1 00:00:03,790 --> 00:00:15,260 one again one so well they're just left 2 00:00:11,570 --> 00:00:17,240 I was gonna start by just saying that we 3 00:00:15,260 --> 00:00:19,880 make thank you to the organising 4 00:00:17,240 --> 00:00:22,310 committee and all the volunteers for for 5 00:00:19,880 --> 00:00:24,680 setting this up I'll be looking at the 6 00:00:22,310 --> 00:00:26,570 schedule and I'm blown away I don't know 7 00:00:24,680 --> 00:00:29,390 what tractor sitting I'm gonna probably 8 00:00:26,570 --> 00:00:32,000 be running between them much like I 9 00:00:29,390 --> 00:00:34,850 imagine quite a few of you as well so 10 00:00:32,000 --> 00:00:37,969 yeah I think thanks that and I think 11 00:00:34,850 --> 00:00:41,510 maybe we can speak so this is the first 12 00:00:37,969 --> 00:00:43,909 time I'm doing this particular talk so 13 00:00:41,510 --> 00:00:47,178 it completely interesting to see laughs 14 00:00:43,909 --> 00:00:47,960 so how many people have actually heard a 15 00:00:47,179 --> 00:00:51,800 synopsis 16 00:00:47,960 --> 00:00:54,010 oh that's impressive Oh excellent 17 00:00:51,800 --> 00:00:57,828 so about three years ago we were at 18 00:00:54,010 --> 00:00:59,870 thinking it was InfoSec in London and 19 00:00:57,829 --> 00:01:01,489 people literally have no idea why 20 00:00:59,870 --> 00:01:05,030 synopsis there who are you what are you 21 00:01:01,489 --> 00:01:07,100 doing here thank you and actually 22 00:01:05,030 --> 00:01:08,960 historically synopsis we're a hardware 23 00:01:07,100 --> 00:01:12,890 company so what does that mean well if 24 00:01:08,960 --> 00:01:14,389 you have my phone and iPad or any other 25 00:01:12,890 --> 00:01:16,820 kind of electronic device and it has 26 00:01:14,390 --> 00:01:22,219 like Bluetooth or USB or anything like 27 00:01:16,820 --> 00:01:24,258 that chances are that the that the 28 00:01:22,219 --> 00:01:26,538 vendor the creator of this device has 29 00:01:24,259 --> 00:01:28,729 either used 
snotter's tooling or 30 00:01:26,539 --> 00:01:30,350 software to create the designs and 31 00:01:28,729 --> 00:01:33,259 schematics no thing or they've even used 32 00:01:30,350 --> 00:01:35,600 some IP we have a bunch of patterns in 33 00:01:33,259 --> 00:01:37,429 hardware design and implementation and 34 00:01:35,600 --> 00:01:39,229 so that's where most of synopsis 35 00:01:37,429 --> 00:01:41,420 actually says there's about 10,000 36 00:01:39,229 --> 00:01:44,600 people of them on the company and we've 37 00:01:41,420 --> 00:01:46,670 got the fourth has a lot of people in 38 00:01:44,600 --> 00:01:48,350 the software and technical group now 39 00:01:46,670 --> 00:01:50,749 synopsis other down this software take a 40 00:01:48,350 --> 00:01:54,469 group a few years back essentially 41 00:01:50,749 --> 00:01:56,869 through about acquiring companies so 42 00:01:54,469 --> 00:01:59,809 it's not off with the medical Coverity 43 00:01:56,869 --> 00:02:01,790 many people have clarity people make 44 00:01:59,810 --> 00:02:05,750 sense of staff analysis tool when you 45 00:02:01,790 --> 00:02:08,570 C++ and then we wonder for your 46 00:02:05,750 --> 00:02:10,880 company's code nomicon fantastic bunch 47 00:02:08,570 --> 00:02:12,890 of guys finish setting up an older in 48 00:02:10,880 --> 00:02:14,230 northern Finland which pretty sure is 49 00:02:12,890 --> 00:02:15,850 about minus 20 degrees at the moment 50 00:02:14,230 --> 00:02:18,350 [Music] 51 00:02:15,850 --> 00:02:20,510 they came up with a while they label 52 00:02:18,350 --> 00:02:21,680 tool which is now called the fence X 53 00:02:20,510 --> 00:02:26,200 today was called something else at the 54 00:02:21,680 --> 00:02:28,880 time that they were once 2008 in TMS 55 00:02:26,200 --> 00:02:31,420 Stan n three years ago they're quite a 56 00:02:28,880 --> 00:02:36,500 complicated tool which is where I'm from 57 00:02:31,420 --> 00:02:39,560 as well as a few people come see us 58 00:02:36,500 --> 00:02:40,940 
office we basically a suitable that 59 00:02:39,560 --> 00:02:42,950 benign for our twenty five years doing 60 00:02:40,940 --> 00:02:44,270 purely software security consulting so 61 00:02:42,950 --> 00:02:47,299 we are consultants we do lots of 62 00:02:44,270 --> 00:02:50,030 software's Qt stuff we don't have any 63 00:02:47,300 --> 00:02:51,530 products present but all the other bits 64 00:02:50,030 --> 00:02:54,530 they've got acquired what products as 65 00:02:51,530 --> 00:02:56,270 well and then my book which some of you 66 00:02:54,530 --> 00:02:58,280 might have heard of it's basically a 67 00:02:56,270 --> 00:03:00,709 tool that you points that source code 68 00:02:58,280 --> 00:03:03,920 where you pointed at a binary and it can 69 00:03:00,709 --> 00:03:04,280 tell you what open-source components are 70 00:03:03,920 --> 00:03:05,450 in there 71 00:03:04,280 --> 00:03:07,459 and so you know are you in trouble 72 00:03:05,450 --> 00:03:09,079 licensing wise or rather there are using 73 00:03:07,459 --> 00:03:14,000 our to make versions than that and stuff 74 00:03:09,080 --> 00:03:16,250 so from a consulting point of view we do 75 00:03:14,000 --> 00:03:19,100 more security activities we don't just 76 00:03:16,250 --> 00:03:21,830 be contestant and a bit about that in a 77 00:03:19,100 --> 00:03:23,989 second we are down in the Gold Sponsor 78 00:03:21,830 --> 00:03:27,350 area do come check us out speak to us 79 00:03:23,989 --> 00:03:30,500 all very nice people all most of us want 80 00:03:27,350 --> 00:03:33,290 to be there coffee this mean victory 81 00:03:30,500 --> 00:03:35,330 marketing slight worry elimination 82 00:03:33,290 --> 00:03:36,829 flowers specifically because you asked 83 00:03:35,330 --> 00:03:40,100 me to mention flowers because it is your 84 00:03:36,830 --> 00:03:42,050 favorite part about product platform so 85 00:03:40,100 --> 00:03:44,840 yet we have women do products as I said 86 00:03:42,050 --> 00:03:46,430 Coverity blacktop 
defense and so on I'm 87 00:03:44,840 --> 00:03:47,840 actually that were building a platform 88 00:03:46,430 --> 00:03:51,320 at them so we're putting more together 89 00:03:47,840 --> 00:03:52,790 as one unified thing on that we have a 90 00:03:51,320 --> 00:03:54,200 lot of services so you'll see we've got 91 00:03:52,790 --> 00:03:56,570 a bunch of sort of testing security 92 00:03:54,200 --> 00:03:58,750 testing services that we do which is 93 00:03:56,570 --> 00:04:00,010 what in my team do behind 94 00:03:58,750 --> 00:04:01,900 we have to do something what kind of 95 00:04:00,010 --> 00:04:04,810 strategic proactive software security 96 00:04:01,900 --> 00:04:07,570 things if you haven't heard of Beeson go 97 00:04:04,810 --> 00:04:09,820 to be simcom it's a it's a science 98 00:04:07,570 --> 00:04:12,400 experiment that would have been crazy we 99 00:04:09,820 --> 00:04:14,410 we lost over 200 companies what they 100 00:04:12,400 --> 00:04:16,090 actually do as per the software skills 101 00:04:14,410 --> 00:04:18,459 program and we've built a kind of 102 00:04:16,089 --> 00:04:23,409 statistical model out of what we heard 103 00:04:18,459 --> 00:04:26,610 so anyway enough of the marketing oh my 104 00:04:23,410 --> 00:04:29,800 that's a really big version of my face 105 00:04:26,610 --> 00:04:31,450 so so I'm the head of the software 106 00:04:29,800 --> 00:04:33,820 security consulting the organization for 107 00:04:31,450 --> 00:04:36,310 the Nordics and Benelux in other words I 108 00:04:33,820 --> 00:04:39,130 focus on Scandinavia Belgium Netherlands 109 00:04:36,310 --> 00:04:40,780 Luxembourg that Canaria why do I have 110 00:04:39,130 --> 00:04:41,740 that region well I grew up in Norway in 111 00:04:40,780 --> 00:04:45,580 Bergen 112 00:04:41,740 --> 00:04:48,820 so I can speak Norwegian in theory at 113 00:04:45,580 --> 00:04:50,050 least that's that's you know that's one 114 00:04:48,820 --> 00:04:51,040 of those things you never currently when 
115 00:04:50,050 --> 00:04:53,200 you see me that you're not willing to 116 00:04:51,040 --> 00:04:54,970 back up well yeah when we got a quiet 117 00:04:53,200 --> 00:04:57,370 way synopsis that they have a sales team 118 00:04:54,970 --> 00:04:58,900 already in the Nordics who were doing 119 00:04:57,370 --> 00:05:00,640 really well they got lots of customers 120 00:04:58,900 --> 00:05:02,020 and they got me the assessment services 121 00:05:00,640 --> 00:05:03,219 you know we would win an entirely 122 00:05:02,020 --> 00:05:04,990 different kind of thing to the portfolio 123 00:05:03,220 --> 00:05:07,990 so they were like Nick you speak the 124 00:05:04,990 --> 00:05:10,000 leeches yes okay you have to go with us 125 00:05:07,990 --> 00:05:11,830 to these meetings okay cool so I flew 126 00:05:10,000 --> 00:05:13,570 over to Norway and certainly much of 127 00:05:11,830 --> 00:05:15,400 customer meetings and the first customer 128 00:05:13,570 --> 00:05:17,650 meeting that I was in where they decided 129 00:05:15,400 --> 00:05:19,450 we have to do this in the region itself 130 00:05:17,650 --> 00:05:21,909 kind of early enteral spiel and then 131 00:05:19,450 --> 00:05:24,669 said Nick is gonna talk about Sean was 132 00:05:21,910 --> 00:05:26,110 guilty net of you and that's the point I 133 00:05:24,669 --> 00:05:28,359 remembered that I hadn't spoken in the 134 00:05:26,110 --> 00:05:30,660 region on a day-to-day basis for 19 135 00:05:28,360 --> 00:05:30,660 years 136 00:05:30,789 --> 00:05:38,229 and also how do you say static analysis 137 00:05:34,150 --> 00:05:39,188 security testing in The Witcher so that 138 00:05:38,229 --> 00:05:41,080 was fun meeting 139 00:05:39,189 --> 00:05:43,659 I've lived in Seattle in the US for a 140 00:05:41,080 --> 00:05:44,889 while I got a high my company almost 141 00:05:43,659 --> 00:05:46,629 straight out of university actually a 142 00:05:44,889 --> 00:05:48,900 chemical found stone which got acquired 143 00:05:46,629 
--> 00:05:51,930 by McAfee which got acquired by Intel 144 00:05:48,900 --> 00:05:54,068 and I did a bunch of assessing for them 145 00:05:51,930 --> 00:05:57,669 it's over five years when I met my 146 00:05:54,069 --> 00:05:58,990 lovely wife and I went monden so yeah 147 00:05:57,669 --> 00:06:01,180 I've been a consultant for about 14 148 00:05:58,990 --> 00:06:04,090 years I started off in penetration 149 00:06:01,180 --> 00:06:07,930 testing all of it has so much fun broken 150 00:06:04,090 --> 00:06:10,239 country stuff learnt a lot and then 151 00:06:07,930 --> 00:06:12,969 having done that for a few years moved 152 00:06:10,240 --> 00:06:14,349 back to London still is about McAfee to 153 00:06:12,969 --> 00:06:16,659 help them build that consulting business 154 00:06:14,349 --> 00:06:19,300 in New York and I sort of got dragged 155 00:06:16,659 --> 00:06:22,090 into incident respond so much so he had 156 00:06:19,300 --> 00:06:24,099 a lot of customers in McAfee customers 157 00:06:22,090 --> 00:06:25,448 who kept getting hacked that's not a 158 00:06:24,099 --> 00:06:28,569 comment on the product it's just you 159 00:06:25,449 --> 00:06:30,400 know people get act and so we would sort 160 00:06:28,569 --> 00:06:31,750 of parachuted in and I was just meant to 161 00:06:30,400 --> 00:06:33,340 be a project manager and all of a sudden 162 00:06:31,750 --> 00:06:35,050 that was on a plane you know ten hours 163 00:06:33,340 --> 00:06:37,330 notice two women from countries in the 164 00:06:35,050 --> 00:06:39,520 Middle East saying hi honey 165 00:06:37,330 --> 00:06:41,080 yeah I'm off to a country in the Middle 166 00:06:39,520 --> 00:06:42,628 East yeah don't actually know how I'm 167 00:06:41,080 --> 00:06:47,279 coming back 168 00:06:42,629 --> 00:06:49,629 four weeks later it was my record so 169 00:06:47,279 --> 00:06:50,949 wasn't my favorite activity but it was 170 00:06:49,629 --> 00:06:53,020 really exciting really interesting 171 00:06:50,949 --> 
