Experience the Power of Pipeline Management App for Security

airSlate SignNow offers a user-friendly solution with great ROI, transparent pricing, flexible plans, and superior support 24/7. Take your business to the next level.

airSlate SignNow regularly wins awards for ease of use and setup

See airSlate SignNow eSignatures in action

Create secure and intuitive e-signature workflows on any device, track the status of documents right in your account, build online fillable forms – all within a single solution.

Collect signatures 24x faster
Reduce costs by $30 per document
Save up to 40h per employee / month

Our user reviews speak for themselves

Kodi-Marie Evans
Director of NetSuite Operations at Xerox
airSlate SignNow provides us with the flexibility needed to get the right signatures on the right documents, in the right formats, based on our integration with NetSuite.
Samantha Jo
Enterprise Client Partner at Yelp
airSlate SignNow has made life easier for me. It has been huge to have the ability to sign contracts on-the-go! It is now less stressful to get things done efficiently and promptly.
Megan Bond
Digital marketing management at Electrolux
This software has added to our business value. I have got rid of the repetitive tasks. I am capable of creating the mobile native web forms. Now I can easily make payment contracts through a fair channel and their management is very easy.
Walmart
ExxonMobil
Apple
Comcast
Facebook
FedEx
be ready to get more

Why choose airSlate SignNow

  • Free 7-day trial. Choose the plan you need and try it risk-free.
  • Honest pricing for full-featured plans. airSlate SignNow offers subscription plans with no overages or hidden fees at renewal.
  • Enterprise-grade security. airSlate SignNow helps you comply with global security standards.

Pipeline management app for Security

Looking for an efficient way to manage your security pipeline? airSlate SignNow is the solution you've been searching for. With airSlate SignNow's user-friendly interface and advanced features, you can easily streamline your document signing process and ensure secure communication within your organization.

Pipeline management app for Security How-To Guide:

Experience the benefits of using airSlate SignNow for your security pipeline management app. With features like encrypted document storage, real-time tracking, and customizable templates, you can ensure efficiency and security in all your document transactions.

Ready to take your security pipeline management to the next level? Try airSlate SignNow today and see the difference for yourself.

airSlate SignNow features that users love

Speed up your paper-based processes with an easy-to-use eSignature solution.

Edit PDFs online
Generate templates of your most used documents for signing and completion.
Create a signing link
Share a document via a link without the need to add recipient emails.
Assign roles to signers
Organize complex signing workflows by adding multiple signers and assigning roles.
Create a document template
Create teams to collaborate on documents and templates in real time.
Add Signature fields
Get accurate signatures exactly where you need them using signature fields.
Archive documents in bulk
Save time by archiving multiple documents at once.

Get legally-binding signatures now!

FAQs online signature

Here is a list of the most common customer questions. If you can’t find an answer to your question, please don’t hesitate to reach out to us.

Need help? Contact support

Trusted e-signature solution — what our customers are saying

Explore how the airSlate SignNow e-signature platform helps businesses succeed. Hear from real users and what they like most about electronic signing.

5
anonymous

This service is really great! It has helped us enormously by ensuring we are fully covered in our agreements. We are on a 100% for collecting on our jobs, from a previous 60-70%. I recommend this to everyone.

5
Susan S

I've been using airSlate SignNow for years (since it was CudaSign). I started using airSlate SignNow for real estate as it was easier for my clients to use. I now use it in my business for employment and onboarding docs.

5
Liam R

Everything has been great, really easy to incorporate into my business. And the clients who have used your software so far have said it is very easy to complete the necessary signatures.


How to create outlook signature

[Music] Good morning. Take a minute to say hi to your neighbor, please. Just say hi. Yes, good to know each other, isn't it? Yes. Hope you're having a wonderful day. Yeah. Um, we're going to start off our session on AppSec security, and I'm sure you guys have attended a lot of sessions on security in these three days, isn't it? Yes? Anyone? So in that case I wouldn't do a lot of talking. I want us to do a lot of interactions as well, because I know you have a lot of questions on developer security and how you can be able to integrate it within your organizations. So we're going to make it a lot more interactive. That's how you learn a lot more as well, isn't it?

