Duo Tech Talk: Building a Modern Security Engineering Organization
Did you miss our latest Duo Tech Talk featuring Signal Sciences’ Founder and Chief Security Officer (CSO) Zane Lackey? In case you did, we have a video recording available below! He presented Building a Modern Security Engineering Organization at the Duo Ann Arbor office last week to a full crowd. Prior to Signal Sciences, Zane built and led the security team at Etsy, a global online marketplace for handmade and vintage goods.
This talk covered continuous deployment (nearly instantaneous code deployment) and DevOps philosophy, and how security adapts effectively to these changes as they affect business operations. It also included:
- Practical advice for building and scaling modern AppSec and NetSec programs
- Lessons learned for organizations seeking to launch a bug bounty program
- How to run realistic attack simulations and learn the signals of compromise in your environment
When it comes to near-instantaneous code deployment, Zane compared the change from code in production for 18 months, to Etsy’s push to production 30 times a day, on average. Other features include feature flags (blocks of code associated with one feature), ramp-ups (ability to roll out parts of code to certain users), and A/B testing (multiple types of features in order to test which ones your user likes).
However, the rapid rate of change with continuous deployment doesn’t necessarily mean things are more insecure - vulnerabilities occur in all types of development methodologies. What makes continuous deployment safe? With continuous deployment comes continuous monitoring, which means someone is more likely to catch an anomaly, particularly important with an ecommerce site.
Zane also pointed out an example of security when it comes to SSH access to production systems. The security policy goal here should be to eliminate unneeded access to production systems. Developers may need to access production systems in order, for example, to view error logs. One way to deal with the need in a secure way is to build an alternative approach to the need - try sending logs to a centralized logging service (like Splunk or Elasticsearch).
In addition to setting up centralized logging, ensure that you are publicizing it to the rest of the organization, especially to the developers that are logging into production systems. Then, after the transition, alert on logins to the production systems by non-sysops (system operators, or admins).
Zane goes on to discuss bug bounty programs and attack simulations. With bug bounty programs, there are typically concerns about budgets and the risk of inviting attacks on your systems. The ultimate goals of the program should be to incentivize people to report issues to you initially; drive up the cost of vulnerability discovery and exploitation for attackers; and provide external validation of whether or not your security program is working. He discusses how to realistically manage a bug bounty program, as well as how to conduct effective attack simulations.
Watch the video to learn more!
Zane Lackey, Founder & CSO, Signal Sciences
Zane Lackey is the Founder/CSO at Signal Sciences and serves on the Advisory Boards of the Internet Bug Bounty Program and the US State Department-backed Open Technology Fund. Prior to Signal Sciences, Zane was the Director of Security Engineering at Etsy and a Senior Security Consultant at iSEC Partners.
He has been featured in notable media outlets such as the BBC, Associated Press, Forbes, Wired, CNET, Network World, and SC Magazine. A frequent speaker at top industry conferences, he has presented at BlackHat, RSA, USENIX, Velocity, Microsoft BlueHat, SANS, OWASP, QCon, and has given invited lectures at Facebook, Goldman Sachs, New York University, and Reykjavik University.
He is a contributing author of Mobile Application Security (McGraw-Hill), a co-author of Hacking Exposed: Web 2.0 (McGraw-Hill), and a contributing author/technical editor of Hacking VoIP (No Starch Press). He holds a Bachelor of Arts in Economics with a minor in Computer Science from the University of California, Davis.
October Duo Tech Talk
Join Duo’s Tech Talk Meetup group and don’t miss our next tech talk scheduled for late October, featuring Peiter Zatko (“Mudge”) as he presents A Behind the Scenes Look at Creating DARPA's Cyber Analytic Framework, detailing his work as Program Manager at DARPA (Defense Advanced Research Projects Agency).
Abstract: While at DARPA, Mudge created the Analytic Framework for Cyber. DARPA used (and still uses) this framework to evaluate and determine the areas of research they should pursue in computer and network security and exploitation.
Peiter C. Zatko
Peiter C. Zatko, better known as Mudge, was a member of the high profile hacker think tank the L0pht as well as the long-lived computer and culture hacking cooperative the Cult of the Dead Cow. In 2010, Mudge accepted a position as a program manager at DARPA where he oversaw cyber security research. Mudge now works for Google in their Advanced Technology & Projects division.