Tech 'n Savvy
3: Put the Security in DevSecOps with Abdel Sy Fane
April and Emily interview Abdel Sy Fane, a security manager with over 10 years of experience. They discuss how Abdel got into tech, DevSecOps, personal cybersecurity tips, and more!
00:00 Intro + How Abdel got into tech and DevSecOps
10:29 What is CSNP?
13:11 Personal Cybersecurity Tips
20:39 DevSecOps Overview
41:33 A Day in the life of a DevSecOps engineer
49:09 CyberSecurity and DevSecOps career advice
Resources Mentioned (not owned or created by us!)
OWASP: https://owasp.org/
Awesome DevSecOps: https://github.com/devsecops/awesome-devsecops
Awesome Ethical Hacking Resources: https://github.com/husnainfareed/Awesome-Ethical-Hacking-Resources
Awesome Hacking Resources: https://github.com/vitalysim/Awesome-Hacking-Resources
***Disclaimer 1***
The views and opinions expressed in Tech & Savvy are those of the speakers and do not reflect the official policy or position of any company mentioned in the episode. Any content provided by our speakers is of their opinion and is not intended to malign any religion, ethnic group, club, organization, company, individual, or anyone or anything.
***Disclaimer 2***
There are sections in this episode where we talk about hacking. Tech & Savvy is NOT encouraging, nor endorsing you or anyone else to hack anyone or anything, which will result in you breaking the law or getting arrested. If you want to learn how to hack responsibly, there are 2 great Github Repos called "Awesome Ethical Hacking Resources" and "Awesome Hacking Resources" to help you get started learning.
Emily: 0:03
Hey, everyone, you're listening to Tech & Savvy. I'm Emily.
April: 0:08
And I'm April.
Emily: 0:09
And today we're going to be talking about DevSecOps. So we have with us today Abdel Sy Fane, who is our first guest. We're very excited to have him here. And before we get started, I just wanted to give an overview. We're going to start by just talking with Abdel about his career and giving an introduction. Then we're going to talk about some personal cybersecurity tips. And then we'll get into the more technical part, which we'll be talking about DevSecOps. And finally, we're going to end with talking about some advice and tips if you want to get into security or specifically get into a career with DevSecOps. So with that let's get started. Hey, Abdel.
Abdel: 0:51
Hey, there.
Emily: 0:52
How are you doing?
Abdel: 0:54
I'm doing well. Just enjoying this beautiful Chicago winter storm.
April: 0:59
Whelp. Yeah...
Abdel: 1:01
I just got an alert that don't be surprised if the power goes out from the electric provider.
April: 1:07
Oh, that's super exciting.
Emily: 1:10
Great day to do this.
Abdel: 1:12
Yep.
April: 1:13
Hope you have a generator or you have some battery packs so...
Abdel: 1:17
Yeah, I usually walk around with a couple of solar panel battery chargers. So while we got some light I should probably get on that. You have to be prepared. You never know.
Emily: 1:31
So Abdel is actually one of our good friends. Pretty good friends. I would say.
April: 1:36
Alright, friends. Let’s not get too crazy.
Abdel: 1:38
Really good.
Emily: 1:39
We all used to work together at Allstate. And we've since separated except I've joined Abdel at Protiviti now.
Abdel: 1:49
It's your turn April.
April: 1:51
Uh?
Emily: 1:51
What's that?
Abdel: 1:51
It's your turn April.
April: 1:52
Oh, it's my turn for what?
Abdel: 1:54
To join Protiviti.
April: 1:55
OMG.
Abdel: 1:56
Let's bring that three duo back together.
Emily: 1:59
Three duo.
April: 2:00
The three duo. You mean trio?
Abdel: 2:02
Yes, the trio.
April: 2:05
Oh, man.
Emily: 2:06
So Abdel Sy Fane is a senior manager at Protiviti. He has 10 years of experience in security and technology, including experience as an application security engineer, security analyst and more. And Abdel, do you want to talk about how you got into tech or security?
Abdel: 2:27
Yeah, it's always interesting when people ask me some of those questions. Because I start thinking, how far do I go back? I feel like I have so much history in terms of just different places that I've lived. And I'm getting to this point, right? So I was born in Mali, [and] moved to the US in 2001. Wow, it's been 20 years or almost 20 years. And I guess ever since I was a kid, I was always fascinated by technology. I remember I used to play with our VCRs and TV when I was back in Mali. And I came to the US, started going to school and computers just fascinated me. I always knew I wanted to do something with computers, just didn't know what. In fact, I always thought I was going to be some kind of like hardware engineer, or someone who actually built computers. But, so fast forward, I went to high school. I went to two high schools. I went to Hollywood High and Oakland Tech. So when I went to Oakland Tech, that's when I really got exposed to technology. I remember Oakland Tech, my first year, my computer teacher was recycling computers. And he gave me one of those. And you could say that was like the beginning, right? Getting this computer and being able to, - I don't know, - surf the net, [and] play games. I think just having that exposure, it's really what allowed me to get to this point. And then, of course, I went to college. I got a bachelor's degree and master's degree in cybersecurity. And when I was in college, I knew the industry wants people to have experience. So throughout my college time, I had several jobs. Some of them were actually IT related, to the path that I chose. And on top of that I used to just do sort of like penetration testing, just seeing things that I can hack, just to get some of that exposure. And I know some time ago, I hacked my neighbor.
April: 4:47
How did that turn out?
