I have a very strange accent when I speak English, but it's not my native language. I'm German and I have lived in the Netherlands for more than half of my life, so you either have a Dutch or a German accent, or maybe both. So let's try and figure out what it is.

As RV said, I have been an OWASPer for a very long time already. Who is in information security? Are there any developers? That's really good. Who has been in security work for more than two years? More than five years? More than seven years? Do you ever get frustrated? That was my problem. I get an annual security frustration. Actually, at AppSec EU 2015 I told my wife: you know what, I do this conference, then I'm done. I'm done with security. We buy a camping place. No security anymore, open Wi-Fi, screw it, I'm done. Every year my wife looked at me and said: yeah. And she was right. I'm still in security and I try to make it a better world, with all the frustrations I get annually, but I think that's a part of the work most likely.

So maybe you wonder about the cryptic title, hippos. It all started when I had frustrations. You know, the security communication world is always about fear, uncertainty and disorder, the FUD. And I promised my wife to take a vacation. I'm not really good at taking vacations, because if I go away, you know, everything will collapse. If I take vacation there will be disorder, uncertainty, everything will be breaking down. And she convinced me to take a motorbike up to the North Cape. Two weeks on a motorbike, no internet. Was really great. And I came back, and you know what? The world was still turning. Nothing really, really bad happened. Yes, there was fraud, there were some hacks, but it was not that bad. The world kept turning. I still could do online banking, I still could go to my work, I still had electricity. So hey guys, what do you worry about? That was the first thing. I was relaxed two weeks. No incidents, no anxious calls.
I got back and I looked around and I said: what do we do right, what do we do wrong as a security community? And this talk is about how to engage, how to think; it's more a human factor than a technical factor. You know, four, five years ago there were a lot of talks about thinking out of the box. It was a theme as well in Israel, out-of-the-box thinking. Guess what? You cannot think out of the box. The box is what you are. The box is your history, experiences, things you learned, you read, you encountered; that is your box. So yes, you can widen your box, you can enlarge your box by looking over the borders to other areas. You can enlarge the box of your project team by having people with different expertise, different age, different channels in your project team. But your box will be your box. The new thing is to widen the box and sometimes peek out of the box, and let's see what other boxes are out there.

I'm really happy to see so many females. In Western Europe we have a problem: if we have a conference of 500 people and we have four females, we are really excited. Wow. That's really stupid. Because being female you have different expectations, and there's one thing I always use to tease. It wasn't actually research, but they asked lots of questions to people, like what is two times two, and what they saw is that for males in general a smaller part of the brain works, but for females a bigger part of the brain, more brain activity, was there, even though it was a logical question. The wrong male answer would be: yes, you see, logical work is more tiring for females. But the other side is that they look at different problems. We as males will focus on a problem and solve it; there are other things to look at, things we would miss out on and forget. So one thing is to enlarge your box: have different ages, different genders, and also look at what others do.

And then in 2012 I watched a TED talk from Ernesto Sirolli, and it's about his time as an aid worker.
I thought: it's actually quite the same problems he's addressing as we have. Because we, the security people, we want to help, isn't it? We want to make the world better. We want to help developers write secure code. And he's telling about his time in the 70s when he was a young aid worker from Italy going to Africa, because the Africans were starving. Apparently Italians are good at growing vegetables, so they might better go there and tell them how to grow vegetables. And they go there. There's a river that's annually flooding the banks, so that's very fertile ground. They're growing zucchinis and tomatoes. In his very funny way he says: in Italy the tomatoes were like this, and there the tomatoes were like that. They were really excited, a good harvest, and then guess what? The hippos came and ate it all. All the money, all the time, all the work was wasted. Hippos? Where do the hippos come from? They say: from the river, that's why we don't grow vegetables here, because the hippos will eat it all.

That's how we address problems. We hear a problem, with our box, our point of view, we go there: hey, solve the problem, I know the solution. We jump in, we don't ask, we don't understand the context. We have to answer because we are very smart security guys, aren't we? Super smart, we can break stuff. But did we understand the context? Did we really help them?
And then Sirolli says: at least he fed the hippos. One thing good. Other people raised money, time and effort, not improving anything; at least the hippos had a good time. So I want to take the analogy of the hippos for efforts, be it technology, time or money, that we can waste while not helping. That's very easy in security, to waste money and time and not really help. And the problem is, if you waste all the time and money, the worst thing is if you don't understand the context of those you want to help. It's not only a waste of time and money, it's also very counterproductive, and people will not talk to you anymore. So not only is time and money badly spent, also future work will be lost, will not improve.

