Look AppSec people, I know you just love dealing with development teams.  I know the best part of my day is logging into my computer to be greeted by 3 “we don’t think this vulnerability is an issue” emails. Believe me, I’m sure they share the same warm, fuzzy feelings about us as well. But this type of animosity-filled relationship only hurts us both. If we want to promote a strong secure development life cycle and foster a security conscious community, then we to need to put aside our differences and be friends (or at least pretend to be).

So as the unofficial speaker for application security, I would like to say we’re sorry, development teams, for hacking into your applications and probably ruining a few of your weekends.

But in all seriousness, it’s our job as cyber security professionals to help educate those we work with. We can point out 100+ cross site scripting vulnerabilities, but it doesn’t do us any good as a team if we don’t provide the tools and knowledge to help prevent these same errors in the future.

img_0753
So what would we like to accomplish in this post?

  • Apologize for being the Joker to their Batman
  • Methods of build a strong relationship with development teams through cyber security education
  • Tools we can provide for development teams to help prepare them for our assessments

Building a Relationship That Lasts

Our main goal is to build a relationship with development teams.  Even though we have a tendency to make each others’ lives hell every now and then, remember… the enemy of my enemy is my friend.  Right now, the enemy is the script kiddie poking around your company’s web application trying to make all of us look bad.  The ability to have a constructive open-dialogue makes everything much easier.

So how do we go about starting?  I’ve found that the best way to create a strong foundation is through interactive education.  It’s one thing to see a picture of an alert box popping up, but it’s another to actually execute a cross-site scripting attack.  Reports are long and boring, live demos are fun and interesting.  I know, we all have busy schedules, but this is an investment.  The knowledge that they learn in that meeting will be used in the future and most likely in other applications that you will be assessing later.  More knowledge = less vulnerabilities.

Delivery of the material depends on you and your situation.  You should take into consideration how many developers work in your company, if their management will also be participating, and if they’re local or remote.  For my situation, I found that live webinars worked best.  Whether it’s online or in-person, you’re accomplishing a couple of critical things here:

  1. You’re no longer just an email address. They can put a face to a name.
  2. You’re opening a more casual dialogue which will lead to easier, more relaxed discussions in the future.

I chose to do several webinars throughout the month covering different topics and then repeated them each month, adjusting each webinar to cover some new material and incorporate feedback.  This way everyone could pick and choose what they wanted to learn.  The turnout was great and we established some good relationships throughout the company.

If you plan on doing something similar, there are a few things I would definitely recommend:

  • Do not make it a requirement.  Suddenly it becomes an obligation, which we ideally would like to avoid.  We want to keep the dialogue casual and open, which might be lost if people are forced to attend.
  • Always leave plenty of time for questions.  You’ll definitely have plenty to answer, so take the time to answer as many as possible.  If you run out of time, give them some way to contact you.
  • Keep it as interactive as possible. Slide shows are boring.  Live demonstrations, or even having them do the walk through along with you is much more interesting.  I would recommend having some one to help you manage questions/problems.

Investing In That Relationship

I know you probably cringed at the word “investment”. Money is tight, I know, but spending a bit on a few tools for your development teams could save you much more over time.  Plus… A data breach is probably just a bit more expensive.

There are plenty of tools out there designed specifically for developers. My favorite is Codiscope Secure Assist.  If you haven’t heard of it, definitely do some research and see if it’s right for your needs. CSA is an Eclipse/Visual Studio plugin that does static code analysis as the code is being written. It has a very intuitive UI that runs in the IDE and even provides immediate guidance for each vulnerability identified.

It also includes a portal that you and your users can view and manage their projects. Vulnerabilities can be tracked through this portal by the development teams management and the cyber security team can pull reports for analysis (this is especially helpful when trying to justify the cost). You can view which teams are actively remediating issues and determine which teams need a little extra help.

Another tool I would highly suggest introducing is Burp Suite.  I do a monthly training on Burp Suite for development teams because I believe it’s important for them to understand what is happening as we do our assessment. I always hear good things back, they love the tool. And the best part is that it’s free. WhiteHat Security showed in their annual website security report that development teams who perform basic adversarial test tend to have fewer open vulnerabilities and higher remediation rates. Burp Suite will allow them to do this testing.

There are plenty of other softwares and tools out there. I’d highly suggest researching them and finding one that fits into your process.

Thanks for reading!

Advertisements

Join the conversation! 1 Comment

  1. […] you haven’t read the previous post by Matt SDLC: A Strained Relationship, then you should. Don’t start shooting the messengers but instead let them know you will have […]

    Like

    Reply

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About Jean Fleury

Naval officer, privateer, cyber security professional. Traded in my five-ship squadron for a computer and Burp Suite license.

Category

Information Security Profession