6–7. Security Goes Left
● Hard to staff a large security org
● Not efficient to find bugs in prod
● Devs want to build good software
● Devs need to be security minded
Source: https://www.experimentus.com/itm/W_06_00055_The_Cost_of_Defects.htm
Source: Tanya Janca, @shehackspurple, https://code.likeagirl.io/pushing-left-like-a-boss-part-1-80f1f007da95
8. Training
● Part 1 - Think Like an Attacker
● Part 2 - Secure Code Review
Source: Security Solutions for Hyperconnectivity and the Internet of Things
9. Think Like an Attacker - Creating Relevant Content
● Bug bounty submissions
● Pentests
● Internal findings
15. Secure Code Review
● XSS
● Broken Access Control
● Secrets management
● Error handling
● SSRF
● Crypto
● Defence Against the Dark Web, etc.
Influenced by the OWASP Secure Coding Cheat Sheet
Source: Your Personal Password Vault: A Password Journal and Logbook
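As an added illustration of what the "SSRF" item in the review checklist looks like in practice (this is example code written for this page, not code from the deck or from Leif's store), here is the kind of Express-style handler snippet a reviewer flags next to its hardened form. The host allowlist and the `buildFetchTarget*` names are constructed for the example.

```javascript
// Added example (not from the deck): a secure-code-review finding for the
// "SSRF" checklist item, shown as the flagged code beside the fixed code.

// Constructed allowlist of hosts this service is expected to call outbound.
const ALLOWED_HOSTS = new Set(['api.shirts.example', 'images.shirts.example']);

// BEFORE (what the reviewer flags): the outbound target comes straight from
// the request. The caller controls the scheme, host and port of a
// server-side fetch, which is the textbook SSRF shape.
function buildFetchTargetUnsafe(query) {
  return query.url;
}

// AFTER: parse the value as a URL, require https, refuse embedded
// credentials and explicit ports, and only accept allowlisted hostnames.
// Returns the normalized URL string, or null when the request must be refused.
function buildFetchTargetSafe(query) {
  let parsed;
  try {
    parsed = new URL(String(query.url));
  } catch {
    return null; // not a parseable absolute URL
  }
  if (parsed.protocol !== 'https:') return null;          // no http:, file:, gopher:, ...
  if (parsed.username || parsed.password) return null;    // no user:pass@host tricks
  if (parsed.port !== '') return null;                    // default port only
  if (!ALLOWED_HOSTS.has(parsed.hostname)) return null;   // exact hostname match
  return parsed.toString();
}

// Usage: a handler would call buildFetchTargetSafe(req.query) and respond
// with 400 when it returns null instead of fetching.
module.exports = { ALLOWED_HOSTS, buildFetchTargetUnsafe, buildFetchTargetSafe };
```

The allowlist is deliberately an exact-match set rather than a suffix check, because suffix or substring matching on hostnames is the most common way these fixes get bypassed in a follow-up review.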
16. Leif’s Hawaiian Shirt Store
Leif has rushed through building a new Hawaiian shirt store with React. Is there anything wrong with it?
(Code shown in two tabs: server.js / App.js)
26–27. Threat Model Prep
● Eng Team provides Sec with:
○ Links to repos
○ Architecture Diagrams
○ Docs
● Everyone should be thinking about threats
○ Bonus points for getting EM/PMs involved
Source: https://articles.microservices.com/an-alternative-way-of-visualizing-microservice-architecture-837cbee575c1
Source: https://thegeekyleader.com/2014/12/07/good-and-bad-software-engineering-manager/
28. Threat Model
● Our process works best with 2+ people from Sec
○ Leader + Note-taker
● Leader keeps the conversation moving
● Note-taker creates Attack Tree and Issue Spreadsheet
32. Threat Modeling Benefits
● Great way to meet engineers
● Information exchange
○ Get engineers thinking about security in new ways
○ Learn more about systems you’re supposed to help protect
● Uncover existing risks
● Prevent problems in future development
33. Vendor Adoption
● Partner with Eng During Trial Process
● Create Implementation Examples
● Spread Awareness
● Integrate with Existing Tooling
Source: https://www.itbusinessedge.com/slideshows/nine-questions-to-ask-when-selecting-a-security-vendor.html
34. Example - Snyk
● Security eval - tested on various repos
● Partnered with App team
● Presented at Eng all hands
● Security submitted PRs to core repos
● Wrote Integration with Directory
Snyk is a tool to help companies manage vulnerabilities in their dependencies.
43. Influential Presentations
● Astha Singhal/Patrick Thomas - We Come Bearing Gifts: Enabling Product Security with Culture and Cloud (AppSec CA 2018) - https://www.youtube.com/watch?v=L1WaMzN4dhY
● John Melton - Starting an AppSec Program: An Honest Retrospective (LocoMocoSec 2018) - https://www.youtube.com/watch?v=ETkHISgEh3g
● Neil Matatall/Brent Johnson - Twubhubbook: Like an AppSec Program, but for Startups (AppSec CA 2017) - https://www.youtube.com/watch?v=JEE7wXHa1kY
● Tanya Janca - Pushing Left, Like a Boss (DevSecCon Singapore 2018) - https://www.youtube.com/watch?v=8kqtrX6C10c