DevSecOps Security Champions and How to Implement Them Successfully (Europe 2021)

This session is presented by Sonatype.

breakouteuropelondon2021

(No slides available)

RT

Robbie Tyrie

Information Security Manager, Aegon

TRANSCRIPT

00:00:12

Today, I'm going to talk about the security chunkable and hope to do it. Right. Let's see something I've done in a few organizations lately, um, gets massive benefit between the development team on information security. So that's the four development waste cycle here. This is one of the next assists screens that I've put on here, because predominantly it's going to touch on quite a bit of open source code and it's part of the show as well. So, I mean, who am I, I'm not an expert by, by no stretch of the imagination. Um, I've learned a few things on the way. Um, just what the board adopt. Some committees may appear in this presentation at some point.

00:01:03

So I've got vetted by Clinton information security in it in general, I've got over 20 years. Experience started out at Scottish government on the year 2000 project, which give you an idea of things that was when windows was stolen three 11, and those was still a major thing. Back then, it moved on to police Scotland. I worked on some decent projects, such as GA, um, that switches architecture like the NHS, and then moved on airplane except for Tesco bank. But I helped build the bank from scratch. That was more a infrastructure role there. And then I moved the bike and, uh, security except dental care about security and the police. So with black and skinny at JP Morgan and helped set up their dev ops dev ops management team there. So that was then 21 developers as possible to monitor that entire stage of project. Um, I then ask yourself, waste cycle, are clay still bank with the vulture money to do a bit of clothes migration and that ego not, I am good. I am just, I'm an information security manager. I am responsible for a multitude of projects. I have P secure software development lease. They called it as well because, um, application security, especially, but also Watson projects for database security Splunk, another one. And again, cloud security there as well. So that's, that's a bit about me.

00:02:37

So got to discuss why we need a security champion. Firstly, we need to know what the problem is. Those multiple projects on the goal, many felt when teams and from stuff. And why would you, some technologies, some stats on this stuff make the outsource, do you meet is completely supplier those or software components, especially when the, the open-source landscape, um, and there's no security culture and the development community. Um, one thing I would notice not here that I've seen everywhere as delivery as can. So we need to solve that and security champions go, going to help with that one.

00:03:20

So how do we clear our security culture? Well, when you do the test on it, up to your tech security and the consideration, that's one question mark that you should be asking yourself, are there films appropriate and can fuck up to the business requirements, the innovative clinical applications on functions? Why as well, I mean, these are all questions that you need to ask yourself when you're actually looking at security outcome and your support security culture as well. So what is a security culture anyway, by Southern Maine and made about security in your project, you do any day, it can consideration of security. I have a responsibility for, for your code as well. You want to be sharing knowledge across your teams. Don't keep everything to one area and half, and I'll be honest for security. So, I mean, that can be things like I say, I've done seminars and meet ups, that sort of thing have enough Gusto in case you want to take an interest and for sick. And the biggest thing is getting management buy-in as well, but should we take no responsibility for your poor quality, um, and being aware of security issues and changes is another one.

00:04:40

So what are the bulk of sleep, Horst and polls of what the blockers for implement and security champions? Well, obviously everybody's too busy. Everybody's got demands to meeting project deadlines, um, baskets, not the elephant. That's one thing I've seen payment claim. Again, our management upsale, you've got firewalls that are controlling your security is there. Why do we need to take your software security in consideration? Um, obviously say that you've got to do this to do it only as a pilot project as well. Well, yeah, as a pilot project, then you'll see the results and you'll wonder why the other thing has, especially in an idea with vitamins split up to what he's moving to. Nose changes, changes too fast. They can send that information security. I've seen teams that will always send three things or they, um, if you find a vulnerability in any accord, then that's your whole paper and pulling apart.

00:05:40

And I gave, I'm going to mention this team and team again, delivery above security delivery is Ken and many, many organizations. So about security seems to be an after thought. People are scared to face the issues which I'll take team and solve and not one party had of the so need. These are reasons why it's less difficult, but if you've got that attitude, you know, you're guaranteed to have some problems and you end up with a massive or technical debt when you do the seat to death. So my advice would be if you're thinking of doing a secure software development and you put security champions in place sooner, rather than wait up, because the way we've the suddenly I'm on a team before our security incident approach, um, especially in the open-source landscape, vulnerable is, can be changed on a daily basis. Um, that's one thing that we've seen a benefit from the sort of fake products.

