AppSec evangelist, Tanya Janca, chats about security and developer education

Popular News Tags (5291)

  • Tanya Janca, an application security evangelist, chair of OWASP WIA (Women in AppSec) and co-leader of the OWASP Ottawa chapter, kindly chatted with Sync NI about security, developer education and her upcoming conference talk.

    I always get asked the same question: “when you do security testing, have you ever found any system to be completely secure?” - my answer is always the same – “No”. I always find something, and usually a lot of things. It’s not because I’m an extremely skilled hacker who’s been testing software for 20 years… it’s because I’m usually the first person who bothered to actually look.

    We all know the problem: everyone is getting ‘hacked’ every single day. This is serious stuff. The average cost of a data breach is $3.62 million (IBM) and in 2016 alone, 4 billion personal records were stolen (Risk Based Research). These kinds of expenditures, as well as the accompanying loss of confidence that security breaches cause, can put companies out of business. No one even knows what the full consequences will be of the NSA hacks being leaked onto the internet, and I’m sure you all know someone who has had their identity stolen. You may be surprised to learn that these issues are often caused by security flaws in software.

    Why is this happening in 2017?
    In my opinion, the System Development Life Cycle (the process used to develop software) is kind of broken. Security is too often something that is tacked on at the end of the process, like an accessory when buying a new car - rather than being incorporated throughout the development process.

    This can happen for a couple of reasons:

    1) Most security teams have very little application security knowledge, and they tend to concentrate on protecting the perimeter (which is also extremely important, but it’s not the only thing that is important)
    2) Developers aren't taught security in schools and if they are, they aren't taught enough. Many developers don’t even know what the CIA Triad is, which is the entire mandate for security.
    3) Business silos mean that security and development don’t talk very often, except when there’s a problem. This isn't the best way to build positive relationships.
    4) If a company or project does have cash for security, they often hire someone right at the end, when there’s not enough time to fix it before release. This also means late nights for developers…

    What exactly do you mean when you say that the SDLC is ‘kinda broken’?
    Let me tell you a story about Alice and Bob. Bob studied Computer Science in the early 2000’s, and graduated into a software development job. He was never taught application security (also known as AppSec) while in school, or on the job. His job allows him to take one (or less) course each year to keep up his skills, and with the hours he works, he doesn’t use his own time for learning very often. Bob has worked 8 months to create software XYZ, and is about to release version 1.0. He has worked very hard on XYZ, and is anxious for the release.

    In comes Alice, she has been hired to do security testing. She delivers bad news; Bob’s program has a lot of security problems. In this story, no one likes Alice very much. But it’s not Bob or Alice that are the problem, the problem is the system.

    How can we solve this?
    We can introduce security earlier into the SDLC, also known as “Pushing Left”.

    What is “Pushing Left”?
    If you look at the diagram, the further left you go, the earlier you are in the process. When security folks say they want to “push left”, they mean that they want to be invited to the party earlier. And when Application Security people (that’s me) say it, we mean that we especially want to be invited to the Development phase.



    The image above represents the System Development Life Cycle (SDLC). No matter what methodology is used to create the software, you always need five things: gathering requirements,design (a plan), development (coding), testing, and deployment.

    Unfortunately, security often comes at the end - usually as an afterthought. Practically, this usually means security testing is introduced during the QA phase - or even worse, after deployment because of a breach of some kind, instead of being integrated throughout the process!



    In order to start security earlier we need to start teaching the security team and the development team about application security - more precisely, that magical spot where the two specialties overlap. That’s where I live, in AppSec.

    But what about Alice and Bob? What can they do? The can both start by joining their local OWASP chapter. OWASP is a great resource for application developers and using their wiki to look up the most secure way to do things instead of relying on the first StackExchange link that Google serves up is an excellent first step.

    As much as I love OWASP, my favorite thing that helps me get involved and learn more about AppSec are conferences, conferences are awesome.

    Why are conferences so awesome exactly?
    - Whenever I attend a conference, the sheer number of new ideas and concepts I had never considered breaks my brain. I’m not kidding, it’s career altering. If you’ve never been before, get ready.
    - Conferences are generally significantly less expensive than multi-day in-person training, and sometimes they are even free!
    - This is a chance for you to network with people from all over the world who have come together to learn.
    - Conferences are immersive, social, and psychologically stimulating.
    - There will be a wide range of topics as well as angles/perspectives from all over industry instead of just what you hear in your office.
    - Once you've been introduced to a new topic, you can delve deeper with free or paid resources, either locally or online. You can even request that your local chapter of OWASP try to arrange a talk on that specific topic - they are usually looking for new topic ideas!

    Now, whenever someone asks me have you ever found any system to be completely secure? After I explain that I always find something, I make sure to tell them to:
    1) Join their local chapter of OWASP and
    2) Start attending conferences as often as possible. This is your best bet to start introducing security earlier, and by that, I mean: pushing left, like a boss.

    Tanya Janca will give her talk “Pushing Left, Like a Boss” at the Swiss Cyber Storm on October 18th, 2017 in Lucerne, Switzerland. To connect with Tanya, reach her on Twitter and Linkedin.

Share this story

Recommended News

Northern Ireland News

All Northern Ireland News

Trending News

All Trending News

Innovation News

All Innovation News

World News

All World News