
DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile SDLC

Page 1: DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile SDLC

Join the conversation #devseccon

Integrating crowdsourced security into agile SDLC
By Ante Gulam

Page 2

Disclaimer

The opinions expressed in this presentation are my own and do not necessarily represent those of my employer.

Page 3

$whoami

• Chief Information Security Officer
• Application Security Evangelist
• Ranked world's Top 10 AppSec researchers (cobalt.io)
• 13 years of experience in information security
• Governance & compliance + hands-on roles

• https://uk.linkedin.com/in/agulam
• https://twitter.com/ante_gulam

Page 4

Interpreting and staging a scene

• Application security threat landscape trends
• Emerging technologies & attack vectors
• Cyber security skills gap
• Inefficient regulations
• “Find and adopt” approach
• …

The UK government's recent Cyber Security Strategy called Britain's cyber-security skills gap a “national vulnerability that must be resolved”.

SC Magazine, Feb 2017

Page 5

Breach Level Index

“The state of application security is not improving significantly,” Asma Zubair, WhiteHat

Page 6

Page 7

Internal Challenges (change drivers)

• Cost to fix vulnerabilities vs. cost of exploitation
• Mobilizing business lines
• Tracking risk posture
• Tactical vs. strategic goals
• Threat modelling complexity
• Real attack surface discovery
• 2 fast + 2 complex

Page 8

Bonus - IaaS and DevOps

• Reducing time to market
• Narrowing down attack surface?
• Immutable objects (Pets vs Cattle)

• Additional layer requiring visibility
• Logging, monitoring, alerting capability

• Re-inventing NSM, NIDS, HIDS etc.
• S3, CloudTrail, SQS, ELK …

• Key management (Ansible Vault, CredStash (KMS/DynamoDB) …)

The speed of light sucks. (John Carmack)

Page 9

[Chart: security maturity level, current state vs. targeted state]

Page 10

TRADITIONAL PENETRATION TEST

Page 11

Traditional approaches

• Fully reactive principles obsolete
• Continuous looping
• Quick wins over strategic improvement
• Slow internal response
• Box-ticking exercise
• Weak integration

Page 12

Tailoring security for early delivery

• Crowdsourced assessment != Bug bounty program
• Full staged integration capability
• Centralized comms and visibility
• Full risk remediation tracking
• Integration into ticketing systems (Jira)
• Broad skill-set pools matching specific assignments
• Flexible re-test capability

Page 13

[Chart: TIME-TO-FIX: 2016, from the Web Applications Security Statistics Report 2016, WhiteHat Security; crowdsourced (cobalt.io): 17.6 days]

Page 14

Crowdsourced workforce

• Targeted skillset matching capability
• Strong diversity
• Different backgrounds and environments
• Commercial and custom toolset base
• Collective threat intelligence

Page 15

Crowdsourced coverage

• Security requirements
• Threat modelling
• Architecture / design review
• Source code analysis
• Penetration testing
• Awareness and training

Page 16

Internal preparation

• Functional risk workflow
• Security “champions” within existing teams
• Strategy-driven process
• Fundamental documentation
• Basic process hygiene
• Open mind

Page 17

Staged integration scenario

• On-demand assessments
• Flexible, controllable timeframes
• Full remediation assistance
• Reduced noise

• Conceptual buy-in
• Natural maturity growth
• Risk reduction

• Staged bug bounty integration
• Curated private -> public

Page 18

BUG BOUNTY PROGRAM

Page 19

Shaping the future posture

• Case-specific assessments
• Attacker profiling
• More granular sets of requirements
• Playbook approach (Julian Cohen, RSA)

• Staged threat modelling

Page 20

Takeaways

• Agile SDLC needs agile security
• Crowdsourced integration seems flexible enough
• Mythbusting: crowdsourcing and security
• What is the alternative?
• Transparency builds trust!

Page 21

Join the conversation #devseccon

Thank you