I’ve spent the past 3.5 years working on a team where my primary responsibilities involved “application security”. Now that this era has come to an end, I’d like to share some of the initiatives and define their successes and shortcomings. This is part 5 of 5 so please be sure to read parts 1, 2, 3, and 4.
Training, outreach, and networking
We decided to leverage existing communications avenues (mailing lists, newsletters, status reports, etc.) as well as set up a WordPress blog. We used these tools to publish security news, link to third-party security documentation and guidance, solicit feedback and, most importantly, identify individuals throughout the organization who had an interest or skills in secure software development. Our goal with the outreach program was not only to make information resources available, but also to ensure that our services were transparent and accessible. Like us, most security groups have to overcome the stigma of being a crazy bunch of paranoid hackers who cost the company money and cause deadlines to slip. As such, the outreach program, coupled with our threat modeling and security consulting services, was delivered with clarity, transparency, and comprehensiveness.
We also delivered numerous training courses aimed at educating developers and architects in defensive programming, software vulnerabilities, and threat modeling. These courses were typically delivered to smaller audiences and accompanied by hands-on activities. We found that these courses were not only well received, but also that attendees would contact us to request additional training tailored to a specific topic relevant to their products. I feel that we had the distinct benefit of having team members who were very adept at delivering training, and I realize that not all organizations have this sort of resource. Given a high enough priority in company goals, training can easily be purchased, and employees who are members of professional groups can leverage relationships with professionals outside the organization who would be willing to deliver the training.
For more information on homegrown security teams, check out my post.
Maybe the title should have been "caring for your customers", I'm not sure. Either way, when you're involved in security, specifically for a product or for a company that builds products, you should be listening to your customers! Who are your customers? Well, that's a grey area. Is it your employer, the development teams you collaborate with, or the users of the product? If you answered all of the above, you're correct.
Unfortunately, far too often, security folk forget that last one: the product users. All the quality assurance and security testing in the world won't account for the (hopefully) thousands of users and the few (hopefully) conscientious hackers who might be reporting issues.
So how would one go about accomplishing this task?
Establish a public, well documented process for bugs to be reported
This process might be as simple as providing an email address for reporting issues or as complex as a form which creates a ticket in a tracking system. The point is, you MUST have a way for feedback to be provided.
LISTEN AND RESPOND TO ALL FEEDBACK
I can't stress this enough! When you give users an avenue to report issues, you must accept and acknowledge all reports. When you ignore feedback, your customers get pissed. When your customers get pissed, they turn to any and all online avenues to bash the service and your lack of response. With services like Twitter, Facebook, and MySpace, which thrive on user-generated content, reputation can be affected within a matter of hours!
Be where the feedback is
Big news: the internet is searchable!
Google is a great tool for searching. Furthermore, Google will provide results as RSS feeds, which can be loaded into your favorite feed reader.
Twitter is where the people are! Twitter is also searchable, and with tools like TweetDeck and tweetbeeps.com it's easy to capture tweets which mention your product.
So why do I feel the need to be captain obvious with this post? Well, like most security researchers, I've reported issues in various products far too often. Some owners have been very responsive, while others don't even bother responding with a form or canned response. With copycat products being released every day, if you don't take care of your users, they'll go somewhere else.
For a good place to start on reputation, check out SpinHunters.com.