security in agile development · 2020. 1. 17. · security in agile development joakim. who am i?...
TRANSCRIPT
![Page 1: Security in Agile Development · 2020. 1. 17. · Security in Agile Development Joakim. Who am I? ... ~100 dev teams ~900+ developers. Governance model ~300 Dev teams 2000+ Developers](https://reader035.vdocuments.net/reader035/viewer/2022081410/609f5b214d5f0f763d6c4ef0/html5/thumbnails/1.jpg)
Security in Agile Development
Joakim
Who am I?
@JoakimTauren
Application Security Architect @ Visma Enterprise Development
“Hack all the things, drink all the booze”
Current scope: ~100 dev teams, ~900+ developers
Governance model
● ~300 Dev teams
● 2000+ Developers
● 25+ Countries
● 70M+ lines of code (in SAST)
Security at scale?
Security as a service
● Central services for methodology, tooling and manual testing
● Main Goal: Assist teams
● Provide: Services for FREE for all teams
Transparency on all levels: Confluence and Jira
The Security Program
OWASP SAMM - Empower teams
● Security Training (ST)
● SSA, PSA, RA
● SPIP, PSOC, CTI
● SAST, DAST, MAVA, ATVS, Bug Bounty
The dev team
● Is responsible
● Knows the end users
● Aware of their context
● Receives support from us
● Own initiative
Security Engineer in each dev/app team
Service Owner accountable
Security Engineer
Role within each dev team
Evangelist/Champion of Security
Security culture promoter
Ensures security is part of development every day
Security Guild
A community of:
● Security Engineers
● Security Professionals
● Like-minded individuals
Gathers every other week online -> engagement
Has a chat channel
Target portfolio (Confluence)
Transparent list (current security status) of ALL teams
Can be viewed by anyone in Visma
Security Self-Assessment
A number of questions for each team to answer
Core elements this serves:
● Context-based education
● Review process with two-way learning
● Each item that needs attention -> Jira
Security Self-Assessment
Example questions:
● Client-side input validation?
● Input validation coverage and quality?
● Handling of passwords?
● Dynamic SQL?
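What a defensible answer to two of these questions looks like in code, as an added example that is not part of the original slides or of Visma's tooling: for "Dynamic SQL?" it puts a query built from user input next to its parameterized form, and for "Handling of passwords?" it shows salted, slow hashing with constant-time verification. Everything uses only the Python standard library; the users table, its rows and the PBKDF2 iteration count are constructed sample values for this example.

```python
"""Added example (not from the original slides): code-level answers to the
self-assessment questions 'Dynamic SQL?' and 'Handling of passwords?'.
Standard library only; the table, rows and cost setting are constructed."""
import hashlib
import hmac
import os
import sqlite3

# ---- Dynamic SQL? ----------------------------------------------------------

def find_user_dynamic(conn, name):
    """The answer a team should NOT be giving: SQL text concatenated from
    user input. A perfectly legitimate name containing an apostrophe already
    breaks the statement; that the input can alter the statement's structure
    is exactly what makes this pattern injectable."""
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterized(conn, name):
    """Parameterized query: the value travels separately from the SQL text,
    so no input can change the shape of the statement."""
    sql = "SELECT id FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# ---- Handling of passwords? ------------------------------------------------

# Cost setting chosen for this example (hypothetical); tune for your hardware.
PBKDF2_ITERATIONS = 600_000


def hash_password(password):
    """Store a per-user random salt plus a slow PBKDF2-HMAC-SHA256 digest,
    never the password itself or an unsalted fast hash. The record format
    'algo$iterations$salt$digest' is this example's own convention."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    """Recompute with the stored salt and iteration count, then compare in
    constant time so verification timing leaks nothing about the digest."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex),
        int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# ---- Constructed sample data and a check that shows the difference ---------

def make_sample_db():
    """In-memory table with two constructed users, one with an apostrophe."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("O'Brien",)])
    return conn


def dynamic_sql_breaks_on_apostrophe():
    """True when the concatenated query fails on an ordinary name, which is
    the review finding a self-assessment should surface."""
    conn = make_sample_db()
    try:
        find_user_dynamic(conn, "O'Brien")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_sample_db()
    print("parameterized lookup:", find_user_parameterized(db, "O'Brien"))
    print("dynamic SQL breaks on apostrophe:", dynamic_sql_breaks_on_apostrophe())
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("verify correct:", verify_password(record, "correct horse battery staple"))
    print("verify wrong:", verify_password(record, "wrong"))
```

The point for a reviewer reading a team's answers: "we escape quotes" is not the same answer as "we use parameterized queries", and "we hash passwords" is not the same answer as "we hash with a per-user salt and a deliberately slow function"; the self-assessment is where those distinctions get made and, where they are missing, turned into Jira items.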
Security Self-Assessment
The challenge and key to successful assessments: Transparency
Security Maturity Index
● Transparent list (again!)
● Performance vs requirement
● Supports continuous improvement
● Numeric value between 0-XXXXX
● Tool for teams and mgmt
  ○ Required tier set by mgmt
Security Maturity Index
Performance must be displayed to management
Tool for both management and team
Assists in evaluating needs
Transparency
From the Security Maturity Index ... down to individual vulnerabilities
Product SOC
● Incidents
● Attribution
● Investigation
● Sherlock Holmes of Cyber
● Cyber Threat Intelligence
Product SOC
Successes 2019: 1 person behind bars (cannot disclose)
Ultimate goal:
● Police reports.
● More police reports..
● Even more police reports...
Cyber Threat Intelligence
Security analysts monitor and search for:
● Anyone distributing Visma accounts or secrets on black markets
● Mentions of Visma brand names, employees, or services together with hostile language
● Chatter about pending attacks against Visma infrastructure
● Vulnerabilities and 0-day exploits impacting our technology stack
● and many other topics...
Any team in Visma can enroll in CTI as a Service, at no additional cost.
Responsible Disclosure
https://www.visma.com/trust-centre/security/
● Reproducible
● Coordinated disclosure
● Target only your own accounts, devices and information
● No phishing or social engineering
● Don’t disrupt the services
Bounty plz?
Bug Bounty
Teams can onboard for free!
Final steps towards true maturity
We do have prerequisites for onboarding:
● 0 known vulnerabilities
Wrap-up, the tools
● Coverity (SAST)
● Detectify (DAST)
● Protecode + Retire.js (ATVS)
● “Internal” hackers (6 persons) (MAVA)
● RecordedFuture (CTI)
So… Security as a Service?
The cool thing?
● All services are free-of-charge!!
Why?
● Money should not be the limiting factor
● Abstract the team away from money
Conclusions
Transparency and gamification work!
True maturity = police reports, Bug Bounties
Provide services for free!!
Each time you reuse a password..