![Page 1: DevSecOps @ Veracode: Security Champions...2017/10/04 · DevSecOps @ Veracode: Security Champions Chris Eng Vice President, Research 2 Chris Eng, VP of Research • 15+ years focused](https://reader030.vdocuments.us/reader030/viewer/2022040409/5ec653ef32b52a2d1c7c3610/html5/thumbnails/1.jpg)
DevSecOps @ Veracode: Security Champions
Chris Eng Vice President, Research
Chris Eng, VP of Research
• 15+ years focused solely on application security, both offense and defense
• Leads a team responsible for integrating security expertise into all of Veracode’s products; also product security and SDLC
• Frequent conference speaker and media spokesperson on a range of security-related topics
• Hates the term “thought leadership” (see http://tiny.cc/thoughtleader)
@chriseng
DevOps – process: where is security?
Security
Security champions
• Your security team does not scale indefinitely!
• Build and train a team to take on specific tasks and to be the security “conscience” on their respective teams
Pick the right people
Start strong
Empower, within limits
How to pick the right people
• 1-2 members from every product team
• Volunteers are best
• Influencers
  – Respected or influential team members
  – Doesn’t have to be a developer
How not to pick the right people
• New employee
• New to team or product
• Already responsible for an existing Scrum role
  – Product Owner
  – Scrum Master
  – etc.
Start strong
• Start with formal training in security fundamentals
• Reinforce with eLearning
• Use CTFs and other opportunities to learn in the wild
Empower, within limits
• Security grooming within guidelines
• Security review guidelines
• Know when, and how, to escalate
Empower – security grooming
• New feature introductions
  – New UI elements
  – New API endpoints
• New architectures
• New security controls
• New forms or actions
• Fix for pen test finding
Empower – security grooming
• AuthN, AuthZ
• Crypto
• Data validation
• Encoding
• Error handling
• Session management
• Cache management
Empower – code reviews
Limited topics based on security controls they have proven they understand:
• Data validation
• Encoding
• Parameterization
• Logging
• Error Handling
The conscience of security
© 2016 VERACODE INC.
Keeping momentum
Measuring and managing
Measuring and managing
• Baseline security maturity
• Code review certifications
• Individual and team goals
Sample AppSec maturity model (you don’t have to read the text)
Measuring and managing
• Goals for champions
  – Code review certification
  – Spot check grooming decisions
• Goals for teams
  – Against maturity model
  – Baseline and update
• Are you getting what you expect?
Learn about their world
• Read
  – The Phoenix Project
  – The DevOps Handbook
• Attend some scrum ceremonies
• Learn their tools
• Write security stories and/or code
Maintain high touch
• Support, not abandonment
• Monthly group meetings to compare experiences and share information
• Slack channel, mailing list: however the developers prefer to communicate
• Periodic check-ins, e.g. quarterly PSMM check-ins
• Joint projects (e.g. VSSL)
Rewards and recognition
• Additional training opportunities
  – Internal (mentoring)
  – External (conferences)
• Teach them to hack
  – Internal CTF sessions
• Give them swag, badges, certifications
Conclusions
• Have empathy
• Overcommunicate
• Remember motivations
• Stay engaged and responsive
• Iterate
Thank You!