Hey, everybody, welcome to the last session of the first day of Cloud Native SecurityCon. I expected a round of applause for that. Yeah, I expected that. You got the right idea. Yeah, I know it's the last session of the day. Thank you all for coming. There's just too many of you. If there were, like, three fewer people, I'd just go around and we'd have a conversation instead of doing this talk. But there are just enough of y'all to do the talk. I do have stickers up here. So if you want this logo sticker, the shiny one, or one that says GitGuardian, come up and get them afterward. Take as many as you want, because I've got to haul them back with me if I don't get rid of them. But let's jump in.

So I'm Dwayne. I live in Chicago. I flew out here for this. I've been a developer advocate since about 2016. I used to work for a company called Pantheon. That guy over there did as well. This guy's just walking in. Hit me up on Twitter or Mastodon at mcdwayne. I'm on mastodon.social. But if you look at my Twitter, it directs you to mastodon.social. Happy to talk about anything tech, but I'll also talk about improv and punk rock, rock and roll in general, karaoke. If anybody wants to do karaoke later, let me know.

I work for a company called GitGuardian. Anybody here know GitGuardian? Awesome. We are secrets management, or secrets detection and remediation primarily. So if people hard-coded their secrets, that's what we're helping people with. But we're also a platform helping people do other things like IaC vulnerabilities. Later this year you'll see more and more stuff from our platform around static code analysis. But I'm not here to talk about any of that. I'm here to talk to you about something that I'm actually passionate about. I'm not that deep into security. You've seen and heard from a lot of experts here today. A lot of people have been doing security for 20-plus years. That's not me.
Instead, I got a crash course in this stuff over the last six months of my life, and that's what inspired this talk. So what does good security actually look like? I think it looks like this. Yeah, absolutely. This is: I'm not worried the alarms are gonna go off at three in the morning. I'm not worried my perimeter's been breached. Good security means I can go camping and not worry about the house burning down. It means I go to my favorite concerts and don't have to leave before the main act or the encore because an alarm bell went off. And ultimately I get to spend time with people I love doing something that I wanna do. Look at the look on those kids' faces. They are so happy to have their parents home. That's what good security looks like to me. Because all technology has a human cost associated. Whether we admit it or not, we can talk about SBOMs till the cows come home. We can talk about automation. But at the end of the day, it is human beings doing this stuff.

So what does bad security look like, if good security looks like that? Well, I'll invoke Tolstoy here. All happy families are alike, but each unhappy family is unhappy in its own way. But there are some commonalities. We've all lived through Apache Log4Shell. I won't beat this up anymore. It's very old at this point, 2021. But Uber from last year, who remembers this? It was a 19-year-old kid in the Lapsus$ group. Pwned Uber just 'cause he could. He got into their Slack channel and even bragged, hey, I own this thing now because you left your passwords in PowerShell scripts. They didn't believe him. So he went to the New York Times, and that's how we found out about it. Just a kid causing trouble. And then who fell victim to this? Who has CircleCI in their infrastructure somewhere? Probably not anymore. Waking up on January 12th to have all your tokens just revoked. I don't know, the fourth was when the revoke happened. Like, that affected my company.
All of a sudden the system just wasn't there anymore, because it wasn't able to access it, because, hey, we got compromised. We just had to rotate this stuff. Still an ongoing investigation. The full scope of this still isn't known. Who all has been affected, what customers of Circle's have been affected? Still a mystery. But we can all agree there are some pretty unhappy people overall, because they're dealing with this. And these are 24-hour shifts of figuring out what to do and dealing with really, really unhappy customers. And security teams are really outnumbered out there. Alec Trice said it very succinctly: in the best of organizations, developers outnumber security teams 100 to one. That is 100 developers to one little security alarm over there. Just put in perspective what that actually looks like. Again, this is the best of organizations.

So what do we do? We just shift left. Let's make everyone wear the security hat. That's, I think, the fear of shifting left. Like, what shifting left is supposed to mean is a little bit different than how I think a lot of people interpret it, especially from the gut reaction of developers who are like, okay, it's one more thing on my plate. Okay, I've got to do one more thing to implement. One more API to worry about. One more dashboard. One more, and I'm already fighting Kubernetes full time, because, man, everybody loves Kubernetes. There are only seven hours in the day. So from the dev perspective, like, I can't just focus on that. And from the business perspective, who's paying for this stuff? The business perspective, I think, looks like this to security. I think it's getting better as more executives and more boards know what, like, SBOMs are, thanks to the presidential executive order. But security simply looks like that. Hey, we got breached. Let's focus on security. Hey, everything else slowed down. Let's speed it back up. And let's go through that vicious cycle until, well, that's where we're at.
And sure, there's a tool for that somewhere. One of these does something. We're on there somewhere, I think. And this is what I think it feels like in security overall, especially if you're a developer at a smaller shop, especially if you are feeling by yourself, you're isolated, especially if you're remote. Who has ever read Through the Looking-Glass? If you haven't read Alice in Wonderland and Through the Looking-Glass, read them; they're tremendously good books. A brain cleanser, they're just nonsense. It's wonderful, wonderful, mathematical nonsense. But it's true. We have to run as fast as we can just to stay where we're at. And to get anywhere else, we've gotta run twice that fast. That's exhausting. And that's why I think the industry has such crazy high turnover. That's why everyone's like, 90% of people in America are looking for another job right now. This is why, I think, in part.