Abdel: 4:50
Well, I hacked them. And don't worry, we're pretty good friends, pretty good neighbors. And I told them like, "Hey, look you have this thing enabled on your Wi-Fi. You have to disable it otherwise someone like me could easily also break through your Wi-Fi." To be honest, it wasn't a sophisticated attack. It was actually a brute force attack. It just happened back in those days some specific Cisco routers had a vulnerability that would actually allow a brute force attack. Weird thing is, one, you had to have WPS enabled. WPS really helps people... Suppose you're in a network, you're at someone's house and you don't want to type a very long password. So there's like a WPS pin that when you punch it in, it allows you in. So this WPS pin was hard coded to their router. And what happened is you can actually brute force it, you can try to guess it. And while you're trying to guess it, it actually tells you that, "Oh, no, that's the wrong password." And each time you guess a number, it tells you, "Yes, that number is correct." So you could be like, "One, two." It's like, "Yeah, one, two is right." But four, five, six, is not right.
Emily: 5:52
OH, no.
April: 5:54
OMG.
Abdel: 6:02
It just didn't have security built into it. I think the shortest time I ever guessed those numbers, with an automated attack was like three hours, which was not bad.
Emily: 6:10
Yeah.
Abdel: 6:12
Yeah, yeah. So, all of those things sort of led me to where I am today.
Emily: 6:19
Yeah. I love that story through hacking.
April: 6:24
Exactly.
Emily: 6:24
Hacking for fun and that led you to cybersecurity. And hopefully, as we know that vulnerability doesn't exist anymore as long as you've updated.
April: 6:35
Hopefully, updated within the past 10 years.
Abdel: 6:39
Oh, God. Yeah. No, that was so long ago. Those routers, they're not sold anymore.
April: 6:45
So, Abdel can you give us a little bit of your background?
Abdel: 6:49
Yeah, sure. So the way I got into DevSecOps... Yeah, this is weird because technically speaking DevSecOps actually just belongs under the application security umbrella. But unfortunately, because of the complexity and just how hard it is to get DevSecOps going, the industry sort of split those two things apart. It's you either know application security or you know DevSecOps. Most of the time, you don't know both. If you're an application security engineer and you know how to code, you know DevSecOps. That's really what it is. It's really bringing your engineering skills to automating security processes. So, after college, I worked for Allstate. I was a virtualization engineer. It's called VMware. It's basically what AWS is today. So I was one of those engineers. And I used to write PowerShell scripts to automate, sort of like, deploying these virtual machines and managing these virtual machines. And from that point on, I left Allstate, joined the government, worked for the Veterans Administration, and I was a security analyst there. And being a security analyst, I was doing this like vulnerability management. Unfortunately, that wasn't a good fit for me because I wanted to go more of an engineering path. And because it's the government, things are a little bit complicated. I remember I wrote some scripts to automate some of the things that we did but because this is government, - I don't know, - it just never went anywhere. And funny enough, three years later, I talked to some coworkers and they're talking about the script that they're using to automate. And I was like, "Wait a minute, I built that." I should have some credit for that. Anyway, that's okay. And then fast forward, I joined Allstate again. Second time. And that's really [when] I got exposed to sort of security and automation. That was really the beginning. And it was a great experience. At the time, it was just me and my boss, it was just two of us. And at the time, Allstate didn't really have...
They didn't have DevSecOps. And we really built that into the process to a point where developers build... they build their app, and they want to deploy, automation tools kick in, run security tests for them, make sure the compliance is there, report the information to a dashboard and then automatically deploy your app for you. So that was amazing. Just being able to be part of that team and building something like that was really, I guess, like an eye opener for me. So I guess, I reached a point where I thought, "Okay, well, I kind of want to join consulting." Because I want to know what other organizations are doing. And I think that the things that we built at Allstate were amazing. I've never heard of anyone else doing similar things so I thought I could bring those skills to these other companies that are out there if I'm a consultant. And that's really what led me to join Protiviti.
Emily: 10:17
Great. Yeah, you have a lot of experience in different types of security, which is great. And of course, I worked with you at Allstate when you were an application security engineer so yeah, that's great.
Abdel: 10:28
Yeah, yeah.
April: 10:31
And we can also see that your passion is not just in your job, you also are the president of a nonprofit, right?
Abdel: 10:37
Yeah.
Emily: 10:37
Oh, yeah. Talk about that. The triple duo, again.
April: 10:42
The triple duo...
Abdel: 10:46
Yeah, of course. You're all part of CSNP. I guess I don't know what I can tell you about the CSNP that you don't already know.
April: 10:57
Tell our audience. Our audience might not know about CSNP.
Abdel: 11:00
Yeah, so I guess we can go back to the foundation. Right? Oh, God. 2017, I think it was. Maybe 2018. I started a Chicago group here called Chicago Cybersecurity. And the whole idea behind it was sort of like to create this community, where people come together. We invite industry leaders to come talk about cybersecurity, and just really like sharing that knowledge. And again, it took a life of its own. And sometime in 2019, Emily, myself, and Andrea, we all used to work at Allstate at one point. We sort of came together and said, "Hey, why don't we start a nonprofit and sort of like branch out." Expand it to other states across the US. So, that sort of happened, right? And the goal behind CSNP is, we want to provide, we want to help our community, [and] we want to support our community. We understand that there is a talent gap when it comes to cybersecurity. There's also a gender gap when it comes to cybersecurity as well. Right? So we're really trying to do our part to bridge that gap. Right? When you look at the cybersecurity pool, they're saying that by just next year, the open positions would be 6 million open positions, right? That's a very large number. So there's clearly a problem, right? Why aren't there more people in these fields, especially minorities and women?