So there are some security myths, and we as the security community are actually the cause of that evil. Because in the past, what did we do? We tell people security is the main business, isn't it? Security is the most important thing in our life. We will do security, so security will be over everything, the highest priority for project managers, business, everybody, isn't it? Guess what, other people have other priorities. It's not all about security. Security is expensive: if you want to have good security you have to spend a lot of money, because all the tools cost a lot of money, all the external consultants cost a lot of money. Security is expensive; you want security, right, you have to spend money. And last but not least, security is complex. Not everybody can do security; you need a very high intellectual security consultant for a lot of money to do security, right?

So guess what, who is actually managing software projects? It's the software project manager. What are the two major concerns of a project manager? Staying in time and in budget. So the two things he does not want are complexity, because of time, and something that's expensive, because of budget. So we are actually very good at hitting exactly those two things.
They don't want that. So they say: hey, security, expensive, complex, get out. Hey, we lost. It's a really big problem. So, addressing this, how should it be done? I really, really advise you to see the talk from Ernesto Sirolli and you will see the similarities.

First of all, security guys, don't be the mean security guy. It does not help. I have the fortune, or misfortune, of not being the smallest, six foot four. I have a beard because I don't like to shave. I get a more friendly face apparently now that I get gray, so over the years I get a friendlier face. I have long hair, so people are like: who? It's a real pity. You have to welcome other people with open arms and be friendly. It's the same when you take a bus in the morning. You get in, you don't look at the bus driver. You think next time you're late at the bus stop and you run, he will stop for you? Why should he? You never looked at him, you never wished him a good morning. That's very small things, and accepting people, looking over the border, being polite, seeing others, recognizing them. So don't be mean; be happy, be friendly.

Security has been known as the ministry of no. Guess what, saying no every time, nobody will ask you in the future. Don't upset people. I can't emphasize enough how easy it is. I see so many times a security report. Who does security testing? Who delivers a nice security report, a PDF listing all the issues, smacking the developers: you stupid developers, that's what you did wrong, huh? And guess what? The developers don't like them. Because they get a report of all the issues, but nothing about how to fix them. And it's a PDF report. It's worthless, because it does not live in their context. And I say: hey, I broke your application, how do you like me? Not.

My first code review was back when I was a mechanic and there was a PLC program for robotics in the injection molding industry, and sometimes it happened that a robotic arm got scratched between the molds of the machines. And I did my first code review, not knowing what a code review is.
I just had a course in PLC programming. I printed out the ladder diagram. It was a very complex program, a lot of robot arms moving. Guess what? I could find the problem. I was very happy, I found the problem. Next morning I went up to the developer and said: I found it, you have a bug. Was he happy? Of course not. Because me, the grease monkey, the guy from the work floor, I touched his code, I tell him he did it wrong. I did not understand back then: I would never be able to write the same program, because he was experienced and had so many considerations, timing, things moving, not hitting each other, supply chain and everything, but I had only one focus: finding that one bug.

It's the same for the security people. How many of the security people have a development background? That's really, really good. In the Netherlands I see more and more security people have no development background, and I don't mean: yes, at university I did code, I had a coding class. That is not development; that's hobby. Development is being in an enterprise project team with project managers, with the time pressures, all the considerations, and then security. Then you understand the context of the world of developers, how to help, how to address them.

And don't hide. I talked to a customer, I talked with the CISO. He says: okay, we have to improve security in our development life cycle, because, hey, that's compliance, we have to prove it. Who more do you want to talk to? I said: okay, I need developers, I need the functional testers. Functional testers: we forget about the functional testers for security. They really can help. But hey, they're non-technical, how can they help us? But they can. I need the project managers, the stakeholders. And the CISO was like: oh, you want to talk to all of them? So what do you think? We cannot do security by ourselves.
You have to go out there, be visible, have an open door. For the pen testers: a lot of pen tests are being done externally, or when it's internal then you're in your own room. So you come in with your sunglasses, your hoodie. Yeah, all the security people have hoodies, I don't know why. They're useful, and again, they're for free. So we all go in there. We don't talk to developers. We sit in our box, we do our security magic, and out comes a report. When you are there anyway, start to do the security testing with the developers. Don't hide, be out there, be visible for developers so they can contact you. Meet them, meet others, understand them. That's so important.