And I think everyone that just saw all of that and was processing it is thinking in their head, well, wouldn't it be nice if there was just a group of really nice people that would help me with all of this? Well, there is. It's called OWASP. Who here is a member of OWASP? Yay! You probably didn't even need to come to this talk. Who here is familiar with OWASP? Yeah, more hands. Who here could explain OWASP to an audience? Well, that's what I'm doing, literally, so I hope I can do it. OWASP stands for the Open Web Application Security Project. Started over 20 years ago. In fact, this is the 20th year. 21st year, depending on when you count dates and how all that works. But anyway, they're a nice group of people that do nice things. They have a mission: no more insecure software. But as we saw from one of the keynotes, there's no such thing as secure software. All software's insecure. But if you set out the mission of, like, hey, we've gotta stop insecure software, that's a good mission. 'Cause that is a non-stop mission. And why not get there?
It's a journey, not a, hey, we'll one day reach a peak. If you go read their mission statement, it's really well thought out. They argued a lot in meetings over this, I'm sure, for years, but they got to this. I'm not gonna read it out loud. It's pretty long. But you read this, you go to their website, you find this, and then I think everyone I've talked to that has hit their website says this: yeah, but what do I do with this? This is a great website and all. How do I navigate this thing? Even Mark, give me just a second. Mark Curphey, sorry about that. Said in an interview last year, he was one of the founders of OWASP, said the organization has become a Byzantine labyrinth that new people cannot navigate. And that's one of the reasons he stepped away. I don't think it's that bad. I think it breaks down to, like, hey, they do these five things. And all these five things are really, really deep. And that's, like, why I think people get confused. So I'm gonna break these down and then talk about how to get started from where you're sitting.

So first is projects. This is the thing they're known for. The big one they're known for is their Top 10. We'll get to that in a bit. But basically a project is just an open source repo you can contribute to, or go pull code from, or go look at, go examine. Volunteers built it. Some of those people are experts. Been doing this for 20-some years. New stuff comes in all the time. I just updated this, and I'm not 100% sure these numbers are right. But I just updated this yesterday or Monday. 250 total projects in any conceivable state. And 157 in a usable state. What do I mean by usable? They're in one of these states. Flagship projects, production projects; there are no production projects right now. But that's something they invented in October of 2021. I don't know, October 2022. Say nobody knows what flagship means.
So we're gonna make a whole new category called production-ready projects, production projects. And we'll move flagship projects over there once they qualify. We're in January of 2023. So far nothing's qualified, because it's a crazy giant list of things you have to check off. And even the Top 10 doesn't qualify at the moment. ZAP doesn't qualify because of all the bugs. But we'll get to that later. Lab projects. And then incubator projects. Then there's a whole bunch of others that don't qualify on anything like that.

So there are 18 flagship projects currently. These have some kind of serious strategic value. If you're gonna start anywhere, start with these flagship projects. Just roll through them and say, hey, could I use this? But that's still putting a lot of weight on you. We'll get to that later. 34 lab projects. Labs aren't quite flagships. They're being worked on. They have a website. They've got a bunch of stuff in their repos. But they're not quite ready for, like, this is what OWASP is known for. But they still have a lot of value. But some of these are very specific to languages like Python and whatnot. Then you have incubators. These are on the way to being in lab. A lot more of them. If you're gonna go make an impact in an open source organization, this is where I would direct you first. All of these have pull requests that are waiting to happen. All of these are beginner friendly. They need documentation like crazy. Development's underway. And then there's a whole bunch that just don't fit in there. So that's the first way that they organize them, by projects. Or categories, I should say. Categories. Then they also organize them by types. So you can go and say, hey, I wanna work on a tool, or I need a tool, or I wanna look at documentation. And they laundry-list it this way as well, without much explanation. And you might notice, fun fact, these numbers add up to more than 157. And remember I said earlier there are 157 in the usable state. Why is that?
I don't know. I wish someone could explain that to me. If you know the answer to that, please have a conversation with me afterward. But this is the state of OWASP right now. But they said, hey, I recognize this is a problem. We need to make it more usable for everyone at home. So this is the software development lifecycle, in their opinion. If you go look at it, it's a nice map, interactive. You can say, all right, I am at the design phase. Those four projects might help me out. I'll go investigate there first. This is on their website. You can go play around with it. Along the way of building this, they invented the CRE, the Common Requirement Enumeration. OWASP CRE became a project unto itself like everything else. opencre.org. If you don't visit any other website after this, put this, like, third on your list. But it's a way to very quickly see, hey, I have a high-level concern, a high-level topic I need to drill into, a quick way to see NIST and CWEs and all the other acronyms. They strung it together in one nice resource for you. So that's the first way I think you can start thinking about OWASP: as projects. It's a lot of them. There's a lot there. But it's a good way in.

