Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DODDFW2017 - Root-Causing Culture Impact on the Secure-by-Design Transformation

DevOpsDays DFW
August 29, 2017
Business
0
340

DODDFW2017 - Root-Causing Culture Impact on the Secure-by-Design Transformation

We built a dashboard that aggregates feeds from various security-specific tools in our DevSecOps Tool Chain. The result was an eye opener on the effect of organizational culture and individual behavior on the application security posture. The Developer Dashboard collects data from tools such static code analysis, dynamic app-scan, open source scan, JIRA, source code repository/version control, LMS (training), LDAP, and others. The data is visualized to help identifying root cause for repeated introduction of vulnerable code or poor quality code as related to effort that includes the adoption of secure coding practices, management endorsement of the secure-by-design mentality, availability or lack of proper training, legacy apps with dead or obsolete code, or applications with no active development or support. The capabilities of the dashboard provide a view all the way from the individual contributor up to the CIO (navigating the LDAP hierarchy) to help establish a scope of the problem whether (isolated or wide-spread) and help in identifying a proper remedy across teams and organizations where similar conditions existed.

The aggregated data into a single dashboard rendered the information more accessible and helped in addressing some important concerns and questions: - Measuring indicators of the secure-by-design transformation - Explain the significant variations in the Vulnerability Density and relation to obsolete/dead code clean-up - Rate of reusing common code and its implications on the cost of remediation vs. overall risk and probability of discovery of vulnerabilities - Defining a custom vs. standard training program to yield a higher ROI - Managing remediation through a risk-reduction vs. compliance approach - Building awareness about real threats and cyber-attacks in the wild - Prioritizing the remediation of vulnerabilities (e.g., OWASP Top 10, exploitability, severity) - Distribution of roles and skills in the org (Management vs. individuals, doers vs. management, junior vs. senior, …) - Impact of geographical distribution of team on other indicators

The dashboard was never meant to be a glorified, metric-driven to-do list. Rather, it was intended, through the use of data visualization and pattern correlation, to help in understanding the key drivers of an accelerated and needed culture change.

DevOpsDays DFW

August 29, 2017
Tweet

More Decks by DevOpsDays DFW

See All by DevOpsDays DFW
DODDFW2017 - Everything I need to know about DevOps I learned in The Marines
doddfwvol
0
520
DODDFW2017 - I'm Hunting Sasquatch – Finding Intermittent Issues Using Periodic Automation
doddfwvol
0
330
DODDFW2017 - Recipe for DevOps Success, Capital One Style
doddfwvol
0
530
DODDFW2017 - Why You Need to Stop Using THE Staging Server
doddfwvol
0
340
DODDFW2017 - Contributing to Open Source
doddfwvol
0
230
DODDFW2017 - The Dr. Seuss Guide to Code Craftsmanship
doddfwvol
0
320
DODDFW2017 - Configuration Management and Provisioning Are Different
doddfwvol
0
930
DODDFW2017 - Better Remote Teams
doddfwvol
0
240
Canary In A Coal Mine
doddfwvol
0
250

Other Decks in Business

See All in Business
リスキル会社説明資料
reskill_
0
110
株式会社CINC 会社案内/Company introduction
cinchr
5
33k
HRBrain|26卒 新卒向け|会社説明資料
hrbrain
2
520
株式会社EventHub 会社紹介資料
eventhub
0
20k
Crisp Code inc. | わたしたちの事例/実績 - Portfolio
so_kotani
1
230
東大放射線科2025年度入局者向け資料
utrad
0
460
第24回クラウド女子会 登壇資料
o2mami
1
1.4k
HRBrain|26卒 新卒向け|会社説明資料
hrbrain
2
350
「強い」エンジニアと働く中で、新卒1年目・未経験プロダクトマネージャーが何に悩み、どこに自分の価値を見出したか
kassy1127
17
7.3k
『射精責任』を禁欲本へ
takuro_nakajima
PRO
1
1.5k
カジュアル面談って、もっとカジュアルに していいの / informal session #jasstnano
pineapplecandy
0
120
Company Deck 2024Q1
tterasoma
0
300

Featured

See All Featured
Large-scale JavaScript Application Architecture
addyosmani
504
110k
Fantastic passwords and where to find them - at NoRuKo
philnash
37
2.5k
Optimising Largest Contentful Paint
csswizardry
8
2.4k
Unsuck your backbone
ammeep
663
57k
How GitHub Uses GitHub to Build GitHub
holman
468
290k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
322
20k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
104
6.6k
Faster Mobile Websites
deanohume
299
30k
Optimizing for Happiness
mojombo
370
69k
The Invisible Side of Design
smashingmag
294
49k
Navigating Team Friction
lara
178
13k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
78
42k

Transcript

  1. © Verizon 2017, All Rights Reserved. Information contained herein is

    provided AS IS and subject to change without notice. All trademarks used herein are property of their respective owners. Root-Causing Culture Impact on the Secure-by-Design Transformation Manah Khalil IT Application Security, Director [email protected]

  2. Confidential and proprietary materials for authorized Verizon personnel and outside

    agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. © Verizon 2017, All Rights Reserved. Information contained herein is provided AS IS and subject to change without notice. All trademarks used herein are property of their respective owners. 2 Background & Context Improve Release Time & Quality Sustainable Process Reducing Operating Cost DevOps, Cloud, and the Security Initiative Enhanced Application Security Posture Delivering on the Business Requirement Shareholder Value

