
Security Champions Playbook

Zeronights'17

Alexander Antukh

November 17, 2017

Transcript

  1. Imagine theoretical situation VS YOU
     •  Many projects
     •  Even more teams
     •  Different technologies
     •  No strong security culture
  2. “Security is important! But…”
     •  … it’s good enough for now
     •  … these risks are not relevant
     •  … it’s just a pilot project
     •  … we’re changing too fast
     •  … third-party will do it for us
     •  … we don’t want no formalisms
  3. Benefits of having sec champs
     •  Scaling security through multiple teams
     •  Engaging “non-security” folks
     •  Creating a security culture
  4. Security Champions at
     •  Security Champion survey
     •  11 questions, 7 yes/no + proposals/ideas
     •  20 respondents
        •  CISOs
        •  project leaders
        •  developers
        •  testers
        •  architects
  5. Security Champions expectations
     (bar chart, 0–100 scale; categories: Share knowledge, Help decision making, Guard best practices, Build threat models, Security reviews, R&D initiatives, Bug bounty)
  6. Other selected expectations
     •  Attend security conferences
     •  Define best practices
     •  Prioritize security-relevant stories in Backlog
     •  Monitor vulnerabilities in tools/libraries
     •  Write security tests for identified risks
     More outcomes: http://bit.do/security_champions
  7. So far it looks like that:
     •  You’re alone with a million security problems
     •  ?????
     •  Champions appear and solve them
     PROFIT!
  8. Security Champions Playbook
     1.  Identify the teams
     2.  Define the role
     3.  Nominate champions
     4.  Set up communication channels
     5.  Build solid knowledge base
     6.  Maintain interest
  9. 1. Identify the teams
     •  1 product = 1 team?
     •  Technologies?
     •  Documentation?
     •  Communication?
     •  Management?
     •  Current reviews?
     •  Release calendar?
  10. 1. Identify the teams (contd.)
     •  Expected outcome after this step:

     Product  | Team  | Technologies   | Security contact | Team lead    | Product manager      | BTS  | Comments
     ---------|-------|----------------|------------------|--------------|----------------------|------|---------------------
     Product1 | Alpha | Python, Django | Vasya Pupkin     | Vasya Pupkin | Kleopatra Stepanovna | HELO | Usage of Bandit tool
     Product1 | Beta  | …              | …                | …            | …                    | …    | …
  11. 2. Define the role
     •  Measure current security state among the teams
     •  Define goals you plan to achieve in mid-term
     •  Identify places where Champions could help
     •  Produce clearly defined roles for the Champions
  12. 2. Define the role (contd.)
     Depending on current progress and strategy, role descriptions could be:
     •  Verify security reviews
     •  Control best practices within the team
     •  Raise issues for risks in the existing code
     •  Build threat models for new features
     •  Conduct automated scans for the code
     •  Investigate bug bounty reports
  13. 3. Nominate Champions (contd.)
     •  Get approvals on all levels
     •  …
     •  Because otherwise you’ll hear the worst argument ever
     •  I HAD NO TIME FOR SECURITY!!!
  14. 3. Nominate Champions (contd.)
     Once nominated, make him feel like a Champion:
     •  entry to the security meta-team
     •  official introduction to the peers
     •  insignia ;)
  15. 5. Build solid knowledge base
     Internal wiki as the main resource!
     •  Security meta-team with listed champs
     •  Clearly defined roles and procedures
     •  Secure development best practices
     •  Risks & vulnerabilities
     •  Checklists
        ✓  Web/mobile security checklist
        ✓  Third-party security checklist
        ✓  UI security checklist
        ✓  Privacy checklist
        ✓  …
  16. 5. Build solid knowledge base (contd.)
     Open source to the rescue!
     •  Security Knowledge Framework
     •  ASVS + MASVS
     •  CERT secure coding standards
     •  and many more…
  17. 6. Maintain interest
     •  Workshops & trainings
     •  Strategy / best practices
     •  Security quizzes
     •  Hacker Thursday
     •  “Month of bugs”
     •  Keep them motivated!
  18. 6. Maintain interest (contd.)
     Monthly security newsletters
     •  Updates & plans
     •  Recognition for leaders
     •  Another source of communication
     •  Also serve as checkpoints for all
  19. 6. Maintain interest (contd.)
     Security conference calendar
     •  Start here: https://infosec-conferences.com
     •  Add local events…
     •  And participate in OWASP chapter meetings :)
  20. Afterword
     •  The playbook will allow you to get sec reinforcements but THINK BIGGER!
     •  Once established properly, they will greatly help you in spreading security across the company and in achieving future sec goals
     •  … and the best is to see how they develop themselves!