Building security into your engineering workflow

https://leaddev.com/events/building-security-your-engineering-workflow

We all want our applications to be secure, but code security is often an afterthought for busy teams. This can lead to serious problems down the line. But times are changing. Tech teams are now viewing app security as more than just a ‘box to tick’. So how can engineers prioritize security and protect their products?

In this panel, we’ll discuss why engineering leaders should view security as an integral part of an engineering org. The panel will look at how to deliver securely in distributed businesses, manage increased data and the ever-present threat of cyber attacks.

Key Takeaways:

  • Assess security threats in an ever-changing tech landscape

  • Incorporate security practices early on in product development

  • Manage schedules for shipping products faster with higher security

  • Establish buy-in within your engineering org to prioritize security in all projects

 

Notes

Security is not "top of mind"

Tie user and product outcomes (and strategy) to security outcomes



What is "shift left"?

"Hey, let's move your security practices into the SDLC (software development lifecycle)"

Implementing security into requirements & design 

Do code reviews while changes are small chunks and the application is still small

Shift left lets developers fix now the things they would otherwise have to fix later

"Shifting all security checks before Production"

Dev team often not familiar with the attack surface

Attack surface grows with application size

(Learn attack surface when application is small)



Bring business counterparts into the conversations about security risks

"Learner privacy is paramount"

What are our trust domains?

E-commerce must meet PCI DSS, so defense in depth is deeper there



Start with requirements, don't start with tools

What are the success criteria?

Tools are how we get there.



Have a security center of expertise to provide guidance and let teams deliver quickly

Leverage the Team Topologies model of DevOps team interaction modes

Collaboration mode, platform-as-a-service mode, facilitation mode

Collaboration mode - initial design phase; consult on product security, privacy, compliance, etc.

Facilitation mode - training and education; how to embed tools into an engineering team's dynamics

Platform-as-a-service mode - decide which practices and tooling the company adopts; the security team standardizes them for adoption



Accountability is important!

Requirements are different based on team (internal work, vs. ecommerce work)



Maintain the feedback loop; no more "goes to production, ops problem now!"

Continuous delivery and feedback loop

DAST - dynamic application security testing - runs against the running application (part of runtime)

SAST - static application security testing - runs against the source code

OWASP Top Ten - follow closely

Agree on which (open-source) licenses are acceptable

Isolation between dev and production environments



Good logging and monitoring, to understand what happened in prod, so you don't first hear about it from a customer or an attacker



What happens when it goes wrong?

How ready are we for incident response?

What happened? Who was impacted? What do we need to do?

Answer those questions so we can recover from the incident; how well they are answered determines the quality of the recovery

How transparent are we with disclosing incidents?

How is your company's "hygiene"? Rotating passwords and automating hygienic practices? Introduce secret/password scanning into code

Housekeeping on listening and learning: what changes need to be made?

Train employees on the changes

How did the breach occur? Understand why, so it does not happen again here or in a similar application

Incident response team, developers, stakeholders
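Added example (not from the panel or any named tool) of what "introduce password scanning into code" can look like: a small pre-commit style scanner that runs a few regex rules plus a Shannon-entropy gate over source lines, and redacts whatever it finds before reporting. The rules, the entropy threshold of 4.0 bits per character, the sample lines and the function names are all constructed for illustration; the AWS key in the sample is the documented AWS example key, not a live credential.

```python
import math
import re
from collections import Counter

# Constructed sample of source lines (not from any real repository).
# Lines 2, 3 and 5 contain hard-coded credentials; the AWS key is the
# documented AWS example key, not a live credential.
SAMPLE_SOURCE = """\
DB_HOST = "db.internal"
password = "hunter2"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
api_token = os.environ.get("API_TOKEN")
SECRET_KEY = "k9Xq2vL8pR4tW1zN6bH3mJ7cF0yD5gA2"
token = "changeme_changeme_xx"
# TODO: rotate password on first login
password = ""
"""

# Illustrative rules (a hypothetical ruleset, not a vendor's). Each entry is
# (rule name, regex, whether the matched value must also be high entropy).
# The last capture group, when present, is the candidate secret.
RULES = [
    ("aws-access-key-id",
     re.compile(r"\bAKIA[0-9A-Z]{16}\b"), False),
    ("hardcoded-password",
     re.compile(r"(?i)\b(password|passwd|pwd)\s*[:=]\s*['\"]([^'\"]{4,})['\"]"), False),
    ("generic-secret-assignment",
     re.compile(r"(?i)\b\w*(secret|token|api_?key)\w*\s*[:=]\s*['\"]([A-Za-z0-9_\-]{16,})['\"]"), True),
]

# Bits per character; an assumed cut-off that separates random keys from placeholders.
ENTROPY_THRESHOLD = 4.0


def shannon_entropy(s):
    """Shannon entropy in bits per character of the string s (0.0 for empty or uniform input)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(secret):
    """Keep the first four characters so a finding is recognisable without reprinting the secret."""
    return secret[:4] + "*" * max(len(secret) - 4, 0)


def scan_lines(lines):
    """Return one finding per line that trips a rule: dicts with line, rule, redacted value, entropy."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for name, rx, needs_entropy in RULES:
            m = rx.search(line)
            if not m:
                continue
            secret = m.group(m.lastindex) if m.lastindex else m.group(0)
            entropy = shannon_entropy(secret)
            if needs_entropy and entropy < ENTROPY_THRESHOLD:
                continue  # placeholder-looking value; skip it to limit noise
            findings.append({"line": lineno, "rule": name,
                             "value": redact(secret), "entropy": round(entropy, 2)})
            break  # one finding per line is enough to block the commit
    return findings


def should_block_commit(lines):
    """Pre-commit style gate: True when any finding is present."""
    return len(scan_lines(lines)) > 0


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_SOURCE.splitlines()):
        print(f"line {f['line']}: {f['rule']} value={f['value']} entropy={f['entropy']}")
    print("block commit:", should_block_commit(SAMPLE_SOURCE.splitlines()))
```

The entropy gate only applies to the generic rule: a weak hard-coded password such as "hunter2" is still a finding even though its entropy is low, while a low-entropy placeholder assigned to a variable called token is not. Reading a value from the environment, as line 4 does, is the pattern the scanner is meant to push developers toward.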



What are good security metrics?

Where is most risk coming from? Tackle that

Score security findings - critical is 20, high is 10, ...

Understand the risk, close the risk, move on to the next area

Training: look at trends in security tickets and fixes

Security is an enabler, not a blocker; look at fix metrics (see the Accelerate book's metrics)

lead time, MTTR, failure rates
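Added example, not from the panel, of turning a security ticket queue into the Accelerate-style fix metrics listed above: median time to remediate per severity (the MTTR analogue), SLA breach rate (counting open tickets already past their SLA), and a reopen rate standing in for change failure rate. The ticket data, the SLA days per severity and the function names are constructed assumptions.

```python
from datetime import date
from statistics import median

# Constructed security tickets (not real data). "closed" is None for open
# findings; "reopened" marks a fix that shipped and was later found incomplete.
TICKETS = [
    {"id": "SEC-101", "severity": "critical", "opened": date(2023, 3, 1),  "closed": date(2023, 3, 4),  "reopened": False},
    {"id": "SEC-102", "severity": "critical", "opened": date(2023, 3, 10), "closed": date(2023, 3, 25), "reopened": True},
    {"id": "SEC-103", "severity": "high",     "opened": date(2023, 3, 2),  "closed": date(2023, 3, 20), "reopened": False},
    {"id": "SEC-104", "severity": "high",     "opened": date(2023, 3, 5),  "closed": None,              "reopened": False},
    {"id": "SEC-105", "severity": "medium",   "opened": date(2023, 2, 1),  "closed": date(2023, 4, 15), "reopened": False},
    {"id": "SEC-106", "severity": "medium",   "opened": date(2023, 3, 20), "closed": date(2023, 4, 1),  "reopened": False},
]

# Assumed remediation SLAs in days per severity (an example policy, not the panel's).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}


def days_open(ticket, as_of):
    """Days from opening to closing, or to the reporting date for tickets still open."""
    end = ticket["closed"] or as_of
    return (end - ticket["opened"]).days


def remediation_report(tickets, as_of, sla_days=SLA_DAYS):
    """Per-severity fix metrics: counts, median days to fix, SLA breaches and reopen rate."""
    report = {}
    for sev in sla_days:
        group = [t for t in tickets if t["severity"] == sev]
        closed = [t for t in group if t["closed"] is not None]
        fix_times = [days_open(t, as_of) for t in closed]
        # An open ticket older than its SLA is a breach today, not only once it closes late.
        breaches = [t for t in group if days_open(t, as_of) > sla_days[sev]]
        reopened = [t for t in closed if t["reopened"]]
        report[sev] = {
            "total": len(group),
            "open": len(group) - len(closed),
            "median_days_to_fix": median(fix_times) if fix_times else None,
            "sla_breaches": len(breaches),
            "breach_rate": len(breaches) / len(group) if group else 0.0,
            "reopen_rate": len(reopened) / len(closed) if closed else 0.0,
        }
    return report


if __name__ == "__main__":
    for sev, row in remediation_report(TICKETS, date(2023, 4, 30)).items():
        print(sev, row)
```

Trend these numbers per quarter rather than reading one snapshot: a falling median time to fix with a flat reopen rate is the "enabler, not blocker" signal the notes describe.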

Impact - what are the known vulnerabilities in our systems, including the open-source libraries we use

CVSS score - what edX uses to score vulnerabilities and help prioritize