So I'll start off by introducing myself. My name is Jolene Kirui. I'm in Microsoft, I'm a Senior Cloud Security Advocate, I'm based out in Kenya. I've been an ethical hacker for eight plus years, and I've worked in the security field for around, okay, for more than eight years as well. So I worked with developers, um, in terms of finding security vulnerabilities and then pushing back to developers and telling them to fix this. How many of us don't like our security teams? How many of us? None? So I know from previous experience, like the way we used to do it in the legacy way, the developers would develop an MVP, a minimum viable product, and then it goes to a security team, and then we find all these security vulnerabilities, and then we would write, um, let's say like a two-page Excel document and then give it back to the developers, and they're like, "Oh my, what the hell is this?" Yeah. So in that case there's a lot of friction. Like, um, we get to see the security team as gatekeepers and you don't have a very good interaction with them. So today we're going to talk about DevSecOps and how you can be able to integrate security throughout your software development life cycle, and how you can be able to work with the security team as one instead of working as silos.

Okay, so part of the description of the session was, um, there are very many tools that you can use to automate application security within your CI/CD, so you're wondering how can you be able to choose which one is right for you, and, um, how are you able to mature your DevSecOps adoption as well. Um, so there's very many questions around this, so we're going to cover all this and how you can be able to automate security throughout your software development life cycle very easily as well.

So let's start with a bit of stats. So we'll find that 52 percent of companies actually sacrifice cyber security for speed. You have two weeks to deliver a particular feature, and then when it reaches about that Friday when you're supposed to deploy, and then security says that they found this critical vulnerability, that this product can't go live. What happens in such a case? In most cases business will say, "We are continuing," because they already shared with the shareholders, uh, stakeholders that this is going to go live. 52 percent of ops teams push back on security best practices. You'll find that most of the security vulnerabilities will actually, um, require for you to build the solution up front or even for them to, um, use an updated software, so this is a lot of pushback from ops teams. And 44 percent of developers are not trained on coding securely. How many of us are trained on secure coding? Two of us. You can imagine. I don't know if I can ask you how you actually trained, do you mind?

We have an online training.

So today we're going to have more interactions so at least you can learn from other people and as well as the penetration, yeah, such on online. [Laughter] You have a Secure Code Warrior online training? Do you find it, like, it actually works? It's okay, but it can be done better, isn't it? And you know, online training, online training. Um, does your security team take time to train your developers? Okay. Do you have a security team? Okay, okay, wow, that's an interesting one.

Okay, so you'll find that 80 to 90 percent of the code that you actually incorporate in our software is borrowed code, and you can imagine if you are borrowing code that's not tested well, that, um, has vulnerabilities, you're introducing open doors within your organization for them to even infiltrate your whole network. So we have lateral movements as well as remote code executions that can be done all the way from the application to be able to compromise your whole network. And we have 570 times more developers than security resources, and in his case it's, let's say, 40 to zero. So you can imagine, um, if developers are pushing like a thousand lines of code, then you have like one security personnel, they must miss something. True, isn't it? Other sources of security vulnerabilities, apart from the dependencies, are employee error, we are all human, so we have exposed access s, um, code patterns that are unsafe, and we still have that, even if, um, the damage is usually exponentially higher when you determine the security vulnerabilities in production than in development.

Okay, so what can you do in order to identify these security vulnerabilities early on? We have to always assume breach. You have to have a security-first mindset throughout. Michael Hayden said, "Fundamentally, if somebody wants to get in, they're getting in. Accept that. So what we tell clients is, number one, you're in the fight, so whether you thought you were or not. Number two, you are almost certainly penetrated." Any of us think you're 100 percent secure? There's nothing like 100 percent secure, and if you've never been breached, most certainly you've been breached but you didn't know you were breached. So funny.

