
Developer as a Malware Distribution Vehicle
Guy Podjarny (@guypod)

About Me
• CEO & Co-Founder at Snyk: Find & Fix vulnerabilities in open source dependencies!
• Founder @Blaze, CTO @Akamai
• Security work since


1. Why do developers make insecure decisions?
• Different motivations
  Our goal is improved functionality; security is just a constraint
• Cognitive Limitations
  We move fast, and sometimes break things - including security
• Lack of Expertise
  We often don’t understand the security implications of our decisions

2. Developers are also Overconfident

3. “I find training developers, actually to be much harder than regular employees”
Masha Sedova (@modMasha)
https://www.heavybit.com/library/podcasts/the-secure-developer/ep-16-security-training-with-elevates-masha-sedova/

4. “there's a certain amount of arrogance associated with, "I already know this," or "I'm smarter than this."”
Masha Sedova (@modMasha)
https://www.heavybit.com/library/podcasts/the-secure-developer/ep-16-security-training-with-elevates-masha-sedova/

5. “Most developers that I talk to, specifically, don't actually believe security is an issue that happens at their company”
Masha Sedova (@modMasha)
https://www.heavybit.com/library/podcasts/the-secure-developer/ep-16-security-training-with-elevates-masha-sedova/

6. Security breaches can happen to you

7. You are Trustworthy but Not Infallible

8. How can we Mitigate this risk?

9. Learn lessons from Past Incidents

10. Automate Security Controls
• Apple: Malware detection in the App Store
• npm: Malicious package detection in the registry
• FT: 2FA on the SSO page
• Uber: 2FA on GitHub.com, then move to self-hosted git

11. Make it Easy to be Secure
• Apple: Stand up fast local Xcode download mirrors
• FT: “Reducing and removing privileges more aggressively”
• Uber: Auto-expire AWS tokens
• npm/PyPI/Docker: Flag/block malicious packages

12. Developer Education
• Apple: Encourage developers to validate the Xcode download
• npm: Blog about malicious packages & typosquatting
• FT: “set clearer expectations of security standards”
• Angular: Require 2 expert reviewers for sensitive code

13. Ease of being secure / Caring about security

14. Manage Access Like a Tech Giant

15. Google BeyondCorp
https://cloud.google.com/beyondcorp/

16. BeyondCorp in a nutshell
• All access done via a corporate proxy
  Eliminates the trusted network
• Proxy grants access per user & device
  No more static credentials
• Access is logged and monitored
  Anomalies can be detected during or after actions
https://www.slideshare.net/fortyfivan/beyondcorp-sf-meetup-closing-the-adherence-gap
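The three properties on the slide above (every request through a proxy, grants decided per user and per device, every decision logged and monitored), as an added illustration that is not from the deck and not Google's implementation: a toy access proxy in Python that decides each request from user authorization plus device posture, appends every decision to an audit log, and flags a user who appears on a device they have never used before. The ACL, device attributes, patch-age threshold and sample users are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed example data: which users may reach which resource through the proxy.
RESOURCE_ACL = {"prod-admin": {"alice"}, "wiki": {"alice", "bob"}}

@dataclass(frozen=True)
class Device:
    device_id: str         # identity from the device inventory
    managed: bool          # enrolled and centrally managed
    disk_encrypted: bool
    os_patch_age_days: int

@dataclass(frozen=True)
class AccessRequest:
    user: str
    device: Device
    resource: str
    source_ip: str         # recorded for audit only; network location grants nothing

class AccessProxy:  # every request passes through here; no trusted-network bypass exists
    def __init__(self, max_patch_age_days=30):
        self.max_patch_age_days = max_patch_age_days
        self.audit_log = []     # one entry per decision, allowed or denied
        self.seen_devices = {}  # user -> device ids that user has used successfully before

    def device_trusted(self, d):
        return d.managed and d.disk_encrypted and d.os_patch_age_days <= self.max_patch_age_days

    def decide(self, req):
        """Return (allowed, reasons, anomaly); the grant is per user AND per device."""
        reasons = []
        if req.user not in RESOURCE_ACL.get(req.resource, set()):
            reasons.append("user-not-authorized")
        if not self.device_trusted(req.device):
            reasons.append("device-untrusted")
        known = self.seen_devices.setdefault(req.user, set())
        # Anomaly: a user with an established device history appears on an unseen device.
        anomaly = bool(known) and req.device.device_id not in known
        allowed = not reasons
        self.audit_log.append({"user": req.user, "device": req.device.device_id,
                               "resource": req.resource, "ip": req.source_ip,
                               "allowed": allowed, "reasons": reasons, "anomaly": anomaly})
        if allowed:
            known.add(req.device.device_id)
        return allowed, reasons, anomaly

    def review_queue(self):
        """Entries a monitoring pipeline would surface: denials and anomalies."""
        return [e for e in self.audit_log if e["anomaly"] or not e["allowed"]]
```

The audit log is written whether or not the request is allowed, so a denied request from an unpatched or unknown device is visible to monitoring at the moment it happens rather than only after the fact.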

17. https://cloud.google.com/beyondcorp/

18. Microsoft Privileged Access Workstations (PAW)

19. PAWs in a nutshell
• Access to production requires a secure machine
  With strict controls and no further internet access
• Your “Desktop” runs as a VM on the machine
  Running a secure VM in an insecure host isn’t enough
• Optionally a “Guarded Host” can host both VMs
  Allows more flexibility and routine updates to the PAW
https://blogs.technet.microsoft.com/datacentersecurity/2017/10/13/privileged-access-workstationpaw/

20. Detailed PAW Guidance (Windows-centric)
• PAW deployment guide
• Why use a shielded VM for PAW?
• How to deploy a VM template for PAW
• Building a VM template for PAW
• Connect to VMs on PAW
• Shielded VM local mode vs HGS mode
• How to build the PAW host
https://blogs.technet.microsoft.com/datacentersecurity/2017/10/13/privileged-access-workstationpaw/