Maybe the better way in is getting involved in the community. And don't worry about the global history, the 20-year history of projects. Just go talk to people. Chapters all over the world. And just like we're here in Seattle, you can just go hang out with people. This is what it looks like in Paris. Back in October, this was in the GitGuardian offices. GitGuardian's based in Paris. But this is the OWASP meetup in Paris. Who here lives in Seattle? One person. Yeah, you've got a lunch and learn coming up this coming Wednesday. It's online, so everyone in the room can join in. In fact, a lot of the community meetups are online. Or some of them are, I should say. It used to be a lot more, but then they've slowly been transitioning.
I was going to the Ottawa chapter's for a while, but then they stopped doing them online. But it's people you can go talk to about security stuff. Just other security nerds. They also hold events. The big global events, AppSec Days, which are smaller events, and then partner events where they don't actually run the event, but, hey, if you're an OWASP member, you get a discount or something nice happens. The next big one is in Dublin in two weeks. A whole bunch of training, but the AppSec Day is in, the next big AppSec Day, I should say, is in Ireland.

Education or training? You can just Google or DuckDuckGo or U.gov or whatever you want to use. Search for OWASP education or training. You're going to run into a list like this, and you're going to find, wow, there's a lot of resources, because every good-hearted soul who I wish more people knew about probably started a project at one time and started trying to train people on that specific topic. But there's one vendor they partner with, and I'm not here to sell you on them. But SecureFlag is awesome. Just flat-out stated. They have a partnership with OWASP. OWASP membership is really cheap. It's 500 bucks for a lifetime or 50 bucks a year to be a full-blown member of OWASP. And if you're a member of OWASP, you have full unlimited use of this platform. And you can go take dozens, I think 100, I forget the exact number, it's over 100 types of trainings on here. Like full-on capture-the-flag events; a whole community exists around this alone. So if you wanna go meet other cool people that are doing cool stuff, another way in. But along the way, you learn all about how to do cryptography in Java or secure authentication in Java. I don't know why I picked Java when I made this, but I think Java was on my mind. They also make a lot of publications and resources out there. A lot of these cross over with projects, and that's where they come from. But there are also physical books you can buy. Are they up to date?
I don't know how time works. So maybe. Yeah, so they do a lot. And you're probably still thinking, like, all right, what do I do with this? I could go spend four hours of my life digging through the projects, hoping to hit on something. I think there are four ways in that are really, really simple and actually practical day to day.

First is the Top 10. Who here knows, or has heard of, or has ever looked up, or saw a reference somewhere to the OWASP Top 10? Every hand in the room. Almost every hand in the room. Some people are asleep; that's fine. It's the end of the day. 10 types of attacks going on in the world. Vulnerabilities out in the world. I say 10 types of attacks. They don't say that; that's me. But that's a good way to think about it. Like, all right, I'm worried about my app being secure. What are the top ways I know I should secure it? Well, it's a top 10 list. Every year it changes. They haven't come out with the 2022 list yet. Coming out later this year. I'm actually really curious where cryptographic failures will fall this year, if it goes up. It's gone up every year it's been on the list. Broken access control is gonna probably stay at the top. But this is gonna be me saying this. The top eight are based on industry data. The last two are based on surveys of members, saying, hey, what else should be on this list? So server-side request forgery isn't, by data, one of the biggest threats in the world, but all the members said, hey, this should be on the list. People should know about this. So it's not just a list and, like, hey, good luck. It's a project. There's a repo for this. It goes really deep. I think the most important part of it is this one: How to Prevent. There's a whole section. So if you're building an application and you're thinking, hey, how do I secure this thing? Go to the Top 10. Go to How to Prevent for every single one. Run through it. Maybe just make a checklist.
I'm a big believer that the best security tool ever invented is Excel spreadsheets, because you can make a checklist. Real easy. Did we do it or not? Is the box checked? Make a big check box. Probably somebody already did that with this. Probably just Google that. So that's the Top 10. Won't spend any more time on that.