00:06:55,419 another plot how much training and then 172 00:06:53,020 --> 00:06:57,279 when I got on bisexual about five years 173 00:06:55,419 --> 00:06:59,979 ago I got really into software security 174 00:06:57,279 --> 00:07:01,750 and that's where sort of love being here 175 00:06:59,979 --> 00:07:03,159 since go a bachelor's in computer 176 00:07:01,750 --> 00:07:04,569 science from Exeter University 177 00:07:03,159 --> 00:07:07,089 I've got master's in information 178 00:07:04,569 --> 00:07:09,729 security from Huawei anyone heard of 179 00:07:07,089 --> 00:07:13,900 that program and one big to that program 180 00:07:09,729 --> 00:07:17,919 oh okay one thing one thing they don't 181 00:07:13,900 --> 00:07:19,359 have is this which is fantastic you know 182 00:07:17,919 --> 00:07:22,258 if they could organize a conference than 183 00:07:19,360 --> 00:07:25,360 the body they couldn't do this off so 184 00:07:22,259 --> 00:07:26,469 kudos to us yeah there's my email 185 00:07:25,360 --> 00:07:28,430 address if you wanna follow me on 186 00:07:26,469 --> 00:07:31,310 Twitter and I usually just remount about 187 00:07:28,430 --> 00:07:33,670 cycling so but sometimes I post about 188 00:07:31,310 --> 00:07:36,050 security 189 00:07:33,670 --> 00:07:37,970 okay so let's first talking about 190 00:07:36,050 --> 00:07:40,880 history so I'm going to sort of talking 191 00:07:37,970 --> 00:07:45,980 about software development and security 192 00:07:40,880 --> 00:07:48,170 and how for a very long time now they've 193 00:07:45,980 --> 00:07:50,240 sort of not been very good friends they 194 00:07:48,170 --> 00:07:52,060 haven't played well together and so I'm 195 00:07:50,240 --> 00:07:54,740 gonna talk a bit about what's happened 196 00:07:52,060 --> 00:07:56,630 what's happening and what compare what 197 00:07:54,740 --> 00:07:57,950 I'm sort of seeing what we're seeing 198 00:07:56,630 --> 00:08:01,130 kind of happening with a lot of 199 00:07:57,950 --> 00:08:02,780 
customers and sort of I've got some I 200 00:08:01,130 --> 00:08:04,610 call them career suggestions but in 201 00:08:02,780 --> 00:08:07,880 other word they were like humble 202 00:08:04,610 --> 00:08:11,180 requests to come join us in in helping 203 00:08:07,880 --> 00:08:12,560 companies develop our software so in the 204 00:08:11,180 --> 00:08:14,180 beginning this is kind of how software 205 00:08:12,560 --> 00:08:16,310 that what happens it's a really boring 206 00:08:14,180 --> 00:08:18,200 slide it's meant to be you know 207 00:08:16,310 --> 00:08:20,120 whichever kind of development process 208 00:08:18,200 --> 00:08:23,870 you you follow this usually these kind 209 00:08:20,120 --> 00:08:25,340 of find five steps may be complex or 210 00:08:23,870 --> 00:08:27,140 depending so you've got unit 211 00:08:25,340 --> 00:08:28,640 requirements analysis you build a big 212 00:08:27,140 --> 00:08:31,400 list of everything you want the software 213 00:08:28,640 --> 00:08:33,799 to do and then once you've got that you 214 00:08:31,400 --> 00:08:35,840 go into design mode we design the 215 00:08:33,799 --> 00:08:37,370 software to figure out okay plaid to to 216 00:08:35,840 --> 00:08:39,460 make it do all those things needed to 217 00:08:37,370 --> 00:08:43,280 look like this then you write the code 218 00:08:39,460 --> 00:08:44,810 and then you test the code and then you 219 00:08:43,280 --> 00:08:47,480 know in theory everything works we ship 220 00:08:44,810 --> 00:08:49,099 it now what I've just described is 221 00:08:47,480 --> 00:08:52,520 essentially the old classic waterfall 222 00:08:49,100 --> 00:08:54,380 it's very linear you do all your 223 00:08:52,520 --> 00:08:55,430 requirements analysis you draw a line 224 00:08:54,380 --> 00:08:57,050 under it 225 00:08:55,430 --> 00:08:59,239 there you go quite an hour working in 226 00:08:57,050 --> 00:09:01,630 design and you can't change the 227 00:08:59,240 --> 00:09:04,610 requirements in theory but you 
have to 228 00:09:01,630 --> 00:09:06,260 and then you fight their families a 229 00:09:04,610 --> 00:09:07,670 design you draw a line under it and then 230 00:09:06,260 --> 00:09:09,470 you start implementing and you can't 231 00:09:07,670 --> 00:09:11,810 change the design in theory but you have 232 00:09:09,470 --> 00:09:14,420 to because you're about halfway through 233 00:09:11,810 --> 00:09:16,520 writing the software and you realize oh 234 00:09:14,420 --> 00:09:19,370 we forgot about the requirement about 235 00:09:16,520 --> 00:09:20,600 usually security or something so now 236 00:09:19,370 --> 00:09:21,920 we're going to go back to a cornice 237 00:09:20,600 --> 00:09:23,270 analysis well how do we do that in a 238 00:09:21,920 --> 00:09:26,240 linear process it's really expensive 239 00:09:23,270 --> 00:09:28,270 it's really hard and so what of all 240 00:09:26,240 --> 00:09:31,640 wasn't the best kind of model for this 241 00:09:28,270 --> 00:09:33,380 at least one skill point of view so 242 00:09:31,640 --> 00:09:33,990 there are more modern ways of 243 00:09:33,380 --> 00:09:35,700 approaching this 244 00:09:33,990 --> 00:09:37,230 that pretty much nobody uses pure 245 00:09:35,700 --> 00:09:39,810 waterfall these days when they do 246 00:09:37,230 --> 00:09:43,800 software buttons usually some agile and 247 00:09:39,810 --> 00:09:45,959 scrum some CI city some demos and 248 00:09:43,800 --> 00:09:49,199 wonderful things so they basically all 249 00:09:45,959 --> 00:09:51,329 have the same components but they happen 250 00:09:49,200 --> 00:09:53,550 in a different way so you let the scrum 251 00:09:51,330 --> 00:09:55,260 also a sprint is usually a two-week 252 00:09:53,550 --> 00:09:57,359 sprinter or something like that and so 253 00:09:55,260 --> 00:09:59,760 you can't do all this you can't build an 254 00:09:57,360 --> 00:10:01,529 entire per 2 weeks way to fly but when 255 00:09:59,760 --> 00:10:03,240 you do is you pick a few the clients of 256 
00:10:01,529 --> 00:10:05,610 you user stories you try to limit that 257 00:10:03,240 --> 00:10:07,680 as you're weeks and then the next two 258 00:10:05,610 --> 00:10:09,839 weeks you repeat twice knowledge because 259 00:10:07,680 --> 00:10:12,089 there's different ways of doing it each 260 00:10:09,839 --> 00:10:13,500 rating these things but fundamentally 261 00:10:12,089 --> 00:10:17,339 you're dealing with the same kind of 262 00:10:13,500 --> 00:10:22,440 activities so yeah fixing problems 263 00:10:17,339 --> 00:10:24,950 coming expensive still is so something 264 00:10:22,440 --> 00:10:28,860 happened with the line that sees 265 00:10:24,950 --> 00:10:29,570 everyone you know smashing a stack for 266 00:10:28,860 --> 00:10:31,950 fun and profit 267 00:10:29,570 --> 00:10:34,890 yeah excellent okay if you had already 268 00:10:31,950 --> 00:10:36,690 got rid of it it is from 96 269 00:10:34,890 --> 00:10:38,490 I think remember it's just been outdated 270 00:10:36,690 --> 00:10:40,800 but the concepts are really well 271 00:10:38,490 --> 00:10:45,180 explained really straightforward they're 272 00:10:40,800 --> 00:10:49,709 talking by this guy called a loved one 273 00:10:45,180 --> 00:10:51,420 or a Eli Levy and basically he's 274 00:10:49,709 --> 00:10:53,760 describing you know in a seed program 275 00:10:51,420 --> 00:10:55,620 you've got memory space and the 276 00:10:53,760 --> 00:10:57,149 development is expected to only put 277 00:10:55,620 --> 00:11:00,600 stuff into the memory space it's kind of 278 00:10:57,149 --> 00:11:02,279 fitting well what if I put more in what 279 00:11:00,600 --> 00:11:04,500 if I try pill more into that memory 280 00:11:02,279 --> 00:11:07,339 space then the developer expected to 281 00:11:04,500 --> 00:11:10,350 well things happen fun things happen so 282 00:11:07,339 --> 00:11:12,959 the developers have had this inherent 283 00:11:10,350 --> 00:11:16,290 assumption that people and systems etc 284 00:11:12,959 --> 
00:11:19,170 will use my software on my system the 285 00:11:16,290 --> 00:11:22,649 way I intended to be used it turns out 286 00:11:19,170 --> 00:11:25,860 you had hackers crackers fakers the RAND 287 00:11:22,649 --> 00:11:28,350 Corporation military they all thought a 288 00:11:25,860 --> 00:11:30,060 little bit differently they thought no 289 00:11:28,350 --> 00:11:31,950 what can I make the software do on the 290 00:11:30,060 --> 00:11:34,560 system do that it wasn't intended to do 291 00:11:31,950 --> 00:11:35,870 how can I break it well how can I make 292 00:11:34,560 --> 00:11:38,930 it 293 00:11:35,870 --> 00:11:41,270 other things than what the girl expected 294 00:11:38,930 --> 00:11:43,189 now this didn't come up in the nineties 295 00:11:41,270 --> 00:11:45,140 like hacking penetration testing actual 296 00:11:43,190 --> 00:11:47,839 penetration testing started its life in 297 00:11:45,140 --> 00:11:50,300 the like the 1960s but something else 298 00:11:47,839 --> 00:11:55,240 changed in the nineties so you know 299 00:11:50,300 --> 00:12:01,459 stuff like frack got published and also 300 00:11:55,240 --> 00:12:02,750 the internet happened so 395 issue not 301 00:12:01,460 --> 00:12:07,339 all people on the internet you know 302 00:12:02,750 --> 00:12:09,560 polish on the dial up modem this is a 303 00:12:07,339 --> 00:12:12,800 see some way here in the audience you 304 00:12:09,560 --> 00:12:13,790 you had the dial-up modems so a few 305 00:12:12,800 --> 00:12:17,000 things happen you know the incident 306 00:12:13,790 --> 00:12:19,010 became a really democratizing force not 307 00:12:17,000 --> 00:12:21,290 just for your consumers but also clear 308 00:12:19,010 --> 00:12:22,970 hackers and people who want to kind of 309 00:12:21,290 --> 00:12:25,219 mess with systems so you have more 310 00:12:22,970 --> 00:12:27,620 people messing with more systems so you 311 00:12:25,220 --> 00:12:28,910 have more attackers even more tax 312 00:12:27,620 --> 
