Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

Slack Releases Open Source SDL Tool

After building an SDL tool for their own use, Slack has released it on Github under an open source license.

Security is a matter of friction — applying as much as possible to malign actors and processes, and as little as possible to legitimate users and applications. For software developers, any additional friction can seem too much and lead to teams working around, rather than with, the processes intended to provide built-in security. Slack is a fast-moving company that needs lightning-fast development cycles and secure software. It's a situation that called for a tool they didn't have. So they built one and released it as an open source application for anyone to use.

Slack has a small development team and a seemingly insatiable appetite for new capabilities and features; it's not uncommon for the company to deploy code to production 100 times in a day. "Integrating security into products, with distinct steps and quite a bit of process, didn't align with the way things worked here," says Max Feldman, a member of the product security team at the company.

Feldman says that the development team looked at existing tools, including Microsoft's, but that the tools either added too much overhead or were oriented toward a waterfall development process. "Process can be antithetical to rapid development," says Feldman. His team's challenge was to, he says, "bring best practices into Slack while remaining "Slack-y."

The new tool is intended to help Slack implement a security development lifecycle. The application, dubbed "GoSDL," was described in depth in a recent company blog post. The goal, says Feldman, was to develop rapid and transparent development.

GoSDL is, he says, a fairly simple PHP application that allows any team member to begin the process of interacting with security. "The beginning of the process of a new feature is one where they can check whether they want direct security involvement," Feldman says. If so, the feature is flagged "high risk," not because of any actual risk but to make it high priority for security team action. If the security involvement box isn't checked, it doesn't mean that security steps aside, but their involvement begins with a series of questions about the impact on existing products and features.

Once the security team is involved it begins to put together risk assessments (high, medium, or low) for each component of the feature. The product engineer or manager is responsible for a component survey with additional checklists of potential issues.

All of the checklists and communications to this point are created in the PHP application running on the Slack platform. Once the lists reach the point of requiring action, the application generates a Jira ticket that creates the action item checklist.

"This empowers engineers and developers to evaluate their own security," Feldman says. "We'll be involved and help, but the more they're versed in security, the better we are." And that "better" is embodied in a cultural shift toward security, as well.

"One of the things we tried to do with the blog post and documentation is talk about the culture and how to use it," Feldman says, adding that the "transparency and communication are an integral aspect of this; without them it could still work but it would be much different."

It is important, he says, for security to be seen as a trusted partner in the development process rather than a blocking adversary. "The fostering of mutual trust between development and engineering is a goal. Engagement, getting familiar with people, meeting people as they join," is critical, he says.

"For us the behavioral and cultural aspects are sufficient but we've tried with the blog post to clarify how it might be useful. We want to let teams integrate the tool and make things pleasant for everyone," Feldman explains.

GoSDL is available on Github.

Related Content:

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/30/2018 | 11:11:24 PM
"The fostering of mutual trust between development and engineering is a goal"
Collaboration is the ultimate end game. In many cases you can see a direct correlation to optimization.
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Cognitive Bias Can Hamper Security Decisions
Kelly Sheridan, Staff Editor, Dark Reading,  6/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12855
PUBLISHED: 2019-06-16
In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections.
CVE-2013-7472
PUBLISHED: 2019-06-15
The "Count per Day" plugin before 3.2.6 for WordPress allows XSS via the wp-admin/?page=cpd_metaboxes daytoshow parameter.
CVE-2019-12839
PUBLISHED: 2019-06-15
In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution.
CVE-2019-12840
PUBLISHED: 2019-06-15
In Webmin through 1.910, any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.
CVE-2019-12835
PUBLISHED: 2019-06-15
formats/xml.cpp in Leanify 0.4.3 allows for a controlled out-of-bounds write in xml_memory_writer::write via characters that require escaping.