Scaling Secure Development by Changing the Software Culture Code
Eric Baize - @ericbaize
Chairman, SAFECode - www.SAFECode.org
Vice President, Product Security - Dell EMC
… When Security Was an Afterthought
IEN 149 J. Postel
RFC 765 ISI
June 1980
FILE TRANSFER PROTOCOL
INTRODUCTION
The objectives of FTP are
1) to promote sharing of
files (computer programs
and/or data), 2) to
Software Developers: Informed Software Developers have access to knowledge, practices and tools to build secure software
Development Organizations: Mature Development Organizations understand that developing secure software is both an organization commitment and a holistic process
Technology Users: Sophisticated Technology Users have access to information about vendors’ software security processes to effectively manage risk
The Vision
Changing culture among 3 stakeholder categories: Software Developers, Development Organizations, Technology Users
Culture Across Countries
Examples of Large Cross-Population Differences Between Countries (*)
“We need tough leaders who can silence the troublemakers and restore our traditional values.”
“My ancestors once lived in a golden age with glorious and beautiful achievements.”
“I can always trust the government to do what is right.”
“I believe in predestination - that all things have been divinely determined beforehand.”
(*) Source: Saucier, Gerard & … & Altschul, Carlos. (2015). Cross-Cultural Differences in a Global 'Survey of World Views'. Journal of Cross-Cultural Psychology.
Today’s Software Culture Code
Software Developers: Culture Levers
Levers: Education; Tools & Technology
• 18 million software developers across the globe
• 45% have a Computer Science related undergraduate major (*)
• Consume online courses
• Heavily rely on software development tools and frameworks
(*) Stack Overflow 2017 Annual Developer Survey
Development Organizations: Culture Levers
Levers: Market Forces; Quality Governance; Hiring Practices
• Leverage software to create applications, products or services that meet market needs
• May not know they have become a software company
• Employ and train software developers
• Govern the lifecycle and quality of their products, services or open source deliverables
Technology Users: Culture Levers
Levers: Procurement; Threat Landscape
• Buy or use products or services that address their business needs
• Have to comply with regulations
• Adapt technology strategy to the threat landscape
Security in Software Engineering Education
Lever: Education
Make software security a mandatory component of any software engineering curriculum
Security in Technology Executive Programs
Lever: Education
Train technology executives on the impact of software vulnerabilities on world affairs and corporate reputation
Security in Recruitment
Lever: Hiring Practices
Explicitly demand knowledge of secure development in software engineering job postings
Security in Project Management & Governance
Lever: Quality Governance
Track and report secure development activities as required software engineering tasks
Security in Quality Assurance
Lever: Quality Governance
Record critical security vulnerabilities as Severity 1 bugs in your defect tracking system
Security in Procurement
Lever: Procurement
Ask your suppliers about their secure development process and governance
Security in Software Development Tools
Lever: Tools & Technology
Make security a feature of Integrated Development Environments
Smarter Security Tools
Lever: Tools & Technology
Leverage Artificial Intelligence and Machine Learning to create a simple-to-use threat modeling tool
Security in Computer Science Research
Lever: Tools & Technology
Invent developer-friendly programming languages and run-time environments optimized for security
We All Have a Role to Play
• Reach out outside our security community
• Have a conversation about software security
• Know that you have an impact in changing the culture
Summary of culture levers by stakeholder: Software Developers (Education; Tools & Technology); Development Organizations (Market Forces; Quality Governance; Hiring Practices); Technology Users (Procurement; Threat Landscape)