Emily: 12:39
So CSNP stands for Cybersecurity Nonprofit, and it's an organization that Abdel, April and I actually are all part of. And the goal, as Abdel just talked about, is to provide free resources in security to bring more people into the security field, as well as just to teach the general public cybersecurity tips and awareness to keep themselves safe. So if you're interested in learning more about CSNP, you can go to csnp.org. Alright, so thanks, Abdel, for giving us some background about your career. Now we're going to talk about the next segment, which is personal cybersecurity. And personal cybersecurity, I think, is really important. So many attacks could be prevented, both personally and just in your organizations, just by having more awareness about cybersecurity. And there's a lot of things that we can do to protect ourselves. Abdel, what are some tips you can give to people to improve their personal security and protect themselves?
Abdel: 13:50
Yeah, I guess when it comes to personal security, the biggest thing for me is privacy. But in terms of just preventing some kind of - I don't know - malware attack on yourself, I feel like there's a lot of things that you could do. But a lot of it really just comes through education, right? It's educating ourselves, right? Things like not clicking on random emails, not responding to emails. Well, always check the domain name of an email. See where it came from because a lot of times you're going to see that it says someone's name. And this happens to me actually, a lot. People send emails to people within CSNP pretending to be me. If you look at the domain, it says something random, but if you don't, all it says is Abdel Fane. So a lot of times people will fall for that. When it comes to things like that, you just have to be vigilant. Obviously, avoid random websites that you don't trust, right? Just because they could have malware on them. And something that's important is an ad blocker. You might think like, "Oh, ad blocker, I don't want to see ads." But no, there's also a security risk there. Pick your favorite website - I don't want to drop any company's name here - But pick your favorite website. You visit this website every day. It's legitimate, everybody knows about it. But unfortunately, they might be running free ads. And guess what? These ads are not managed by them. And sometimes these ads can actually have vulnerabilities within themselves, which allow - by just going to a certain website, this ad pops up, and what it does is it can drop some kind of file within your machine, and boom, you've got malware. But when you have an ad blocker, it will prevent that specific ad from ever running on your screen. So an ad blocker is important from a security perspective and of course if you don't want to see ads. So in terms of security, I think, you have like phishing attacks, you just have to be looking out for these sorts of things. It's not really...
I mean, of course, there's anti-virus that you can use if you accidentally click on something that you shouldn't have. I will say 50% of the time, these anti-viruses will prevent it. But personally... I guess it depends on the anti-virus. I personally don't use anti-virus. And maybe because I have a Mac. But Apple does a really good job when things are running on your system. If you're trying to run something, as a user, and you're trying to do something that's administrative, Apple's not going to let you do that. They're going to say, "Hey, punch in your password." Versus on a Windows machine, if you log in as an admin, whatever you do, you're an admin, right? It's not going to try to stop you on that. And I know, they do have extra features that you can enable to make sure that it asks you or prompts you like, "Hey, are you trying to do this right now? Are you sure you want to do this? You know what it's gonna do?" I feel like those are just the kind of things that people need to see, in order to really start having that sort of like mindset. And when it comes to privacy, there are several things you can do out there. You know, one of them is private browsing. You know, we have these tech giants who are good at knowing who we are, and the things we want to buy, because they track us. They track where we're coming from, [and] they track what we do on their website through cookies. So of course, you can use DuckDuckGo. The whole thing is that they're about privacy. They are not going to share your data with, I guess, third party affiliates. That's just not what they're going to do. And of course, there's also getting a VPN service. So it's great, you're using DuckDuckGo. But guess what, Facebook is likely to know who you are just based on like your IP address. Where you're coming from, right? So they can start like building profiles on you and such. But you jump on a different network.
You could be in a different country, different state, and you use something like DuckDuckGo, then it really becomes difficult for them to pinpoint who you are. So those are the really... unfortunately, those are the best things we can do to stay off the radar of these tech giants.
Abdel: 18:39
I mean, it's really hard to go about without using these tools. I mean, what are you going to do, not use Google Chrome? It's like the best browser out there. What are you going to do, not have a Facebook account or an Instagram, or any of these? You are sort of like trapped using those tools. But if you want to use them, there are smart ways. Like, every time I get on Instagram, before I get on it, I just hop on a VPN and go somewhere else. So that they can't keep track with all this algorithm. Like, what does this guy like? If anything, all they know is what I do on that platform. That's it. So again, the best thing you can do is private browsing, or secure browsing, like DuckDuckGo. And use a VPN service to just sort of like stay anonymous.
Emily: 19:25
Great. So to summarize, Abdel gave us a lot of security and privacy tips. So the first one for security was to always check where the email is coming from. To check the domain. Because there's a lot of phishing attacks that are coming through and they're actually very advanced at this point. And the second was to use an ad blocker, because it's even more so than just you don't want to see ads. There's a lot of security risk from showing ads and accidentally clicking something [and] going to another website. Which was another tip Abdel had, to just always be careful when you're clicking a link to see where it goes. Another was to have anti-virus enabled. And then Abdel talked about privacy. And he talked about using DuckDuckGo, which is a search engine. So it's an alternative to Google, if you don't want to be tracked. And he also talked about using a VPN, or virtual private network, which is just another level. It keeps you from being tracked as well. And then he also talked about how these organizations can track you even when you're not on their platform using cookies. And so just be aware of that, be careful of that. Alright, so now that we've talked about personal cybersecurity tips, hopefully everyone can protect themselves more and stay safe online, we're going to actually get into the more technical part, which is DevSecOps. And so before we get into DevSecOps, which is really more about an organizational type of security, that has to do with securing apps, April can you give us an introduction about DevOps?
