Endpoint

Slack Releases Open Source SDL Tool

After building an SDL tool for their own use, Slack has released it on Github under an open source license.

Security is a matter of friction — applying as much as possible to malign actors and processes, and as little as possible to legitimate users and applications. For software developers, any additional friction can seem too much and lead to teams working around, rather than with, the processes intended to provide built-in security. Slack is a fast-moving company that needs lightning-fast development cycles and secure software. It's a situation that called for a tool they didn't have. So they built one and released it as an open source application for anyone to use.

Slack has a small development team and a seemingly insatiable appetite for new capabilities and features; it's not uncommon for the company to deploy code to production 100 times in a day. "Integrating security into products, with distinct steps and quite a bit of process, didn't align with the way things worked here," says Max Feldman, a member of the product security team at the company.

Feldman says that the development team looked at existing tools, including Microsoft's, but that the tools either added too much overhead or were oriented toward a waterfall development process. "Process can be antithetical to rapid development," says Feldman. His team's challenge was to, he says, "bring best practices into Slack while remaining "Slack-y."

The new tool is intended to help Slack implement a security development lifecycle. The application, dubbed "GoSDL," was described in depth in a recent company blog post. The goal, says Feldman, was to develop rapid and transparent development.

GoSDL is, he says, a fairly simple PHP application that allows any team member to begin the process of interacting with security. "The beginning of the process of a new feature is one where they can check whether they want direct security involvement," Feldman says. If so, the feature is flagged "high risk," not because of any actual risk but to make it high priority for security team action. If the security involvement box isn't checked, it doesn't mean that security steps aside, but their involvement begins with a series of questions about the impact on existing products and features.

Once the security team is involved it begins to put together risk assessments (high, medium, or low) for each component of the feature. The product engineer or manager is responsible for a component survey with additional checklists of potential issues.

All of the checklists and communications to this point are created in the PHP application running on the Slack platform. Once the lists reach the point of requiring action, the application generates a Jira ticket that creates the action item checklist.

"This empowers engineers and developers to evaluate their own security," Feldman says. "We'll be involved and help, but the more they're versed in security, the better we are." And that "better" is embodied in a cultural shift toward security, as well.

"One of the things we tried to do with the blog post and documentation is talk about the culture and how to use it," Feldman says, adding that the "transparency and communication are an integral aspect of this; without them it could still work but it would be much different."

It is important, he says, for security to be seen as a trusted partner in the development process rather than a blocking adversary. "The fostering of mutual trust between development and engineering is a goal. Engagement, getting familiar with people, meeting people as they join," is critical, he says.

"For us the behavioral and cultural aspects are sufficient but we've tried with the blog post to clarify how it might be useful. We want to let teams integrate the tool and make things pleasant for everyone," Feldman explains.

GoSDL is available on Github.

Related Content:

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/30/2018 | 11:11:24 PM
"The fostering of mutual trust between development and engineering is a goal"
Collaboration is the ultimate end game. In many cases you can see a direct correlation to optimization.
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Mozilla, Internet Society and Others Pressure Retailers to Demand Secure IoT Products
Curtis Franklin Jr., Senior Editor at Dark Reading,  2/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8939
PUBLISHED: 2019-02-19
data/interfaces/default/history.html in Tautulli 2.1.26 has XSS via a crafted Plex username that is mishandled when constructing the History page.
CVE-2019-8935
PUBLISHED: 2019-02-19
Collabtive 3.1 allows XSS via the manageuser.php?action=profile id parameter.
CVE-2019-3812
PUBLISHED: 2019-02-19
QEMU, through version 2.10 and through version 3.1.0, is vulnerable to an out-of-bounds read of up to 128 bytes in the hw/i2c/i2c-ddc.c:i2c_ddc() function. A local attacker with permission to execute i2c commands could exploit this to read stack memory of the qemu process on the host.
CVE-2019-8933
PUBLISHED: 2019-02-19
In DedeCMS 5.7SP2, attackers can upload a .php file to the uploads/ directory (without being blocked by the Web Application Firewall), and then execute this file, via this sequence of steps: visiting the management page, clicking on the template, clicking on Default Template Management, clicking on ...
CVE-2019-7629
PUBLISHED: 2019-02-18
Stack-based buffer overflow in the strip_vt102_codes function in TinTin++ 2.01.6 and WinTin++ 2.01.6 allows remote attackers to execute arbitrary code by sending a long message to the client.