00:06:45

They can see each in a way, but he fails and what vouchers to move to if you do have a vulnerable. So I'd say that that's been a massive help for us, but if you don't work at bed, it's going to blow up in your face and all the way up. So what's the solution here. So solution as I implement a security advocates, so what security childcare got active members of our team that helped make decisions about when to engage the security team. They will act as a voice of security for a given product or team and assess them the security that she has of security box for their team or area. And also when went there, if you want a bit more detailed description from, from all wars, she's quite helpful.

00:07:39

So who are the security champions? So you've got your developers to be developers can be architects, or you can be project manager, guy save on the desk or the box. And my experience, Dave we'd make ideal security champions. Um, they've got vested system, their code, they know the code on site, and they're the ones that can talk technical or technical level with your information security team. While I would say that does make good security champions, as people have got good communication skills are also happy to talk to their management team as well with what the problem is. So if you think people with these, these skills over play good, but the purpose as the self-manage fail over possible, sort of that , I deal with the security Tompkins. She built effects that it's only when they can't fix an issue themselves, should they be walking with the information security team?

00:08:49

So what's the benefits benefits of having a security champion has obviously got a bed insecurity, your team, that teams you're engaged in non-security people and obviously yep. Cleat and a security culture, social security is no longer or the back of your mates and your fame to defects area, and you'll be able to make informed decisions. So some of the, some of the good attributes for security champions as I'm getting up to where I'm about, there was top 10 for web box, um, secure code and methodology, basic three, I'll be honest. There's another one. Um, if you're then skeleton, you can learn what a bit of development waste cycle close on your technologies for examples and other thing. And then they become a childcare. So some kids are my experience, know how to use the scanning tools, verify that assaults perform quarter views, be informed in each project, what information security influence management, um, and be able to help other filament colleagues fix security problems early.

00:10:02

So as you can see, you can have definite sort of wave also security chunkins here. So there's Katie application as well as another way as, as well. But ultimately we've got to be a single point of contact for, um, for like for that particular area, doesn't have to be a dev team itself. You can do it as on a project level and on a product level as well on all places, I've done it at baseline drawbacks. But, um, I found that what best really based on our technology stack, such as Java or.net, you have a single point of contact for each. It does help the information security it, can you do it that way? So the expectations offer security champion are to share the knowledge between the colleagues helping the decision maker. So that's on an information security management release management point of view as well, cardiac security, if you, so don't call it abuse for more junior staff, one of our vulnerabilities within their code scan results.

00:11:04

So there may be a licensing issues where you can, where, you know, we always so many ways CNCS 40 of the scanning tools. I've seen that at some places and a chunk and should always have access so they can see what the results of the scans are. Um, they should be able to help player cases, security issue, and a book information security. It can help them there by, um, what can I, what's critical based ups phos or the NovaSeq assessments. Um, assess by this will sound a lot of good one, if you a security champion, cause you've got to be quite popular.

00:11:45

So this is about a bit the timescales and hope and actually do it. And I'm not way off. I've seen it done typically between four and 12 weeks. That's where from scratch and management. Buy-in the pace and the size of the organization as well. But ultimately the identified the team, the fame that all nominate the champions that you're working for set up communication channels. Um, , that seems to help when you can get it as well, sort of the person create a strategy for information security. If that boss help build the knowledge base. Um, I know you can also do a weight once in a while on sessions as well, which is quite helpful and maintain and emphasize that that is key. Once you've got the security champion in place, you want to make sure that though that, I mean onboard them and still keep after a few weeks when nothing's happening puts you've put your security cycle in place.

00:12:43

And so what can smoothly, um, one thing that we've seen where the security champions that's another benefit for half an arm is not just an application side of things of, they are single point of contact form, contact your team. That's not information security projects on the goal. They're the first point of contact that circle I'll reach out for any queries or get their opinion on things. So as we've done in the whole application and Fayette landscape as well, it's just good when you're normally in Shopkins. It's always good to give. I get, I get some help from your information security guys, because I mean the other ones that I've got, they're working side by side with them as well. So they should have an input in the nomination.

