This year's AppSec USA was fun. I presented about PayPal's home-grown security product called SCORE Bot (Secure COde REview Bot) along with my teammate, Vidhu.
The abstract is here:
In today’s DevSecOps world, “shift to the left” is not a new mantra for AppSec practitioners. It is imperative to notify developers about potential security issues as early as possible.
While heavy-weight static and dynamic analysis tools and fuzzers exist to find generic technical security flaws, finding custom security issues that are specific to an organization’s proprietary frameworks, APIs, libraries, etc. is often tricky, time-consuming and expensive to capture and maintain as “custom rules” in those tools. IDE plug-ins are often messy to deploy and maintain at scale in the real-world when you are dealing with highly diverse programming languages/frameworks and thus various versions of different IDE products.
Secure COde REview Bot (SCORE Bot) fills that gap and provides real-time, in-context, security-oriented code review that focuses on org-specific security issues. It does that by automatically hooking into the GitHub Pull Request (PR) process and posting PR comments with not only the details of the identified security vulnerabilities but also remediation advice, so that developers have actionable guidance to fix those security issues.
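As an added illustration of the PR-hook model described above (this is not SCORE Bot's code, which is PayPal's and not part of this page), here is a minimal Python reviewer that scans only the added lines of a pull-request diff against org-specific rules and emits review comments with remediation advice, computing the new-file line number and the GitHub diff position a bot would use to anchor each comment. The rule patterns, the OrgCrypto/OrgDb names and the sample diff are all constructed, hypothetical examples.

```python
import re
# Constructed, hypothetical org-specific rules: (id, pattern matched on added lines, remediation).
RULES = [
    ("ORG-CRYPTO-1", re.compile(r"\bLegacyCipher\.encrypt\("),
     "LegacyCipher is deprecated; use OrgCrypto.seal(), which applies an authenticated cipher."),
    ("ORG-SQL-1", re.compile(r"\bOrgDb\.rawQuery\("),
     "Use OrgDb.query(sql, params) so values are bound rather than concatenated into SQL."),
]
HUNK_RE = re.compile(r"^@@ -\d+(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

# Constructed sample PR diff: the insecure call on the removed line must not be flagged.
SAMPLE_DIFF = """\
--- a/app/checkout.py
+++ b/app/checkout.py
@@ -10,3 +10,5 @@ def charge(user, amount):
     total = amount * 100
-    token = LegacyCipher.encrypt(user.card)
+    token = OrgCrypto.seal(user.card)
+    log.info("charging %s", user.id)
+    rows = OrgDb.rawQuery("SELECT * FROM cards WHERE id=" + user.id)
     return submit(token, total)
"""

def review_diff(diff_text):
    """Return PR review comments for added lines: path, new-file line, GitHub diff position, advice."""
    comments, path, new_line, position = [], None, 0, -1
    old_left = new_left = 0                      # lines still expected in the current hunk
    for raw in diff_text.splitlines():
        if old_left == 0 and new_left == 0:      # between hunks: only headers matter here
            m = HUNK_RE.match(raw)
            if raw.startswith("+++ "):
                path = raw[4:].split("\t")[0]
                path = path[2:] if path.startswith("b/") else path
                position = -1                    # GitHub: the line below a file's first @@ is position 1
            elif m:
                old_left, new_left = int(m.group(1) or 1), int(m.group(3) or 1)
                new_line, position = int(m.group(2)), position + 1
            continue
        position += 1
        if raw.startswith("\\"):                 # "\ No newline at end of file" marker
            continue
        if raw.startswith("+"):
            for rule_id, pattern, advice in RULES:
                if pattern.search(raw[1:]):
                    comments.append({"path": path, "line": new_line, "position": position,
                                     "rule": rule_id, "body": f"[{rule_id}] {advice}"})
            new_line, new_left = new_line + 1, new_left - 1
        elif raw.startswith("-"):
            old_left -= 1
        else:                                    # unchanged context line
            new_line, old_left, new_left = new_line + 1, old_left - 1, new_left - 1
    return comments
```

Run on SAMPLE_DIFF it reports only the raw SQL call on new line 13 (diff position 5); the removed LegacyCipher line is ignored because the bot reviews what the PR introduces, not what it deletes.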
Driven by insights from behavioral science and experimentation (A/B testing), SCORE Bot became our reliable eyes and ears on the code being written at PayPal and a trusted security peer reviewer for our developers. In this talk, we'll share the lessons learned from rolling out SCORE Bot at PayPal, with details on what worked and what proved challenging, along with some real-world metrics from our deployment, which scaled to cater to diverse programming languages, frameworks and CI/CD pipelines. The recording of the talk is here:
I spoke @ RSA Conference DevSecOps back in February.
The idea for the talk stemmed from the ton of follow-up questions focused on one area from my RSA talk last year - automating generation of "security stories" and making them equal citizens to "user stories".
It was a great experience overall coupled with interesting hallway conversations from other AppSec practitioners trying to get upfront security requirements into the hands of their developers.
"PayPal started its Waterfall to Agile transformation journey two years ago. That meant that the software security program had to morph as well. The Field of Dreams question of “if you build it, will they come?” was no longer a valid question! Come hear about real-world insights about integrating security into Agile—approaches, processes and tools put in place and the results from them."
Just finished reading "Thing Explainer" by Randall Munroe (yes, the xkcd dude!).
One of my favorite topics was "Shape Checker".
"This machine checks whether you have a piece of metal with a certain shape. If you do, it lets go of whatever it’s holding on to. People put these machines on boxes, doors, and cars to try to control who can open or use them. What’s interesting about these machines isn’t really the machine itself. There are lots of different kinds that work in different ways, but they’re all the same in one way: They try to put people into groups. By checking whether someone has a piece of metal that’s the right shape, this machine is really a way to try to tell whether people are who they say they are. It’s an idea—about which people should be allowed to do something—brought to life in metal."
Following Microsoft, Apple, Evernote and others, LinkedIn has now enabled two-step verification.
Their iOS mobile app experience could be better (for now, you have to log in with your password, get the one-time SMS code, then concatenate it with your password to complete your login). I'm sure future updates to the app will fix that...
Good to see multi-factor authentication take off in a big way. I hope that FIDO gains good adoption in the months and years to follow ...
If you are attending the Security Development Conference next week, please be sure to check out the talk titled "Tales from the Trenches: Rollout of Static Analysis Tools for Large Enterprises".
My colleague Rick Marvin and I will be the co-speakers for this talk. While security relies on multiple practices of the SDL, we mostly focus on one practice: static analysis. From real-life experience, we discuss what worked and what proved challenging, and provide actionable rollout tips for security practitioners.
I had the opportunity to participate in a roundtable discussion on static analysis tools for the IEEE Security and Privacy magazine. The roundtable was organized by Brian Chess, the founder of Fortify Software. Bill Pugh, Kris Britton, Chris Eng, Jacob West and I took part in the discussion. A partial transcript of the discussion appeared in the current edition of the magazine.