Sunday, 28 October 2012

Amazing presentation on integrating security into the SDL

Nick Galbreath (@NGalbreath) has published the great presentation he delivered at OWASP's AppSec USA last week.

You can read it on his Rebooting (secure) (web) software development with Continuous Deployment blog entry, which also embeds the SlideShare deck:

There are lots of great ideas and concepts in there, but for me the slide that really describes what we are trying to do (and how we have to solve the 'software security problem') is this one:

"If we want to fix Security .... we have to fix Development" 
"If we want to fix Security .... we have to fix Development" 
"If we want to fix Security .... we have to fix Development" 
.... (write/say 100x until internalized)
"If we want to fix Security .... we have to fix Development" 

One of the reasons why driving security changes and making code fixes is so hard is that security doesn't live in isolation: it is 100% dependent on the development process that exists on the other side.

What I like about Nick's pragmatic approach is that he shows (with real examples) that when there is a slick, fast and effective SDL (with daily pushes to production), security is much easier to embed: there is a much better architecture into which to 'inject security', and the side effects of those security changes are much easier to understand.

The good news is that we, 'the security dudes', have such a good reputation with developers, and they trust us so much, that we are the best guys to drive this change...

.... I can just hear the developers calling the security teams and saying "....Hey, we want to change how we develop our applications/websites, can't you come over and tell us what to do? ... Since you've been trying to 'tell us what to do' forever ... you must have good solutions for how to create the type of development environment that Nick is talking about..."

....yeah ..... right :(


Michael Hidalgo said...

Excellent post Dinis. I want to talk about some issues I have seen in Costa Rica, and I can't tell for sure if other countries have the same issue, but I have seen that most of the time developers (due to a complex SDL) are always responsible for everything:
1. The product has a defect... Did you check with the developer?
2. The product does not have good performance... Did you check with the developer?
3. The application does not work... Did you check with the developer?

And it would be great if all the software developers had the same knowledge as a security expert, but that is not always the case. If all the teams had a security expert (someone who can provide guidance and best practices about security) it would make the software more secure.

I have been quite an observer of this topic. And this is one of the reasons why I want to present at our OWASP Day about how important it is that all the people involved in the development of applications work together and take security a bit more seriously.

We need to learn from the past.

Dinis Cruz said...

Yep, and the more we (the 'security experts') can help (and add value to) developers, the more they will want us to be involved.

But also very important is for the 'security experts' to realize that they might be 'experts' in security, but are usually not 'experts' in development.

This means that they need to respect developers, understand how their world (and frameworks) work, and they need to 'speak the developers' language'.