April: 21:12
Yeah, sure. So kind of like Emily said, DevSecOps has to do more with the application security side, but it's also an evolution of DevOps. And basically, what DevOps is, is it's a combination of development and IT operations. Traditionally, in the past and even sometimes still today, development and IT operations, meaning like deployment, those like security checks, those are all very much siloed from each other. So those two groups weren't working together. And that's why you would have those waterfall processes where releases would take six to eight months. Because first you got to do the developers, and then you have to punt it over to IT, and then they find something wrong, so they send it back to the developer. So it's a very, very slow process. And with DevOps, it's really there to help transform that development and delivery lifecycle into something that's a lot faster. When those two teams are working together, and they're not siloed, there's more communication that's going on. You can ramp up your delivery, because you're working hand in hand. You talk to the developers and they talk to IT, and you're both on the same page, and that enables you to deliver faster. But the one thing which is kind of like a con to DevOps is that security tends to be left until the end. Something's ready, it's deployed, it's in staging, or pre-prod, it's ready to go, but they're like, "Oh, now let's do a pen test, or now let's do a security scan." Then you find all these problems. You might have to rework your architecture now, because there's a security vulnerability. And I think that's really where DevSecOps takes DevOps to a whole new level.
Emily: 23:25
Okay, so you have development, and then you have operations. And those used to be kind of separated. And then they combined that into DevOps, and that just speeds up the process. And now to speed up the process even more, they're also putting security with that to make DevSecOps or development security operations to make that even faster, so you don't have to just leave security as an afterthought. So Abdel, can you tell us more about what is DevSecOps?
Abdel: 23:58
Yeah, I mean, it's essentially taking DevOps and baking security into it. So to April's point, and your point, that security won't be an afterthought. That it is part of the software development or system development life cycle. Throughout each of these lifecycle stages, you do security. So by the time you go to production, at minimum, you have fewer security things to worry about, versus going back and re-architecting your application. That's the last thing you want to do, because that's going to slow down your releases. And unfortunately, with enterprises, going back and re-architecting, that's a no-no. Because it's like, now that's business. Now we need to make money. So now you have to account, "Okay, do I secure this ASAP? Or do I lose this client?" And you never want to arrive at those two because as a business you want to say, "I need to make money." And now maybe you've done some cost benefit analysis and say, "Well, this data gets breached. I don't know. Big deal." No no, right? So you don't want to arrive at that point. So, do security as early as possible, so that you don't have to, at least you don't have to like rework your entire application. You don't have to deal with this sort of like business decision whether you should go to production or not. And you continue to have those happy clients.
April: 25:27
But kind of based off of what Abdel was saying, especially when it comes to the software development lifecycle. Typically, it's you develop, then you test and then you deploy, you get feedback, then you develop, you test, and then you deploy. And you keep doing that until you're ready to go to production. And then like he said, you end up leaving security out. So then it's like, develop, test, deploy, develop, test, deploy, prod, security, everything's messed up, go all the way back, [and] re-architect. So as Abdel just said, DevSecOps just really helps actually speed up your development process. Because if you're creating, say an authentication, or a login service, you want to have your security set up for that right from the beginning. You don't want to create your login service, and then think about security after. So they're all encompassing, and the more you try to integrate them with each other, the faster you make development. And that's why you have companies that make releases every week, every month, [and] you always have new and new updates going because they figured out a way to optimize their software development lifecycle process. So Abdel, do you agree? Are those some of the benefits? Or do you have any other benefits that you can see from DevSecOps?
Abdel: 26:52
I mean, you summed it up. Yeah, you summed it up. Yeah, not sure I have anything else to add to that. It's about securing the software before it's in production. Right? That's really the goal there. Obviously, the process is a little bit complicated. And probably the most complicated stages of your SDLC are actually like the first stages, right? When you're doing planning. Because unfortunately developers, they don't know security. So during that planning phase, you really want a security person to be in there to help you integrate security into that planning process. There's a lot of things that you can do during that stage before you even bring in tools. DevSecOps, it's a process. It's a process that integrates tools into your development to speed that up and do testing. But there's a lot you can do without tools. And unfortunately, I feel like a lot of enterprises, they don't know that.
Emily: 28:07
So to sum up the benefits, then it sounds like speed is a big one, just to make it so that you can more continuously release updates, in terms of software development. Alright, so it sounds like there are a lot of benefits to doing DevSecOps as opposed to just DevOps. So how are companies adopting DevSecOps? Are they adopting quickly? Do they see it as a problem? Are some kinds of companies more likely to take it on faster than others? Just what have you seen in terms of companies adopting the DevSecOps framework?
Abdel: 28:46
So unfortunately, companies that have been around the longest are the ones slowest to adopt DevSecOps. Just because they already have everything built out. And all of a sudden, this new thing came. And unfortunately, it's going to require them to do some re-architecting. And they're most likely not ready for that. I think startups are adopting DevSecOps the fastest because they don't really have pre-existing infrastructure. And it's just easier to just start from scratch. Reworking old technology as part of the process - I mean, some of these old technologies don't support like this kind of automation. If you look at some of these companies, that have been around 50-80 years, they still have old servers, [and] mainframes, that you can't really do anything about. It's just sitting there. And it's still processing, whatever data it's still processing. And there's no freaking way you're going to automate DevSecOps into that. Like, how are you going to do that? In fact, they don't even want to touch it because they're thinking like, "Oh, if I touched it, that's game over." So it's challenging for enterprises to just move to that. But then again, they shouldn't just sit around and say, "Well, I can't do anything about it." Maybe you start working on rebuilding that mainframe into the cloud. So that you can actually start securing it. And, again, startups, they're adopting it faster just because they don't have to start from the... they don't have to start from the ground.
