Keynote: Developers as a Malware Distribution Vehicle
This keynote is now available to view on InfoQ.com
Abstract
A malicious Xcode injected malware into thousands of apps, stealing data of millions of users. Tokens committed to a GitHub repo exposed millions of Uber drivers and passengers. A phished developer gave the Syrian Electronic Army access to the Financial Times’ site.
What do all of these have in common? They were caused by developers. Well-intentioned, smart and experienced developers. They had nothing to do with writing insecure code, and everything to do with the incredible access we’re entrusted with, ranging from code that reaches millions to direct access to these users’ data.
In the name of DevOps, we’ve made developers incredibly powerful – but when does such access become unacceptable risk? Are there architectures and processes that let us move fast without exposing the keys to the kingdom? Can our culture be trusting and agile yet have a healthy appreciation of risk?
Besides building a sober appreciation of this risk, this talk will help equip us to handle it. We’ll learn risk management from role models inside and outside of tech, understand cognitive biases, and build the case that good security constraints can actually help us move faster. Lastly, we’ll share a vision of where we may be headed, and how we can protect ourselves – and our users.
What is the talk about and why is it so important to you?
This talk is about the security implications of the great power that developers have today. With a click of a button, developers can deploy code. The reach of that code is ever growing. This is an amazing way to deliver rich features and allows a truly rapid pace of development, but it’s also scary… scary as hell. Balancing this empowerment with safety is not obvious.
This talk shows through storytelling and examples what can happen when this balance goes wrong. It offers examples, role models, and guidelines on how to think about balancing a rapid pace of deployment with safety concerns.
Without too many details, what are some of the stories you plan to cover?
We’ll talk about viruses that spread by compromising developers. We’ll talk a little bit about how that happens and what it means when it happens. Part of that discussion will be what to look for to even know if it has happened. Similarly, we’ll talk about incidents where privileged developer access to production data led to some issues. The goal is to learn from some of these stories.
In addition, we’ll look at some of the software giants. These are the companies that are known for their strong security and developer empowerment and see what we can learn. We’ll answer things like how do the biggest and most well-known tech companies address this risk. Companies we’ll look to include Microsoft, Google, and Netflix. We’ll see what practices we can learn from them.
This is not a problem that has a silver bullet. Everything is a tradeoff. The goal of this talk is to arm you with the right questions and offer the right examples to understand where you want to draw the line between developer empowerment and safety.
What trend in the next 12 months would you recommend an early adopter/early majority SWE to pay particular attention to?
The growth in adoption of DevSecOps practices. As DevOps helps us accelerate our business, it’s increasingly clear that security is either the bottleneck or is left behind; neither is a good option. The imperfect “DevSecOps” buzzword embodies security practices that we can integrate into the software development process without slowing it down.