00:13:35

So our first step is to identify the team spoke about us or there they say, you can do it by technology stack or something more expressed that by the, as well or byproducts, but again, and for six shifts have an input on LS. One, um, you can have multiple security champions. Our team deputy is a good idea to be fair. Obviously the annual even things like that, or just busy periods, you can speak to your decade, but ultimately it should really be a single point of contact follow-up particular idea. So the fate and the rule as the next step. So measurement of the consecrated state and the team you want an all how mature your security landscape has. That's a good one. Um, knowing what skills are for protect your developers, et cetera, or architects I've ever SSL, but it gets scary chunking the famous short two material of goals. So, um, for example, start off, start off, wait, just scan a couple of ups and get the skill of the champion.

00:14:47

they do what they want to achieve as well. So a good thing, um, identify yesterday, just get him help. Um, if you've got a lot of bugs in your code, that's probably a good place to start, good data to start on, um, and provide the queer and the fatals for the champion. Um, say, uh, VCA MIPS access as good as well. So they know their roles and responsibilities, but what I've seen as with general heroes verifying the of the discards as we're conducting the scans themselves, being involved in that east process and doing quarterly reviews as well. What can I technical debt as well as another thing? So, one thing I've always seen is when I see a new implement and at a development waste sequel, then when you do that, and then the foster instance, you're going to have a massive backlog of security vulnerabilities. You have technical, just security, technical data, and effect that you've got to have them walk through the Volvo and the security champions in that process. It's going to give you crack ones, cause there'll be a way to tell you create correctly what they're able to flex fast. And ultimately that's what management is looking for. If you see a problem you want to affects cope with.

00:16:02

So normally in a Tompkins, the next thing, they should have a very good understanding of team scores and how it operates. You want me to get approvals on all levels? I cannot stress that enough. Otherwise you've got to here. I've got an all team for security. You're probably looking for the next year. Experienced team members here must have commitment from senior management. One way that I've done this in a fast as the art security champion specific objectives, personal development plan. So management can get or see the benefit quick, quickly as well, have an official reviews.

00:16:49

So on that way, if you don't get approval for us, there's no point in donut. You can do office CDO desk if you want, but if you've not got management, buy-in, you're completely wasting your time with us. Um, so do we need to get, get them on board once you've got 'em once you've got your security chunk, like I'm feel we could chunk it into something that appears government and the West's, um, make sure that the skill of a single point of contact from a paradise from auction in some cases, and get them all through the organization as well. Then our single point of call it tactical in a foster instance for application security communities. Um, that's quite useful from information security's point of view, as you can probably imagine as well. And I guess bite him a beautiful on the pub as well. Make them feel wanted setting up communication channels is, is the next step.

00:17:49

Put them on me. I once was Tim scripts of daycare. I'd meet in Sweden information security team as well. So after a couple of weeks, so you get together and just review what's been, what's been happening. So Jane, that I'll catch up, um, once you were on sessions, as I, as all good thing as well. Um, but also get management, understand the role and, and, and detail as well. So invite, um, management and there's some of these meetings as well, just so all be on WhatsApp and then application security landscape also, uh, building our knowledge basis. So security Tompkins, um, quite a way to fake that all sort of sports, no it's, uh, mentioned, uh, racing it's X beforehand. Definitely do that. Um, what's your Vasques and vulnerabilities that you'd come up with a it off and then that can help you focus on scene in front of developers as well.

00:18:46

Um, I can name specific decent Jean of course is for developers, but I won't, you can reach out to me if you, if you want to hit some point, not one, but yeah, Tina's Creek cause I, I, something everybody should be doing. So what sports next ODA grow, maintain and grow your interest. So development fell apart community of practice, if any of the thing you're secure coding standards. So if you're doing web apps, you can base that on the top 10, for example, obviously also that would fall to, um, what I mean by that is that your mandate scanning at each point of the development waste cycle, you'll have toolkits by with checkpoints, what you actually do, if it feels at all get, um, what, what I've done in the past of St. Paul of course, up in the paperweight sort of fell poss cannot be able to so called back and the deposit say I've owned about his phone, the half defects that at that point, that pretty much guarantees secure, call them production as well, but just could think of a bunch of strategies and all the things you can, you can always unfortunately organization and, and get them involved in information security projects as well.

00:20:02

Um, have the security Tompkins involved in decision-making and information security. If you're looking at strategy for examples, good that have the chunk kids can be involved in setting that InfoSec strategy because they've got the feet on the ground at the end of the day, um, setting up monthly quarterly review meetings, what's the next thing, uh, maintain so that the champions meet them and pertinent the sessions on InfoSec. Go there, give them feedback for that NGL approval and put them on any appropriate Shannon as well.