April: 30:30
Nice. And what kind of tools are these companies using? Are there just DevSecOps tools that are more oriented for companies that have existing architecture versus companies that don't have existing architecture? Are they all the same?
Abdel: 30:46
Yeah. So really, any vendor can build a security tool, as long as they have some kind of like backend API that you can call to run. Like the service without someone manually logging in to click buttons. You can claim that's a DevSecOps tool. That's really what it is. If I can dynamically call a service, and do something, and then take action, without manually getting involved in that process, you have DevSecOps there. So there are a lot of tools out there. There's a lot of tools out there in the industry. There's so many vendors. And I'm sure all of them say DevSecOps, because they can integrate into your CI/CD pipeline. Now when you look at the SDLC, I think organizations might break it down into maybe five to eight stages, from planning all the way to like operations. But regardless of how many stages you break it down to, each of the stages is where you want to add security into it. And then you sort of have to like, figure out which security tools make sense for what stage. If you are in UAT stages, you probably don't want to do things like penetration testing. Just because you want to make sure that from a functional perspective this thing actually works. And when you look at like the planning phase, you probably don't want to do any automation there. That's really where you should look at security requirements. How are you going to integrate that security testing? When we talked about, there's a login, username should only accept special characters, or certain characters. That area, you don't want to do any sort of automation. You actually want to manually go through this and make sure those things are there. Oh, and by automation, I just mean, third party vendors. Of course, developers should write their own test cases to test for those sorts of requirements. So you really have to pick and choose, and look at your SDLC. See what you're doing at that certain stage, and see what tool makes sense. Because it's like a million tools out there.
But I think what's really important is that as long as you choose, like a SAST tool, which is static analysis, DAST, dynamic analysis testing. There's RASP. RASP is something that you'll most likely put in your production, just to protect your app at runtime. And then there's IAST, which is interactive testing. So you just have to pick and choose, and figure out which stages you want to put those in. And sometimes you might want to put them in all of the stages. Because it makes sense for your organization, because you want to make sure that all of those security requirements are met before you go to production.
Emily: 33:41
Awesome. And you mentioned DevSecOps pipeline. Can you just clarify what you mean by that? What is the DevSecOps pipeline?
Abdel: 33:50
So when you... keep in mind that DevSecOps is just DevOps with security. So that CI/CD pipeline is a DevOps pipeline. It's not a security pipeline. So whatever the DevOps team has built in to say, "This is how we're going to deploy our application." Security is issued... security is sort of like a plugin for that process. So a CI/CD pipeline, or continuous integration, and - I don't know - I guess it depends - development and deployment. It depends which stage you are in. If you're like, towards the end, then you're talking about deployment. If you're like very early then you're talking about development. These are just orchestration tools like Jenkins that allow you to achieve DevOps. I think, in a nutshell, that's what it is.
Emily: 34:38
Okay, so, CI/CD; continuous integration, [and] continuous deployment pipeline. So the pipeline just means you're doing things in sequence. Is that right? So you have all these security tools, and then you just run them through like this pipeline. So you're doing all these, and you're getting all these checks for security tools or other types of testing as well [like] quality, [and] things like that.
Abdel: 35:04
Yeah, I mean, that's what it is. Again, it's a DevOps pipeline. Security is not coming in and redefining some kind of pipeline. It's whatever DevOps has that exists, and then security saying, "Okay, in this stage you're building this app right here." Now, in this stage, we can do SAST, because now you actually have an artifact that we can scan against. In this stage, you're doing dependency scanning. Because now you've produced like some kind of like bill of materials that you can do dependency scans against. So, again, these pipelines are developed by the development team themselves. And security comes in, [and] says, "Here's what we can do in each of these stages to make sure that this is secure before we get to production."
Emily: 35:48
With that in mind, Abdel can you talk about some best practices for DevSecOps?
Abdel: 35:55
Yeah, I think I just talked about those. When you look at the SDLC, you have multiple stages. In each of the stages, you want to do security testing. You want to do what makes sense for your organization. And I always tell this to clients, before you jump into, "Hey, what can I do in terms of automation?" You should have a mature, defined process on how you secure applications. And that could mean developer training. I mean, you want to bring in these automated tools and say, "Yeah, we're doing SAST, DAST, RASP, all of these things." But well, what about your development team? Do they know how to use the tool? Do they know how to interpret that tool? It's going to throw them some information. Like, how would they know how to interpret that? Or what to do with that information, or data, I should say? So it's important to have some of these fundamentals in place, right? And OWASP, the Open Web Application Security Project, does a pretty good job on defining really secure development, or secure SDLC, they call it. So when you look at the secure SDLC, it talks about things that you should be doing. And I will say, that's your best practice. If you want to make sure that you're building secure applications, you follow that framework. You follow that framework. Yeah, I think that's... and we talked about, like, that planning phase. This is where maybe you start talking about, like, architecture. What's going to be part of this application? And OWASP has, like, this document called ASVS, which is the application verification security standard. And this ASVS goes in detail on asking you what kind of app you're trying to build. And then it makes recommendations as to, "Okay, what and how you should do to secure the application." And the login thing, we keep going back to the easiest thing, it'll say, "Do you have a login? Oh, great. Okay, here's what you should do. You should be premising, you should be sanitizing, you should be escaping, you should be doing all of these things in those fields." So that's a really good place to start, before you start bringing all these automation tools in. Follow the DevSecOps. See things that you can do without tools. See things that developers can do. I always want to remind people that tools are just tools. They don't really have intelligence, per se. The person that is going to know how the application works fully is the person who's building it. They're the person who's going to be able to figure out where all of those flaws are. So you want to flesh those out as much as possible before you get into the automated process.
