions over processes and tools • Assumption: We will do a penetration test and find issues with the application • Reality: How do we deal with the results? Are the developer aware of how to fix these findings? How do we prevent these mistakes from happening again in the future? Are we seeing the same vulnerabilities again year over year? “Make it easy to do the right thing” Automation Make your stack secure by default
- 21. © 2019 Synopsys, Inc.25 If you’re not speaking the language of development, and you’re not using tools and processes that align with the developers’ world, you’re not doing software security. —Nick Murison, Head of Software Security Services, Nordics, Synopsys
- 22. © 2019 Synopsys, Inc.26 Security champions • Primarily located in areas outside SSG (e.g. technology/development teams) • Do not directly report to SSG but are key players in evangelizing security activities and culture • Primary responsibilities: – Assist in triage for the engineering team they belong to – Involved in security decisions with their engineering team – Developing code and writing tests relevant to security – Involved in automation in pipelines
- 23. © 2019 Synopsys, Inc.27 Communication and engagement • Early involvement in SDLC leads to lower costs and less security bugs – But! Communication and engagement are necessary for this. Key questions: – Are you aware of new products being built in your organization? – Are you aware of new features that are being implemented? – Are you involved when user stories are written? – Are you involved at the design stage for architecture? • How do we communicate and engage? – Security Champions!
- 24. © 2019 Synopsys, Inc.28 Find your security champions Security DevelopersSweet spot: the developers who can do application security, e.g. pair program with teams, implement security user stories
- 25. © 2019 Synopsys, Inc.31 Nurture your security champions Should we do another CTF next year? • Sparking curiosity in security – If you are not involving your development teams in security, you will not be able to do this • Stay involved with them – Via slack or messaging applications – Weekly meetings • Case Study: DropBox “Trustober” – 30 events centred around security and training – CTFs for developers – Training for staff in security https://blogs.dropbox.com/tech/2018/06/securit y-culture-the-dropbox-way/ 100% YES
- 26. © 2019 Synopsys, Inc.32 Nurture your culture • Security is everyone’s responsibility, collaboration is key – Get every team involved: Operations, Network, Quality, Business and Development • Get involved early • Proactive not reactive • Don’t work in silo, share what you work on • Internal evangelism via security champions • Be empathetic when working with security issues and development teams – This is especially true with working on remediating issues or disclosing vulnerabilities
- 27. © 2019 Synopsys, Inc.33 Strategy & Planning Maturity Action Plan (MAP) Building Security in Maturity Model (BSIMM) Dynamic Application Security Testing Managed Services Static Application Security Testing Penetration Testing Mobile Application Security Testing Professional Services Industry Solutions Architecture and Design Security Training DevSecOps Integration Cloud Security Synopsys Software Security and Quality Portfolio Integrated Tools Seeker & Defensics Dynamic Analysis Coverity Static Analysis Black Duck Software Composition Analysis =Available on the Polaris platform
- 28. © 2019 Synopsys, Inc.34 Build Secure, High-Quality Software Faster
- 29. Thank You
- 30. © 2019 Synopsys, Inc.36