A presentation at Invited Talk with Developers by Anant Shrivastava
Developers and Security
My 2 paisa’s based on a decade and a half of my experience
Anant Shrivastava, Geek | Researcher
Why my thoughts matter
• Been a developer/maintainer of a moderately successful WordPress plugin.
• Closed the plugin 9 years ago because of other commitments and …
• Faced non-responsible disclosure
• So fixed the bug and then called it quits
Why my thoughts matter
• Maintained a custom Debian-based distribution single-handedly from 2012 to 2018
• Next version to come out in a 2-month timeframe.
• The entire infrastructure and related setup was handled as primary dev + admin
Why my thoughts matter
• Run a static code analysis project called codevigilant
• As of now focused on PHP, mainly WordPress plugins and themes
• 200+ public disclosures
• 150+ to be disclosed
• Lots under the validation process
Built and maintained: backend, automation, website; disclosure process, co-ordination
Why my thoughts matter
• Building a fully static HTML/CSS-only website
• Website heavily data driven
• Specific aim to not use JavaScript at all in the website directly
• Coding my own Hugo theme as well as writing custom wrappers
Why my thoughts matter
• Running my own collection of websites (~10+) on WordPress, self-hosted since 2007
• Maintained the entire offensive, defensive and operations network for an infosec company for 5+ years single-handedly
• Built automations and supported various open-source projects via time, effort, money, documentation etc.
Why my thoughts matter
• Worked at: [company logos]
• Spoken / trained at: [event logos]
Developers and Security
My 2 Paisa’s based on a decade and a half of my experience of Development / Administration / Infosec
Software eating the world
Data Breach Investigations Report 2021
• Web applications are the primary technical cause of breaches
• 2011 to 2021: in 10 years things have flipped
The mess of misunderstanding
How to move forward https://www.slideshare.net/notsosecure/devsecops-what-why-and-how-blackhat-2019
Collaboration is the key https://www.slideshare.net/anantshri/diverseccon-keynote-my-2-paisas-on-infosec-world
Developers have a more ingrained role to play
• Security is considered an art and not a science
• Security needs to be commoditized and converted to a science
• How do you do it?
• Exactly how devs have done this with infrastructure
• From a manual and long-drawn process we have reached fully codified, near-instantaneous infrastructure deployments
DevOps needs to eat security
• DevSecOps as a term should not have existed, but it’s here and people use it.
• Eat the art side of security and make it security science:
  • Automatable
  • Documented
  • Testable
  • Repeatable
It may not be 100% possible, but it is achievable in the high 90s.
Developers to take full ownership
• No one, and I repeat no one, other than the dev knows the code better
• Leverage the security team and support functions:
  • Take inputs from them as early and as often as possible
  • Take final ownership of the product in your own hands
• If the security team acts as a bottleneck, they are doing it wrong
World needs more stable and secure software https://owasp.org/www-pdf-archive/Jim_Manico_(Hamburg)_-_Securiing_the_SDLC.pdf
Collaboration in action https://twitter.com/anantshri/status/1483031251439464448
Mixed bag of responses
• Some responses specifically asking devs to do this or that
• Lots of suggestions to follow "secure early" or put security in at the early stages
• Unsurprisingly, lots were spooked by third-party dependencies
• But a common theme emerged in all these tweets, especially from veterans of this field
Embrace your power
Lots of other useful advice
Some very creative ideas
Did we forget dependency tracking?
Some basic ideas to kickstart the brain
• Use customizable tools like semgrep
• Learn how to test the vulnerabilities
• Try to find bugs as close to writing the code as you can: IDE plugin > git commit hook > CI tool
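The "git commit hook" rung of that ladder, as an added example that is not part of the talk: a pre-commit hook that runs semgrep on the staged PHP files and refuses the commit when a finding at a blocking severity comes back. The ruleset name, the PHP-only scope and the ERROR-only threshold are assumptions standing in for local policy; SAMPLE_REPORT is a constructed report in the shape of `semgrep --json` output so the filter can be tried without semgrep installed.

```python
"""Git pre-commit hook (added example): semgrep on staged PHP files, block on ERROR findings."""
import json
import subprocess
import sys

RULESET = "p/php"                 # assumption: any semgrep ruleset; the talk names none
BLOCKING_SEVERITIES = {"ERROR"}   # local policy: WARNING/INFO are reported but do not block
SCAN_EXTENSIONS = (".php",)       # assumption: the codebase under review is PHP

# Constructed sample in the shape of `semgrep --json` output (not real semgrep output).
SAMPLE_REPORT = {"results": [
    {"check_id": "example.sql-string-concat", "path": "inc/db.php", "start": {"line": 12},
     "extra": {"severity": "ERROR", "message": "request input concatenated into SQL"}},
    {"check_id": "example.unused-variable", "path": "inc/util.php", "start": {"line": 3},
     "extra": {"severity": "WARNING", "message": "unused variable"}},
]}

def staged_files(extensions=SCAN_EXTENSIONS):
    """Paths staged as added/copied/modified that carry a scanned extension."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                         capture_output=True, text=True, check=True).stdout
    return [p for p in out.splitlines() if p.endswith(extensions)]

def run_semgrep(paths, ruleset=RULESET):
    """Run semgrep in JSON mode on the given paths; the parsed report, not the exit code, decides."""
    proc = subprocess.run(["semgrep", "--quiet", "--json", "--config", ruleset, *paths],
                          capture_output=True, text=True)
    return json.loads(proc.stdout)

def blocking_findings(report, severities=BLOCKING_SEVERITIES):
    """Reduce a semgrep JSON report to one line per finding at a blocking severity."""
    hits = []
    for r in report.get("results", []):
        sev = str(r.get("extra", {}).get("severity", "")).upper()
        if sev in severities:
            hits.append(f"{r['path']}:{r['start']['line']} [{sev}] {r['check_id']}: "
                        f"{r['extra'].get('message', '').strip()}")
    return hits

def main():
    paths = staged_files()
    # Nothing in scope means nothing to scan; only blocking findings refuse the commit.
    findings = blocking_findings(run_semgrep(paths)) if paths else []
    if findings:
        print("\n".join(findings), file=sys.stderr)
        print(f"pre-commit: {len(findings)} blocking finding(s), commit refused", file=sys.stderr)
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main())
```

Install it as an executable `.git/hooks/pre-commit` (or wire it into a hook manager); the same `blocking_findings` filter can sit unchanged in the CI rung with a stricter severity set.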
Quick References
• https://owasp.org/www-project-application-security-verification-standard/
• https://owasp.org/www-project-proactive-controls/
• https://owasp.org/www-project-integration-standards/
• https://owasp.org/www-project-spotlight-series/
Important points recap
• Developers are the best judge of how the code gets changed
• Security teams can help, but they can’t take ownership
• Pick tools that work for you and automate sec stuff
Thanks, and open to questions
My thoughts and utopian dreams on developers and information security and how the world should be in my humble opinion.