April: 39:00
Thank you for that, Abdel. So to summarize what you were saying. First, just make sure, if you're integrating security into your pipeline or you're bringing in these tools, that your developers actually know how to use the tools. They're not just throwing it at them and saying, "Hey, we're doing security now. So integrate with this."
Abdel: 39:22
Yeah, the last thing you want to do is tell a developer how they should build their pipeline. That's not going to be a fun conversation. You should understand what they have, and then see how you can integrate to that. Not just build your own and say, "Hey, integrate with my stuff."
April: 39:39
Great. And the next point that you made was that if you're trying to make sure you're following those security standards when you're building an application is to use OWASP, which is the Open Web Application Security Project, to kind of use that as an outline to make sure you're checking off all the important aspects to improving security within your application. And I believe the last thing you mentioned was, don't go straight into getting a vendor. See if you can either implement the security practices into your pipeline yourself. Really analyze what you already have, before you go and spend a lot of money on something that actually could have been done in house. And one thing I wanted to mention is that DevOps really is a development methodology. It's very similar to Agile, which I think a lot of people work with nowadays, at their jobs. And Agile just has to do with doing software development based off of that continuous feedback that we talked about. It really goes into that software development lifecycle where you plan, you develop, you test, you get feedback, you develop, you test, and you get feedback. And DevSecOps is also just an evolution, kind of, on Agile. It's almost Agile plus security, where you're just injecting that additional security aspect to improve your software development lifecycle.
Abdel: 41:25
You're not reinventing the wheel. You're not like defining a new process for security. You're just adding security to what already exists.
Emily: 41:38
Could you just walk us through a day in the life of a DevSecOps engineer? What is it like? Like, are you coding a lot of time? Are you meeting with people? What are some of the things that you do day to day? Just if somebody is interested in DevSecOps.
Abdel: 41:58
Yeah, that's a pretty interesting question. It's interesting, because if you work in an environment that knows what they're doing, and they've set up this DevSecOps process - chances are you're not doing a lot of heavy lifting anymore. Because now you've created this automated process. Now, developers are not reaching out to you quite often anymore, because as part of their pipeline, they're getting security feedback, and they're fixing those feedback without originality. So if a company has done DevSecOps right, the security team are not going to get a lot of calls from the development team. Now, of course, if you're trying to build out DevSecOps, I think it's really important, one, is to get that foundation going. When I talked about OWASP and secure design, you really need to have that. Once you have that set up, then you have to start doing some research on vendors. There's a million vendors out there who all claim to do DevSecOps. So you have to look into each of these vendors, probably based on costs, and what makes sense for your organization, you will buy that product. And then you would automate our product through the process. You're going to write some code that's going to get integrated to whatever pre-existing DevOps pipeline that exists today.
Emily: 43:23
So it sounds like very different jobs, depending on the organization. Either you're more just monitoring, [and] being there for developers to reach out to you. And maybe adding or removing certain tools, that's if it's already established, or you could really be doing a lot more technical, heavy lifting, actually building out the DevSecOps pipeline. Okay.
Abdel: 43:45
Yeah. And I guess, one of the tools that gives, I guess, the largest false positives are associated with, like, SAST tools, static analysis testing tools. And these tools, they're going to give a lot of false positives, which means our developer is going to be reaching out to you a lot. So honestly, when I worked back at Allstate, that kept us pretty busy. Where developers are reaching out and saying, "Hey, I got this thing. I don't know how to fix it, or I think it's a false positive. Can you get rid of it?" So that's going to capture a lot of your... That's when I get a lot of your time.
Emily: 44:23
April, do you have anything to add as a developer, as you've seen working with DevSecOps?
April: 44:31
Oh, yeah. So kind of like what Abdel was saying. When you tend to either have a third party system or a lot of stuff is automated, sometimes there does end up being certain false flags. For example, if your application goes through a security scan, and it's saying that you need to HTML encode something, but you already know that it is being encoded somewhere else in your project but it wasn't captured properly, then you can probably go to the security person and explain your situation, and they can kind of strip that security vulnerability away. Or if it goes through a dependency scan, and it tells you, "Hey, this dependency, there's a vulnerability here." Maybe your company's Nexus repository doesn't have the latest version of that dependency, in order for you to get rid of that security vulnerability. You might have to get an exception until they're able to update it. So those are kind of some of the things that I've come across. It really ends up being that sometimes it's dependency vulnerabilities, or it's some type of code vulnerability. And there's not always a lot of back and forth, usually. I would say a lot of the times the scans end up being relatively accurate. When there's something wrong, it's just a matter of being able to resolve the ones that aren't. And that kind of comes with what Abdel was saying. You can't just force developers to use a tool that they don't know how to use. Which I've seen and kind of heard of a few times. They tell you, "Hey, you have to start implementing these scans." And now all of a sudden, how do I access these scans? But then they say, "Oh, if this scan fails, your pipeline is not going to deploy." Okay, how do I resolve the vulnerabilities? You can't just force it on developers, which I think is a problem. A lot of companies tend to force new security. They try to force security into the pipeline, as opposed to kind of saying, "Hey, we need to do this. Let's figure out how we can do it properly."
