Building security into your engineering workflow
https://leaddev.com/events/building-security-your-engineering-workflow
We all want our applications to be secure, but code security is often an afterthought for busy teams. This can lead to serious problems down the line. But times are changing. Tech teams are now viewing app security as more than just a ‘box to tick’. So how can engineers prioritize security and protect their products?
In this panel, we’ll discuss why engineering leaders should view security as an integral part of an engineering org. The panel will look at how to deliver securely in distributed businesses, manage increased data and the ever-present threat of cyber attacks.
Key Takeaways:
Assess security threats in an ever-changing tech landscape
Incorporate security practises early on in product development
Manage schedules for shipping products faster with higher security
Establish buy-in within your engineering org to prioritize security in all projects
Notes
Security is not "top of mind"
User and product outcome & strategic with security outcomes
What is "shift left"?
"Hey, let's move your security practices into SDLC (software dev. lifecycle )
Implementing security into requirements & design
Code reviews when code is small chunks and application is small
Shift left empowers developers to fix things they need to fix later
"Shifting all security checks before Production"
Devteam not familiar with attack surface
Attack surface grows with application size
(Learn attack surface when application is small)
Getting the business counterparts as part of the conversations with security risks
"Learner privacy is paramount"
What are our trust domains?
Ecommerce needs to have PCI, so defense in depth would be higher here
Start with requirements, don't start with tools
What is the success criteria?
Tools are how we get there.
Have a center of expertise of security, to provide guidance and allow to deliver quickly
Leverage Devops team topology model
Collaboration mode, platform as a service mode, facilitation mode
Collab mode - initial design phase, consult on product security, privacy, compliance, etc.
facilitation mode - training, education, how does one embed tools into engineering teams dynamics
platform as a service mode - make decisions and practices of what we want to put into the company; team standardizes for adoption
Accountability is important!
Requirements are different based on team (internal work, vs. ecommerce work)
Maintain feedback loop, no more "goes to production, ops problem now!"
Continuous delivery and feedback loop
Dast - dynamic application security testing(?) - part of runtime
SAST - static app;lication security testing
OWASP top ten - follow closely
Agree to licenses
Isolation between dev and production environments
good logging and monitoring, to help understand what happened in prod? So not to hear from customer or hacker
What happens when it goes wrong?
How well are we ready for incident response?
What happened? WHo was impacted? What do we need to do?
Answer those questions so we can recover from incident - will impact quality of recover
How transparent are we with disclosing incidents?
How is your company's "hygiene"? Rotating passwords and automation hygienic practices? Introduce password scanning into code
Housekeeping on listening & learning? What changes need to be made?
Train employees on changes
How did breach occur and understand why to not happen again or in a similar application
Incident response team, developers, stakeholders
What are good security metrics?
Where is most risk coming from? Tackle that
Score security findings - critical is 20, high is 10,
Understand risk, close risk, move into next area
Training, look at trends for security tickets and fixes
Security is a enable, not blocker, look at fix metrics - look at accelerate metrics book
lead time, MTTR, failure rates
Impact - what are known vulnerabiltiess in systems, using open source libraries,
CVS Score - what edX uses to score vulnerabilities and help prioritize