So the way I ended up into cyber security, I was a software developer like most of you, and then one time one of the systems that I built was actually compromised. So there was a lot of blame going around, and that's when I was like, okay, so there's much more that I can be able to do within my software development journey. I went, uh, and accessed all those online resources and learned how to build more secure code, and that's how I got into this journey, like how to train developers on secure coding, because it's something that you don't talk a lot about and something you should be doing on a daily.

So first of all, always assume breach. By assuming breach, uh, we have two areas where we try to prevent breach and assuming breach. So when you're trying to prevent breach, you have to have a threat model. So a threat model is whereby you are trying to, um, emulate what a hacker will be able to do to compromise the system. You have all these vectors: you have maybe an API endpoint that's public facing, and that's an avenue that can be used to compromise the systems; you have, let's say, an HTTP endpoint as well; they have using database, you probably have it deployed publicly, that's also a flaw. So you always have to do threat modeling, see what vector can be used within your organization, within your network, to compromise the organization. You have to do code review. All organizations should have like at least a list of things that all developers should follow, um, in terms of secure coding standards, code review, pair programming, peer reviews as well, security testing and security development life cycle.

But always assume breach. You have to identify the attack surfaces that can be used by that. You have to know, okay, so, um, I have this whole architecture, what vector can be used to compromise this whole system. You have to have a strategy to protect your customer data. So when you're talking about security, we have the CIA triad: we have confidentiality, integrity and availability. So everything we do around security lands on those three pillars. So we have to make sure that whatever we are integrating, whatever input we're getting from the user, is secure, how it's being transmitted to the server, to the database, is secure, how it's stored in the database is secure, everything is secure. So you might be wondering, so is security really, um, my work as a developer? Isn't it the work for the security team? Will I be putting too much burden on the developer if you are adding a lot more security checks on them? We'll answer that.

So, um, I want someone to show me, um, let's do a simple exercise. What's wrong with this code? No password, mm-hmm, good. So this one accepts empty passwords, is it? So you'll find that people are still doing this. Um, this is where we start talking about DevSecOps, the importance of shifting security left. So shifting security left within your CI/CD pipeline in order to embed security, because it finds that we have 80 percent reduction in security incidents when we extend security to the development life cycle. Um, it's 60 times cheaper to fix security vulnerabilities from development through before production, and as we said earlier, two percent of enterprise security into the development phase.

So within the whole DevOps you have all these tools. I'm sure most of these tools are familiar to you, isn't it? How many of us have used, um, let's say Dropbox, Jenkins, uh, this blank here, we have Datadog. How many reverses have used in your face? You guys find it so confusing, like you have so many tools to bring on, so many things, like your gifts gets, like everything's just in one place, anyone? So you can also imagine now we have, um, bringing security into this whole picture. Um, so we have the pre-commit in the whole, the secure development, this, the whole software development life cycle. We have the pre-commit and then you go to the commit, then deploy, then operate. So in the pre-commit you have to integrate security softwares to check for all those, IDE security plugins, and then in the commit you have to check all this, so we'll go through all of that as well. So you can imagine we have tools for everything, so how much information overload do we have? Can we make it simpler?

So during the pre-commit we want to make sure that you have threat vectors identified and you'll be able to fix those security vulnerabilities. IDE security plugin is where you come in and make sure that you have, um, let me show you. So within your IDE, let me increase this, within your IDE on a day-to-day you should be able to integrate extensions that should be able to help you within your daily, um, day-to-day code review. So when you go to extensions within your IDE and you search for, let's say, security, you'll find all these security extensions that can be used. If you've attended some of your sessions by Snyk, you can be able to use it and it finds security vulnerabilities as you go, so whenever you're coding it's always scrolling to find any security vulnerabilities. You have very many extensions that you can be able to use. So first of all, um, for developer, you should be able to use this on the onset to identify security vulnerabilities, and then what I've all tells after that, you have to do threat modeling. Um, every two weeks, whenever you are integrating a new feature, make sure you do some threat modeling for new vectors being introduced. You have to use pre-commit hooks, so before you actually commit your application or you're pushing anything, if you have security secrets incorporated it prevents you from pushing, um, to your repo. You have to also have peer review. Notice we have, um, Copilot as well, which can be able to help you build as a pair programmer as well.

