
The developer who lives on the roof: a chronicle of the PDUG Picnic

Looking at the cold autumn landscape outside the window, it is hard to believe that only a month ago more than a hundred developers, none of them in suits, gathered in one place and voluntarily arranged themselves a long working sunbathing session on a hot roof. Nobody complained: everyone drank lemonade (beer was looming on the horizon), listened to hard-hitting talks about hacking applications, defending their own, and various useful utilities, asked questions and chatted on the sidelines. Down below, along Bolshaya Novodmitrovskaya, a lone biker occasionally rode back and forth, diluting the conversation about secure development with musical hits of the nineties. By the end of the evening there was a smell of something frying: no, it was not the developers getting heated in an argument about which language is cooler, it was the cook finally laying out delicious sausages on the grill.



That is how PDUG Picnic 2016 went: an informal get-together for developers who, in their spare time, seriously think about whether the code they write is secure.

The PDUG community: from its creation to the present day


We held the first meeting of the Positive Development User Group back in May: the PHDays VI venue, already packed with events, became a temporary home for the participants. It grew out of the two-day seminar by Timur Yunusov and Vladimir Kochetkov (@VladimirKochetkov) on hacking and defending applications, which was held in our office in the autumn of 2015. The condensed programme, which was once again received with a bang, was delivered by Volodya Kochetkov, who spoke about designing and developing secure applications, with Lesha Goncharov helping him out with his puzzles on abnormal programming. The audience was receptive: there were many questions, discussions and even arguments, which proved once more that there is interest in the topic, and that is remarkable.

So the idea of gathering an open community around the theme of secure development found a real embodiment.



PDUG Picnic successfully picked up the baton: 117 participants, 4 talks, countless questions, food and beer; even the driest statistics look encouraging. It did not go off entirely without fate's intervention, though: five talks were originally planned, but the day before the event Volodya Kochetkov lost his voice and could only answer a few questions from the audience at the end of the meeting. Still, the force majeure was relatively painless: the remaining speakers received a bit of extra time.

Gathering colleagues at 3:30 pm was a big risk on our part: it was probably not easy for many to leave the office in the middle of the working day. But the fears proved unfounded: a crowd formed at the improvised reception desk long before the appointed time, and the dedicated organisers barely kept up with handing out badges. The guests were very different: developers from banks, government agencies and software development companies, and even information security specialists turned up. In a word, the party turned out to be many-sided.

What was especially nice was the many familiar faces, people we had already met at PHDays. I want to believe that the number of our friends will only grow.

A whistle-stop tour


The schedule was tight: people barely had time to say hello and grab a snack before it was already under way. Rami Muleis (@rami0), Application Inspector's promotion manager and our permanent moderator, not only explained why "it's so great that we all gathered here today", but also introduced the community's brand-new mascot: a Madagascar aye-aye, a natural vulnerability-hunting specialist, whose colourful face waved all day on the huge PDUG flag above the roof.



From words, though, we quickly got down to business. Timur Yunusov (@YunusovTimur), a nominal representative of the "dark side of the force", opened the technical marathon of the official programme: looking at application security from the perspective of a potential attacker, he talked about the mistakes developers usually make and how attackers can exploit such "holes" in the code.



Fundamental ways of fighting attacker arbitrariness were found at the picnic after all. Valera Boronin took care of that: he talked about the secure software development lifecycle (SSDL), its benefits and the pitfalls of building one (see Valera's overview presentation on this subject), and, using static code analysis with PT Application Inspector as an example, showed how to integrate elements of secure development into everyday work in the way most natural for developers.

He did this by connecting to a project on GitHub, finding vulnerabilities in it and successfully eliminating them, all without leaving his beloved Visual Studio. The tool itself told Valera what it thought of his commits, communicating with him directly in the source code. That's our way!



Closer to the third talk, the scorching sun finally began to decline, but the technical intensity did not. PT AI code analysis turned out to be a rich topic for discussion: next on the programme was Vanya Kochurkin (@KvanTTT), who gave a talk expanding on his May article on Habr, describing the use of patterns in signature-based code analysis and the possibilities of pattern matching.



The role of the last speaker went to Lesha Goncharov, who, at the end of the meeting, presented his colleagues with Approof, a utility developed by Positive Technologies to identify vulnerable application components (both under development and already in production), configuration errors and sensitive data.



Some will probably remember that Approof has already appeared on Habr. Not only are we continuing its development, we also launched a contest right at the picnic to write new rules for the Fingerprint core. By the way, there is still a chance to take part and win a branded PDUG T-shirt: for the most unusual rule and for the largest number of rules submitted. We created a separate repository especially for this; if the Challenge interests you, send your pull requests, we will be glad to get any ideas.

By the time the official part of the programme came to an end and beer and pizza came into play, it was already getting dark. No one was in a hurry to leave: there were topics to discuss and plenty of questions, of which there were probably even more than before the meeting. Still, the next step had been taken, the topic's highlights had been covered, and the time has come for even more painstaking work on the further development of the community.

What next?


"We want to unite developers, architects, analysts, testers, area managers and information security specialists into a single community whose goal will be to raise the competence of these specialists in the field of secure application development," explained Masha Ratsin, head of the product marketing department at Positive Technologies and the event's chief organiser. "Our experts spoke at the first meetings, but in future we will definitely invite speakers from other IT companies."

There are plenty of plans. This autumn we are going to hold a fresh meetup, the first of many of its kind, and launch a series of themed webinars. In addition, following the picnic, we set up a group on Facebook, where we are gradually sharing materials (a photo report is already available, for example), and later we will start posting announcements of future meetings and other interesting things. You are welcome, by the way.

PDUG is an open community, and we strive to create a platform where everyone will have the opportunity to share their experience. If you yourself want to promote the topic of secure development in some way, have relevant and interesting experience, and keep cool cases, life hacks and all sorts of other useful things in your working piggy bank, drop us a line at pdug@ptsecurity.com and let's discuss possible joint activities. Everything is welcome: suggestions for venues, ideas for new cool talks, or cool talks themselves along with their speakers (we are in favour of batch processing). Let's develop securely together!

Source: https://habr.com/ru/post/309884/