Abdel: 46:49
Yeah, I kind of want to add to that. I think the way we built DevSecOps when I was at Allstate, before I left the company, we bought a new security tool. And we have several hundred developers with several hundred apps, right? Now, this new tool is here, how do we integrate it to the process so that we don't have to talk to a hundred different people and say, "Hey, here's how you do XYZ. Here's how to make it work. Here's how to test it." All of that, it's time consuming for developers and security engineers. And again, developers, the goal is to build code and deploy it. That's what they're getting paid for. So when you involve them [and] consume their time, it's just going to create this bad user experience. And the reason why I say... I'll say it's doing it right is because we brought in this new security product, we integrated it to the process, developers did not have to lift a finger. All they know is that they came in, they did their job. And next thing you know, there's a new security tool. I say, "Hey, look, there's a new security tool, and it's giving you this new information." You're like, "Oh, I didn't have to do anything to make that work. I didn't have to go somewhere new to figure out that that's there." It was part of the process. And trust me, that was a lot of work to get to that point, where the whole process was automated. And even the deployment was automated. All the developer had to do was build our code and call the service. The service picks it up, runs security scans, dumps all the results in a dashboard, and deploys for you automatically. It was - you know - that's DevSecOps. That way when you bring in new tools, you don't really have to go to the developer and say, "Hey, change your process and do blah, blah, blah." Ain't nobody got time for that. So really, I think that is the right way to do it. But again, it comes with challenges. You really need good engineers to sort of build something like that out.
Emily: 48:51
Yeah, and I'm glad we have April here too, to get the developer side. So it sounds like that's really important for good DevSecOps, is making it as easy on the developer as possible. Because again, they already are dealing with the development aspects. So you really want to make it simple for them to do the testing. Alright, so that was a lot of very technical information about what DevSecOps is. So definitely check it out. Learn more about DevSecOps, if this is an area that you're interested in. But now we're going to get into our final segment, which is just talking about careers for people who want to get into security or specifically get into DevSecOps. So Abdel, what advice do you have to someone who's trying to get just a career in security, not necessarily DevSecOps, but just wants to get into the security field?
Abdel: 49:43
Yeah. For one, you definitely don't need a formal education. I mean, there are so many resources online that are available today that you can use to learn everything you need to know. I think it's important to have that sort of, like, self-determination. Otherwise, then maybe you need a formal education. For me, what helped me most was I was curious. And because I was curious, I started learning things and how to do certain things. Like how do you hack a Wi-Fi router, for example? I was curious. And that curiosity led me to learning and seeing how that works. And trust me, I literally used that in my resume. And say, "Hey, I broke into this router." That's the kind of thing that I think hiring managers want to see. They want to see that you're passionate about this thing, and actually know the thing as well. But because the cybersecurity field is so small, I think passion is... if you have passion, someone wants you out there. And the best way to show passion is doing things on your own personal time. Doing research, figuring out how to exploit something. And if you do come up with something good, go to a meetup or something and talk about it. And share knowledge. All of these things will help you with your professional career. And sometimes, I can go to an event and talk about something and someone will reach out to me and say, "Hey, this was great. Are you in the market right now?" So I think that's what helped me get into the field. Just doing things on my own. Well, I actually got my first security certification just a few months ago. This whole time, I did not have a security certification. That just goes to tell you that it's more important that you actually have technical skills, you can do something, versus having a piece of paper that says you know stuff. Now, that doesn't mean to say that certification is not important. It is important because it shows that you're dedicated to cybersecurity, you're dedicated to learning. And certification also means that you sort of, like, stay on top of what's happening. So I know SANS has a lot of... they have security training. They also have training on DevSecOps. So if that's something you're interested in, definitely check that out. But again, there's so many... there's so much material that exists out there, that you don't really need to pay for something. You can learn about it, you can get the skill set without really paying for anything. That's really how I got... I guess that's really how I got to where I am today.
Emily: 52:55
I just want to jump in and caution people about hacking. Even if you have the best intentions, I just want to make sure that if you're... Be very careful about hacking random things to try to get experience. But there are a lot of free resources out there. There are websites specifically designed to have vulnerabilities. So I think that's a great place to start is just go to all these free ones. And I don't know if you do have any that you think are your favorite free websites that are intentionally vulnerable for you to learn some hacking.
Abdel: 53:30
Yeah. So, look, that hacking stuff that I did was years ago. I have done, like, hacking demos, maybe last year, [or] two years ago. Guess what I did? I spun up a virtual environment. So, no, you don't need to go hack your neighbors, you can set up everything that you need on your computer. There's something called VirtualBox, it's free. VirtualBox allows you to spin up virtual machines. You can spin up your own computers, servers, whatever you want it to be, and you can actually attack those machines as if they were outside machines. So yes, please don't go out and hack anyone's - I don't know - network or electronic device, because I'm pretty sure that's illegal in every state in the United States.
Emily: 54:19
Even if you have the best intentions to help. Just be very careful. I just really want to warn people about that. Yeah, I also wanted to add on, Abdel, you talked about curiosity and passion, I really think those are some of the most important things in getting into security... like if you're just trying to get a job, that's not going to do it. But if you have a passion for security, that's what makes all the difference. And so really just learning, and we've been talking about hacking, but there's so many sides of security that don't even involve finding vulnerabilities. So, definitely look into, like, all the different kinds of careers out there and then really just dedicate yourself to learning as much material as possible. Because as Abdel said, you can have a certification that says, "I know this." But then they're going to interview you and ask you questions, very specific questions about that. And it's not going to be like the test. It's going to be like, do you actually know it? Can you have a conversation about it? Have you read the latest news about some attack that happened? Things like that. So that's really important. And then just participating in things like hackathons, going to workshops, going to networking events are really important. And also just having things, like Abdel said, that you can put on your resume. Just projects, even if it's not a hacking project, if it's a coding project, if you're just replicating some kind of attack on your own computer or something like that. There's a lot of different things.
Abdel: 55:52
Yeah, and I think CSNP is a really great platform for that. We do have... you can come and speak on a platform. You can come and watch other people speak. We have hackathons, you can participate in these hackathons. And I think that is by design. We set it up so that it gives you that learning experience. So just something else to look at.
