Endpoint

4/30/2018
07:25 PM
50%
50%

Slack Releases Open Source SDL Tool

After building an SDL tool for their own use, Slack has released it on Github under an open source license.

Security is a matter of friction — applying as much as possible to malign actors and processes, and as little as possible to legitimate users and applications. For software developers, any additional friction can seem too much and lead to teams working around, rather than with, the processes intended to provide built-in security. Slack is a fast-moving company that needs lightning-fast development cycles and secure software. It's a situation that called for a tool they didn't have. So they built one and released it as an open source application for anyone to use.

Slack has a small development team and a seemingly insatiable appetite for new capabilities and features; it's not uncommon for the company to deploy code to production 100 times in a day. "Integrating security into products, with distinct steps and quite a bit of process, didn't align with the way things worked here," says Max Feldman, a member of the product security team at the company.

Feldman says that the development team looked at existing tools, including Microsoft's, but that the tools either added too much overhead or were oriented toward a waterfall development process. "Process can be antithetical to rapid development," says Feldman. His team's challenge was to, he says, "bring best practices into Slack while remaining "Slack-y."

The new tool is intended to help Slack implement a security development lifecycle. The application, dubbed "GoSDL," was described in depth in a recent company blog post. The goal, says Feldman, was to develop rapid and transparent development.

GoSDL is, he says, a fairly simple PHP application that allows any team member to begin the process of interacting with security. "The beginning of the process of a new feature is one where they can check whether they want direct security involvement," Feldman says. If so, the feature is flagged "high risk," not because of any actual risk but to make it high priority for security team action. If the security involvement box isn't checked, it doesn't mean that security steps aside, but their involvement begins with a series of questions about the impact on existing products and features.

Once the security team is involved it begins to put together risk assessments (high, medium, or low) for each component of the feature. The product engineer or manager is responsible for a component survey with additional checklists of potential issues.

All of the checklists and communications to this point are created in the PHP application running on the Slack platform. Once the lists reach the point of requiring action, the application generates a Jira ticket that creates the action item checklist.

"This empowers engineers and developers to evaluate their own security," Feldman says. "We'll be involved and help, but the more they're versed in security, the better we are." And that "better" is embodied in a cultural shift toward security, as well.

"One of the things we tried to do with the blog post and documentation is talk about the culture and how to use it," Feldman says, adding that the "transparency and communication are an integral aspect of this; without them it could still work but it would be much different."

It is important, he says, for security to be seen as a trusted partner in the development process rather than a blocking adversary. "The fostering of mutual trust between development and engineering is a goal. Engagement, getting familiar with people, meeting people as they join," is critical, he says.

"For us the behavioral and cultural aspects are sufficient but we've tried with the blog post to clarify how it might be useful. We want to let teams integrate the tool and make things pleasant for everyone," Feldman explains.

GoSDL is available on Github.

Related Content:

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/30/2018 | 11:11:24 PM
"The fostering of mutual trust between development and engineering is a goal"
Collaboration is the ultimate end game. In many cases you can see a direct correlation to optimization.
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
Mueller Probe Yields Hacking Indictments for 12 Russian Military Officers
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/13/2018
10 Ways to Protect Protocols That Aren't DNS
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/16/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-10727
PUBLISHED: 2018-07-20
camel/providers/imapx/camel-imapx-server.c in the IMAPx component in GNOME evolution-data-server before 3.21.2 proceeds with cleartext data containing a password if the client wishes to use STARTTLS but the server will not use STARTTLS, which makes it easier for remote attackers to obtain sensitive ...
CVE-2018-8018
PUBLISHED: 2018-07-20
Apache Ignite 2.5 and earlier serialization mechanism does not have a list of classes allowed for serialization/deserialization, which makes it possible to run arbitrary code when 3-rd party vulnerable classes are present in Ignite classpath. The vulnerability can be exploited if the one sends a spe...
CVE-2018-14415
PUBLISHED: 2018-07-20
An issue was discovered in idreamsoft iCMS before 7.0.10. XSS exists via the fourth and fifth input elements on the admincp.php?app=prop&do=add screen.
CVE-2018-14418
PUBLISHED: 2018-07-20
In Msvod Cms v10, SQL Injection exists via an images/lists?cid= URI.
CVE-2018-14419
PUBLISHED: 2018-07-20
MetInfo 6.0.0 allows XSS via a modified name of the navigation bar on the home page.