SESSION ID: HUM-W01

Ten Things I Wish Every Developer Knew About Security

Christopher J. Romeo
CEO, Security Journey
@edgeroute #RSAC

About Chris Romeo

Security background
– CEO / Co-Founder @ Security Journey
– 22 years in the security world, CISSP, CSSLP
– 10 years at Cisco, leading security education
– Co-Lead of the OWASP Triangle Chapter

Listen to me
– The Application Security Podcast, @AppSecPodcast

Talk to me
– @edgeroute

A future where all developers are security enlightened

Applicability of the "Ten Things"
– Developers
– Executives
– Application Security Program Managers and Directors

Agenda
– The security state of the developer
– Ten things I wish every developer knew about security
  – Description
  – Assess
  – Build
– Conclusion
– Q+A

The goal of an application security program

IT IS NOT:
– To reach zero bugs, because it's not possible!
– To reflect blame upon developers for security concerns.

IT IS:
– To fix bugs faster… and to illuminate as many vulns as possible.
– To measurably improve the security posture of the organization.

The security state of the developer
– Applications: up
– Attackers: up
– Secure coding: down

The responsibility for security

NOTE: Only three in ten open source maintainers consider themselves to have high security knowledge.
Source: The State of Open Source Security Report 2019, Snyk

Concerned, but no time

Concern about open source security: 83% of developers are concerned about whether the open source code they use is secure.
Source: Enterprise JavaScript in 2019, npm

Security is important, but time is scarce: 48% of developers say they believe security is important but don't have enough time to spend on it.
Source: DevSecOps Community Survey 2019, Sonatype

Stack Overflow: Dev's current source of knowledge

"… in some cases an insecure suggestion by a user with a high reputation score was selected as the accepted answer, as opposed to the correct fix by a user with a lower reputation score."
– Secure Coding Practices in Java: Challenges and Vulnerabilities

"… in 1,305,820 Android applications available at Google Play. We show that 196,403 (15%) … contain vulnerable code snippets that were very likely copied from Stack Overflow."
– Stack Overflow Considered Harmful? The Impact of Copy&Paste on Android Application Security

First set of conclusions
– Conclusion 1: Security knowledge is low.
– Conclusion 2: Security concern is serious.
– Conclusion 3: Security resource allocation is lacking.
– Conclusion 4: Stack Overflow is a source of security vulnerability.

The easy way out
– C1 Define Security Requirements
– C2 Leverage Security Frameworks and Libraries
– C3 Secure Database Access
– C4 Encode and Escape Data
– C5 Validate All Inputs
– C6 Implement Digital Identity
– C7 Enforce Access Control
– C8 Protect Data Everywhere
– C9 Implement Security Logging and Monitoring
– C10 Handle All Errors and Exceptions

Think at a higher level

Ten things I wish every developer knew about security
10. Tactical usage of next generation AppSec.
9. Docker and Kubernetes are not security products.
8. GitHub is not the best secret store.
7. The Sec in DevOps is silent.
6. Shift {left, right, outwards} – just start.
5. Third-party and open source vulnerabilities are rampant.
4. OWASP is a treasure trove of security resources.
3. You cannot hack yourself secure, but do take a risk-based approach.
2. Security is your ally, not your opponent.
1. Everyone is a security person and the security need is pervasive.

10 THINGS

#1: Everyone is a security person and the security need is pervasive.

Assess
– Take the organization's security culture pulse.
– Gather the perspectives of Security Champions.
– Review technology areas & identify weak spots.
– Examine SDL and consider uniformity of artifacts.

Build
– Gain Executive buy-in.
– Communicate publicly about investment in security.
– Simplify methodology, language, and framework choices and provide adequate security guidance.

#2: Security is your ally, not your opponent.

The security team succeeds when the developer succeeds, in a valued
2020_USA20_HUM-W01_01_10 Things I Wish Every Developer Knew about Security