Building Security Through Culture (Craft Conf - Budapest 2016)

Rich Smith
April 29, 2016


A talk given at Craft Conf 2016 in Budapest by myself and Destiny Montague (@thisiscarlsagan). It discusses developing security culture in an organisation and some of the lessons learnt in pursuing this at Etsy.


Transcript

  1. 1.

    Building Security Through Culture
    DESTINY MONTAGUE - @THISISCARLSAGAN
    RICH SMITH - @IODBOI
  2. 2.

    What are we talking about today?
    • Security Culture
    • Areas that security teams & the security industry get wrong
    • People are as important as tech for effective security
    • Share Destiny’s specific experience of security at Etsy
    • Things we’ve learnt on our security culture journey at Etsy
    • Ultimately, as developers, how you can work better with security
  3. 3.

    $ alias whoarewe="whoami"

    Destiny Montague (@thisiscarlsagan)
    • Security Engineer at Etsy
    • Co-Founder of Etsy’s Device Lab
    • 15+ years in IT
    • Background in liberal arts
    • Problem-solving & fixing
    • Hardware & software support
    • Creativity is essential
    • Play in several bands
    • Make jewelry

    Rich Smith (@iodboi)
    • Director of Security at Etsy
    • Co-Founder of Syndis, Reykjavík Iceland
    • 15+ years in the security industry
    • Background in breaking not building
    • Pen-testing, Red Teaming, Attack Sim
    • Vulnerability research, Exploit development
    • Attack framework & tooling
    • Lots of Sec Architecture & logical flaw finding
  4. 5.

    Etsy is a global marketplace where people around the world connect, both online and offline, to make, sell and buy unique goods.
  5. 6.

    By the Numbers
    • 1.6M active sellers (as of December 31, 2015)
    • 24M active buyers (as of December 31, 2015)
    • $2.39B annual GMS (in 2015)
    • 35+M items for sale (as of December 31, 2015)
    • 819 employees around the world (as of December 31, 2015)
    • 9 offices in 7 countries (as of December 31, 2015)
    • 51% female employees, 49% male (as of December 31, 2015)
    • 86% feel connected to the company and to each other (as of 2014)
  6. 11.

    Information security: the set of requirements that arise at the intersection of technology and society
  7. 13.

    From this simple picture it’s easy to see that people need to be considered alongside technology when thinking about security
  8. 14.

    Security Ego
    It doesn’t diminish your security street cred to value people as much as technology; it means you will have greater impact and effectiveness. You have more tools to work with.
  9. 17.

    …and maybe breaking down silos - but that’s just really different words for Communication & Collaboration
  10. 18.
  11. 19.

    We shouldn’t need to make up a special word for ‘Doing Our Jobs Properly’
  12. 23.

    When we say DevOps let’s understand what we really mean, that is we are mindfully using Communication & Collaboration to do our roles the best we can
  13. 24.

    Bonus Points
    Also realise that Communication & Collaboration are symmetric - they require effort from all parties to actually succeed
  14. 25.

    In particular we need to recognize that Communication & Collaboration are critical to building a positive security culture
  15. 26.

    Unfortunately Communication & Collaboration is something that many security teams are not very good at, which makes building a security culture hard
  16. 27.

    And building - and maintaining - a strong security culture is required to build an effective security organization
  17. 28.

    What is Security Culture?
    ‘Culture includes a set of shared values, goals & principles that guides the behaviors, activities, priorities and decisions of a group of people working towards a common objective’
    Karl Wiegers - Creating a Software Engineering Culture
    (Photo by Emily Andrews)
  18. 29.

    ‘The time when a single person or team can be responsible for an organisation’s security is long over…’
    Laura Bell
  19. 36.

    Security as a Blocker
    • Lazy or just plain bad security teams default to blocking
    • In a fast, agile, Continuous Deployment world blocking makes you a NOP
    • You will be ignored and you will be circumvented
    • No’s are a finite resource, use them wisely
    • `sed 's/no/yes but/g'`
  20. 38.

