The slides include links to my favorite #DevSecOps talks, blog posts, & useful tools.
I've organized them by category so that you can easily delve into whichever topics are most useful to you and your company right now.
Talk structure
Big Picture
* Mindsets / Principles
* Choosing how to invest your time
Scaling Your Company's Security
* Fundamentals, scaling efforts, long term wins
Action Plan
* Tie everything together and put it into practice
Mindsets / Principles
Automate as much as possible
Build guardrails, don't be gatekeepers
Prefer high signal tools & alerting (FNs > FPs)
Devs are your customers - security tool/library UI & UX are important!
And for the kids these days
Choosing How to Invest Your Time
Ask yourself:
Of my near / medium term tasks, which will provide the most long-term strategic value?
Can I do a near term task a little bit differently to make it much more useful later?
Tools in Your Security Tool Belt
Key insight:
Certain approaches are *inherently* better or worse in certain situations, regardless of the specific tool.
Instead of:
"How can I make tool X better?"
Ask:
"Is approach Y a good fit for what I'm trying to do?"
I also think it's useful to target vulns in terms of their
* Class - XSS, SSRF, access controls, ...
* Complexity - What level of analysis complexity is needed to find/prevent it consistently with high signal?
Both can influence our approach.
Eventually your breakdown may look like this:
* Secure defaults - solve many issues categorically
* Tools - helpful for security baselines
* #BugBounty - Continuous coverage
* #Pentesting - Find the hard stuff
* Runtime monitoring - Best for finding certain hard cases
Here's how the @netflix #appsec team has been thinking about it:
The first image is from @astha_singhal and @coffeetocode @AppSecCali '18: https://www.youtube.com/watch?v=L1WaMzN4dhY&feature=youtu.be&t=1855
The 2nd is @HelloArbit & Esha Kanekar @AppSecCali '19: https://tldrsec.com/blog/appsec-cali-2019/#a-pragmatic-approach-for-internal-security-partnerships
The Fundamentals
* Vulnerability Management
* Continuous Scanning
* Asset Inventory
These are not the fundamentals because they're easy. In fact, they're *really* hard to do well.
But, if you have a solid base, you can build awesome, high leverage things on top of them.
Vuln Management
Table stakes for knowing a) how you're currently doing and b) if your future initiatives actually help.
Minimize friction, track all vulns in 1 system, define a consistent workflow, track vuln class/risk/what found it/+ other meta info
Example dashboards
Continuous Scanning
Building a pipeline to continuously scan new code as it's committed and deployed is one of the most consistent trends I've seen.
I've found at least 10 talks from different companies about their approach.
Here are trends they all generally agree on:
* Focus on iteration speed (adding/removing tools, testing new rules)
* Scans should be fast - give devs feedback while they have context
* Show tool findings within dev systems (e.g. PR comment)
* Focus on high signal checks (+95% TP)
* Capture metrics: common finding types, FPs
What to Look For
Static analysis
* Banned / dangerous functions (e.g. exec)
* Security-relevant code additions
* Sensitive file changes
* Out of date deps
Dynamic
* Ensure a security baseline
* Regression unit tests
* Fuzzing
Don't try to find every bug - that's too noisy.
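Added example (not from the thread or any of the linked tools): a minimal high-signal PR scan in the spirit of the list above. It only looks at added lines in a unified diff, flags a handful of banned functions, and routes changes to sensitive paths for review. The banned patterns, sensitive-path regex and the sample diff are my own constructed choices.

```python
import re
from dataclasses import dataclass
# Constructed example of a high-signal PR scan: only added lines are checked, only a
# few banned patterns are flagged, and sensitive-path changes are routed for review.
BANNED_PATTERNS = {
    r"\beval\s*\(": "eval() on request data gives attackers code execution",
    r"\bexec\s*\(": "exec() on request data gives attackers code execution",
    r"\bsubprocess\.\w+\([^)]*shell\s*=\s*True": "shell=True enables command injection",
}
SENSITIVE_PATHS = re.compile(r"(^|/)(CODEOWNERS|Dockerfile|auth/.*|iam/.*|.*\.pem)$")
@dataclass
class Finding:
    path: str
    line: int      # 0 means the finding is about the file itself, not one line
    message: str

def scan_diff(diff: str) -> list:
    """Walk a unified diff, tracking new-file line numbers so findings map to PR lines."""
    findings, path, new_line = [], None, 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
            if SENSITIVE_PATHS.search(path):
                findings.append(Finding(path, 0, "sensitive file changed; request AppSec review"))
        elif raw.startswith("@@"):   # hunk header: "+<start>" is the first line in the new file
            new_line = int(re.search(r"\+(\d+)", raw).group(1)) - 1
        elif raw.startswith("+"):    # added line: the only kind we scan for banned patterns
            new_line += 1
            for pattern, message in BANNED_PATTERNS.items():
                if re.search(pattern, raw[1:]):
                    findings.append(Finding(path, new_line, message))
        elif raw.startswith(" "):    # context line: advances the new-file counter, nothing else
            new_line += 1            # ("-" lines and file headers do not advance it)
    return findings

# Constructed PR diff containing a shell=True call, an eval(), and a new private key file.
SAMPLE_DIFF = """\
--- a/app/views.py
+++ b/app/views.py
@@ -10,2 +10,4 @@ def run(request):
     cmd = request.GET["cmd"]
-    return safe_run(cmd)
+    result = subprocess.run(cmd, shell=True)
+    return eval(request.GET["expr"])
+    return result
--- /dev/null
+++ b/auth/keys.pem
@@ -0,0 +1 @@
+PLACEHOLDER-NOT-A-REAL-KEY
"""
```

Each Finding carries a path and new-file line number, which is exactly what a CI job needs to post it as an inline PR comment.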
Asset Inventory
Know what you own & how they connect.
Start with:
* Code - CODEOWNERs file
* Cloud - servers, services used, creds, permissions, ...
See cartography by @lyft & @sachafaust: represent assets as nodes, relationships as edges -> Neo4J https://github.com/lyft/cartography
An example of the power of asset inventory (steps 1, 3, 4 via graph traversal)
New Struts RCE #StrutsBleed ->
1. Find all Internet facing servers
2. Use curl PoC to determine which are vulnerable
3. Determine code running those services
4. Find code owner, ask them to fix
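Added example (my own code, not cartography's) of the graph-traversal steps 1, 3 and 4 above: a constructed, cartography-style inventory where load balancers, servers, services, repos and teams are nodes and RUNS / BUILT_FROM / OWNED_BY are edges. All node ids and the "framework" attribute are hypothetical; step 2 (verifying which hosts are affected) is deliberately left out.

```python
from collections import defaultdict
# Constructed cartography-style inventory: each asset is a node, each relationship an
# edge. Ids and the "framework" attribute are hypothetical; a real graph is populated
# from cloud APIs, deploy metadata and the CODEOWNERS file.
NODES = {
    "lb-public": {"type": "LoadBalancer", "internet_facing": True},
    "lb-internal": {"type": "LoadBalancer", "internet_facing": False},
    "srv-web-1": {"type": "Server"}, "srv-web-2": {"type": "Server"},
    "srv-batch": {"type": "Server"},
    "svc-checkout": {"type": "Service", "framework": "struts"},
    "svc-reports": {"type": "Service", "framework": "spring"},
    "repo-checkout": {"type": "Repo"}, "repo-reports": {"type": "Repo"},
    "team-payments": {"type": "Team"}, "team-data": {"type": "Team"},
}
EDGES = [  # (source, relationship, target)
    ("lb-public", "ROUTES_TO", "srv-web-1"), ("lb-public", "ROUTES_TO", "srv-web-2"),
    ("lb-internal", "ROUTES_TO", "srv-batch"),
    ("srv-web-1", "RUNS", "svc-checkout"), ("srv-web-2", "RUNS", "svc-checkout"),
    ("srv-batch", "RUNS", "svc-reports"),
    ("svc-checkout", "BUILT_FROM", "repo-checkout"), ("svc-reports", "BUILT_FROM", "repo-reports"),
    ("repo-checkout", "OWNED_BY", "team-payments"), ("repo-reports", "OWNED_BY", "team-data"),
]

def build_adjacency(edges):
    adj = defaultdict(list)
    for src, rel, dst in edges:
        adj[src].append((rel, dst))
    return adj

def follow(adj, node, relationship):
    """Follow one relationship type out of `node` and return the reached nodes."""
    return [dst for rel, dst in adj[node] if rel == relationship]

def internet_facing_servers(nodes, adj):
    """Step 1: every server reachable from an Internet-facing entry point."""
    return sorted({srv for name, attrs in nodes.items() if attrs.get("internet_facing")
                   for srv in follow(adj, name, "ROUTES_TO")})

def owners_of_exposed_framework(nodes, edges, framework):
    """Steps 3 and 4: exposed server -> service on `framework` -> repo -> owning team."""
    adj = build_adjacency(edges)
    owners = {}
    for srv in internet_facing_servers(nodes, adj):
        for svc in follow(adj, srv, "RUNS"):
            if nodes[svc].get("framework") != framework:
                continue
            for repo in follow(adj, svc, "BUILT_FROM"):
                for team in follow(adj, repo, "OWNED_BY"):
                    owners.setdefault(team, set()).add(svc)
    return {team: sorted(svcs) for team, svcs in owners.items()}
```

Note that svc-reports is never reported even though it is a web service, because the only path to it goes through the internal load balancer; that is the point of asking the graph instead of grepping repos.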
Scaling Your Efforts
Once you have the fundamentals, here are some ways to start scaling.
* Threat Modeling
* Security Engineering
* Continuous Compliance
* Detection & Response
Threat Modeling
Security team can't TM every story. What do you focus on?
Common approaches:
1. Self-service security questionnaires for devs
2. Add lightweight threat modeling to SDLC
3. Threat model as code
Talk links, example questionnaires, etc: https://docs.google.com/presentation/d/1zbj9XBiv6r6zla0KHNfs63Ux45QZAfRut2zlK7o-dRw/edit#slide=id.g7cb6a2a1f9_1_202
Security Engr
Build safe by default libs, tools, & services for devs so they can do their jobs without thinking about security.
If X requires security context to not foot gun -> build a wrapper lib.
Good dev UX is critical.
Build security into project starter templates
@Hackimedes: how DocuSign killed ReDoS, XXE, open redirects, SSRF via secure-by-default libs + ensuring their use
1. Find the bad pattern
2. Make the safe pattern the default
3. Train the devs to use the platform
4. Build tools to enforce the new rules
https://shellcon.io/slides/dont-run-with-scissors-shellcon2019.pptx
Continuous Compliance
Specify compliance, security, & other policy requirements in code
* https://www.inspec.io/
* https://www.capitalone.com/tech/solutions/cloud-custodian
You can also scan config management scripts:
Terraform:
https://github.com/liamg/tfsec
https://github.com/bridgecrewio/checkov
https://github.com/cesar-rodriguez/terrascan
CloudFormation:
https://github.com/Skyscanner/cfripper/
https://github.com/stelligent/cfn_nag
AWS IAM policies:
https://github.com/duo-labs/parliament/ by @0xdabbad00 https://duo.com/blog/an-aws-iam-policy-linter-parliament
Detection & Response
Slack IR bot: when a user does something fishy, ask them if it was actually them + 2FA prompt.
Blog post by @ryanhuber https://slack.engineering/distributed-security-alerting-c89414c992d6
PoC bot release by Dropbox: https://github.com/dropbox/securitybot
@appsecusa '18 talk by @krachpot https://www.youtube.com/watch?v=jNxjUKZpDWo
Other neat examples:
* How Dropbox auto gathers relevant context for their analysts
* Twilio's SOCless: write runbooks to scalably handle events https://www.twilio.com/blog/introducing-twilio-socless
* "Githubification" of Infosec by @JohnLaTwC - how blue teams can push the industry forward together
Security Endgame
Long term, high leverage investments
* Automating Least Privilege
* Targeting Vuln Classes: Case Study
* Enforce Invariants
* Quantifying Risk
Automating Least Privilege
RepoKid (https://github.com/Netflix/repokid) by @travismcpeak automatically removes unused permissions from IAM roles. Policy Sentry (https://github.com/salesforce/policy_sentry) by Kinnaird McQuade makes it easier to generate least privilege IAM policies
Targeting Vuln Classes
Aggregate historical vulns, group by vuln class / discovery method, weight by impact
What can find/prevent them at scale (while minimizing cost & AppSec time)?
* Is 1 method finding most high severity vulns?
* Past successes you can learn from?
The goal here is to become *strategically more effective and higher leveraged over time*. Imagine you did a time audit of how your #appsec team spends its time. Hm, that's a lot of time on XSS, let's drill in. Eliminate XSS -> reinvest that time in solving other problems
Short term, these efforts won't yield much. But this will compound as you become higher leveraged over time
* Invest effort based on vuln history
* Consider: vuln classes, what’s finding them, impact
* What's the most effective way (AppSec time / $) to reduce risk?
Invariants
Enforce or alert on things that should *always* or *never* be true.
e.g.
* Manual changes should never be made through the AWS Console - https://arkadiyt.com/2019/11/12/detecting-manual-aws-console-actions/ by @arkadiyt
* CloudTrail should always be on - auto re-enable w/ a Lambda if it's ever disabled
* We should never use these <regions> or <cloud services>
* If this occurs, likely malicious activity
* Can also be done per-app / service
From @travismcpeak & @__muscles' great @AppSecCali '19 talk: https://tldrsec.com/blog/appsec-cali-2019/#netflixs-layered-approach-to-reducing-risk-of-credential-compromise
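Added example (my own, not from the linked talk or blog post) that turns the three invariants above into checks over a CloudTrail record, plus the Lambda that re-enables a trail someone stopped. The allowed-region set, the console-detection heuristic and the sample event are constructed assumptions; `start_logging` is the real boto3 CloudTrail call.

```python
# Added example: evaluate CloudTrail records against the invariants above and re-enable a
# trail that was stopped. The region allow-list and the sample event are constructed.
ALLOWED_REGIONS = {"us-east-1", "us-west-2"}         # hypothetical policy
TRAIL_DISABLING_CALLS = {"StopLogging", "DeleteTrail"}

def is_manual_console_change(record):
    # Simplified heuristic: a mutating API call whose user agent is the AWS Console.
    # The linked post refines this further; treat this as the starting point, not the rule.
    return ("console.amazonaws.com" in record.get("userAgent", "")
            and not record.get("readOnly", False))

def check_invariants(record):
    """Return the names of the invariants a CloudTrail record violates (empty = fine)."""
    violations = []
    if (record.get("eventSource") == "cloudtrail.amazonaws.com"
            and record.get("eventName") in TRAIL_DISABLING_CALLS):
        violations.append("cloudtrail-always-on")
    if is_manual_console_change(record):
        violations.append("no-manual-console-changes")
    if record.get("awsRegion") not in ALLOWED_REGIONS:
        violations.append("approved-regions-only")
    return violations

def remediate(record, cloudtrail):
    """Auto re-enable a stopped trail. `cloudtrail` is boto3.client('cloudtrail') in a Lambda."""
    if record.get("eventName") == "StopLogging" and "cloudtrail-always-on" in check_invariants(record):
        trail = record["requestParameters"]["name"]
        cloudtrail.start_logging(Name=trail)         # CloudTrail StartLogging API
        return trail
    return None

def lambda_handler(event, context, cloudtrail=None):
    """EventBridge rule on 'AWS API Call via CloudTrail' delivers the record as event['detail']."""
    if cloudtrail is None:
        import boto3                                 # lazy so the checks run offline in tests
        cloudtrail = boto3.client("cloudtrail")
    record = event["detail"]
    violations = check_invariants(record)
    restarted = remediate(record, cloudtrail) if violations else None
    return {"violations": violations, "restarted_trail": restarted}

# Constructed event: a trail is stopped from the Console in a region nobody should use.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
        "awsRegion": "eu-central-1", "readOnly": False,
        "userAgent": "console.amazonaws.com",
        "requestParameters": {"name": "org-trail"},
    },
}
```

The handler returns the violation list so the same record can be both alerted on and remediated; a read-only DescribeInstances from the Console in an approved region produces no violations at all.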