How many of you security people have developer friends? Talk with them about development, because when we talk with them about security, security is the compliance check, the report, the PDF we get. Talk about development. That's the one thing that catches developers, because it's their blood, tears and sweat. That's what really keeps them awake. So go to them and pay attention, listen to their problems. You can even help them when you go there, and not like being the bully on the school playground who kicks them, but be the pediatrician who looks at their child, their software, their code. They will appreciate that. The software is their passion. We just help them to improve what they're building eight-plus hours a day. Then you help them to improve that child, and then you are friends. Whereas when you smack them in the face: look at your child, three arms, one leg, ha ha, and when I kick this one leg it falls over, oh, it's on the floor. That's not worth it. So pay attention, listen, understand their context.

We have all the security tools, all the nice ones, and I don't want to blame the vendors, because they're really good.
We need the tools. But we have to integrate them in their context and in their world. I've been a developer and I really miss the floating sensation when you're developing, you are in your code. It's a situation I cannot describe: time and space are gone and you're hacking away. One time I stopped because my wife, my girlfriend back then, called me like: hey, you know the guests are at home, come back to this world. Guests? What guests? It's your birthday today. I'm coding. This sensation is so great. But now what we do is like: hey developer, do your great job, be floating, and by the way, every hour check the security report, or the security dashboard of this tool, and another tool you have to correlate, and then think in your code how to solve it. Will not work. So we have to deliver the security issues in their context, in their environment, in the way they can understand.

When I look in the ASVS, who knows the OWASP ASVS? It's the Application Security Verification Standard. It's a really, really good list of security measures. But actually, when you look at them from a developer point of view, almost none address developers. But we say: hey, that's a really good tool for developers. Developers, who is responsible for the decision on two-factor authentication? Nobody. It's not the developer's decision. It's a business decision, it's a risk decision, and the developer has to implement it. So going to the developers like: don't forget the authentication. Yes, but then what? How to do it?
That's how we should address it. We can go there and address them in the right way if we understand their context, the technology. Again, who is doing secure code review, and of those, how many people have a development background? Because that's what you need. You cannot review code if you don't know the technology, because you cannot sit down with the developers and talk about their code if you can't read the code and can't write it yourself. That's stuff you cannot imagine. So talk to them on the same eye level. You can be the crowbar to help them to improve the code.

I had a customer where I looked at the code and there was so much development debt, it was really dramatic. I said: guys, what are you doing? Have you never heard about refactoring, clean code, stuff like that? And they're like: yes, we know, but the business does not give us money and time to clean up the code. I said: what? The business says: we want new functionality, we don't pay for refactoring. It's like telling somebody who paints your house: yes, I want new paint, but I don't pay for scrubbing off the old paint. Don't expect them to stick with that for years. But that happens in the Netherlands. You are a junior developer for maybe six months. I don't know how it is here; how long are you a junior developer? Three years. That's really, really good. I wasn't aware. It's the same as what they said there, but in the Netherlands it's half a year. At my previous company we got developers fresh from the university. First thing we did was take them internally and really teach them about development, because the universities are lagging behind. Three years is really good, because then they have a really good base, but in the Netherlands it's half a year and then you're medior. So how long do you stay medior developer?
Another three years. So at least you have six years experience when you become a senior developer. Now imagine you are a project manager, and the average age in the Netherlands is 35, 40, 45. The average developer is between 25 and 30. So only on maturity level, when they talk about what has to be done, there is this human difference: a 25-, 27-year-old talking up to somebody who's almost 40. So it's not equal. That's really, really weird. And then you are a senior developer, you have six years, seven years, eight years experience, and then what is the next step in your career? Management, yes. So we have somebody who's really, really good and trained and experienced in development, and what do we do? We take him away from what he's good at into a position he can't do. Because he's a developer, he's good with the tools, but they're not really good at talking to people. We make him a manager. What could possibly go wrong?

So be supportive. Developers care about their code, and you can help them to improve the quality of the code. Many times, and every time, when I do a security check or a pen test or a code review, I always talk to the team. When you have a good team, they already know what's wrong with that code. They know what's wrong with the application, but they just don't get the time to fix it. And you are the external crowbar that can help them to improve the code quality. That's why I stopped talking to them about security. Dinis Cruz, many years ago, said: make security invisible for developers. I didn't believe that back then, but now I'm older and wiser and I have to say: yes, they're right. Developers do not care about security the way we do; we have had that passion for many years. But talk to them about quality. Help them with open source tools, coding quality tools, coding standard tools, and increase security by maturity of coding. You are the crowbar to give them time and money to improve the code and the security. You are the one they want to talk to if you help them, instead of teaching them tricks.

