Upgrade to Pro — share decks privately, control downloads, hide ads and more …

AppSec Awareness: A Case Study in Security Cult...

Avatar for edgeroute edgeroute
December 07, 2016

AppSec Awareness: A Case Study in Security Culture Change

How does an individual change the application security culture of an organization? By deploying an application security awareness program with engaging content, humor, and recognition. See the blue print for how you can build an application security awareness program based on real life experience. Change the security DNA of everyone in your organization.

Avatar for edgeroute

edgeroute

December 07, 2016

More Decks by edgeroute

Other Decks in Technology

Transcript

  1. APPLICATION SECURITY AWARENESS: A CASE STUDY IN SECURITY CULTURE CHANGE

    CHRISTOPHER ROMEO CEO / PRINCIPAL CONSULTANT SECURITY JOURNEY @EDGEROUTE
  2. About Chris Romeo • CEO / Principal Consultant @ Security

    Journey • 20 years security experience, CISSP, CSSLP • 10 years at Cisco, leading the Cisco Security Ninja program & CSDL • Speaker at RSA, AppSec USA, AppSec EU, & ISC2 Security Congress • Co-host of the #AppSec PodCast @edgeroute Copyright © Security Journey, 2016
  3. Agenda ▪The Problem Space or why do we need application

    security? ▪Creating sustainable security culture ▪Application Security Awareness Copyright © Security Journey, 2016
  4. Benefits of Changing Security Culture 1.Everyone gains a foundational knowledge

    of #appsec and with minimal investment 2.Dev’s learn the detailed lessons of #appsec and avoid repeating history 3.Provides a defined mission through security activity 4.Central connection point for your new crop of security conscious
  5. Define the problem ▪ Our organizationlacks: – general application security

    knowledge – appreciation for the evolving threat landscape – experience with secure development practices and tools – motivation to improve security
  6. Design Decision #3: Roles Development ••SW Engineer ••Tester ••Manager ••HW

    Engineer Operations ••IT ••DevOps Internal ••Sales ••Marketing ••Executives Everyone
  7. Design Decision #4: Activities & Behaviors Build ••A security tool

    or process ••Partnerships ••Security community Enrich ••Mentor ••Teach a course ••Deliver presentations Explore ••Security issue analysis ••Security committee ••A vulnerable web app Implement ••A security feature ••A security test ••Security strategy
  8. Security Fundamentals Attacks & Attackers Simple SDL Security Myths Privacy

    & Customer Data Protection Security Business Case Level 1 Content Map
  9. Level 2 Content Map Web Dev OWASP Top 10 Secure

    Design Principles Secure Coding for JavaScript Attacking a Web Application Input Validation
  10. Copyright © Security Journey, 2016 Example Content: The Vulnerability Continuum

    1 2 3 Vulnerability – a weakness in a system, application, or network that is subject to exploitation or misuse Exploit – a program that allows attackers to automatically break into a system Attack – An attempt to gain unauthorized access
  11. Key Takeaways ▪ Vulnerabilities are real and everywhere ▪ Changing

    security culture… – Open their eyes (awareness) – Fill their brains (knowledge / history) – Task their hands (activity) ▪ A Programmatic Approach – Content – Humor / Story – Gamification
  12. Security White Belt Copyright © Security Journey, 2016 Fundamentals Attacks

    & Attackers Breached! Business Case Myths Threat Landscape: IoT, Cloud, Mobile Software Supply Chain Culture and Mindset Managing Resources Soft Skills Secure Development Lifecycle Privacy & Customer Data Protection Product Incident Response Knowledge Sources www.securityjourney.com