00:12:30,770 happening and you had a bigger attack 313 00:12:28,910 --> 00:12:33,010 surface a lot of systems that were never 314 00:12:30,770 --> 00:12:36,110 designed to speak to the outside world 315 00:12:33,010 --> 00:12:39,860 speaking to the outside world by the 316 00:12:36,110 --> 00:12:42,260 internet and yes but there was a lot of 317 00:12:39,860 --> 00:12:44,690 kind of new new challenges for 318 00:12:42,260 --> 00:12:46,810 developers the problems from developers 319 00:12:44,690 --> 00:12:50,810 was they ten people you have less money 320 00:12:46,810 --> 00:12:52,099 they were more shorter timelines and two 321 00:12:50,810 --> 00:12:56,119 certainly something like in key skills 322 00:12:52,100 --> 00:12:58,850 as well especially the security so 323 00:12:56,120 --> 00:13:01,010 you've got the you've got this dichotomy 324 00:12:58,850 --> 00:13:03,410 of lots more people looking at your 325 00:13:01,010 --> 00:13:06,470 systems and you've got less time to 326 00:13:03,410 --> 00:13:08,810 secure so you got this race between the 327 00:13:06,470 --> 00:13:10,940 makers and the workers the developers 328 00:13:08,810 --> 00:13:14,479 they're trying to cope with a scary new 329 00:13:10,940 --> 00:13:17,570 world and you go ahead from that hackers 330 00:13:14,480 --> 00:13:19,339 penetration testers etc you know 331 00:13:17,570 --> 00:13:22,430 developing new capabilities new tools 332 00:13:19,339 --> 00:13:26,000 new attack methodologies or methods new 333 00:13:22,430 --> 00:13:28,670 pen testing methodologies we even have 334 00:13:26,000 --> 00:13:32,740 delicious now we have that people have 335 00:13:28,670 --> 00:13:34,699 to take it seriously and ID security 336 00:13:32,740 --> 00:13:37,069 traditionally many network by the 337 00:13:34,700 --> 00:13:38,959 infrastructure oriented 338 00:13:37,069 --> 00:13:42,560 their response was very much along the 339 00:13:38,959 --> 00:13:43,250 lines of it's okay we've got fire it's 340 
00:13:42,560 --> 00:13:47,899 fine 341 00:13:43,250 --> 00:13:50,690 nothing bad will happen so a good 342 00:13:47,899 --> 00:13:52,910 example of that was yeah well back when 343 00:13:50,690 --> 00:13:55,389 I was doing instant response I got 344 00:13:52,910 --> 00:13:59,149 dragged into one case where a company 345 00:13:55,389 --> 00:14:01,790 clearly bleeding they've got but people 346 00:13:59,149 --> 00:14:02,930 on the inside of the network and so the 347 00:14:01,790 --> 00:14:05,029 first thing we did was we stopped the 348 00:14:02,930 --> 00:14:08,269 bleeding we figured out okay have plug 349 00:14:05,029 --> 00:14:10,850 the holes okay what happened let's look 350 00:14:08,269 --> 00:14:12,829 at your a firewall Odyssey intrusion 351 00:14:10,850 --> 00:14:14,269 detection logs and so on oh yeah 352 00:14:12,829 --> 00:14:16,008 actually intrusion detection labs 353 00:14:14,269 --> 00:14:17,509 they've got this alert this thing keeps 354 00:14:16,009 --> 00:14:18,709 yelling at us about this thing but it 355 00:14:17,509 --> 00:14:21,439 must be a false positive it can't 356 00:14:18,709 --> 00:14:25,699 possibly be so why kind of be real well 357 00:14:21,439 --> 00:14:26,959 because in with the the signatures in 358 00:14:25,699 --> 00:14:28,878 the intrusion detection system you know 359 00:14:26,959 --> 00:14:30,529 that the rules they were written at some 360 00:14:28,879 --> 00:14:32,149 point in the rule will be time stamped 361 00:14:30,529 --> 00:14:34,579 when it was written and this particular 362 00:14:32,149 --> 00:14:37,759 rule that was in their system was within 363 00:14:34,579 --> 00:14:39,589 ten years ago so can't possibly reveal 364 00:14:37,759 --> 00:14:41,389 because they are me up today all the 365 00:14:39,589 --> 00:14:43,220 windows patches so you know really old 366 00:14:41,389 --> 00:14:45,759 rule triggering it must be a false 367 00:14:43,220 --> 00:14:52,009 positive as I look at which rule is this 368 00:14:45,759 
--> 00:14:54,110 it's called a sequel injection right 369 00:14:52,009 --> 00:14:55,850 okay so someone's been hammering your 370 00:14:54,110 --> 00:14:57,949 front and website with sequel injection 371 00:14:55,850 --> 00:15:00,380 that your intrusion detection system is 372 00:14:57,949 --> 00:15:01,099 being young at you but you thought it 373 00:15:00,380 --> 00:15:05,810 was a false positive 374 00:15:01,100 --> 00:15:07,880 yeah okay turns out it wasn't a false 375 00:15:05,810 --> 00:15:10,069 positive and what the family clean up 376 00:15:07,880 --> 00:15:11,269 now these guys were really good at their 377 00:15:10,069 --> 00:15:12,829 jobs they would have an Operations 378 00:15:11,269 --> 00:15:14,569 Center people they were very good at 379 00:15:12,829 --> 00:15:16,790 maintaining a secure Network and 380 00:15:14,569 --> 00:15:18,380 patching systems but they didn't really 381 00:15:16,790 --> 00:15:20,029 know much about application security so 382 00:15:18,380 --> 00:15:23,089 they didn't know what sequel injection 383 00:15:20,029 --> 00:15:25,880 was so you know it's fine we have a 384 00:15:23,089 --> 00:15:28,160 firewall they it's not fine 385 00:15:25,880 --> 00:15:31,250 meanwhile they've barely to thousands a 386 00:15:28,160 --> 00:15:34,149 few things happened around what kind of 387 00:15:31,250 --> 00:15:38,269 software security the kind of thing so 388 00:15:34,149 --> 00:15:39,280 Bill Gates and Microsoft puts out a memo 389 00:15:38,269 --> 00:15:40,800 I think every year 390 00:15:39,280 --> 00:15:44,140 used to put out in that way every year 391 00:15:40,800 --> 00:15:46,449 in one year that means met the tidal 392 00:15:44,140 --> 00:15:49,180 wave I think was called then one year in 393 00:15:46,450 --> 00:15:51,930 2002 it was trustworthy computing not 394 00:15:49,180 --> 00:15:55,449 totally they hear very much these days 395 00:15:51,930 --> 00:15:57,069 at the time who's the new thing from 396 00:15:55,450 --> 00:15:58,590 
exomes and they'll spit out this thing 397 00:15:57,070 --> 00:16:01,570 called the secure about the lifecycle 398 00:15:58,590 --> 00:16:04,180 they published a book and it's basically 399 00:16:01,570 --> 00:16:07,480 how Microsoft wanted to do software 400 00:16:04,180 --> 00:16:08,890 development with security baked in and 401 00:16:07,480 --> 00:16:12,550 to some extent they did that for some 402 00:16:08,890 --> 00:16:14,020 things and lots of other companies about 403 00:16:12,550 --> 00:16:15,160 the book thought all this is brilliant 404 00:16:14,020 --> 00:16:19,590 there are so many good ideas in here 405 00:16:15,160 --> 00:16:21,850 let's use it at the same time or some 406 00:16:19,590 --> 00:16:25,380 some clever guys there's a company 407 00:16:21,850 --> 00:16:31,030 called suit all published a book called 408 00:16:25,380 --> 00:16:34,810 software security and then there we 409 00:16:31,030 --> 00:16:36,370 about the authors Gary Micco sending 410 00:16:34,810 --> 00:16:41,319 Biggers and John Stevens and a few 411 00:16:36,370 --> 00:16:42,850 others how did you yeah Pat go pack up 412 00:16:41,320 --> 00:16:44,440 with some content in this as well if he 413 00:16:42,850 --> 00:16:47,560 if you hadn't met Paco Paco used to be 414 00:16:44,440 --> 00:16:51,250 as digital have a chat with him at some 415 00:16:47,560 --> 00:16:53,829 point he left us the traitor he's now at 416 00:16:51,250 --> 00:16:58,000 AWS but he's doing fantastic work there 417 00:16:53,830 --> 00:16:59,470 well anyway so we put into the console 418 00:16:58,000 --> 00:17:01,660 movies touch points you know in Salford 419 00:16:59,470 --> 00:17:03,460 well that you have these activities well 420 00:17:01,660 --> 00:17:05,829 for each of these kind of stages no 421 00:17:03,460 --> 00:17:07,900 qualms analysis design etc there's 422 00:17:05,829 --> 00:17:10,030 things you've the security things we can 423 00:17:07,900 --> 00:17:11,530 do for each of them so that's that's 424 
00:17:10,030 --> 00:17:13,770 come up these touch points where we talk 425 00:17:11,530 --> 00:17:17,349 about reaching these stages well to do 426 00:17:13,770 --> 00:17:20,260 almost kind of thing around about them 427 00:17:17,349 --> 00:17:22,480 as well and has now attended to it won't 428 00:17:20,260 --> 00:17:23,829 be nearby fantastic organization with a 429 00:17:22,480 --> 00:17:26,770 lot company a lot some really good 430 00:17:23,829 --> 00:17:29,020 material you know if you're into you 431 00:17:26,770 --> 00:17:31,210 know they're not just web start now and 432 00:17:29,020 --> 00:17:33,790 they've got they've got mobile stuff etc 433 00:17:31,210 --> 00:17:35,170 and I content for both you know if you 434 00:17:33,790 --> 00:17:37,540 doing security testing how to do it 435 00:17:35,170 --> 00:17:39,910 really good if you're a developer also 436 00:17:37,540 --> 00:17:41,170 what's the problem with it sequel 437 00:17:39,910 --> 00:17:42,880 injection cross-site scripting and so on 438 00:17:41,170 --> 00:17:48,190 they got some really good video in there 439 00:17:42,880 --> 00:17:51,520 as well okay so 440 00:17:48,190 --> 00:17:54,610 so we had some few different ideas about 441 00:17:51,520 --> 00:17:58,590 how to introduce security into software 442 00:17:54,610 --> 00:18:00,699 development what did that look like well 443 00:17:58,590 --> 00:18:01,689 everyone started with penetration 444 00:18:00,700 --> 00:18:03,220 testing because everyone knew what it 445 00:18:01,690 --> 00:18:05,800 was it was a it was a pretty cool effect 446 00:18:03,220 --> 00:18:08,290 so we've got a bunch of applications 447 00:18:05,800 --> 00:18:11,200 there how to live in the in the great 448 00:18:08,290 --> 00:18:13,450 big world what can we do to them well we 449 00:18:11,200 --> 00:18:16,300 can do a penetration test okay let's go 450 00:18:13,450 --> 00:18:19,420 can test our systems or applications wow 451 00:18:16,300 --> 00:18:21,790 that is a lot of 
bugs well I guess we 452 00:18:19,420 --> 00:18:24,490 add those to the backlog so we had a 453 00:18:21,790 --> 00:18:25,629 pile of security issues that we ended up 454 00:18:24,490 --> 00:18:26,950 with but the problem is that these 455 00:18:25,630 --> 00:18:29,760 applications were already like they're 456 00:18:26,950 --> 00:18:33,550 already in production that's a bad date 457 00:18:29,760 --> 00:18:36,490 we know that the holes and so how do we 458 00:18:33,550 --> 00:18:38,320 fix them so okay how can we make sure 459 00:18:36,490 --> 00:18:42,000 that we find these bugs before it goes 460 00:18:38,320 --> 00:18:42,000 into production well let's let's do 461 00:18:43,260 --> 00:18:49,990 let's do penetration testing before it 462 00:18:45,700 --> 00:18:51,910 goes into production in a lot of 463 00:18:49,990 --> 00:18:55,360 organizations what ended up happening 464 00:18:51,910 --> 00:18:57,010 was you did penetration testing about 465 00:18:55,360 --> 00:18:58,659 two weeks before you meant to go into 466 00:18:57,010 --> 00:19:01,020 production thing is the penetration test 467 00:18:58,660 --> 00:19:04,570 takes a week or two weeks all depending 468 00:19:01,020 --> 00:19:05,830 you find some problems and then the 469 00:19:04,570 --> 00:19:10,570 developer fixes them magically overnight 470 00:19:05,830 --> 00:19:11,710 by just before at least that's yeah that 471 00:19:10,570 --> 00:19:13,210 didn't really happen so what you ended 472 00:19:11,710 --> 00:19:17,110 up with was we ended up with more a 473 00:19:13,210 --> 00:19:18,660 bigger bug pile you need to have had but 474 00:19:17,110 --> 00:19:21,040 it was still another production because 475 00:19:18,660 --> 00:19:25,330 you have to mr. 
... oh well, we can't stop the release. So, bigger pile, still doing pen testing.

