At TOPdesk security is an important topic. It always has been, but in the last year the way we approach security is changing fast. We think we’re on the right track, and today we’re announcing the next step to help developers enjoy secure development.
Security at TOPdesk
In the past, our ICT department already put effort into educating employees on how to deal with security in our office: How do you keep your password safe? What do you do if you see the door to the server room open, but without ICT people around? Our software already had a pretty good level of security. We use pair programming and code reviews to help avoid vulnerabilities as well. But like at many other companies, security knowledge was concentrated in a limited number of people.
This works fine when you release twice a year, but it doesn’t work very well with continuous deployment. It is no longer possible to do extensive penetration testing a few days before a release. Also, as we use more and more cutting-edge technology, we need more people who understand what is safe and what isn’t. Because we can’t make every developer a security expert, raising the average knowledge level, together with more automation, should do the trick.
Security CoP
Therefore, last year we started a Community of Practice with several people who are passionate about security. Together we’re working on increasing the awareness among our developers. We’re working on many levels at the same time to change our approach to security into one that is more compatible with the agile mindset. For the short term the main goal is to further increase the awareness. We created our own customized OWASP Top 10 posters and put them up in several places in the office. We give awareness trainings to programmers, testers, designers and Product Managers (the ‘why’ of security), and within a few weeks we’ll continue with more hands-on trainings and workshops (focusing on the ‘how’). Furthermore, we’re also working on cheat sheets that help developers do secure development in a fun and easy way.
Besides spreading the awareness, we also replaced the old penetration tests that were done a few times per year with continuous penetration testing. We also use static code analysis tools and check for specific vulnerabilities in unit tests. Finally, we scan the tools and libraries we use in our software for known vulnerabilities and keep them up to date.
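As an illustration of what “checking for specific vulnerabilities in unit tests” can look like in practice, here is an added example that is not code from the original post or from TOPdesk’s code base. It uses Python’s standard library only; the helper names (`escape_for_html`, `find_user`, `setup_db`) and the sample input strings are constructed for this example. The tests pin down two classes of regression: output encoding of user input placed in HTML, and parameter binding in SQL queries, so that a later refactor that reintroduces string concatenation fails the build rather than reaching production.

```python
import html
import sqlite3
import unittest

# Constructed sample inputs containing HTML-significant characters. A test like
# this guards the escaping helper against regressions; it is not a payload list.
XSS_SAMPLES = [
    '<script>alert(1)</script>',
    '"><img src=x onerror=alert(1)>',
    "' onmouseover='alert(1)",
]

# Characters that must never reach the browser unencoded when they come from input.
HTML_SIGNIFICANT = '<>"\''


def escape_for_html(value: str) -> str:
    """Encode user-controlled text before it is placed inside HTML markup.

    html.escape with quote=True also encodes both quote characters, so the result
    is safe inside attribute values as well as in element text.
    """
    return html.escape(value, quote=True)


def setup_db() -> sqlite3.Connection:
    """Create an in-memory database with constructed sample rows (hypothetical data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s1"), ("bob", "s2")],
    )
    return conn


def find_user(conn: sqlite3.Connection, name: str) -> list:
    """Look up a user by name using a bound parameter.

    The value is passed to the driver separately from the statement text, so it
    can only ever be compared as data and cannot alter the query structure.
    """
    return conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,)
    ).fetchall()


class InjectionRegressionTests(unittest.TestCase):
    """Unit tests that assert on the security property, not just on 'happy path' output."""

    def test_user_input_is_html_encoded(self):
        for sample in XSS_SAMPLES:
            rendered = escape_for_html(sample)
            for ch in HTML_SIGNIFICANT:
                self.assertNotIn(ch, rendered, f"{ch!r} survived unencoded in {sample!r}")

    def test_sql_lookup_treats_input_as_data(self):
        conn = setup_db()
        # Legitimate lookup still works.
        self.assertEqual(find_user(conn, "alice"), [("alice",)])
        # A value that would change the WHERE clause if concatenated into the
        # statement must simply match no row when it is bound as a parameter.
        self.assertEqual(find_user(conn, "' OR '1'='1"), [])
        # Quote characters in legitimate names are handled the same way.
        self.assertEqual(find_user(conn, "o'brien"), [])


if __name__ == "__main__":
    unittest.main()
```

Tests of this shape are cheap to keep in the regular suite, and because they assert on the property (no unencoded markup characters, no extra rows) rather than on one exact string, they keep passing when the template or schema around them changes.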
Meetup
Today I’d like to announce our next step to bring security to all developers.
We’ve invited Martin Knobloch (OWASP Netherlands) for a public meetup at TOPdesk.
The date is April 20th and the location is TOPdesk Delft (Martinus Nijhofflaan 2, 2624 ES Delft). Whether you work at TOPdesk or not (yet), everyone is invited! Just tell us that you’d like to come and we’ll have beer and pizza ready. Martin Knobloch from OWASP Netherlands will be our main speaker. He will speak about OWASP, requirements and common security problems. He will give an overview of different OWASP projects and show how to find vulnerabilities, with some discussion on how to solve them. The meetup schedule is as follows:
18:00 Welcome! Food and drinks
19:00 Start with talks and small breaks
20:30 Informal drinks
... Doors close ;)
You can sign up on our meetup page. I hope to see a lot of familiar and new faces at the meetup!