Becoming a Security-Conscious Company (CHCon 2019) without notes

Transcript

1. THE FOLLOWING TALK HAS BEEN WRITTEN FOR PEOPLE WHO WANT

   TO SEE SECURITY CULTURE TAKE ROOT AT THEIR COMPANY BY SOMEONE WHO’S LEARNING, EVERY DAY.

2. Hi. @aupajo

3. Who am I? @aupajo

4. Disclaimer.

5. I know nothing. But more than I did 6 months

   ago.

6. How to become a security- conscious software company. Or one

   way , at least.

7. Spoilers.

8. Buy. Measure. Bake and share. Works for Security & Cupcakes

9. Our story begins Central America… * Probably . retelLings may

   vary . *
10. None
11. None
12. None

13. When I got back I started in writing…

14. …and thinking…

15. …and sharing…

16. Making a compelling case to focus.

17. Reasons to focus on security It’s a long-term competitive advantage.

    It’s practical risk mitigation. It’s the right thing to do, which speaks to your values as a company. ✓ ✓ ✓
18. None

19. Buy. Measure. Bake and share. Get buy-in

20. Leadership Risks and opportunities Management Measurement, direction and practices Implementation

    Skills, tools, and support

21. You have buy-in. Now what?

22. What are you trying to do?

23. Well, how would you measure it?

24. OKRs Appeals to engineering sensibilities. It works. Bonus: You only

    need to read the first three (-ish) chapters to get the gist. Good contender for the best 1½ hour you can spend for your company.

25. Objective Become a security-conscious company by June 2020. How do

    we measure this? Time-bound, specific

26. security-conscious adj. Embracing security culture through awareness, capabilities, and practice.

27. Key Results 1. On 100% of our projects where we

    play a significant security role, a developer has passed a test for critical application security knowledge
 2. 100% of all employees (excluding those in their first month) have passed a test for basic workplace security
 3. 100% our client solutions pass the “critical” section of our internal security solution scoring matrix

28. Key result #3 100% our client solutions pass the “critical”

    section of our internal security solution scoring matrix Measurable Measurable. NeEd to define this What counts as a “solution” anyway? NeEd to determine what’s “critical”

29. Components with known vulnerabilities audited in CI Security role explicitly

    described in contract Passes ASVS Level 1 Etc… Client A Yes Yes Yes No Client B No No Yes No Client C Yes Yes Yes Yes Client D Yes No Yes No Passing 75% 50% 100% 25% 63% 9/16 =

30. Buy. Measure. Bake and share. Give yourself specific goals (OKRs

    are nice)

31. You’ve got measurable goals. Now what?

32. “Just do NIST.” (INSERT AUTHORITY OF CHOICE)

33. Don’t reinvent the wheel.

34. Top 10 OWASP Top 10s 1. Top 10 Most Critical

    Web Application Security Risks 2. API Security Top 10 3. Serverless Top 10 4. Cloud-Native Application Security Top 10 5. Top 10 IoT Vulnerabilities Don’t get lost in the weeds.

35. “Just buy DUO.” (INSERT PRODUCT OF CHOICE)

36. “Just hire somebody.”

37. “Bake in” don't “bolt on”.

38. Culture is like yoghurt.

39. A strong engineering culture Developers lift each other up Continuous

    improvement Gaps between teams are bridged Experimentation encouraged Wins and losses shared
40. None
41. None

42. Leverage experience.

43. Buy. Measure. Bake and share. Bake it into your culture

44. Buy. Measure. Bake and share.

45. Security alone is hard.

46. We have a common goal to keep the public trusting

    the software we build.

47. We’re better off working together to solve this problem.

48. Default to open. Internally and externally.

49. None
50. None

51. Help each other succeed. Meet-ups Slack Conferences Open source Blog

    posts

52. Buy. Measure. Bake and share. Be open, lift each other

    up
53. None

54. Take my notes…
 Ask me questions… Continue the conversation… @aupajo

    InfoSecNZ Slack / Twitter

55. Buy. Measure. Bake and share.

56. Thank you.