[00:19:25] Okay, well, how can we do things earlier? Let's do code review. So let's look at the actual source code and see if we can identify security bugs. Cool. This is really boring to do manually, so people invented tools. One of the first tools there for security was called ITS4, which was developed at Cigital a while back. It's kind of a concept and, if I know my history correctly, basically Cigital said, well, we're not going to do much with it, but it's a really cool concept; let's give it to some venture capitalists and they'll turn it into something. And they turned it into this thing called Fortify, which became quite big, and I'm sure someone in our company was kicking themselves a bit for, you know, letting someone else run with it, because we probably could have made it a success as well. But yeah, lots of tools out there looking for bugs in your source code. So we're adding into the bug pile; we're still not addressing, okay,
well, when are we going to fix it, and how do we stop increasing the bug pile?

[00:20:36] So this is kind of what maybe some organisations would consider a secure software lifecycle: you're doing a bunch of different things throughout the lifecycle. So when you're doing the requirements analysis you make sure that you come up with your security requirements; you come up with abuse cases or attack stories or whatever you want to call them, and you do some sort of risk analysis. We know, okay, well, in this application I'm going to talk to the internet and it's going to be handling credit card data; okay, well, that involves some risks, so let's address those early. Let's come up with some requirements to try and mitigate those risks. Then when we're doing architecture design we... has anyone done threat modelling? Okay, fantastic. So essentially you look at the design of the application and you say, great, now as an attacker I want to get to the crown jewels within the system; how can I get to them? From that perspective, are there security
controls that are missing, or are there security controls that aren't up to scratch, can I get around them somehow? And then we do risk analysis on what we find, so we make sure we prioritise what we need to implement early. And then code review again, and penetration testing, that's kind of just a given, and then once in production you'll have some sort of security operations centre making sure that the application stays, you know, as it needs to. And then bug bounties fit in somewhere here; that's an entirely different talk.

