BruCON 0x0E has ended
Thursday, September 29 • 10:30 - 12:30
Embrace Secure Defaults, Block Anti-patterns, and Kill Bug Classes


Between Agile, DevOps, and infrastructure as code, development is happening faster than ever. As a security team, it can be tough to keep up. How can you help empower your engineering counterparts to ship software quickly and securely?

An increasingly popular answer is secure defaults - make it easy to do the secure thing, and hard to do the insecure thing, whether that’s parsing XML files, interacting with the database, authorization, or any other security-relevant functionality.

Done properly, secure defaults (also called "guardrails" or a "paved path") can eliminate whole classes of vulnerabilities before they are ever written, which scales the security team far beyond what code review alone can do. The power of secure defaults has been praised by established companies such as Netflix, Google, Facebook, and Microsoft, as well as by rapidly growing mid-sized companies and even start-ups.

Security maturity frameworks such as BSIMM, OWASP SAMM and NIST SSDF indicate that the most mature and efficient security programs tailor these secure defaults to their own organization. Many security tools allow such customization, but they are not all created equal. With Semgrep, a custom rule is a short YAML document that describes the code pattern to flag (and, optionally, the fix to suggest), and a first rule can be written and run within a few minutes.
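To make the YAML format concrete, here is what such a rule file looks like. This is an added example, not material from the workshop or from BruCON: the rule ids, messages and the code they match are hypothetical, chosen to cover two of the anti-patterns the abstract mentions (building SQL queries by string concatenation and parsing XML with an unhardened parser). The rule syntax itself (`pattern`, `pattern-either`, `$METAVAR`, `...`, `fix`) is Semgrep's.

```yaml
# rules.yml - added example, not the workshop's own rules.
# Rule ids, messages and the target code in the comments are illustrative.
rules:
  # Anti-pattern: SQL text assembled from data, then handed to the driver.
  # The secure default is the driver's own parameter binding:
  #   cur.execute("SELECT * FROM users WHERE id = %s", (user_id,))   # not flagged
  #   cur.execute("SELECT * FROM users WHERE id = %s" % user_id)     # flagged
  #   cur.execute(f"SELECT * FROM users WHERE id = {user_id}")       # flagged
  - id: python-sql-query-built-from-strings
    languages: [python]
    severity: ERROR
    message: >-
      SQL query text is built with string formatting or concatenation, so any
      user-controlled value becomes part of the statement. Pass values as the
      second argument to execute() and let the driver parameterize them.
    patterns:
      - pattern-either:
          # "..." matches any string literal, ... matches any arguments
          - pattern: $CURSOR.execute("..." % ...)
          - pattern: $CURSOR.execute("..." + ...)
          - pattern: $CURSOR.execute("...".format(...))
          - pattern: $CURSOR.execute(f"...")
    metadata:
      category: security
      cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command"

  # Anti-pattern: parsing XML with the standard-library parser, which the
  # Python docs state is not secure against maliciously constructed data.
  # Semgrep resolves imports, so `import xml.etree.ElementTree as ET` followed
  # by `ET.fromstring(data)` is still matched.
  - id: python-xml-stdlib-parser
    languages: [python]
    severity: WARNING
    message: >-
      xml.etree.ElementTree is not hardened against maliciously constructed XML.
      Use the defusedxml drop-in (defusedxml.ElementTree) for untrusted input.
    pattern-either:
      - pattern: xml.etree.ElementTree.fromstring(...)
      - pattern: xml.etree.ElementTree.parse(...)
      - pattern: xml.etree.ElementTree.XMLParser(...)
    metadata:
      category: security
      cwe: "CWE-776: Improper Restriction of Recursive Entity References in DTDs"
```

Run it against a source tree with `semgrep --config rules.yml path/to/src`; a rule like the first one is what "block anti-patterns" means in practice, while the message of the second points developers at the paved path rather than merely telling them the current call is wrong.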

This workshop will teach you:
• Why the current approach to software security is not working to reduce vulnerabilities
• Why developers should be involved early and often in the SDLC
• How a paved security path for developers can create a higher standard of secure code, without compromising speed of delivery
• How to enforce security best practices unique to your organization (for the workshop we will be using the open source static analysis tool Semgrep)

This workshop will be part big picture ideas and best practices, and a lot of hands on examples and demos. You’ll leave with some insights, open source tools, and actionable tips to get started immediately.

Speakers
Claudio Merloni

Claudio is a veteran security expert. After completing his Master's in Computer Engineering at the Politecnico di Milano, he began a journey in the security space that now spans more than 15 years. Security consultant first, then moving through different roles, from technical...
Pieter de Cremer

Pieter De Cremer is a long-time security enthusiast. He joined Secure Code Warrior as part of an internship in 2015. During his master's he continued to work at the company and wrote more than 100 rules for Sensei, its IDE security plugin. During this time he was closely involved...


Thursday September 29, 2022 10:30 - 12:30 CEST
05. Boscoli