Cheat sheets. Man, I love cheat sheets. Cheat Sheet Series at owasp.org. This is the one you should definitely visit if you don't visit anything else. Because you want to be an expert in 10 minutes on any subject, good enough for your CIO, CISO, or your CIO? This is the website for you. They can walk in and say, hey, tell me about Kubernetes security. And while you're talking to them, you can slowly Google or get to the OWASP cheat sheet and then do a quick scan over the page, like, OK, I understand how this works now. It's a bare-bones, like, as-fast-as-you-can-go, as-fast-as-you-can-read-it overview of all the issues known. Is it complete and 100% thorough? No. Is it good enough to make you sound like an expert in 10 minutes? Yes. Should you do this on the regular? Probably not, but this is a good way to start. If you've just taken a course in something and, like, all right, I need a cheat sheet to hang out with me to remind me of the key things. They already wrote one for you. That's my point. So cheat sheets, definitely look them up.

The goats. The goats are great. Goats are not the greatest of all time. Maybe they are, but: deliberately insecure applications. You wanna go see how not to build an application? There you go. There's a bunch of them. PyGoat, lab projects, WrongSecrets is awesome. I'm a very big fan of that one. We've done a whole webinar with them, with the maintainer. And it's how not to store your secrets. How specifically not to do it. There's a project to show you how to do it. But the greatest of all time of all of the goats is Juice Shop. Who here knows Juice Shop? You're gonna love Juice Shop. This is the one to download.
This is the one I've got running in a Docker container right now. I'll show you in a second. But Juice Shop is a fully functional, bug-free application that's completely insecure, according to the last Top 10. Super well documented, tons of articles about it. One of my favorite talks I've seen in the last year is on YouTube from Björn, which breaks down how to use it. So Juice Shop looks like this. This is running on my local. And yeah, it's just a, it's a juice shop. But it can, do I still have my cross-site scripting in here? No, I don't. But if you go to, and this is like the secret, this is the thing, like, you poke at it, like, I don't know what I'm doing. It's a built-in CTF, a Capture the Flag, built in. So if you go to Scoreboard, yeah, it's a full-on tutorial on how to hack a website that tracks your progress as you go, with tips and training as you go. Not just how not to build a website, but how to attack a website. All in one awesome thing you can run in a Docker container that you get up in seconds, that scales. It's amazing. So Juice Shop, go check it out. Definitely should have it running.

ZAP. Who's ever run the Zed Attack Proxy? Cool, got one in the back. Yes, yes. ZAP is a tool you should be running, or at least run occasionally. Only against things that you control, that you own. You have permission to attack. Don't just go randomly attack websites with this. Please don't. You could, but don't. It's an automated scan that literally goes and attacks down the list, and tries every dirty trick currently on the Top 10 list. And then builds a nice report on what went wrong. So yeah, there are only nine alerts, but, like, cross-domain misconfiguration, there are 40 instances of that. Oh, this is against Juice Shop, by the way. This is how insecure Juice Shop is. So yeah, cross-site scripting, session ID in URL rewrites.
There are a lot of known bugs with ZAP, and that's why it's not in the production-ready camp right now. Previous conversations are like, well, this tool isn't built for the enterprise, but at the same time, it is built for the enterprise. Anyway, oh, ZAP is awesome. Download it, run it. These are the four ways in.

But, all right, I'm gonna wrap up. It's dangerous out there. There is a group of people that wanna help you. They're called OWASP; they've been around for a long time. It's a Byzantine labyrinth to get through. But if you go talk to the people involved, they're all nice. They all wanna share their knowledge. They all want you to succeed. They all want you to sleep better tonight, and have better security, and stop writing insecure apps. And I would start here. Before last week, I probably wouldn't have said start with Juice Shop, but Juice Shop is just fun. I've had a lot of fun with it lately. When you get to the advanced things, it's like, wow, I've never even thought of that for application security. ZAP is a much quicker way to get to, like, how do I make my application secure? Not how do I learn how to not write bad applications? But that's it. And if you don't know the Top 10, that's one you should bookmark. And every time you think of building your application or changing your application, just go review the list. Anyway, I've been doing, I'm a developer advocate, have been for a few years. Hit me up on Twitter about anything: rock and roll, BSides, tech. I gotta fix that. But I do love BSides; they're an awesome organization. And that's my talk. Any questions?

Back there. When I say the bug list, I mean the issue queue, and it's still there. That's the conversation, literally the same conversation I had in West Virginia about ZAP. Is it enterprise-ready? According to them, yeah. Can you automate it? Ooh, there are problems with that. And there are issues, known issues with it, unfortunately. But they do accept pull requests, and they are open source.
So if you can make it work, you can make it work. But that's not a great answer. But I'm actually, you know what? I've got enough time. Let's just, this is like, automate. I haven't seen this before. This must be fairly new. No, there's a path. There we go. 90% of what I know, I just Google or look up on DuckDuckGo. Any other questions that I can help other people with? Well, enjoy the rest of the event, and thank you very much for coming out to my talk.