[00:22:14] Although I do feel like I should mention one thing. So we organised a conference over here for all the companies applying BSIMM, the Building Security In Maturity Model that I mentioned earlier, and we had someone come and give a talk one year about bug bounties, and it was really interesting seeing basically half the room thought bug bounties were the coolest thing ever and the other part of the room thought it's the dumbest idea ever, and the truth is probably somewhere in the middle.
[00:22:53] Okay, so hacking is fun. Penetration testing is really good fun; breaking stuff is fun. I certainly enjoy doing it. In one of my earliest pen tests I discovered the cookie, and there seemed to be some encrypted data in the cookie, and because I was fairly fresh out of my master's course I was like, I'm going to do cryptanalysis on this. So I did some, you know, statistical analysis, some differential analysis on it, and I figured out, aha, it's that super crypto algorithm called the Caesar shift with some bells and whistles on it. And so, armed with a sample, a pen and paper, I cracked this encryption code. I loved it; it was so much fun, especially explaining it to the developers. You know, they were just blown away by 'how could you do that?' It's rewarding as well. I mean, anyone who does internal network pen testing? Yeah, the first time I got to domain admin, that was such an adrenaline rush. It was so fun. It was my first ever internal pen test; it was
really embarrassing, because at Foundstone we basically had an unofficial leaderboard with regards to how quickly, from plugging in to getting to domain admin, can you get, and I think the record at the time was my boss, who I think did it in something like 18 minutes: plug in, and then what do you do for the rest of the week? So, you know, it's my first internal pen test; I plugged in: okay, I need to get to domain admin. And it took me a slightly embarrassingly long time to do it, with my boss Skype-messaging me like, 'it's been over 20 minutes, dude, have you got to domain admin yet?' So I finally got it; it felt so good. So that's personally rewarding, but breaking stuff is useful as well. I mean, it was shining a light on the issues where the developers had never expected us to try and do this to their system, and, you know, how else were they going to find it?

