Okay, yeah. Hi, Rishwini here. Today I'm going to talk about the application security champion. First, I would like to know how many developers are here, so that I get an understanding of how deep I have to go into the development side. Okay, it's about half of you.

To start off: why do we need an ASC in a team, and how is it going to help the development team implement security? This is what we are going to talk about. I'm an application developer and a security-interested guy.

Nowadays a lot of companies are going to implement security. But first of all, why do we need to implement security? That is the biggest question, and the companies are investing a lot of money in implementing it. All the companies are investing in security because of data loss. If you see the records in past history, data loss happens across the world for all the companies. If you go into the details of how much data loss happens per year, you can see 2014, 2015 and the latest, 2016: this many millions of records have been lost from companies. That happens in two ways: either hackers get in, or it happens from inside jobs. Inside, in the sense that the people who work for the companies have access to all these things. In September 2015, Infosecurity Magazine released a statement saying that 43% of data loss occurs due to inside employees. It might be either known or unknown: they might know how the data is getting lost, or it happens without them knowing, like misconfigurations. That is how the data is getting lost, and hackers can easily get into the servers and steal the data.
That can happen by not implementing security within the internal applications. Let's say a hacker somehow gets into one of the servers; then he can use the internal tools or internal applications to get into other servers. So the developers have to think about how the internal applications have to be developed securely, so that they defend themselves. For that, let's say we have to build security into the development lifecycle. What is that going to do, or how is that going to help the development team or the company in implementing security?

If we talk about how teams are implementing security right now, without going into detail: this is the SDLC, with analysis, design, development and testing. All these phases are part of the SDLC. If you look at this part here, as part of testing, security testing is minimal; you can see how minimal it is within the SDLC. What that costs is this: when the developers want to do security testing, they might be doing it at the end of their SDLC. That means they are not ready to spend time on security testing; they might be hurrying for releases. So that brings in this remediation cost when they find the security issues at the last minute: how much time or how much cost it takes to remediate those security issues. How do we solve this? How can we make sure security is implemented across the SDLC and flip this cost? Right now, as you see, we are not going to concentrate on security in the analysis, design or development phases. During testing there will be a security team, a professional team, who does penetration testing, static code analysis or dynamic testing.
If a development team engages those security professionals at the last minute, they might have one or two weeks to test the application. They might find a few issues and say, okay, these are the issues which have to be remediated. But at the last minute the developers might not have time to fix those issues, and they will be releasing into production. Let's say the major issues might have been fixed, but not all of them can be fixed at the last minute. And it is proportional: if you find anything at the last minute, it takes a lot of time again to fix those security issues, because it has to go through all the phases again: development, testing and releasing. That is why remediating security issues at the last minute costs a lot of time.

To fix that, if we concentrate on how we can implement security to avoid those things, it has to be implemented horizontally, not vertically at the end of one stage. Security has to be implemented in analysis, design, development, testing and the release phase. That is how we start thinking of security from the initial stage to the end. It has to be implemented across the SDLC, so that whenever you develop any application, security goes with it through design, development, testing and maintenance. If you see security implemented across the SDLC like this, it takes a lot of time and thinking to implement all these things, and we might need more security professionals as well, so that there are not a lot of security issues after releasing your application. That helps flip this from a cone to a pyramid: a lot of security issues are identified in the initial stages and fixed then and there, before they go to the next phase of your SDLC.
If you see here, this is analysis and design, development, testing, and at the end production or release and maintenance. It does not mean we do not find any issues at the last minute of the SDLC or in production. Of course there will be issues, but most of the issues will be found out here, and the minimum of issues will be in production.

To implement this, let's say we have 10 development teams. We might have one or two security professionals in the organization. Let's say we have 100 development teams: we might not find enough security professionals to include in each team to implement from here to here. That costs the company a lot: hiring many security professionals, engaging them with the teams, and each professional has to have product or domain knowledge of the product that team is developing. To solve that, a few people thought: we have multiple development teams, and to implement this SDLC we might not have a security professional for each and every team. The way to resolve that is to identify a developer or a manager who knows the domain and the product and has a little development knowledge. They will be nominated as security champions. What they do is take care of security issues across all the phases. These security champions will be trained by the security team. An organization might already have a professional security team who knows things end to end, and developers who have minimal security knowledge. The security team will train one of them. Why not all of them? It takes a lot of time, and not all of them might be interested in security. So one member will be nominated as a security champion, and he or she will be trained in security. What is the use of that?
That ASC will be the first line of defense for your products or for your team. He will be remediating the security issues within the products, and he will be engaging with security, the architects, the development teams, and the post-release activities. He will be engaged end to end in the SDLC. He will be doing some code reviews during development; when there is a code review he will identify, okay, there is a SQL injection or cross-site scripting. Those things will be identified as part of code review. And he will make sure the product goes through all the scans, so that issues are identified and remediated.

Now we have an ASC; how can he implement all of this within the products? When and what has to be implemented? Like I said before, security has to be implemented horizontally, not in a few parts of the SDLC. What has to be done in analysis and design, in development and testing, and in post-production releases? There are a few tools which help ASCs or security teams identify whether there are any issues or bugs in your code.

Let's talk about analysis and design. Before I develop any product, how can I know if there are security issues or not? How will a development team, or someone who is building a product, know what has to be implemented as part of security? Before development, the architects might know what has to be implemented in the product from the domain knowledge, but not the security side. There are a few tools which help in implementing it. SD Elements is one tool which gives you the security requirements. With SD Elements you have to fill in a 30-minute questionnaire; it asks questions like: which platform are you using to build your product, Java, .NET or any other language? Is your application a web application or a Windows application?
Do you have web services or Windows services, or do you have a web API implemented in your product? Once you fill in all those questions it gives you a report or analysis saying: these are the things which have to be taken care of. Let's say authentication: have you implemented authentication in your project, or authorization? All these things will be part of the SD Elements report. Once you see this, the architects and the ASCs will know, before starting the product, what has to be implemented as part of security. That is how these tools help. There are a lot of tools, but here I have used only a few which I can explain. That is how security in the analysis and design phase is taken care of.

If we move on to the development and testing phases: now we have security requirements. Once we have the security requirements, developers will be developing their product. Like I said, once the product has moved to production or the testing phase, it's very hard to get it back to fix all the issues. There are a few plugins which help as part of your development: as soon as you write code and save it, it says, okay, within your code you have a few issues, how to fix them, and why that line of code is an issue. There is the SecureAssist plugin, which supports Visual Studio and Eclipse as well. Once you save, it says whether there are any issues in your code. And there is SonarQube. This is an open source project which helps identify whether all the rules have been met within your code. Once your code is committed to SVN, there are plugins which can be integrated with Jenkins for SonarQube, and once you commit the code to SVN it has rules defined on the server or wherever the configuration location is.
It takes that rule set, applies it to your code, and says, okay, this line of code violates this rule. That happens after development, once you commit the code. So as soon as you commit the code you know what the issues with your code are; this takes care of the standards, and you can fix them after that. Before it goes to testing, these tools help you identify a few issues which can then be fixed.

There are a few other tools like HP Fortify, Veracode or IBM AppScan. These are the static and dynamic analysis tools which should be going through your code. If we talk about static analysis, it identifies the issues: HP Fortify or Veracode go through all your code without executing any of it. Without executing, it identifies your issues. Let's say there is some SQL injection in your code, or in your XML files or web.config which have to be configured: all your configuration, if it has any connection strings, and your connection strings might have a password which has not been encrypted. Those issues will also be identified as part of the static scan. It gives you reports, and those reports can be sent to your management to say: this many issues are there, and these issues need this much time to fix. Then you can prioritize, and actually the tool helps you prioritize whether the issues are critical, high, medium or low.
Once the tool identifies whether an issue is critical or medium, it helps management take a decision: at least the critical issues have to be resolved as part of the first release, and later we take care of medium and low. These tools also give you remediation code samples: this is an issue, why it is an issue, and where that issue has come from. Let's say we have an input field which doesn't have validation: it accepts a string, you can enter any star or percentage, that goes onto the end of the SQL, and then it fetches all the records, which the application shouldn't allow. Those kinds of issues will be identified as part of the static and dynamic scans. When we say dynamic scanning, these tools will deliberately put a lot of malicious data into the input fields. Let's say your web application has been moved to UAT; once it has been moved to UAT, these dynamic scanning tools will validate each and every field and then give you the same kind of results again.
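The unvalidated search field described above, and the last-name lookup the speaker later describes catching in code review, come down to the same defect: user input pasted into the SQL text. The block below is an added example, not code from the talk; it shows the vulnerable query form beside the parameterized form a reviewer would ask for, plus an input-validation layer, against an in-memory SQLite table. The table and column names and the sample rows are constructed for this example.

```python
"""Last-name search built two ways: SQL assembled from user input, and the
parameterized form a code review would ask for.

Added example, not code from the talk. It runs against an in-memory SQLite
table filled with constructed sample rows; the table and column names are
assumptions made for this example.
"""
import sqlite3

# Constructed sample data (not from the talk).
SAMPLE_USERS = [
    ("alice", "Anderson"),
    ("bob", "Brown"),
    ("carol", "Anders"),
]


def make_db() -> sqlite3.Connection:
    """Create the assumed users table in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, last_name: str) -> list:
    """The pattern the talk's code review caught: the search string is pasted
    into the SQL text, so a quote in the input changes the query itself."""
    sql = "SELECT username FROM users WHERE last_name LIKE '" + last_name + "%'"
    return sorted(row[0] for row in conn.execute(sql))


def search_parameterized(conn: sqlite3.Connection, last_name: str) -> list:
    """Hardened form: the value is bound as a parameter and never parsed as
    SQL, so a quote or 'OR 1=1' in the input is just text to match."""
    sql = "SELECT username FROM users WHERE last_name LIKE ?"
    return sorted(row[0] for row in conn.execute(sql, (last_name + "%",)))


def is_valid_last_name(value: str) -> bool:
    """Input validation as a second layer: reject anything that is not a
    plausible last name before it reaches the database at all."""
    allowed = set(" '-")
    return 0 < len(value) <= 40 and all(c.isalpha() or c in allowed for c in value)


if __name__ == "__main__":
    db = make_db()
    probe = "' OR 1=1 --"   # the quote-and-1=1 input the speaker used in review
    print("normal search:  ", search_parameterized(db, "And"))
    print("vulnerable form:", search_vulnerable(db, probe))      # every user leaks
    print("parameterized:  ", search_parameterized(db, probe))   # nothing matches
    print("validation:     ", is_valid_last_name(probe))         # rejected up front
```

Static analyzers flag the concatenation in `search_vulnerable` without running it, which is the "without executing" detection the talk describes; a dynamic scanner would find the same defect by submitting the probe string to the live field. The parameterized query is the fix, and the validation function is defense in depth rather than a substitute for it.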
All these things will be applied as part of testing. This tool helps as part of your development, SonarQube after you commit the code to SVN, and the static and dynamic tools help after your code is committed to SVN, when the static scanning happens.

For all these things, you are the one developing the code with the development team. But let's say you don't have the code: you might be using third-party libraries, and you might not have the code for them. How do you scan, or how do you implement security, for that part? You might be thinking, I'm using only one third-party library, but that library might be using another library which automatically downloads into your code, and developers might not know about that. So how do you scan those open source libraries which you don't have the code for? A few tools, like Black Duck scanning, help with all those third-party libraries as well. It maps issues in third-party DLLs or any other products against its own vulnerability database; it maps all of them and gives you a report saying, okay, these open source tools or products have this many issues. Once the code has been scanned by Black Duck, it gives you the reports, and with that you can see: this many pieces of software which I am using have this many issues. At that point you might take a decision about whether to use that open source component or not; these tools help you take those decisions.

There are a few other tools like Metasploit, which are used for penetration testing. So we have seen the security requirements which we consider here, and as part of development we will be using them, and here static and dynamic scanning, and here third-party libraries or open
source code. Once the application moves out of testing it goes to pre-production and production. These tools will be used by the penetration testing team or security professionals. All these tools might not be used by the security champion; he might be the only one in your team, one or two guys. There will be a professional team, who have already trained this security champion within the team, who will be doing the penetration testing and then sending the reports to the team.

Once we have implemented all of this from analysis and design to the release, are we done yet? No, actually it's not. This process has to be repeated every time. Let's say an agile sprint starts every two weeks: from start to end you have to repeat all of the process, scan all your code, and whatever issues have been identified have to be fixed as part of the next sprint. That is how you resolve them; before it goes to production there will be multiple sprints or multiple cycles which your code goes through. That is how we can implement security horizontally.

Coming to that, a security champion will be one person in the team. Can he implement all of them, or can all the security issues be fixed by him? No, he might not. That is why he has to build a culture: in my absence, or if I am not the one fixing all the issues, I need help from the team. He should be training all the members in the development team with the knowledge he has gained, so that all the developers are aware of the security issues and know how to remediate them, and it goes on and on.

That is the slides, so I am going through the summary: what the problem is here, the data loss across the applications and the organizations, and how to implement that. So, a
security team and the development team come to an agreement and nominate a security champion. He will be trained, and he helps other members in the team fix all those security issues and brings awareness within the team. That ends the presentation. Are there any questions?

Those tools are designed for multiple languages like .NET, Java, PHP or classic ASP. Each tool might not support all the languages, but they support the major languages. Right now we have AngularJS; they might not be supporting new technologies like AngularJS, though it has been in the market for the last two years, but for the common ones like JavaScript, .NET and Java they support them. And you have plugins which can be integrated with Jenkins, so that you have a rule set you can apply for whatever language you have. Anybody else?

Sini, I just want to ask: apart from these tools, what about training? If you want to change the culture in your development team and train your developers in secure coding, how do you implement a training culture in your team, from your experience?

Okay, let's say once an ASC has been nominated within a team, he will be a developer who has domain knowledge. If a security professional had been assigned to this team without any ASC process, he might not know the product. Let's say he identifies a major issue that might be part of this domain, and the developers say, oh, this is not an issue. That is why the ASC is trained by the security team, saying, okay, these are the things which you have to take care of, and he will go through the training, let's say 30 hours of training. That might give him basic knowledge of security, and he is already working on the product, so he has the domain knowledge. He is the one who judges
whether this is a security issue, or whether the product can go out with this issue, or whether this is a minor one which has to be fixed later. He takes care of those decisions, and he helps the team take decisions from a security perspective. Once he has to pass on the knowledge, it's up to him; he has to build that culture. It's not mandatory; he might keep his knowledge to himself. But like Stephen said in the very first presentation, these things have to be considered as a culture, not as a responsibility or a role. It shouldn't be taken as a role; it has to be a culture. That depends from person to person. He has to pass on the knowledge so that he gains more, and then it passes on to the team. It might not be that he gives another training to the team; it might be that when a code review happens he can explain, okay, this is how the issue happens.

I'll give an example. Last week I was reviewing code which was supposed to give the list of users matching a search on last name. How it was implemented: you give a last name, it fetches whatever matches and brings all the matching users from the list. I gave it a SQL injection, like a quote and "1=1", and it brought all of them. That is how we explain how this is a security issue and how it can be fixed, so that the team knows this is an issue. That is one part. The other part: you can train the minimum things. Let's say one training is how SD Elements can be used, and another time, when you have time, you give training on the other tools which have been implemented. That is how you train, one by one.

When the security team gives a report to the management, specifically the product side, mostly they just don't give priority to the security issues, because it's coming from the security team; you have to explain
why it has to be prioritized. But from your experience as an application security champion, when you talk about those issues with your management, your product owner or the scrum master, how do they take it? What is their response when you present the same issues? I am from a security background, and I know how it is from our experience: when we go to the management, product owners or scrum master, they say, we have a release, and all that. But since you have domain knowledge of your product and you also have security knowledge, when you go to them with those issues, what is the response from the product owners or the scrum master?

Okay, let's say a security issue has come from the professional security team. They might have already put it in a list saying these are the high issues, these are the medium issues. The ASC might already have his own set of issues from his static analysis or dynamic analysis. When it comes from the security professionals, the security champion gathers all the security issues together and then creates: these are the high issues, and within the high ones these three are mandatory and have to be fixed with the next release; it shouldn't go without these fixed. Then he has to explain to the product owner that the product will not go out without these issues fixed. They have to come to an agreement; there should be a negotiation saying these issues can stay for later and be implemented later, but these have to go in. That is how you negotiate with the product owner. You can't implement all of them together; he might not be interested in implementing all of them together, that's his job or his role, so he will not approve all of them, but you have to negotiate how many you can implement within that sprint.

Yeah, it depends from company to company or
organization to organization. You can have like 10 people and one security champion. It also depends on how many applications your team handles. Let's say a team of five people is developing five products; that might lead to one person handling all five products along with his development, which takes a lot of his time. There you might nominate two people: for analysis and design, let's say the security requirements, I'll nominate one person, and for another phase I'll nominate another person. These two will take care of their phases, and of multiple applications as well.

Not actually: if we don't nominate an ASC, you have to hire a lot of security professionals and engage them with individual teams, and that takes a lot of security resources, like 20% as you said. But you already have a development team, and you will be nominating one of them, so you already have a resource; he will be trained in security, so you are not actually bringing in new people, you already have the resource.

These are two separate arms; they work separately from each other? Not actually: he engages with all the architects, the security teams and the developers.

The context behind what I asked is that security is constantly evolving. If you have an ASC, how does the ASC itself get trained? That is one point we're looking at. And how are these two linked to each other? Because there needs to be a point where the ASC continuously works with the security team, otherwise he's going to be working with stale information and a stale thought process.

The first thing, how the ASC gets trained: organizations already have a professional security team, and they will be training these nominated people, like I explained, 30 hours or 40 hours of training, however much time it takes. They have to train them; it's mandatory, or you have to get external resources to get them
trained, because unless and until you train them they are not going to know about security. Once you train them, he might not get end-to-end security knowledge, so again negotiation happens there: how much of the load can the ASC take? Static scanning through to dynamic scanning he might take care of, but apart from that there is penetration testing, and he might not have the knowledge for penetration testing. So the ASC will take care up to static scanning, and the professional security team might take dynamic scanning and penetration testing. Up to this phase the ASC will have the continuous integration setup: the security professionals provide rule sets, saying these are the rule sets which have to be followed; they apply that rule set to the code which has been developed, and then the reports are generated. The ASC helps the development team implement the rule sets given by the security professionals, and after the static scanning the product goes to the security professionals, who take care of dynamic testing and penetration testing. The security champion has to engage the professionals to go through the process; only then can it go to pre-production or production.

So it's essentially shifting the activities from the very right to the very left. You don't need two security professionals. Yeah, as he said, you give the same tools that the inspector on the right uses to the development team early on, to get the feedback on vulnerabilities back to them so they can fix it while they're still working with the code, as opposed to having shipped the release or handed it to the testers and moved out of the zone, then going back, re-ordering and implementing them again. It's just much more efficient that they can actually scale this and do it with the same tools that the security people are using, so they can understand.

Hi, my name is Dal. I
work for a municipality, and have for quite some time. We've been working with all the schools and all the security classes, and we have big issues with security changes. These tools give you vulnerabilities but not best practices, and best practices are changing all the time. Once you give some power to the security champion, he will guide you to something that is probably not the best-practice solution. So you're giving us a very good thing, champions for everything, and everything is good, but then the champion thinks that he has the answers. Once he has the answers he gives the answers to the development team, but then the development team thinks, okay, I didn't get this order, what's happening here? So it gets to the release with security issues, and there's a big, big mistake in giving some power and understanding of security to people who are not security people, who are very professional but hard to call security. As we saw, we took this power from these people: no more security champions anywhere; I'm the security champion.

The second one is quantifying vulnerabilities and giving time. These tools give you check marks, and all the tools give you hundreds and hundreds of vulnerabilities. You cannot quantify time; there's no way to quantify time and tell the manager, okay, this will take like 20 to 30 minutes or 30 hours of work. This is not possible, as was said, in agile. Probably it will take a few SQL injections; okay, it depends on what type of layers you have for the SQL injection.

And the third thing that I wanted to share with you is that I have this very big issue: this type of spread process is about best practices against vulnerabilities. Sometimes you see, in the development team, this practice showing up everywhere, this practice
everywhere, and we say, okay, this is the best practice. It's not the best practice, and you will probably see some security issues in this type of practice, maybe not now but in the next few months. So sometimes you don't really know how to approach this: are you approaching best practices in the coding, or are you actually looking for the vulnerability? You have to look for the vulnerability and show the developers: there is a vulnerability, now fix it. But then you get frustrated, because you see this is very bad practice. How do you deal with this type of feature? People are working with bad practice, and there might be real issues in there, but you don't really have the time to look for that. They give you like 10 hours, but you know the hacker has 30 or 50 hours, and you know for sure that if you were going to explore it you would probably find something. That is the big thing, another one.

Coming to your first point: you said the security has been handed over to the ASCs. That is a wrong prescription. How it should be: ASCs are not the ones who take care of every security issue. He is not taking the decision to release a product into production; that will be part of the professional security team. He helps the team identify the issues and fix them as early as possible, but at the end, if the product has to go to production, it has to go to the professional security team, it has to go through their gateway. Then they know, okay, this application has been implemented with CI, it has this many issues, this has been fixed, this will be fixed as part of another sprint, but all the mandatory ones have been fixed. That decision-making has to be the security professionals', not the ASC's. He helps the team; he does not take the decisions. If he is the one who takes care of everything, then that's the wrong way of implementing the ASC;
That shouldn't have been there. Is there not any reaction? PHP at one point of time used to have something called magic quotes, which was a security feature, but the abuse of it was so bad that PHP decided to take it out. That's the problem. I actually agree with this. What would happen is the thought process thinks, "Hey, you did it, so you should be fine," and that's where the problem is: you might actually put in a system which is very good from a thought process, but when the abuse happens, how do you handle it? And that's where we really want to think. I'm not saying the system is wrong; I'm only thinking about how you handle the abuse where people make use of the system.

And then what do you see if an issue has been identified by any of the tools, saying, okay, like you said, that issue has been alerted, and this security champion, or whoever this guy is, says, "Okay, without fixing this issue it can go to production"? Then he should be giving a reason to you, a security professional, saying why he can go without fixing that issue, and then once you say, "Okay, I accept the reason he gave me," only then will you be allowing it. Like I said before, he should not be taking a decision of releasing it to production.

Identify the situation: are there situations where there are false negatives, where an identification has not even happened and we're assuming it's clean? It is an assumption, and we are assuming it's clean and passing it to production. That's where the problems get started, and we've taken a problem to production.

Adding to your second point, how to quantify the effort: yeah, actually it's a big problem. So initially, how it works, you have to reach a point where you decide on an implemented system. Let's say you find a security issue; you pass it to Jira, right? So Jira, or any bug tracking system, has a very good thing: the issue, when it's logged and when it's closed, or when it's
verified it's closed, right? So there you can calculate a mean time to remediate, right? So initially, when you start a security program, for the first or second year you won't have the mean time to remediation, but after two years, when you have at least one category of issues, like SQL injection or cross-site scripting or any other issues, which has been fixed by the development in the last two years, then you have data to calculate or decide what the mean time to remediate is for a particular category of issues. And that's where, once you have the data, you can implement the mean time to remediate, and then in project management, specifically I'm talking in terms of project management, you can give data to the project management team: "Hey guys, you have 10 XSS issues, and as per our past record it takes this much time to remediate this, so make a plan to remediate these issues; this much effort or time will it take in this sprint." So that's how you calculate.

This is for a huge organization; once you have a small organization, it's very hard to get this information, and people don't gather this information too much.

I'm adding to this point, and it doesn't make you only security, right? A product owner's job would be implementing all the stories within that sprint. At that time, a scrum master or a developer says, "Okay, we can't implement all of them; we can only implement these things." You have to negotiate with your product owner: these are the mandatory ones which have to be worked on right now. So that is how you negotiate with your product owner, and you have to implement solutions for this, and this for XSS.
Once you give a reason to the management, saying that, okay, at the end the actual security team doesn't allow your product to go to production without fixing this, then he doesn't have any option.

I want to interrupt over here. You know, I do a lot of this sort of work. I think we should have a session where you actually describe this, so we'll all understand how to do it better. In fact, I'm serious: at an upcoming event Stefan's got a workshop on this very topic, on how to make sure it is rolled out the right way. I think we should actually discuss this.

Can you please just take the last question I had about the best practices again? Vulnerabilities with the development team: how do you approach this? The development procedure is bad practice, or I don't know.

No. One thing I would like to say is we shouldn't be forcing anyone to implement anything. Once you force, they'll be going into a defensive mode, saying, "No, I'm not going to implement this." You have to try to say, "Okay, you can implement this way, or if you implement this way our product doesn't go through the security group; if you have to implement this way, if you find the time, you can implement this way." So it depends from person to person how he takes it when you say this has to be implemented: he might take it as a positive, or he might take it as an improvement.

Yeah, I guess we can have more discussion on this topic. So it's important, actually. It's just a management perspective. Yeah.

I'm also curious to see who of you has heard the term security champion before this talk today. Okay, quite a few.
So I think that actually the benefit is, one, scalability, and two, culture, because when somebody comes from a security team that maybe does no application development and tells you what to do, it will always immediately be a different kind of communication. But if you can have somebody in that team that cares about security, and not everybody does, you will be able to have a very different conversation about the same topics, one that is more like working together, in the DevOps way if you will, as opposed to "you have to do this now," etc. So I think there's definitely value in having security champions, especially as there are not enough security gurus out there to scale across the whole world; it's just not going to happen. We have to start somewhere, and I think by getting security champions into the mix and starting at least somewhere, it's really going to make a difference in the long term. Okay. Thank you.