Fabrizio Cornelli - Anthropology of a Dev(Sec)Ops according to the Hunter/Farmer model - Codemotion...

Dev(Sec)Ops and the Hunter/Farmer model

Fabrizio Zeno Cornelli

CODEMOTION MILAN - SPECIAL EDITION 10 – 11 NOVEMBER 2017

Thanks to Randall Munroe: xkcd.com

Get a Good Password

$ dd if=/dev/random count=1 | base64 | cut -c1-22
c4EdYgLedpD30qKJ6YAKjQ

Use 128 bit

$ gsort -R ~/dict/words.txt | head -4 | paste -sd '-' -

Get a Good Password

Use dictionary

11 bits to index words.txt?

128/11 ≈ 12

Get a Good Password

How many words?

Why is Password0! not good?

HOW TO CRACK A PASSWORD

How passwords work

stored[user] = hash(password)

hash(password) == stored[user] → auth

How to crack a password

Retrieve stored hashes

Deduce hash

Plaintext? Done :

- Bruteforce attack

- Dictionary attack

Brute force Attack

Test every single possible password.

From 'a' up to 'ZZZZZZZZ..ZZZ'

Dictionary Attack

hash(guess) ∈ stored → (^-^)

$ john stored.txt

# what john does, as pseudocode (the … marks elided entries)
stored = {'abFZSxKKdq5s6', 'ulMGRyl03i2gm', …}     # the retrieved hashes
dic = ['password', '12345', …]                     # the wordlist
rules = [':', 'u', …, 'so0', 'cAz[0-9][!$§]']      # John mangling rules
_guesses = jexpand(dic, rules)  # ['password', 'PASSWORD', …, 'passw0rd', 'Password0!', …]
[g for g in _guesses if hash(g) in stored]         # every guess whose hash matches a stored one
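As an added example (not the speaker's code), a small Python model of the dictionary attack sketched above and of the "128/11 ≈ 12" arithmetic from the Get a Good Password slides: `expand` is a simplified imitation of John the Ripper's rule syntax (':' no-op, 'u' uppercase, 'c' capitalise, 'sXY' replace X with Y, a trailing '[...]' class appends one character from it), the wordlist and the "stored" table are constructed here, and SHA-256 stands in for whatever hash the slide's `hash()` denotes.

```python
import hashlib, itertools, math, re

# Constructed wordlist and rules (not from the talk); rule syntax is a simplified imitation of
# John the Ripper's: ':' no-op, 'u' upper, 'c' capitalise, 'sXY' X->Y, trailing '[..]' appends one char.
DIC = ["password", "12345", "letmein", "dragon"]
RULES = [":", "u", "c", "so0", "c[0-9][!$]", "cso0[0-9][!$]"]

def expand_class(spec):
    """Turn a class body such as '0-9' or '!$' into its list of characters."""
    out, i = [], 0
    while i < len(spec):
        if i + 2 < len(spec) and spec[i + 1] == "-":
            out.extend(chr(c) for c in range(ord(spec[i]), ord(spec[i + 2]) + 1))
            i += 3
        else:
            out.append(spec[i])
            i += 1
    return out

def expand(word, rule):
    """Yield every candidate one mangling rule produces from one word."""
    head, tail = re.match(r"^([^\[]*)((?:\[[^\]]*\])*)$", rule).groups()
    i = 0
    while i < len(head):
        if head[i] == "u":
            word = word.upper()
        elif head[i] == "c":
            word = word[:1].upper() + word[1:].lower()
        elif head[i] == "s":
            word = word.replace(head[i + 1], head[i + 2])
            i += 2
        i += 1  # ':' (and anything unknown) is a no-op
    classes = [expand_class(c) for c in re.findall(r"\[([^\]]*)\]", tail)]
    for suffix in itertools.product(*classes):
        yield word + "".join(suffix)

def sha256(pw):
    """Stand-in for the slide's hash(); real systems should use a slow, salted KDF."""
    return hashlib.sha256(pw.encode()).hexdigest()

def crack(stored, dic=DIC, rules=RULES):
    """The slide's comprehension: every expanded guess whose hash is in the stored set."""
    return sorted({g for w in dic for r in rules for g in expand(w, r) if sha256(g) in stored})

def words_needed(wordlist_size, target_bits=128):
    """Slide arithmetic: 2048 words give 11 bits each, so 128/11 rounds up to 12 words."""
    return math.ceil(target_bits / math.log2(wordlist_size))

# Constructed stored table: two guessable passwords plus the slide's random token, which no rule reaches.
STORED = {sha256("Password0!"), sha256("passw0rd"), sha256("c4EdYgLedpD30qKJ6YAKjQ")}
```

`crack(STORED)` recovers only the two dictionary-derived passwords; the 22-character random token survives because no mangling rule can reach it, which is the slide's argument for 128 bits.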

How to crack a password

So what?

FABRIZIO [email protected]

CV

CTO, Enterprise srl

DEV / QA Manager, HT

Consultant, from 2016

DEVELOPER: "if it ain't broke, don't fix it"

Constructive

Design then code (and test)

High level languages

Good Practices

RTFM

Frameworks and Libraries

Programming skills (some languages)

Don’t reinvent the wheel

DRIVEN BY: Sense of order, Growth, Collaboration

Issues: Planning / OCD

Dev Proverbs

The end does not justify the means

Choose two: good, fast, cheap

Any fool can write code that a computer can understand. Good programmers write code that humans can understand. [M. Fowler]

HACKER: "shit happens"

Deconstructive: Reverse Engineer

Lateral Thinking

Subvert the manual

Shortcut / quick and dirty

Must be the first

Low level Languages

(C, asm)

DRIVEN BY: Challenge, Showing off

Issues: Boring

Hacking Proverbs

the ends justify the means

a clever person solves a problem, a wise person avoids it

the cat goes so often to the lard that she leaves her paw in it (Italian proverb: "tanto va la gatta al lardo che ci lascia lo zampino")

Comparative table

Hacker               | Developer
---------------------|---------------------
Deductive            | Inductive
Deconstructive       | Constructive
Reverse Engineering  | Programming skills
Lateral Thinking     | Good Practice
Shortcut             | Design then code
Subvert the manual   | RTFM
Shortcut             | Frameworks and libs
Incautious           | Conservative
Low level lang       | High level lang

Shared values

Discipline / Focus

Imagination

Patience

Farmer Hunter model

B2B Sales model

Hunter focused on creating new sales opportunities, prospecting and closing. “eat what they kill.”

Farmer manages and sells to existing relationships: account manager.

Hunter vs Farmer

Hunter              | Farmer
--------------------|----------------------
Take charge         | Let things develop
Aggressive          | Laid back
Prospector          | Planner
Competitive         | Collaborative
Always be closing   | So, what do you think
Individualist       | Team player
Short term          | Long term
Risky               | Safe

Hunter vs Farmer

Really a coincidence? Is there any anthropologic root?

STONE AGE: anthropologic session

Small clans

Nomadic

Hunters

Resources Developer

Language and politics

Villages and cities

Farmers

Hunter vs Farmer

Hunter              | Farmer
--------------------|----------------------
nomadic / autonomy  | permanent settlements
innovation          | tradition
initiative          | patience
independence        | collaboration

Are we changed?

We still “feel” the connection with cats and dogs

Triune Brain theory (Paul MacLean)

PALEOLITHIC HUNTER HACKER

NEOLITHIC FARMER DEVELOPER

Are we Hunters or Farmers?

Both of them

Be a hunter: get your POC

Be a farmer: evolve an idea to a product

Make your team

[Chart: Hunter vs Farmer share (0 to 80) across the phases POC, Project, Dev, Maintain/PT]

DEVSECOPS: "hunter as a service"

Defenders cannot win


Defending is more difficult

Attackers can abuse any vulnerability

Multi Layer defence


Defending is expensive

How can I prove that I’m secure?

Popper’s refutability


the inherent possibility that a statement can be proven false

- Halting problem

- "this system is secure"

Popper’s refutability

POSITIVISM

proof → true

REFUTABILITY

paradox → false

DevSecOps’ Refutability

each part should be testable and tested

devsecops is the continuous invalidation process

anti-pattern

security by obscurity

Russell’s inductivist turkey PART 1

Russell’s inductivist turkey PART 2

Hiring


"I'm looking for a hacker"

"We need a developer"

Hiring

You have a few hours to match

Does your candidate fit your job needs?

Does your job appeal to the candidate?

Is your candidate a person or a resource?

1,2,3,4,5?

That's amazing! I've got the same combination on my luggage.

Thanks

Fabio Sangiovanni

Mariachiara Pezzotti

Federico Gandellini

Luciano Colosio

THANK YOU

hacked potato for you

(no animal was harmed in the making of this presentation)