[00:25:14] Slight problem: breaking stuff does not magically fix the stuff. We still have something we have to do. And this
can cause some animosity. So if you're the security guy and you're talking to the developers and you're breaking their stuff, sometimes this will come across as you walk in and tell the developers 'your baby is ugly' and then walk away. So depending on the organisation, this isn't going to go well sometimes. In fact, at one company I was at, first day on site doing a web app pen test (I had to go on site to do it), the security guy takes me down the hallway, walks me into this room full of developers, in fact the developers for the system, and he says, 'hey guys, this is him, he's here to break your stuff.' How much help did I get from those developers that week? So yeah, actual quotes.

[00:26:25] We can talk a bit about... most of you talk about penetration testing kind of being a badass auditor in a sense. It is really useful, but let's say you have a pen tester go in and spend five days and he comes back and gives you a report saying 'I found these four problems.' What do we know about the application that was tested? [audience answer] Yeah, I was going to say it more
politely, but yes, we know there are at least four issues. What if the pen tester comes back and says 'I didn't find anything'? Is it a secure system? Well, we don't know, essentially. So yes, you know, we don't know, and we know we have some problems. So Dijkstra back in the sixties said this about software testing: we can use testing to show the presence of bugs, but we can't prove the absence of them.

[00:27:29] I thought I'd talk a bit about DevOps, because it's the new sexy thing. Well, actually, it's last year's thing by now. At this point also a big shout out to the marketing department at Synopsys: I gave them a really bland set of slides and they just went Shutterstock; there's really cool stuff in it. I was like, tone it down slightly. Yeah.

[00:27:58] So okay, so DevOps, what is it? Well, let's talk a bit about terminology. Now, people have different definitions of all this stuff, so these are our kind of definitions; your mileage may vary. But essentially agile, it's all about processes, so agile processes are common
in relatively few different kinds of development processes. Typically you're focusing on making changes to the functionality of the application and so on, and here we're trying to optimise delivery. So you're trying to figure out how can we, in an agile manner, make a change to software quickly. And then we have this thing called continuous integration or continuous delivery or continuous deployment, CI/CD. Now that's more kind of tool focused. It's basically how can we define software development lifecycles using software, so we have a software-defined lifecycle, essentially. Things like Bamboo, Jenkins and these kinds of CI tools fit in there. The idea is, if there's a task, let's say compiling the app, that we can do without having to manually type something out, let's find a way of doing it automatically, and that's what build pipelines are, etc. If we can test the app in some automated fashion, let's do that as part of our Jenkins pipeline as well. And so, yeah, the focus is on automation.

[00:29:23] And then this DevOps thing. So DevOps:
development and operations. Historically, development was over there, operations were over there, and security was down at the back yelling just inane things, and none of them talked together. So if I was a developer I was not allowed to touch anything in operations or production; if I wanted to make a change in production I had to go to an operations team and probably open a ticket and beg them, pretty please, can you make this change for me. So the roles were very split. The idea behind DevOps is you're one team where development, operations, everything is in one, and so you're redefining the roles, you're redefining the culture in the organisation and creating more responsibility. So you've got one team that's responsible for the software all the way through development and into production. So, you know, the code I push out into production, I'm responsible for what happens when it goes into production; I have to respond. So this is what software developers are doing. You
know, they've kind of gone down the DevOps route. Some of them are very much on the cutting edge of the space, some of them are much further behind; well, some of them have gone full DevOps, a lot of people are somewhere in the middle, and security is kind of sitting on that going, 'what's DevOps?', especially more traditional security teams. So, you know, if you think back to the more formal approach, the linear approach was really comfortable for security, because, you know, requirements analysis, and then security can come in and go, 'you're going to have a couple of security requirements', and cool, we've signed off on them. So then the same thing happens with design: the developers and the architects draw a nice design and say this is what it's going to look like, you guys come in and go, 'yeah, okay, we anoint this, we accept it', and so on. And all these activities were taking weeks. So a code review would take a couple of weeks, a pen test would take a couple of weeks, and so on; a threat model would take a couple of weeks. Can't we do that in
an environment where your sprint is two weeks? In that two weeks we need to figure out which features we need, how to change them, and at some point actually do testing of it and finish it. We don't have time to spend two weeks on requirements analysis, two weeks on design, two weeks on code review, etc. So security teams have to kind of refocus and think about, okay, what are we trying to accomplish, not how can we speed up the same old activities, because, you know, the wheels will come off.

[00:32:11] Yeah, so developers use things like Jenkins. We could use things like Jenkins; in fact we have started using things like Jenkins. This is just an example of a pipeline. I built it myself, thank you. The trick is to make all your Jenkins stages empty, so nothing happens, and that way you get a green check mark for everything: it succeeded. So this is running on my home Jenkins server doing nothing; it's just there for making a speech. So this is an example of what we might do for some of our customers: for most of our customers we'll go in and go, what
security tools do you have, what are you trying to achieve, what does your build pipeline look like? Okay, well, let's see if we can insert some security stuff in there. So in this case we put in some static analysis for security, we put in some dynamic testing, and so on.

[00:33:07] So from a software security point of view, it's great that we're breaking stuff, but the developers aren't going to love us for breaking their stuff. They're going to love us for telling them and helping them fix the stuff and preventing it from happening in the future. So from that perspective, if we're not speaking the language of development, if we're not using the same tools, the same processes, fitting their current worldview, we're not really doing software security.

[00:33:44] So, I wasn't sure how to title the slide. I started off with 'some career advice', but that sounded a bit arrogant, so I've gone with 'career suggestions'. They can also be considered to be some humble requests from someone who is constantly trying to hire people who know software security. If you don't know how to
program, learn it. You don't have to be a fantastically talented software developer, and you don't have to know every language; it's not that you have to know a specific language. You pick something up, you know. I think in our office in London, on a semi-weekly basis, we have a religious war brewing, because Matthew is very much the Python guy, I'm very much the JavaScript guy, and then someone will run into the room and go 'Go!' and chaos ensues. So yeah, it doesn't have to be a specific language; learn the concepts, you know, like functional programming, lambda functions, object-oriented stuff. This is very useful when you're talking to developers. So when you've given them your pen test report and said, 'yeah, your baby, I'm not going to call it ugly, but it's got some issues', then you're going to have a much more fruitful conversation with the developers if you can speak the language, if you can relate to them in the context of, okay, what frameworks are you using; with that
framework, if you use this function it's better than if you use this function, for example. And one way you might do this is find a pet project. You know, I've always wanted to do a bit of PHP programming; okay, write a simple web something, or... in Python, I'm sorry, Matthew, sorry. So yeah, you can blog about it, you know, put it up on GitHub or Bitbucket or whatever. Or, you know, if you don't want to start something from scratch, there are plenty of open source projects out there, especially in the security space, that could do with some help, so, you know, start contributing. I don't know why I keep using the clicker... external networks.

[00:36:12] Another thing is learning architecture, or software architecture. Why? So learn things like: what do these frameworks do? What does Java Spring do, what does Rails do, and so on, and how can they help the developers? This will save you a lot of time when we're having conversations with developers about 'I found some problems'; a lot of times it can come down
to, look, if you use the framework like this you're going to avoid these problems. So if you learn how they work you can be helpful. Become fluent in things like n-tier application architecture and other fun phrases which architects will use to bamboozle you.

[00:37:01] I had one conversation once with an architect where he came up with, he said, 'look, we don't have any requirements for the software, we have principles.' So we talked a bit about it, and it turns out they were requirements; they just didn't want to call them requirements. Yeah, this becomes super helpful when you're talking the same language. You need to be able to understand design language, design diagrams, and be able to draw them as well. Visio will become your friend, sort of.

