PunkCoder
About Punkcoder
Chall Profiles
Developer
Canary
Blog Posts
- [Nov 30, 2021] Developer Security
- [Jul 5, 2021] DevSecOps is Broken
- [Jul 5, 2019] Fixing Firefox Proxy for Localhost
- [May 28, 2019] Some Small Updates
- [Dec 27, 2018] Closing out the New Year
- [Apr 9, 2018] Nebraska Code 2018
- [Mar 7, 2018] Pluralsight IQ
- [Dec 15, 2017] New Job and the Internet
- [Aug 21, 2017] Rebuild CentOS Environment
- [Aug 7, 2017] DEFCON 25 Wrap Up
- [Feb 24, 2017] Everyone Can Code
- [Dec 29, 2016] Negative work
- [Dec 1, 2016] Best Of Defcon 24 Villages
- [Nov 4, 2016] Follow Up From Prairie Code
- [Oct 12, 2016] 1o57 List of Things to Learn
- [Sep 23, 2016] Still after all these years...
- [Jul 28, 2016] How to make enemies with people who use TDD...
- [Jul 14, 2016] Technology and the Red Queen
- [Jun 9, 2016] Building Analytics with Data Lake
- [Jan 16, 2015] Migrating the site to umbraco.
- [Jan 15, 2015] Thinking about the Enterprise.
- [Jan 15, 2015] So... yeah were still talking about the DAL.
- [Nov 4, 2014] Database Table Discovery with Foreign Key Detection
- [Aug 5, 2014] Defending DNN... Examination of the Security Landscape.
- [Jul 22, 2014] Building Resilient Networks
- [Jan 29, 2014] The speed of reflection...
- [Nov 15, 2013] Your warranty will expire soon.
- [Nov 8, 2013] The dangers of supporting Legacy Browsers.
- [Jul 15, 2013] The challenges of working with Dot Net Nuke
- [Jun 1, 2013] Good News Everybody...
- [Aug 3, 2012] Agile development and database structures...
- [Feb 9, 2012] Tools for Visual Studio
- [Feb 8, 2012] I Love my Mac... but,
- [Jan 26, 2012] American Lobby for the Future of the Internet
- [Dec 23, 2011] Migrating the Website
- [Dec 21, 2011] Managing offshore work.
- [Dec 20, 2011] Encryptr
- [Dec 14, 2011] Source Control, seriously people...
- [Dec 2, 2011] No. No. No. No. No.
- [Jun 24, 2011] Things I Wish I Learned in College: Someone will be reading your code...
- [May 11, 2011] Guess where I will be next week
- [Dec 10, 2010] Why can't we all agree... VBA isn't the answer.
- [Dec 10, 2010] Stupid Developer Tricks : Proxy Settings
- [Dec 9, 2010] Review: Applied Architecture Patterns on the Microsoft Platform
- [Jun 2, 2010] The Upper Limit Number of Applications in BizTalk
- [May 15, 2010] Reflection on my own faith following a conversation with Paul
- [May 10, 2010] An interesting use for Skype
- [Feb 11, 2010] Parallel namespace in .NET 4.0
- [Feb 10, 2010] The joys of SPAM
- [Jan 5, 2010] The Introduction of the Reverend Rawk... (give me all your thoughts on god)
- [Jan 5, 2010] Redefinition of Religion
- [Jan 5, 2010] Another post from the couch.
- [Aug 14, 2009] Become the Media
- [Aug 13, 2009] The Bane of Developers Existance : Experts-Exchange
- [May 6, 2009] Breakdown of the Social Order
- [Apr 23, 2009] Fiber to the Home
- [Apr 22, 2009] Every once and a while...
- [Apr 22, 2009] Creating an iPhone Ringtone
- [Apr 22, 2009] Crazy people and public transit
- [Apr 22, 2009] A gem from the old site... the Modem Handshake ringtone.
- [Apr 21, 2009] Hold tight...
Developer Security
Published On: Nov 30, 2021
Developer security is a wholistic view of the applications security, it’s been something that I’ve been working on for several years. The problem with application security is that inherently it focuses on the product, the application. The alternative approach seems to be DevSecOps, where we make security part of the operations session, indeed shifting left from the application to the build process but really I think that this is still missing something. Since we are still focusing on the output of the process and not the process itself.