And then in the commit we're looking at static application security testing, SAST. So SAST looks at security vulnerabilities within the code that you've actually built, not borrowed code. And then you look at security unit tests and dependency management, what you call software composition analysis, so this is what we are looking at, the 80 to 90 percent of borrowed code, open source vulnerabilities, um, and third party dependencies. We also look at credential scanning. And then in the deploy, this is where we look at whatever infrastructure that you're spinning up, you have to make sure that it's secure by default, and we have to look at dynamic security scanning as well. So whenever your application is already deployed, let's say in a staging environment, we have scanning tools that can be able to go in and crawl and try and fuzz, um, into all your inputs to see the reaction of your application. And then you also have cloud configuration checks just to make sure that your infrastructure is spun up, um, be it in Azure, AWS, is already secure. And then you have to do lastly security acceptance, just to make sure that all these have passed before you go in and operate and monitor. You always have to have continuous monitoring, threat intelligence and blameless postmortems just to make sure that everything is finished up securely. The reason why we have continuous monitoring is because you have zero day vulnerabilities, so every day we have hundreds of new security vulnerabilities that are targeting your applications, so you have to go in and make sure that everything is secure.

So let's go in and just check, um, practically how you can be able to do it. So the first thing, as a developer, um, you should be able to identify security vulnerabilities on the onset. So you can be able to do this using GitHub Advanced Security. So GitHub Advanced Security does code scanning, secret scanning and as well as dependency management. Um, this is free as well for public repos, so if you have your repo, yeah, maybe open right now, you can go to this Security tab and make sure that you enable the security policy, you enable code scanning and Dependabot alerts as well. And if you go to Settings and you go to Code security and analysis, you should be able to, um, enable Dependabot and code scanning as well. So code scanning, it will use a tool called CodeQL analysis and then it will scan through, find security vulnerabilities in your code base. But you can be able to go in and explore the various tools that are available in the marketplace as well, just the same way we did in Visual Studio Code. We have all these security tools that you can be able to incorporate as well. I can see Snyk, API scan, DevSkim as well, which can be able to go in and do, um, your security reviews with. We also have MobSF for those mobile developers that you have, can be able to go in and do mobile app review using this open source tool.

So today we're going to cover, um, we have the Microsoft Defender for DevOps, so which incorporates all these security tools into one in order for you to be able to integrate it into your software development life cycle. So, um, the reason why I was pointing out all those developer tools that you have, that bring all those noise, bring all those false positives, so you have to integrate all of them and then, um, they bring all that noise within a centralized location. So what happens if we have one solution that brings all of those tools into one? So, um, in this case we'll be using BinSkim, I will be using GitHub Advanced Security for code review, uh, we'll be using BinSkim for checking your binaries for security vulnerabilities, will be using ESLint for your JavaScript, and then Template Analyzer if you have ARM templates, even APIs can be checked using the Template Analyzer, and then Terrascan is used for infrastructure as code, um, checks, and then you have Trivy which checks your containers and your file systems and Git repositories for security vulnerabilities. This is quite useful. Actually all of these are open source tools, you should be able to go in and play around with them and see, uh, what security vulnerabilities they give.

So the way you do it, um, on GitHub is you go into your workflow and you create a new workflow specifically for Defender for DevOps. This can also be found within the workflow. I'll also share the link to my reports, at least can go in and do it step by step by yourselves. Um, once you have this deployed you can see it has the "Run Microsoft Security DevOps Analysis", so it will crawl through your whole, um, application and software and checks for, um, all those security vulnerabilities. And the good thing is this, is that for developers we also have, um, PR annotation, so before you push any changes and you find any security vulnerabilities to the main branch, it will give you all the security vulnerabilities and you've passed them, and then if all the checks finish and it's successful, it's now merged to the main branch. It's very simple, right? Right.