[00:37:36] And also, not every security issue is a bug; some of them are design flaws. So what do I mean by that? Well, okay, the way we talk about bugs and flaws: bugs are mistakes that you make in the code, so you forget a semicolon or you get your indentation wrong, or some
thing. So... or, you know, you meant to take one variable and add it to another but actually subtract, or something like that. You know, your intention was correct but you fat-fingered something; that's a bug. A design flaw is where, when you design the application, you forgot about something or didn't quite design it right. So maybe you forgot to put in authentication; that's a pretty big thing to forget, but it does happen. Or you think you've designed an authorisation scheme that will protect all the crown jewels, but actually you left a great big gaping hole over here on the left or something.

[00:38:42] And so here's an example of a design flaw. This is my cat Alex. Alex is a bit... he's not really, he's just really affectionate, and when he doesn't get affection from me or my wife he turns to his friend the Roomba. Now, the way I discovered this was basically I'd come home from work and there's a Roomba in the corner with a dead battery, and this kept happening. And then one day I was working from home;
Alex is asleep on the bed in the bedroom, and I hear the Roomba go 'doo-doo', it's going to start its thing, and Alex gets off the bed at once, downstairs: what is happening? Alex has figured out that to get affection he just has to wait for the Roomba to wake up and then he gets pets. So this is what I call a design flaw, because the makers of the Roomba have done lots of many clever things, but one thing they've never planned for was what I call the attention-seeking cat abuse case. So he has finally stopped doing this, but, you know, we had to buy a new battery for the robot.