  3. Confidential and proprietary materials for authorized Verizon personnel and outside

    agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. © Verizon 2017, All Rights Reserved. Information contained herein is provided AS IS and subject to change without notice. All trademarks used herein are property of their respective owners. Corporate culture refers to the shared values, attitudes, standards, and beliefs that characterize members of an organization and define its nature. 3 Corporate Culture

  4. Confidential and proprietary materials for authorized Verizon personnel and outside

    agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. © Verizon 2017, All Rights Reserved. Information contained herein is provided AS IS and subject to change without notice. All trademarks used herein are property of their respective owners. 4 IT DevOps Culture a good, solid agile IT culture requires nurturing, mentoring, and guidance TIME TRAINING TECHNOLOGY

  5. Confidential and proprietary materials for authorized Verizon personnel and outside

    agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. © Verizon 2017, All Rights Reserved. Information contained herein is provided AS IS and subject to change without notice. All trademarks used herein are property of their respective owners. • Are we moving in the right direction? • Can you really establish causality? • Can we justify the spending? • What else can we do? 5 So, What’s the Problem What is the root cause?

  6. Confidential and proprietary materials for authorized Verizon personnel and outside

    agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. © Verizon 2017, All Rights Reserved. Information contained herein is provided AS IS and subject to change without notice. All trademarks used herein are property of their respective owners. Look Closely: 6 Your DevOps Dashboard is full of clues!!

  7. Confidential and proprietary materials for authorized Verizon personnel and outside

    agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. © Verizon 2017, All Rights Reserved. Information contained herein is provided AS IS and subject to change without notice. All trademarks used herein are property of their respective owners. 7 Developer Dashboard

  8. Confidential and proprietary materials for authorized Verizon personnel and outside

    agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. © Verizon 2017, All Rights Reserved. Information contained herein is provided AS IS and subject to change without notice. All trademarks used herein are property of their respective owners. Possible reasons for Increase: • Adding more projects to an app • Adding new vulnerable code • Reducing code Possible reasons for decrease: • Vulnerability remediation • Clean-up of dead code • Removing obsolete projects Follow-ups: • Ask questions. Why? • Check total count of lines of code 8 Example: Vulnerability Density

  9. Confidential and proprietary materials for authorized Verizon personnel and outside

    agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. © Verizon 2017, All Rights Reserved. Information contained herein is provided AS IS and subject to change without notice. All trademarks used herein are property of their respective owners. • Who’s lagging and why? • Why those peaks and valleys? 9 Ask the Questions • Scans are slowing down • App count increasing • Is it a tool capacity issue? or • Team spread too thin?

  10. Confidential and proprietary materials for authorized Verizon personnel and outside

    agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. © Verizon 2017, All Rights Reserved. Information contained herein is provided AS IS and subject to change without notice. All trademarks used herein are property of their respective owners. • Who’s introducing new issues? Why? • New issues vs. recurring similar issue types? • How long is it taking to remediate? 10 Release to Release Vulnerabilities Instant feedback promotes true accountability

  11. Confidential and proprietary materials for authorized Verizon personnel and outside

    agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. © Verizon 2017, All Rights Reserved. Information contained herein is provided AS IS and subject to change without notice. All trademarks used herein are property of their respective owners. Done with a Checklist vs. Thorough Coverage? 11 Dynamic Application Scanning Trust but Verify!

  12. Confidential and proprietary materials for authorized Verizon personnel and outside

    agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. © Verizon 2017, All Rights Reserved. Information contained herein is provided AS IS and subject to change without notice. All trademarks used herein are property of their respective owners. 1. ↘ Drill Down to zoom in on problematic area 2. ↗ Climb-up to find extent and scope of issue 12 Locate the Problem • Is it individual (training, accountability, tool…) • Manager (training, prioritization, focus, authority, accountability,…) • Application (technology, tools, process, …) • Organization (direction, priority, …)

  13. Confidential and proprietary materials for authorized Verizon personnel and outside

    agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. © Verizon 2017, All Rights Reserved. Information contained herein is provided AS IS and subject to change without notice. All trademarks used herein are property of their respective owners. • Talent Management & Individuals • Experience (Senior vs Junior) • Suitability of training material and delivery method (CBT vs. classroom vs. hands-on) • Applications & Roles • Who’s checking in code • Who’s managing • Who’s PM’ing • Capacity Planning • Which applications are properly resourced • Active vs. in-sustained engineering application 13 Other Things to Look at

  14. Confidential and proprietary materials for authorized Verizon personnel and outside

    agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. © Verizon 2017, All Rights Reserved. Information contained herein is provided AS IS and subject to change without notice. All trademarks used herein are property of their respective owners. ‘Succeed Together’ or ‘Fail Alone’ 14 Is Your IT Culture Promoting a: $$$

  15. Confidential and proprietary materials for authorized Verizon personnel and outside

    agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. © Verizon 2017, All Rights Reserved. Information contained herein is provided AS IS and subject to change without notice. All trademarks used herein are property of their respective owners. Ask the Questions 15 Final Thought, ….