00:20:43

Uh, this is just an example of some Scott Scott in tools, the other that you can use. So I've got sort of tape and I've seen them the biggest benefit, especially the open-source vulnerable is we've seen them the most issues, obviously, because it can be right in by any anyone main things that they attend for so many organizations, they often check them. So although we're seeing the most vulnerable is that sphere. We're also getting a bigger span of fact. So if you've gotten a focus on one part of their software development waste cycle, and you'd use them on source Hans or percent of the team, it would be that I'd be focused on. So that's um, especially if you're working with third-party suppliers here. So for example, we are using CVSs CVSs scoring system. And so anything that's rated seven or above you'll want beltfield new, that's not only useful for MTN all developers, but if you're working with third party suppliers, it gives them something they focus on as well.

00:21:49

That's understandable. And it doesn't March against any particular security scanning tools, real sets as well. So you have what you're working on. Something create genetically, which I've seen a massive benefit for them as well. Dashboards. Yeah. Passport passports are great management, swamp passports in the Portland. It's the honest with you and all the projects I've worked on when we're setting up a secure software development waste cycle. That's the first thing I've been asked for. When can I get dashboards? When can I get a report on it? Yeah. So that's not, we ended a day and this is what management wanted to see. Um, don't change an analysis is one thing that I found to be fairly beneficial as well. Now we can do that for a postdoc, your department protect your product as well, if you want to focus on a micro level. Um, so yeah, I mean, that is one thing you want to be cause sometimes from day one, as well as looking at your dashboards.

00:22:46

So we have, there's a sleeve at what what's, what's, what's your benefit. And I've got a bit of sleep that I absolutely hate you has the chef, the lift, everybody mentions is shuffle with these days. But I mean, as true, I mean the falling away, you know, you're doing you're, you're scanning the waste as soon as you're going to get in production. So that's a good process. Um, there was another there's another site and I'm sure everybody's seen as well applying code bulk test. So we used to play or put it one continuous one on now I've got a focus on the lease you have next rate key in the middle that's absolute key. So the waste management of course delivery is key. Luis management must be kept informed the Nemours people and overall process. As I'm not in it, you're going to here, I'm a fleet. Um, you need to be able to sit. It's always minus that. If you've got a vulnerability that's critical for your organization, that you have this stock, we said that this is the most challenging part of your whole secure software development waste cycle and assist failed. The security chunking can what could a waste management and key the whole process.

00:24:07

So in some, some cases, um, what I would say, you actually know what chord, what chords, as I swear, as we stand for adoption, you know what you could call it actually looks like. So you want to make sure that your voice mentioned information security. I've got a seat at the table, the thing you have gates, and what could have we Spanish walks with them. Also look at your board console. You have asks from an InfoSec perspective on the landscape of an exception process assist. Yeah, that's a good point actually, especially in the open source landscape some way, but he fails may have a vulnerability, but there's not effects available for it. You can't even go back empty this fellowship and there's no one, you have it doesn't have a vulnerable. And then what I've done is I've done. Team-based we've osteo. So F does no business unpack and you've got the security controls and, and for sex sites, faith, I would recommend given as a maximum that we, after the Navy days, grace period is up potentially.

00:25:17

There could be another source of labor if they were available, but you can be given an accord or a watch point. You can discuss the information security about reengineering, the whole code base to move up the usage of that light. But if I that's, that's a worst case scenario, but it's one that I've seen seen elsewhere in the past. But ultimately you want to be taken at us based approach to things here. So how do you get management by a source of like, um, oh, I'm not waiting that I use scare tactics. That's not just what may be, but it always them, for example, at K school bank, they got famous 16.4 Marine code fateful having a security, a bitch. When you start buying. In fact, I was like that about little set up could be attention, but ultimately sell the benefits, make hallways and get people in the business suit who you are out here are some important that's difficult states also could get short it start off small girl from them and do a gender analysis of reports, charts, the Fest that class or management care about this horse and the plastics again by them.

00:26:27

If you, if you're half day, but you start small and start the Lebanon results start with. So just have a recap here. So normally you find a problem statement in a work as identify the champions, the faint of all set up communication channels and your keyword, Nellis punishment buyer. And if you've got all of them in place, you'll have a security culture and your organization and that set sort of snow or what are you guys if there's any questions, I think you can post them in the chat and that's me.