    ‘A security team that is left out of the process is worse than no security team at all’
    Ben Hughes - earlier this week at Delivery of Things World in Berlin
  21. 40.

    Security as an Enabler
    • Support teams to do their new crazy ideas (securely!)
    • Chase solutions to difficult problems
    • If your security engineers don’t like solving hard problems you have the wrong ones
    • Helping people to solve their problems incentivises them to engage you
  22. 41.
  23. 45.
  24. 46.
  25. 47.

    Diagram: overlapping concerns of Corp IT, Security and the Device Lab - keep proprietary data secure, restrict ability to alter OS/software, RFID tagging, passcode lock, prevent theft, secure access to production data, ability to remotely lock/wipe, MDM… omg wut?
  26. 48.
  27. 54.

    Security Team Hiring
    • A successful security culture needs the security team involved in the process 100%
    • Again think in terms of Communication & Collaboration
    • Don’t expect your recruiters to understand all the nuances
    • Initial outreach from you is more genuine and carries more weight
    • Better at evaluating both for accomplishments & approach - cultural fit
    • Remove silos - but closing still needed (Hint: they are better at it than you!)
  28. 59.

    3 Principles of Effective Security - Transparent, Enabling, Blameless
    Enabling: a security team’s success should be measured by what they enable, not by what they block
  29. 60.

    3 Principles of Effective Security - Transparent, Enabling, Blameless
    Transparent: a security team that is open as to what it does and why spreads understanding and is embraced
  30. 61.

    3 Principles of Effective Security - Transparent, Enabling, Blameless
    Blameless: security failures will happen; only without blame will you understand true causes & learn
  31. 62.

    Security Outreach
    ‘Sociable conversation is the inevitable product of socializing. Sociable conversation is the way that human beings establish trusted relationships among themselves’
    Cory Doctorow - Information Doesn’t Want to Be Free
    (Photo by Emily Andrews)
  32. 63.

    Security Outreach
    • Outreach is distinct from Education
    • Outreach focuses on relationship building
    • Remove barriers
    • Reduce intimidation
    • Can be as simple as footing the bill for cake, donuts or beer!
    • Assign budget to this, it will be some of the best security ROI you see
  33. 64.

    Bootcamps & Rotations
    • Have people come and ‘bootcamp’ with your security team
    • Embraces transparency
    • No better way to provide insight into the day-to-day of security
    • Builds strong personal relationships
    • Seeds Champions back out to the organization…
  34. 65.

    Champions
    • Champions are friends & allies of the security team
    • Champions help enable you to:
      • Build strong links into teams across the organization
      • Organically share security knowledge & awareness
      • Lower the barrier to interaction with the security team
      • Scale a security team without direct hiring
  35. 66.

    Securgonomics /səˈkyo͝or ɡəˈnämiks/ noun
    • The study of the efficiency of people’s security interactions in their working environment
    • Security teams often lock themselves away in special rooms
    • Focus on being accessible & visible to everyone, it’s invaluable
    • Lowers the barrier to interact with security IRL
    • Sit in the busiest part of the office you can
    • Have security dashboards front and centre
  36. 67.

    Gummi bears are the way to your developers’ hearts… Security Candy!
    • Biggest source of security pod ‘drive bys’
    • IRC bot commands so people can see what’s in stock
    • Bootcamp project
  37. 69.

    Questions you can ask about your org’s security org
    • When you walk around the office do people voluntarily interact with you?
    • How often do you proactively include security in your project?
    • Do you grow your security team with internal hires?
    • Do you scale your security efforts with champions?
    • Is security seen as enabling or blocking?
    • Recognition - how often does Thank You come to or from the security team?
    • Does security have buy-in from the very top?
    • Is humble a word in the security team’s vocabulary? How often is it used?
  38. 70.
  39. 71.

    Teşekkür ederim! / Thank you!
    DESTINY MONTAGUE - @THISISCARLSAGAN
    RICH SMITH - @IODBOI