Inherently if we are looking to improve security we have to go to where the security issues get into code, the developer. To accomplish this most of the focus for the moving pattern is going to have to be placed on the education process and the management of the measuring where you are in the process. Education is pivotal because it is designed to change the mindset from our attackers are super elite hackers, to the majority of the attackers that we are seeing are people who simply have more time to dedicate to the focus of security (squirrels). In this way we have to figure out how to take all of the time that the attacker would focus towards attacking our site and focus it into the defense of the product that we building. This approach puts a heavy amount of thought and work into the developer, and what their workflow looks like. The goal of the process is to get the developer to focus in on what they are developing and ‘develop the attacker mindset’ (more on this in a moment).
Okay now on to the elephant in the room, developers aren’t attackers, and telling a developer to think like and attacker is like telling a developer to think like an elephant. Inherently they can’t do it, because it’s not their frame of reference. That’s okay, instead we want to shift their focus from thinking about security to thinking about resilience and safety, because on the Venn diagram of security those are the overlapping pieces that allow for a common mindset. Once we have that in place it’s a very small jump to the next level to make sure that we are accounting for the, ‘what can go wrong?'. Once we get to this mindset I think that we are in the sweet spot for moving forward.
So how is this going and what are some of the main things that we have been able to do to figure out where we are going and what we are doing as part of the process? Short answer is that so far things are going okay, it takes a long time to boil the ocean and there are a lot of tasks that we have to focus on as part of the process, there really isn’t anything that we can do to get around that. This is one of those ‘We do these things not because they are easy, but because they are hard’, it is the right thing to do.
DevSecOps is Broken
Published On: Jul 5, 2021
So lets start this blog post off being super inflammatory, DevSecOps is broken and there is nothing that the security community can do to fix it.
Now that we have that out of the way… Here’s what I am actually trying to say. There is a fundamental problem with DevSecOps that it seems like a large part of the community is attempting to ignore.
The problem that we are facing is that fundamentally the problem with cybersecurity and application development isn’t the application, it’s the developer.
The solution that we are taking to solving this is like saying that we would like a gallon of milk so we drive to the middle of a cow pasture, stick our heads out the window and hope that a gallon of milk hits us in the hand. The root of the issue is that fundamentally isn’t how it works. The problem isn’t with the software, application, or the IoT device. The problem is at the development team and product manager level. The problem is that there is a lack of desire to do what it takes to make software development a success in this space. So we dump huge amounts of money into trying to solve the issue through the use of software to try to fix software. As an industry we have gotten to the point where we are adding layer upon layer trying to solve an issue without addressing the underlying problem.
I see this more and more being compounded as I talk through some of the conferences, the conversations can usually be broken down into a hand full of different categories:
- We implemented tools, they were so loud so the just turned it off.
- We implemented tools, then white listed everything so now we are secure…
- We implemented tools, then struggled to the point where struggle became our normal mode of operation.
- We implemented tools, and made it someone elses issue.
But the interesting point of all of this is that the tools aren’t the problem and they really aren’t the solution. The base of the issue is that most of the development teams that I have interacted with do not have a fundamental understanding of what security is beyond the need to watchout for sql injection and cross site scripting. The problem is that they don’t know the why. Education is something that has to break through he static of the daily standup, there needs to be real integration of security as part of the development community and the conversations that spring out of that need to permeate to higher levels.
Part of this conversation goes back to my own frustration that I experienced working as a developer. The main problem that I would run into as a developer was the fact that I worked in complicated spaces, spaces where nuance matters. When you are dealing with a complex piece of code simplifying it will only get you so far before you start to destroy some of the value that is offered. There is a reason that complex business rules exist. Optimizations help recover something that’s lost.
So how do we turn this around? I think that the Infosec Color Wheel is a good start, because it places security and developers on a level playing field. It shows where they exist as part of the security community. The problem with the standard red and blue, is that when security starts talking about patching servers and adding firewalls, the development team checks out. Those aren’t part of their world for the most part. But from personal experience if you start talking to developers and developer management about resilience and code based issues you have far more involvement from the teams. Like I said before this isn’t something that the security community can solve, we have to get to the development teams and get them to the table, talk about relevant application based security, and get them thinking about topics like Threat Modeling.