Okay, so, um, in Azure DevOps as well it's very simple. We have the marketplace, so the same case with Visual Studio Code, um, in GitHub as well, which is, so if you scan for security you'll find all these extensions as well which you can be able to use. In our case, for the Microsoft Defender for DevOps, you'll be able to use the Microsoft Security DevOps and you make sure that you just say "Get it free". So I already have it, um, installed, so I can go to my organization, and then once you're in your organization you go to [Music] um, you can create a new pipeline, you select your repo, you can use a starter pipeline, and then you just use the "Show assistant". So once you have the extension installed you just search for it and then you click on it and then you can just add it as is, so it will just add this task which will check all those security features within your infrastructure and give you the security vulnerabilities, and then you say "Save and run". Uh, so once you say save and run it will take a few minutes, and then you're able to go into your pipelines and see the security vulnerabilities here. When you go to Scans, remember I mentioned all those tools, so it will take against software development, secure software development life cycle, and then CredScan, it is CredScan for security vulnerabilities, for credentials that are hard-coded or exposed within your code, um, there's Terrascan for your infrastructure as code, in this case it gives you the recommendations for your Dockerfile, and then it also has the Template Analyzer to check for your ARM templates, and Trivy for your container security. So it gives you an overall view of what you need to be able to fix.

And then for the security managers as well, you can be able to go to your Azure portal and within Microsoft Defender for Cloud, um, you can add the environment settings. So if your repository is sitting within GitHub, um, let's say, uh, we have, um, AWS, GCP, GitHub and Azure DevOps, you can have that visibility of all your code bases within different environments and different pipelines, so you can be able to add these different environments there. And then we also have workbooks which will give you an overall view of security posture, from secrets exposed within all your repos, within all your code bases, within your open source vulnerabilities and as well as infrastructure as code, and give you a huge posture of everything within your environment and the threats that are involved there as well. In my opinion it's very simple.

So I think we'll just go back to, uh, what you're talking about. So apart from having, um, these tools embedded, remember DevSecOps is not about tooling, it's all about a shift of your mentality in terms of security. We all have to know that security is everyone's responsibility. You have a key stake in this journey, because developers are actually the first line of defense. You usually know whenever you're deploying something that's insecure, true or false? True or false? Yes, and then you go with it as well. So it's all a journey. So whenever it's time for you to choose an application or a tool within your DevSecOps, you have to look at if that tool, um, fits within a particular timeline. By that I mean if it takes more than 10 minutes for it to scan your code within your CI/CD, that's too long. You have to always do POCs for all these applications, all these softwares that you are incorporating within your environment, and make sure it meets your need, make sure that, um, it takes, yeah, less than 10 minutes and it has very few false positives and false negatives. What do you mean by false positives? So false positives are, it gives you issues that are actually not issues, and also have false negatives. So false negatives, in my opinion, are a lot worse, because you think that you have like 10 security vulnerabilities but in reality you have 30 security vulnerabilities. Okay, always make sure that at least whatever tools are being deployed in your organization is actually being used. I've seen scenarios whereby you have all those tools, um, incorporated but developers are not using it. So we have to make sure that it's a developer-first, um, setting whereby identify security vulnerabilities all the way from the IDE and all the way until continuous monitoring.

Okay, remember, always assume breach, and for us, we have to be lucky all the time, has to be lucky only one time for them to compromise the system. So this is actually a cyber warfare, uh, we are being attacked every single day, and we all have a second making this world secure, one code at a time. Okay, so, um, this time I want us to just, um, bring some, like, maybe questions that you have in terms of, um, developer security, so at least you can all learn from all of us experiences, and maybe you have a developer security question, I'm happy to answer so at least all of us learn. Yes? Yes.

Sorry, earlier you said something about proof of concepts. Yes. Did you mean creating proof of concepts of any features or of any issues that might be identified?

So by proof of concept, if you want to integrate like a security tool, um, you always have to know what do I want from this security tool, um, does it meet the requirements. So that's your proof of concept.

Thank you.

