The road goes ever on and on by Ciaran Conliffe at DevSecCon Boston 2017

1. Join the conversation #DevSecCon
BY CIARAN CONLIFFE
THE ROAD GOES EVER ON AND
ON: OUR JOURNEY TO AND
THROUGH SECURE
DEVELOPMENT

2. • Develop specialist and enterprise
scale applications for Liberty
Mutual.
• Based in Belfast and Dublin
• Design and implement innovative
solutions using both existing and
emerging technologies.
• Technologist and engineer
• Focus on software solutions to
security problems
• Fascinated with history and the
deep causes of events

3. Back in the day…
2.2250738585072011e-308

4. The Vicious Cycle
Explain
application
and
architecture
Discuss
proposed
changes
Start to go
through
security
aspects
Run out of
time in
meeting
Wait two
weeks for
next
calendar slot

5. Breaking The Cycle

6. The Threat Modelling Process

7. Developer Education

8. Shifting the Focus
Original course breakdown
Introduction to threat
Producing threat
Mitigating threat
Revised course breakdown
Introduction to threat
Producing threat
Mitigating threat

9. Security Champions
• Implement and champion secure development best practices
throughout the project lifecycle
• Support and advise on security related matters
• Facilitate threat modelling exercises
• Update threat models throughout project phases and releases
• Ensure any team security innovations are recorded
• Maintain and update the central security knowledge resources

10. Architecture Driven Threat Models

11. Process Driven Threat Models

12. Testing Your Mitigations

13. Developer Security Testing
• Autocomplete
• Browser Caching
• Cross-Frame Scripting
• DOM Data Exposure
• Error Messages & Logging
• File Upload Restrictions
• Logout Functionality
• Privilege Escalation
• Session Cookie Handling
• Session Timeout
• SQL Injection
• Transport Layer Security
• XSS Injection

14. New Challenges

15. Making People Responsible Builders

16. Security as a Community of Practice

17. Security And Testing

18. Exploratory Testing
• A different approach to testing
– not just a technique
• Investigating, not confirming
• Structured and disciplined
• Uses heuristics and time boxing
to encapsulate process
• Solid up-front specification and
focus in charter for test gives
testers freedom to explore

19. Security Guilds

20. DevSecOps & Security Guilds

21. The Journey Continues

22. Join the conversation #DevSecCon
@shinyemptyhead
LinkedIn
@Liberty_IT
@technicalread