5 Best Moments from “Hacking Code” – CISO Series Video Chat

Here are the 5 Best Moments from CISO Series Video Chat “Hacking Code: An hour of critical thinking on avoiding self-harming code.” 

Our guests for this discussion were:

HUGE thanks to our sponsor GitGuardian

Best Bad Idea

Congrats to Brian Colt, information security engineer, DASH Financial Technologies for winning this week’s Best Bad Idea!

Other honorable mentions go to:

“Only use obscure libraries in your code. The more obscure the better – less chance of being exploited.” – Brian Colt, information security engineer, DASH Financial Technologies

“Require all users to use dial-up Internet so any issues with code can be fixed before the users know it’s a problem.” – Neil Saltman, senior account executive, Anomali

“Wait until the very end of the SDLC to test your code for security flaws and vulns. Twelve hours before release should be adequate to identify and remediate.” – Brian Colt, information security engineer, DASH Financial Technologies

“All code must be written in Klingon.” – Larry Rosen, manager, security advisory, Avanade

“Do testing only when the application has been rolled out; this way you have a real environment setting and don’t need to simulate traffic.” – Roland Mueller, self-employed

“Containerize your code using Tupperware.” – Larry Rosen, manager, security advisory, Avanade

“Only allow code into production that is vetted by a ROSHAMBO battle.” – Craig Hurter, director security operations, Colorado Governor’s Office of Information Technology

“Make sales people commit code to production since they know what customers want.” – David Lagacé, manager GRC, Lowe’s Canada

“Do pair programming by pairing programmers with each other’s mothers.” – Ian Poynter, virtual CISO, Kalahari Security

“Give contractors and sub-contractors admin access to your repos. Only provide them with one username to share amongst themselves.” – Brian Colt, information security engineer, DASH Financial Technologies

“Only use frameworks and libraries older than three years; this way you have a mature development environment.” – Roland Mueller, self-employed

Best Strategies

“Have all your repos protected by SSO, MFA and an IP whitelist.” – Brian Colt, information security engineer, DASH Financial Technologies

“Include repos in IT asset management program and security audits.” – Brian Colt, information security engineer, DASH Financial Technologies

“Ensure that all devs attend secure coding classes. Require it before they get access to repos. Repeat often.” – Brian Colt, information security engineer, DASH Financial Technologies

“Utilize a comprehensive requirements and design (regardless of whether you use SDLC or Agile methodologies) and address the needs of all stakeholders (including the security team).” – Andrew Aken, CIO / vCISO, DocDrew, LLC

“Treat your API keys as you would encryption or SSH keys.” – Brian Colt, information security engineer, DASH Financial Technologies

Quotes from the chatroom

“Secure code = quality code = developers don’t want to be notorious for being low quality engineers.” – Dan Walsh, CISO, VillageMD

“‘Should be’ and ‘Do’ however aren’t mutually inclusive. Yes, we should have developers bake in security. But, we need to have controls in place since many/most don’t.” – Andrew Aken, CIO / vCISO, DocDrew, LLC

“Tools are helpful because I’ve noticed that sometimes I miss aspects of my threat model because I didn’t think to ask the same questions that the tool did.” – Justin Armstrong, senior healthcare information security professional, Tausight

“The two paths of the app: the code and the logic. Logic is the hardest to discover and correct.” – Richard Rushing, CISO, Motorola Mobility

“Security team needs empathy towards dev teams. Developers are creators, security team are destroyers.” – Amol Naik, CISO, Unacademy
