Learn how fast-growing authentication and mobile security solutions provider Entersekt leverages Black Duck Hub for competitive advantage by empowering teams and automating open source security risk management throughout the Software Development Lifecycle (SDLC).
5. • Phishing attacks cost global organizations billions every year
• One out of 5 fraudulent transactions originate in the mobile channel
• More than 90% of mobile apps contain basic vulnerabilities
Our problem: A global authentication pandemic
NEWS headlines:
• LinkedIn suffers data breach
• Zeus Botnet Eurograbber Steals $47 Million
• Don’t bank on your phone – it could be hacked by Zeus ‘trojan horse’
New vulnerabilities reported on a weekly basis
Successful attacks not even making headlines anymore
6. • Founded in 2008 by 5 engineering students
• One of the founders’ mother defrauded
• They wanted to do something that matters
• Not daunted by current failings of security solutions
• A novel approach with existing tech
A solution: Entersekt’s story
7. Going live in 2012: Nedbank as a case study
[Chart: two series, Attempts and Fraud, plotted from 30-Jan to 30-Jun (y-axis 0 to 80), annotated with the Entersekt go-live]
Nedbank does not even appear on SARS e-filing phishing site!!
8. A growing global footprint
Johannesburg, Mauritius, Atlanta, Beirut, Dubai, Lagos, Minneapolis, Sydney, Amsterdam, Cape Town, Zurich, Palo Alto
16. 1. Risk management
• Approved open source?
• How secure?
• Can we be diligent and agile?
2. Ability to identify open source licenses
3. Scaling
• Manual vulnerability assessment process
• Getting behind with updates
Our open source challenges
17. “Black Duck met Entersekt’s checklist of what we needed
in an open source vulnerability management solution
better than any other vendor.”
The obvious choice was...
1. Seamless integration and ease of use
2. Relevant feedback
3. Earlier in the SDLC
4. Real-time and continuous monitoring
5. Automated notifications
Black Duck Hub checks the boxes
6. Easy-to-digest reports with minimal false positives
7. Jenkins support and secure scanning
8. Code doesn’t leave intranet
9. Identify open source licenses
Black Duck Hub checks the boxes (cont.)
21. 1. Urgent vs important
2. Build pipeline challenges
• Jenkins jobs differ in each team/project
• Black Duck sometimes executed manually
3. No best practice/standard
4. Maintenance owner
Lessons learned
24. 1. Phased roll-out in teams
• Phase 1: Education
• Phase 2: Implement a standard pipeline framework
• Phase 3: Hardening cycle
• Phase 4: Policy Management and Jira integration
2. Team agreements
Empowering the development teams (cont.)
Key Takeaway(s): Who, why and what
Who am I:
Philip - I work for a company called Entersekt - a software product company and our mission is to make the internet a safer place
Presented at Flight Amsterdam – shared some of the challenges we had and lessons we learned as a fast-growing organization.
Why am I talking about Black Duck Hub:
Since our mission is to make the internet a safer place and we leverage Open Source technologies it would be quite unfortunate if we introduce vulnerabilities into a customer’s operations.
What will I tell people:
I believe that tools are only as valuable to the organization as the people that use them and how they use them.
At Entersekt we trust and entrust our people with a lot of responsibility, and it has resulted in a highly engaged and high-performing culture.
Our Software Engineering team hasn’t had a single resignation in 26 months and counting, and clients only report 1 bug for every 10 releases (and we do about 20 releases a month).
I’d like to share some of our ideas with everyone here on how we organize and empower our teams in an agile environment, especially with a powerful tool like the Black Duck Hub. My hope is that you may take home some thoughts or ideas on how to get the most out of the Hub and your people,
OR even give me some of your thoughts or ideas.
But before I do I just want to set the stage by telling you a little bit about myself and the company that I work for.
Key takeaway: Studied & worked in Chicago
Originally from South Africa, but lived in Chicago for 10 years, where I studied Computer Engineering & Business and then worked for CSC, a large consulting firm, for 4 years.
Baseball quiz - Scott Podsednik – walk-off home run in 9th inning of Game 2 of the 2005 World Series (White Sox vs Houston Astros)
There was also a grandslam home run by Paul Konerko in the 7th
Reference: https://en.wikipedia.org/wiki/2005_World_Series#Game_4
**Houston Astros won 2017
Key takeaway: Moved back to South Africa in 2010
Joined Entersekt in 2014 (Situated in Stellenbosch – heart of the Cape Winelands)
As the Engineering Excellence Manager my responsibilities include software quality, hiring the right people, and making sure they are trained and equipped to build excellent software.
[joke] Hopefully the origins of my somewhat confused accent make sense.
Key takeaway: Phishing is a global problem – results in lack of trust in mobile channel
Phishing is still a huge problem today costing companies billions every year
20% of transaction fraud occurs in the mobile channel
Most mobile apps are compromised (making app security, especially banking app security, crucial)
NET: This results in a lot of fear from bank customers to adopt the online and mobile banking channels. Many still prefer to go into a branch or just limit the type of services
References:
http://www.techrepublic.com/article/report-90-of-mobile-health-and-finance-apps-vulnerable-to-critical-security-risks/
http://bgr.com/2014/01/14/mobile-banking-apps-security-vulnerabilities/
https://www.mobilepaymentstoday.com/articles/the-merchants-role-in-mobile-fraud/
http://blogs.rsa.com/2017-global-fraud-cybercrime-forecast/
Key takeaway: Entersekt’s journey started with family falling for a phishing scam
Founded by 5 Engineering students from Stellenbosch University
Desired to start their own company and make an impact in the world
Christiaan’s mother lost money due to online fraud (or phishing)
They realized that current online security solutions were failing and decided to solve the problem
They created a solution that creates a fully encrypted channel between end user and bank using their mobile phone & digital certificates
**Christiaan now Product Manager of Identity & Security at Google
Key takeaway: This is how effective OOB2FA is with end-to-end encryption
Our first customer went live in 2012
Immediately saw a 99% reduction in fraud caused by phishing
Nedbank not even listed on the warning page of South Africa’s tax collection agency
Nedbank had to repurpose an entire department
Key takeaway: The demand for our solution is growing
5 years on from our first live customer we are in over 40 countries
This includes our strategic partners & resellers
Lots of opportunity in the gray areas
Not bad for a company with just over a hundred employees
Note: Run through this kinda quickly
Key takeaway: This is what makes our product really cool
Use the Mobile phone because we always have it with us
User experience must not be cumbersome
Secure all attack vectors, starting from mobile app integrity (jailbreak and keystore compromise detection, code obfuscation)
We don’t store any sensitive user data, so we are PCI-DSS and GDPR compliant
Key takeaway: OTPs do not provide adequate second factor authentication
Examples of OTP: SMS, email & hardware token
Walk through steps 1 to 7
Key takeaway: Out-of-band authentication allows user to authenticate each transaction
Instead of entering an OTP in the compromised channel, the user responds directly to the bank.
The mobile app is enrolled with bank and identified with a unique digital certificate
Authentication can be set for sensitive transactions such as adding beneficiaries, doing transfers, payments, etc
Key takeaway: The components necessary to make this end-to-end encrypted channel possible
Mention mobile SDKs, EMR & TSG
Lots of open source libraries (e.g. openSSL, ZeroMQ, Docker, Tomcat, node.js, Cassandra, etc) combined with proprietary cryptography protocol stack
From a code and technology perspective these are our risk areas
Key takeaway: Entersekt ahead of its time
The solution we came up with in 2008 will, 12 years later, become a standard/best practice
We are about 2 years ahead of our competition per Gartner
Key takeaway: Why we need a tool to automate open source risk management
In an Agile environment I ask my team:
Does the build contain only approved open source components?
How secure is the build? Does it have any security vulnerabilities?
Can we add diligence and remain agile?
Ability to identify open source licenses (we need to make sure what we are using is legal because, as a small company, we are dependent on funding. Black Duck gives us the power to know what we are using and whether it is exposing us.)
As a small but fast growing company our success is based on working smarter, not harder
Keeping an eye out for news on big vulnerabilities is not going to scale
We are on three platforms and need to support our banks, who don’t upgrade a lot, so we have to keep clients working. When you don’t control upgrades you still have to maintain backward compatibility, or you will break upgrade paths, so support windows need to be long enough. So we choose our versions more intentionally, because we will have to support them and can’t just change to new tech.
Key takeaway: Why we need a tool to automate open source risk management
Completed two trials with two SAST vendors. We didn’t feel either had an adequate solution for open source security management
Our research identified Black Duck as a market leader in that field, and we had Black Duck provide us with a trial of their solution.
Key takeaway: What we need from Black Duck Hub
The set-up process was straightforward, and the feedback from Black Duck demonstrably helped improve our product’s quality.
The report output was clear and provided solutions on how to mitigate the risks discovered.
The responsiveness and support from both its customer success and technical support teams also led us to make the business decision to select Black Duck
Key takeaway: What we need from Black Duck Hub
Key takeaway: Initially we struggled to get the most out of the tool
Everything is urgent in a fast growing company
Symptoms of capacity challenges:
Build pipeline challenges:
Engineering teams were all implementing CI pipelines a bit differently because they range from mobile and cloud to server architecture
Black Duck is part of the build phase and was sometimes executed manually
Everyone used the tool differently in terms of how often to run scans, how and when to do triage when issues were found, and who was involved.
Getting to update and maintain the server was often a pain or an afterthought
Key takeaway: We don’t want silos in our development organization
How do we support and empower our development teams without creating silos?
How do we not suffocate our high performing and highly engaged culture with too much bureaucracy?
We haven’t had a single resignation in 26 months now
The law is based on the reasoning that in order for a software module to function, multiple authors must communicate frequently with each other. Therefore, the software interface structure of a system will reflect the social boundaries of the organization(s) that produced it, across which communication is more difficult.
https://en.wikipedia.org/wiki/Conway%27s_law
Key takeaway: We created cross functional and agile teams (w/ Automation Engineer)
Our Software Engineering structure is based on the Spotify model – cross functional & agile teams
We have 7 teams (between 4 and 6 team members) all in one city
Have the right skills and knowledge in each team; avoid silos or dependencies on other departments or teams
Empowered through tools and privileges (example roles in the Hub)
Automation Engineer in each team
Part DevOps, part test automation, 100% developer
In-house test automation framework built on open source tech (node.js, cucumber, gherkin, appium, etc)
Have a passion for software quality and efficiency
Their mandate is to serve their team – implement build pipelines that will kick off Black Duck scans
Architect Evangelist position (part of the tribe)
Sits in planning and grooming meetings
Coach teams on technical design decisions
Bridge the gap between dev teams, and between dev teams and Product Owners
Security Evangelist not DevSecOps (https://www.entersekt.com/all-careers/software-security-evangelist)
A lot like the Architect Evangelist
Coach/support teams on secure design & implementation
Will do pen testing & keen interest in Black Duck reports
Lead general education and mindshares of security issues & topics
Toolsmith: maintains & updates Portus, Jenkins and ESXi resources
A bit like in-house infrastructure/sys admin person but that can also code if needed.
Not needed in every team
https://www.entersekt.com/all-careers/toolsmith
Key takeaway: How we got back on track
Tools are only as valuable to the organization as the people that use them and how they use them. Thus it is important to support and empower teams as much as possible.
Phased roll-out:
Black Duck Academy & Security Evangelist
Automation Engineers implement a standard pipeline framework. This includes a CI/pipeline template and shared tools, workers and a dashboard.
The pipeline template is version controlled in Git for new projects. Saves weeks of effort.
Teams had to plan and dedicate time to review all existing projects and clean/fix all issues found by Black Duck.
Once projects were in a good state, policy management was enabled to fail builds and create tickets via Jira
Team agrees on a standard
This is not an internal compliance policy enforced by Security or Risk Officers but rather self-imposed by the teams
When to fail builds (will inform Policy Management rules)
How to triage results (comments & ignore)
Do reporting, etc
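An added example (not Black Duck Hub’s policy engine or API) of the team-agreed standard described above turned into a build gate: which findings fail the build, how a triaged ignore is recognised, and which unresolved findings would become tickets; the report shape, the severity and license rules, and the 90-day re-review window for ignores are assumptions.

```javascript
// Added example, not Black Duck Hub's policy engine or API: a build gate that
// applies team-agreed rules to a scan report. The report shape, rule values and
// the 90-day re-review window for ignores are assumptions for the illustration.
const APPROVED_LICENSES = new Set(['Apache-2.0', 'MIT', 'BSD-3-Clause']);
const FAIL_SEVERITIES = new Set(['CRITICAL', 'HIGH']);
const IGNORE_MAX_AGE_DAYS = 90;

// An ignore counts only if it carries a triage comment and has been reviewed
// within the window; an ignore without a rationale is treated as untriaged.
function isValidIgnore(triage, now) {
  if (!triage || triage.status !== 'IGNORED') return false;
  if (!triage.comment || triage.comment.trim() === '') return false;
  const ageDays = (now - new Date(triage.reviewedOn)) / 86_400_000;
  return ageDays >= 0 && ageDays <= IGNORE_MAX_AGE_DAYS;
}

// Returns { pass, violations, tickets }: violations fail the build, tickets are
// what would be raised in the issue tracker for unresolved findings.
function evaluateBuild(report, now = new Date()) {
  const violations = [];
  const tickets = [];
  for (const comp of report.components) {
    const ref = `${comp.name}@${comp.version}`;
    if (!APPROVED_LICENSES.has(comp.license)) {
      violations.push(`${ref}: unapproved license ${comp.license}`);
    }
    for (const v of comp.vulnerabilities) {
      if (!FAIL_SEVERITIES.has(v.severity)) continue;   // below the agreed bar
      if (isValidIgnore(v.triage, now)) continue;        // risk accepted with rationale
      violations.push(`${ref}: ${v.id} (${v.severity})`);
      tickets.push({ summary: `Remediate ${v.id} in ${ref}`, severity: v.severity });
    }
  }
  return { pass: violations.length === 0, violations, tickets };
}

// Constructed sample report (not real scan output; VULN-* ids are placeholders).
const sampleReport = { components: [
  { name: 'component-a', version: '1.0', license: 'Apache-2.0', vulnerabilities: [
    { id: 'VULN-A', severity: 'HIGH', triage: null } ] },
  { name: 'component-b', version: '2.3', license: 'LGPL-3.0', vulnerabilities: [] },
  { name: 'component-c', version: '8.5', license: 'MIT', vulnerabilities: [
    { id: 'VULN-B', severity: 'CRITICAL', triage: { status: 'IGNORED',
        comment: 'Affected module not compiled into our build', reviewedOn: '2024-01-10' } },
    { id: 'VULN-C', severity: 'MEDIUM', triage: null } ] },
] };
```

Run against the sample report shortly after the ignore was reviewed, the gate fails on the untriaged HIGH finding and the unapproved license only; months later the same ignore has gone stale and the CRITICAL finding fails the build again until it is re-reviewed.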
Key takeaway: Automation Engineers are responsible for this process in each of the teams
The Jenkins phases (in yellow) occur twice:
• Pull request --> automated once reviews complete
• Merge to master --> manual
Key takeaway: Explain concept of build pipeline template
Infrastructure as code
Key takeaway: Key ingredients
Trust your people to do the right thing
Support them with the necessary resources and tools
They need to weigh in before they buy in, and that is how they will demonstrate ownership
Clarity of expectations and what success looks like (i.e. security and due diligence)
CLOSING: I sincerely hope the story of our journey so far was informative and perhaps gave you some good ideas for your own context. I thank you for your time and for listening to me, and I’m happy to answer any questions if you have any. Thanks.
References:
https://blackducksoftware.atlassian.net/wiki/spaces/INTDOCS/pages/49843511/Hub+SonarQube
https://blackducksoftware.wistia.com/medias/dbpsb3xszr