Thank you for the talks. So I have a question that may be a bit precise, but I was wondering if you have any, uh, how you feel about the tool Veracode, because I know that the scans are extremely long to run, and are you saying that you recommend like 10 minutes at most, so I don't know how you feel about this tool.

Um, so it all comes down to your maturity model. So in DevSecOps, yes, you can take the tool as is, so that's what you call DevSecOps maturity level one. So in such a case their scans take a lot longer and you find also a lot of false positives. So that's why you have to go in and tweak those tools, be it Veracode, be it Snyk, to make them work for your particular environment. So in such a case, once you have customized it, it should take a lot lesser. Yeah, of course you've identified maybe your organization uses maybe Java, Python only, you only, um, scan using those languages only.

Okay, thanks.

Thank you. Um, when you mentioned something about false negative, yes, um, how can we figure out we have a false negative? Um, so should we run more than one, uh, plugin or more security tool, or how can I know?

That's an interesting question. Um, so that's why we don't always just, um, do automated security checks. That's why also the security team needs to come in and also do manual security checks. Okay, so, uh, during the manual review, that's when you're able to identify a lot more security vulnerabilities. So the way we do, um, this system where hackers do, we do, um, automated checks to find security vulnerabilities. So by security vulnerabilities you mean like CVEs; CVEs are known vulnerabilities, but we also have unknown vulnerabilities as well. So with the CVEs, um, we later go on and try to exploit those vulnerabilities, so once we exploit that vulnerabilities we see that yes, it's actually an exploitable vulnerability. So we have to, first step, initially record license reconnaissance, by we try and see, okay, so what ports are open, what has the developer, um, laid out there for, um, the world to see. I'll do review of the code to try and understand, okay, so what are the thought processes of the developer, is there a weak link within that particular code, can I be able to compromise it. And then after that, after doing some enumeration, um, we've done some reconnaissance, you've identified that we have all these, um, endpoints that are publicly accessible, and then now you go in to do enumeration, so can you be able to attack all those endpoints, all those databases from even publicly, and then now you go in and exploit them. So yeah, it's a whole process to do the manual penetration testing, but it gets a lot more security vulnerabilities.

Thank you.

Yeah, yeah. Could you recommend one tool that you can run on your laptop, desktop, to sort of pre, to check for security before you get anywhere in there pushing your code?

Um, we have many, um, so you're saying within your IDE? Within your IDE, yeah, a plug-in. Yeah, plug-in. Um, okay, so I personally, um, okay, this is a very, like, it's a personal, um, solution, because remember whatever plug-in you use has to be in line also with the programming language that you use. Not all of them scan all programming languages. Okay, so if you're using, um, Java, um, like you can be able to even use the likes of Snyk, even, um, Contrast Security, like it depends with you. But also for GitHub Advanced Security you have the GitHub Pull Request extension which also attaches the GitHub Advanced Security, so whenever you're coding at least it finds you security vulnerabilities and you can be able to close them before pushing it to public people. Okay, but that one, take time to identify which extension works for you, or you can play around with them. So you can find that one found like 20 security vulnerabilities and then the other one found like 15 security vulnerabilities, and then you'll find the one that found 20 security vulnerabilities actually had a lot of informative, um, security vulnerabilities which you would do without. So it's all about finding a balance.

Yeah, so I hope we will all have a hand in terms of finding our, integrating the security extensions and also within your CI/CD to find, um, total mid security findings as early on as possible. Okay, any other question? We're all good? How many of us are now secure developers? Yeah. So I'm happy to have any questions, um, if you want to, um, know a lot more about the security features that are available, how you can be able to incorporate them. But let me share with you some resources which you can use. So you can access aka.ms slash devsecop solution to find all the resources that can be able to incorporate within your pipeline, and then, okay, and then, um, some of other resources that you can be able to use, I can take a photo of that as well. And that's it. You can find me on Twitter or LinkedIn, I'm happy to answer anything developer security, and also I'll be here for a couple more minutes. Uh, thank you, you've been awesome, and have a great rest of your conference. [Music]