[00:40:17] Okay, crypto. Crypto is hard; it gives me a headache, but it is worth knowing a bit about it, getting familiar with it, some of the history of it. You don't have to become a maths whiz, but knowing why it's hard to get right is really helpful, because there are some classic mistakes that have been made. I've had... Needham-Schroeder. I picked this example; I want to thank Professor Kenny Paterson at Royal Holloway for this. He made us do all this as part of our network security
956 00:40:50,920 --> 00:40:56,710 mask so neither interpreter clever 957 00:40:54,849 --> 00:40:58,569 people they came up with two 958 00:40:56,710 --> 00:41:00,940 authentication protocols back in 1978 959 00:40:58,569 --> 00:41:03,160 one with secret key base one was public 960 00:41:00,940 --> 00:41:04,480 key based and they only took about three 961 00:41:03,160 --> 00:41:05,890 years for someone to break the secret 962 00:41:04,480 --> 00:41:11,420 key base one and in fact there's a 963 00:41:05,890 --> 00:41:13,848 replay attack but the public key 964 00:41:11,420 --> 00:41:15,680 actually was fine for another well for 965 00:41:13,849 --> 00:41:17,000 about 17 years until someone figured out 966 00:41:15,680 --> 00:41:18,230 last year there's a man in middle of 967 00:41:17,000 --> 00:41:21,140 attack innocent 968 00:41:18,230 --> 00:41:23,420 so really smart people coming up with 969 00:41:21,140 --> 00:41:25,910 what looks like a really clever idea 970 00:41:23,420 --> 00:41:28,400 and it seems to be clever and then 17 971 00:41:25,910 --> 00:41:30,799 years later someone goes actually has a 972 00:41:28,400 --> 00:41:34,069 really simple way of attacking it so 973 00:41:30,799 --> 00:41:36,619 it's really hard to get bite and the 974 00:41:34,069 --> 00:41:39,980 similar story for things like our c4 and 975 00:41:36,619 --> 00:41:44,180 b5 and quite a few other algorithms and 976 00:41:39,980 --> 00:41:45,380 protocols out there so it's I'm not 977 00:41:44,180 --> 00:41:47,839 looking for anyone to start inventing 978 00:41:45,380 --> 00:41:49,519 crypto I'm looking forward sort of you 979 00:41:47,839 --> 00:41:52,640 know if people can get their heads 980 00:41:49,519 --> 00:41:55,129 around why why smart people do dumb 981 00:41:52,640 --> 00:41:58,359 things I Spit my heart opening it but 982 00:41:55,130 --> 00:42:02,950 you know why these things can happen 983 00:41:58,359 --> 00:42:05,000 okay you don't need a bigger box which I 984 00:42:02,950 
--> 00:42:06,589 think this goes without saying 985 00:42:05,000 --> 00:42:08,299 especially given they are looking at the 986 00:42:06,589 --> 00:42:10,339 schedule over the part of the next day 987 00:42:08,299 --> 00:42:14,299 you know it's not just about web apps 988 00:42:10,339 --> 00:42:16,369 although I think we probably spend but 989 00:42:14,299 --> 00:42:19,009 we in a half the testing work that we do 990 00:42:16,369 --> 00:42:24,049 if not more is web apps 991 00:42:19,009 --> 00:42:25,460 we don't know mobile testing as well but 992 00:42:24,049 --> 00:42:28,880 of a half of all the work that we do is 993 00:42:25,460 --> 00:42:31,220 probably web apps but we we do love an 994 00:42:28,880 --> 00:42:34,250 interesting work in things like Internet 995 00:42:31,220 --> 00:42:37,939 of Things automotive medical devices 996 00:42:34,250 --> 00:42:40,700 that kind of stuff mainly and it's sort 997 00:42:37,940 --> 00:42:42,769 of in which pickings in the sense that a 998 00:42:40,700 --> 00:42:47,629 lot of these technologies are being 999 00:42:42,769 --> 00:42:50,500 built without necessarily co2 being a 1000 00:42:47,630 --> 00:42:52,759 main player in the beginning so 1001 00:42:50,500 --> 00:42:55,269 miscounting a repeat other mistakes made 1002 00:42:52,759 --> 00:42:57,799 in previous generations of technology 1003 00:42:55,269 --> 00:43:01,788 and this is where you can bring a lot of 1004 00:42:57,799 --> 00:43:04,788 value by both demonstrating in the 1005 00:43:01,789 --> 00:43:07,170 issues with the technology but if you 1006 00:43:04,789 --> 00:43:09,330 can speak your thoughts totally 1007 00:43:07,170 --> 00:43:13,440 how to avoid the issues and how to fix 1008 00:43:09,330 --> 00:43:17,400 the issues that's that will be you'll 1009 00:43:13,440 --> 00:43:23,100 become someone's best friend embrace 1010 00:43:17,400 --> 00:43:25,530 everything as code you I feel like I 1011 00:43:23,100 --> 00:43:27,089 should mention AWS at this point you 
1012 00:43:25,530 --> 00:43:28,800 know aw surviving gotten to pet that 1013 00:43:27,090 --> 00:43:30,570 much come down the road of everything is 1014 00:43:28,800 --> 00:43:34,400 code you know why infrastructure is code 1015 00:43:30,570 --> 00:43:36,680 our network is code our policy is cold 1016 00:43:34,400 --> 00:43:42,540 you know who's gonna be the one document 1017 00:43:36,680 --> 00:43:44,970 nobody who's going to make their their 1018 00:43:42,540 --> 00:43:46,590 code passed a bunch of security 1019 00:43:44,970 --> 00:43:48,959 requirements are built into the build 1020 00:43:46,590 --> 00:43:52,380 process everyone because they don't want 1021 00:43:48,960 --> 00:43:54,740 to have to deal with the friction build 1022 00:43:52,380 --> 00:43:57,360 pipelines that will come now Jenkins etc 1023 00:43:54,740 --> 00:44:00,569 security sensors we can write them as 1024 00:43:57,360 --> 00:44:02,160 code now so if it's you know if it's 1025 00:44:00,570 --> 00:44:04,230 champions pipeline you have a Metasploit 1026 00:44:02,160 --> 00:44:06,210 script or anything it's all code and 1027 00:44:04,230 --> 00:44:09,540 these will end up speaking stuff and 1028 00:44:06,210 --> 00:44:12,900 getting that so I'm sure there are other 1029 00:44:09,540 --> 00:44:14,310 examples I've forgotten here consider 1030 00:44:12,900 --> 00:44:16,200 being a security champion within the 1031 00:44:14,310 --> 00:44:19,230 organization where you work or at 1032 00:44:16,200 --> 00:44:21,149 someone will work if you're studying so 1033 00:44:19,230 --> 00:44:22,590 as I said you know you've got these caps 1034 00:44:21,150 --> 00:44:26,070 you've got security you've got a lot of 1035 00:44:22,590 --> 00:44:28,380 printing operations and so on one thing 1036 00:44:26,070 --> 00:44:31,200 that we found is it's a tends to be a 1037 00:44:28,380 --> 00:44:34,400 lot easier to teach a developer about 1038 00:44:31,200 --> 00:44:36,960 security than they is to try and teach 1039 
00:44:34,400 --> 00:44:41,160 combat or traditional IT security person 1040 00:44:36,960 --> 00:44:42,390 about how to speak to developers is it 1041 00:44:41,160 --> 00:44:45,990 just seems to work better the other way 1042 00:44:42,390 --> 00:44:49,620 right so in other organizations where we 1043 00:44:45,990 --> 00:44:51,689 work the sophists unit group is able to 1044 00:44:49,620 --> 00:44:53,750 be relatively small because they've got 1045 00:44:51,690 --> 00:44:56,400 these champions in the engineering and 1046 00:44:53,750 --> 00:44:58,950 calamities who they're developers so 1047 00:44:56,400 --> 00:45:01,440 they're architects and so on but they 1048 00:44:58,950 --> 00:45:03,689 have a passion for security they they 1049 00:45:01,440 --> 00:45:06,600 know about security and they become some 1050 00:45:03,690 --> 00:45:08,770 of the focal point within their team for 1051 00:45:06,600 --> 00:45:11,170 security so this office view does not 1052 00:45:08,770 --> 00:45:13,660 yell at everyone there's people actually 1053 00:45:11,170 --> 00:45:18,070 embedded in the organization so they 1054 00:45:13,660 --> 00:45:20,589 come in a sweet spot and don't forget 1055 00:45:18,070 --> 00:45:24,310 about culture so different organizations 1056 00:45:20,589 --> 00:45:25,839 have different cultures so you've got 1057 00:45:24,310 --> 00:45:26,950 kind of the developers and security that 1058 00:45:25,839 --> 00:45:28,720 kind of an awesome band all 1059 00:45:26,950 --> 00:45:30,720 organizations and depending on the 1060 00:45:28,720 --> 00:45:34,299 corporate culture that can be really 1061 00:45:30,720 --> 00:45:35,500 brutal awesome then in other 1062 00:45:34,300 --> 00:45:39,160 organizations a little bit more 1063 00:45:35,500 --> 00:45:40,810 collaborative so if you're if you're a 1064 00:45:39,160 --> 00:45:42,220 consultant on sides of the organization 1065 00:45:40,810 --> 00:45:45,190 where they've got a very sort of us 1066 00:45:42,220 --> 00:45:46,990 
versus them culture you're gonna have to 1067 00:45:45,190 --> 00:45:50,140 work harder to win over the developers 1068 00:45:46,990 --> 00:45:53,169 and so be conscious or be conscious of 1069 00:45:50,140 --> 00:45:55,170 that so holiday and technologies keep 1070 00:45:53,170 --> 00:45:58,180 changing but you know the people where 1071 00:45:55,170 --> 00:46:00,880 we can we all kind of stay the same and 1072 00:45:58,180 --> 00:46:08,379 since that all of our hang-ups and we'll 1073 00:46:00,880 --> 00:46:10,750 have our cultural kind of parents so so 1074 00:46:08,380 --> 00:46:16,510 in summary finding security issues is 1075 00:46:10,750 --> 00:46:19,570 the easy part doesn't mean it's easy I 1076 00:46:16,510 --> 00:46:22,390 mean it's it's really hard it's really 1077 00:46:19,570 --> 00:46:26,530 challenging and I've spent like how long 1078 00:46:22,390 --> 00:46:29,098 staring at one particular system where 1079 00:46:26,530 --> 00:46:32,710 I'm cleaning I'm sure there's a whole 1080 00:46:29,099 --> 00:46:34,450 think I can get through it I just wasted 1081 00:46:32,710 --> 00:46:36,460 five days trying to figure that it can 1082 00:46:34,450 --> 00:46:39,149 be really hard to really challenging but 1083 00:46:36,460 --> 00:46:41,770 relatively speaking it's the easy part 1084 00:46:39,150 --> 00:46:43,240 because once I found an issue the 1085 00:46:41,770 --> 00:46:45,040 developers then have to go fix it they 1086 00:46:43,240 --> 00:46:46,959 have to figure out the payroll how can I 1087 00:46:45,040 --> 00:46:49,060 fix this in such a way that nobody can 1088 00:46:46,960 --> 00:46:52,810 do that particular attack and anything 1089 00:46:49,060 --> 00:46:56,830 that looks a bit like it has anyone got 1090 00:46:52,810 --> 00:46:59,259 a pen test where they found a cross-site 1091 00:46:56,830 --> 00:47:01,240 scripting issue and then the report they 1092 00:46:59,260 --> 00:47:03,640 say okay steps to reproduce go to this 1093 00:47:01,240 --> 
00:47:05,379 page put in this into the input field 1094 00:47:03,640 --> 00:47:07,910 this particular value into the input 1095 00:47:05,380 --> 00:47:09,710 field and click go and voila you have a 1096 00:47:07,910 --> 00:47:13,460 I scripting attack and then the 1097 00:47:09,710 --> 00:47:19,700 developers fix it by blacklisting just 1098 00:47:13,460 --> 00:47:21,619 that example happens one so the valves 1099 00:47:19,700 --> 00:47:23,569 aren't used to this kind of approach 1100 00:47:21,619 --> 00:47:26,990 they're not thinking about how or do I 1101 00:47:23,569 --> 00:47:29,089 need to escape values and you know trees 1102 00:47:26,990 --> 00:47:31,848 it's a trust boundaries and how do i do 1103 00:47:29,089 --> 00:47:35,119 encoding etc they're thinking that is an 1104 00:47:31,849 --> 00:47:38,329 attack I need to start with that so it's 1105 00:47:35,119 --> 00:47:39,619 it's hard to get get things right and 1106 00:47:38,329 --> 00:47:41,440 then ultimately implementing these 1107 00:47:39,619 --> 00:47:44,180 issues from happening in the first place 1108 00:47:41,440 --> 00:47:47,569 that's the biggest challenge of all and 1109 00:47:44,180 --> 00:47:49,609 where where organisations will spend 1110 00:47:47,569 --> 00:47:50,420 literally millions trying to trying to 1111 00:47:49,609 --> 00:47:59,720 solve this problem 1112 00:47:50,420 --> 00:48:05,559 so be conscious of that magnitude by the 1113 00:47:59,720 --> 00:48:09,500 way we're hiring so yeah love we've got 1114 00:48:05,559 --> 00:48:11,299 someone back we'll be at at this panel 1115 00:48:09,500 --> 00:48:15,049 all day as well I so please become at 1116 00:48:11,299 --> 00:48:19,630 the chat if he leaves in working with us 1117 00:48:15,049 --> 00:48:24,259 we have consulting positions open with 1118 00:48:19,630 --> 00:48:26,119 interns this summer as well so if I have 1119 00:48:24,259 --> 00:48:27,829 to admit I'm trying to think of a 1120 00:48:26,119 --> 00:48:30,980 berkeley alumni 
do we have in the office 1121 00:48:27,829 --> 00:48:32,390 right now sonic physics and quite a few 1122 00:48:30,980 --> 00:48:34,549 of them came through coming into our 1123 00:48:32,390 --> 00:48:35,900 program so we we brought them in over 1124 00:48:34,549 --> 00:48:38,660 the summer between the second or third 1125 00:48:35,900 --> 00:48:41,900 year how lots of fun and then we ended 1126 00:48:38,660 --> 00:48:44,808 up hiring so please do come talk to us 1127 00:48:41,900 --> 00:48:47,119 if you're interested you'll find you'll 1128 00:48:44,809 --> 00:48:50,269 find some friendly habit a alumni and 1129 00:48:47,119 --> 00:48:56,299 then you'll find some other people we 1130 00:48:50,269 --> 00:48:58,720 try to be nice as well with that thank 1131 00:48:56,299 --> 00:48:58,720 you very much