April: 56:18
Yeah. And also, if you're looking to get into tech, security is a great place to... it's a great industry for you to kind of step into, especially if you think that getting into tech means you have to learn Java, or you have to learn how to code an application. Security is so broad that sometimes you don't even need to know how to code. So it's a nice stepping stone, if you're looking to get into tech, or you're trying to make a career change. A lot of people actually do make career changes into security, because it tends to be a little bit more accessible than just learning how to code Java and stuff like that.
Abdel: 56:58
Yeah, yeah, I can tell you that. In my software development classes that I was forced to take. I don't know, in the beginning, it was definitely not fun. I just couldn't get it. I couldn't on grasp there. And I think maybe towards my last year in school, I took a C programming course on C++. And I think that was the first time I was like, "Okay, this is not too bad." But even still, that was challenging for me. So it was really hard for me to break that just because I didn't have that kind of experience. But I think, after I left college and joined Allstate, I became a VMware engineer. I was a college hire. So they didn't have real work for me. And I didn't really do a lot of work. So what I did was, I took it upon myself to, like, learn PowerShell scripting. Because VMware... if you want to do any kind of, like, automation, PowerShell seemed to be the way to go. So as I said, I took a PowerShell class, and I started, like, doing automation here and there, and then it got fun. I was like, "Whoa, this is actually fun. Wow." So I started enjoying it. And when I left Allstate, when I joined the VA, I waited like three months to get my clearance. And within those three months, I was so bored. I thought, "Well, what if I took a Python course?" So I took a Python course. Anyways, so as you can see, this curiosity, this passion to just learn sort of drove the path for me. So I think those are important, but it's also important as security has probably a hundred different branches. You do not need to be an engineer to be part of cybersecurity. In fact, when you're starting out your cybersecurity career, I think being a cybersecurity analyst is probably what's going to get you the most exposure to just different things. And it's not a technical job. As long as you can Google things and read things, you'll do well.
Emily: 59:05
Yeah, I think the best thing to do too, is to really put yourself out there, attend these events, and, go to some of these hackathons. I think it's a great place to learn. And I think a lot of people are nervous, because they think it's going to be too advanced or anything, but just showing up, just talking to people. A lot of times they'll have hackathons that are more entry level, that are really just about learning. It's not even as much about competing. I just really want to emphasize that that's a great place to learn.
April: 59:37
So Abdel, specifically for DevSecOps, do you have any tips for anyone who's trying to pursue a career in that?
Abdel: 59:48
Yeah, I think if you're a software developer, that's it. That's like you've met 80% of the requirement. In fact, when I was a manager back at Allstate, our requirement was... it's really hard to find someone who has that development and security skill set. So which one of those two things is really hard to come by, that you can't just get a job and learn as easily? That's development. So we started shifting towards, "Hey, let's hire developers, because it's easy to teach someone security." Get someone on security training classes, look online? Security is easy. So, if you're a developer, you want to get into DevSecOps, you already met the requirements. Just get some fundamental knowledge around what security is, right? And if you're a... I guess if you don't have any knowledge, and you kind of want to go towards that DevSecOps path. Well, it might be a little bit challenging, because you should learn how to code a little bit. You should get some of that security knowledge. There's a lot of resources out there on DevSecOps. But again, DevSecOps is about integrating with DevOps, which is automation. Automating how you build and deploy applications. You can't build and deploy in an automated fashion without having coding knowledge. So that's really important. And if you're already, like, some kind of security analyst, again, there's still, like, a little bit of a coding challenge. So you really need to know coding. That is really fundamental.
Emily: 1:01:37
So if you're already a software developer, learn some security. And if you're already in security, learn some coding, that's the best way to get into DevSecOps. And obviously, if you're not doing either of those, you have a lot to learn. Or you might want to start with one path and merge into DevSecOps. Great, so we're just about done here. Abdel, do you have anything else specific about DevSecOps, for people who want to get into that career? Maybe any skills they need, tools they should know how to use, or certifications that you would recommend?
Abdel: 1:02:13
Um, the way I like to do... how I get this sort of DevSecOps exposure is, I look at open source. There's so many open source tools that are out there. You Google search "open source tools for SAST," you find something, and you figure out how it integrates to a DevOps pipeline. And then you start learning that way. That's really been my approach. Look at OWASP. Go on GitHub and look at OWASP, they have so many tools. Figure out which one you want to play with. Yeah, I don't think there's anything else that I would add to that.
Emily: 1:02:55
Okay. I also just wanted to add, there's one GitHub repo, Awesome DevSecOps, that I saw. And it just has a lot of different resources for learning about DevSecOps. So that's also a good place to start if you're interested. But as Abdel pointed out, open source tools. I think that's really great to look at. Alright, so that's all we had today. Thank you, Abdel, so much for coming on, giving us your time and talking about security in general, careers, as well as DevSecOps.
Abdel: 1:03:27
Yeah, it was my pleasure. Thank you for having me on your platform.
Emily: 1:03:32
Yeah. And hopefully we'll have Abdel come back sometime, as well. I know there's so many other topics in security that we can talk about. So it was really great having you, Abdel.
Abdel: 1:03:42
Thank you.
April: 1:03:43
It was a great conversation.
Emily: 1:03:45
Yeah. So again, you can learn more about us at Tech & Savvy. That's tech, the letter N, savvy.com. You can also follow us on Instagram, tech.n.savvy is our handle. And we look forward to seeing you next time. Our intro and outro song is "Gone" by FourOneFour.
April: 1:04:03
Alright, see you later. Bye.