Something I see every time I talk to security people about how they set up a secure development life cycle: we are in a technology-loving time, so business believes: if I have a tool, it will solve my problems. Have a fancy new secure code static analysis tool and it will all be magically safe code, and then I have the OWASP Top 10 security check, isn't it? I have a green bar. So a green bar means I'm secure. Before you start implementing whatever tool or process, the most important thing is acceptance.

Security people, we have false positives and false negatives. A false positive is: the tool says this is an issue, but it's not one. A false negative is: the tool says this code is good, but it's not good. What do you think, what is more dangerous, false positives or false negatives? Who thinks false positives are more dangerous? Who thinks false negatives are more dangerous? It depends on who looks at the code. A false negative, for security people, is really weird, because we have no idea there is some bug or flaw, and we don't know. But when we talk to the developers: false positives cost them time and money, and they are not paid to review the outcome of your tool. So again, address the findings and filter the findings depending on who is reviewing them. When you are a developer and you are paid for developing, and then you have a list of hundreds of findings where 30% are untrue, acceptance of the tool will be really low, because it's not helping them.

Then, sorry, agile development and continuous delivery, continuous deployment; you know that here: developers, agile, security, DevOps. So we have this continuous development and delivery train, isn't it cool? We build code, hit the button, it compiles, it does the tests, it packages, it deploys to test. Then comes the first security toll gate, the secure code review. So they stop. Then three weeks later they get the findings. They're already on the release further. We found an issue. No, it's a toll gate.
It's too late. The next thing is another button, another compile, build everything and deploy to acceptance. Now we do the penetration test. What is the time you can start with secure code analysis? The moment you set up your build tools. Because you don't need a line of code to integrate it. You can already, in your build process, find the small bugs, the low-hanging fruit, with your code quality tools, PMD, Checkstyle, FindBugs, and your secure code analysis tool from whatever vendor, very, very much in the beginning. Not waiting for tests. When they develop, every morning have some results. Even better is when it's integrated in their IDE, so when they're writing code they already get the feedback on what they should do. And you need acceptance, because otherwise they will try to code in a way that is not detected by the tool, and not be better by default. And the same with the integration of dynamic analysis: already the moment you set up your server, the moment I have a target system, I can start penetration scanning. Don't wait for acceptance; that's months behind development time, months too late. So the earlier you set it up, the target, the validation, the scanning, and start appreciating.

Whatever job you have, whatever work you do, if you aren't appreciated in what you're doing, you won't do your best. When you come to a customer and instead of being accepted and welcomed you are put in a small room with a broken chair, I had that one time, that's a sign they don't want to have you there. The same when you go to a public restroom and the woman there is appreciated by the workers: she will keep it clean. When you go to a restaurant or your office canteen and the cook or whoever waits on you, you address them.
They will be happy and look at you. Guess what, the same for developers. When you appreciate them, when you encourage them to improve their code, when you encourage them to learn and strive for better code quality, they will do better jobs. In the Netherlands, as a developer you always have the same pains. Business always says you are too expensive, it takes too much time, and there's always the threat of being outsourced. You are a young developer, your career is developing, you really like the code, and they say: yes, but we might outsource your department in two years. That really encourages you to do the work, isn't it? So encourage by appreciation. Help them to build secure code. Don't be the ministry of no. It's very important: you are there to help them. Ministry of no: when you always say no, you won't be asked for help. So be open-minded and listen to them. Security is not about saying no; security is about making functionality possible in a responsible way. Data will be exchanged, transactions will be executed, and you are the guys who can help developers to make that happen in a responsible way and not a wild west. When you go to them, when you talk to them, that's how I want to conclude this: take the advice, when you really sit down with them, the most important thing, don't start with what's on your mind. Start with: shut up and listen. Thank you.

Any questions? I'm over 40, so you have to speak up.

Yeah, so the question is about the interaction with the development team: whether there will be in the future more part-time security specialists than full-time. We do need security specialists; security is not easy. It definitely needs specialists on some subjects, but we have to make developers security aware by coding. So yes, more interaction, more open door, but more understanding on both sides.
In the past I saw that security people came from either functional testing or from compliance, and now we need more people with a technical background to understand that. So from the development team the mindset change, and more like a proxy interaction. More questions maybe later on over coffee. Thank you.

Shut up and listen, my wife.