Building Security Teams
whotheheckami
● @astera
● Director of Security at SoundCloud
● Net/infra/app security, user auth*, anti-abuse, corp IT
● Total 250 employees
● 130 in engineering
● 13 part of the Security org
“Security is not a team.”
2 friends in your garage
12-people start-up
80 people, investors, partners...
(Diagram: Security within Systems Engineering, Traffic Engineering and Product Engineering, alongside the Security Team)
Aspects of Security
● Network security
● Infrastructure security
● Application security
● Product security
● Data security
● User safety
● Contractual obligations
● Legal compliance
● Risk management
Who do you hire?
… and where from??
● Academic background
● Security researchers
● Pentesters
● Consultants
● Security community
● …
● Internal hires
You Hire for Your Needs
Understand the business risk, and how much you are willing to invest.
You Hire for Your Needs
and for the organization you want to be a part of
● Empathy
● Passion
● Smarts != 0day
● Service-orientedness
● Culture adds
● Self-awareness
Connecting Your Team
with the Rest of the Organization
Connect with the organization
Make security, adversarial thinking, and the
care for users’ data and privacy part of everyone’s concern.
● Risk reviews
● Code reviews
● Team partnerships
● Security-informed KPIs
● Defined accountabilities
● Education
● Evangelism
● No FUD
Educate
● Everything starts with onboarding
● Tell everyone about the services you provide to them
● Curate top-notch documentation, publish advisories, and have
achievable policies
● Nurture a culture of great post-mortems
● Recommend further educational resources
● Teach adversarial thinking
● Encourage them to partake in your bug bounty program
Build a Path of Least Resistance
● Give concrete guidance on code reviews and production-readiness
● Integrate Static Code Analysis in Continuous Integration
● Warn about high-risk area changes
● Continuously run tests against business-critical security failures
● Give other teams access to visibility tools
● Offer internal and external code audits
● Build carrots, not sticks
Maslow’s Pyramid of Code Review
(after Charles-Axel Dein)
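The "Warn about high-risk area changes" item above, worked through as an added example (not SoundCloud's tooling): a small check that a CI job can run over the files changed in a pull request, matching them against security-sensitive areas and leaving a warning rather than failing the build. The area patterns, their reasons and the sample list of changed files are constructed for this illustration.

```python
"""Warn when a change touches a high-risk area of the code base.

Added illustration for the "Warn about high-risk area changes" idea; it is
not SoundCloud's tooling. The area patterns, reasons and the sample list of
changed files are all constructed for this example.
"""
import fnmatch
import sys

# Constructed policy: glob pattern ('**' spans directories) -> why the area is
# sensitive. In practice this would live next to CODEOWNERS and be curated by
# the security team together with the teams that own the code.
HIGH_RISK_AREAS = {
    "auth/**": "authentication and session handling",
    "**/crypto/**": "cryptographic primitives and key handling",
    "billing/**": "payment processing",
    "infra/iam/*.tf": "cloud IAM policies (infrastructure as code)",
    "**/migrations/*.sql": "schema migrations touching stored user data",
}


def glob_match(path: str, pattern: str) -> bool:
    """Match a slash-separated path against a glob in which '**' matches any
    number of directories and every other segment is a single-segment fnmatch
    glob ('*' never crosses a '/')."""
    return _match_segments(path.split("/"), pattern.split("/"))


def _match_segments(parts: list, pats: list) -> bool:
    if not pats:
        return not parts
    head, rest = pats[0], pats[1:]
    if head == "**":
        # '**' may swallow zero or more leading path segments
        return any(_match_segments(parts[i:], rest) for i in range(len(parts) + 1))
    if not parts or not fnmatch.fnmatchcase(parts[0], head):
        return False
    return _match_segments(parts[1:], rest)


def review_changes(changed_paths, areas=HIGH_RISK_AREAS) -> dict:
    """Return {path: [reason, ...]} for every changed file inside a high-risk area."""
    findings = {}
    for path in changed_paths:
        reasons = [why for pattern, why in areas.items() if glob_match(path, pattern)]
        if reasons:
            findings[path] = reasons
    return findings


def format_warning(findings: dict) -> str:
    """Human-readable note for the pull request; it nudges rather than blocks."""
    if not findings:
        return "No high-risk areas touched."
    lines = ["Heads-up: this change touches areas that get a security review:"]
    for path, reasons in sorted(findings.items()):
        lines.append(f"  {path}: {'; '.join(reasons)}")
    lines.append("Please add the security team as a reviewer (a warning, not a blocker).")
    return "\n".join(lines)


# Constructed list of files changed in a hypothetical pull request.
SAMPLE_CHANGED_FILES = [
    "auth/session.py",
    "docs/README.md",
    "lib/crypto/hkdf.py",
    "infra/iam/roles.tf",
    "services/users/migrations/0042_add_email.sql",
    "frontend/src/player.js",
]

if __name__ == "__main__":
    # Paths on the command line (e.g. the output of `git diff --name-only`),
    # otherwise the constructed sample. Always exits 0: carrots, not sticks.
    paths = sys.argv[1:] or SAMPLE_CHANGED_FILES
    print(format_warning(review_changes(paths)))
```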
Saying Yes
Communication
How to feel comfortable with saying ‘Yes’
● Before thinking “OMG”, get all the information
● Understand both risks and benefits of a solution for the business from
their point of view - they’re the experts on their products
● Don’t jump to the What: Tell a good story about Why, in their language
● Make it easy to communicate and compare risks and/or cost
● Change the nature of the conversation, organization-wide
● No blame, no shame
● It’s all about impact
Building the Right Thing,
at the Right Time
The Challenges
● There’s never enough time!
● Security teams’ tasks are often highly operational, easily leading to
employee burnout
● Everything constantly changes
● There’s a new team working on a new service every other new week
● Auditing itself doesn’t secure anything
● KPIs are hard
● Law is hard
● That’s definitely not all of them, but I’m running out of space here...
Some Solutions
● Give your team a purpose that is worthwhile
● As a team, prioritize. Then, prioritize again.
● Dedicate time for research as much as for addressing tech debt
● Work on one (1!) thing at a time
● Automate, automate, automate, iterate…
● Know when shit is hitting the fan, vs. when the house is burning down
● Cherish how quickly bug fixes can be deployed through CI/CD/IAC
● Schedule end-of-month wrap-ups with your team
Solutions Outside of Your Team
● Teach leadership to ask the right questions
● Curate a risk matrix, with them
● Make sure security has a seat at any table where strategy is discussed
● Ask teams to rate their own risk stance, data classification level, etc.
● Let every team own their DFDs and threat models, and keep them as
artifacts others can learn from
Measuring Success
… and making teams happy, healthy, and sustainable
● Key Performance vs. Risk Indicators
● The Net Promoter Score
● You might start with…
○ Number of security incidents above threat score x, MoM
○ % of logging coverage (prioritize according to your top risks)
○ % of staff trained
● And then aim at…
○ % of test coverage
○ % of vulnerabilities discovered during testing
○ Mean Time To Detect
○ Mean Time To Repair
○ % of outage due to security incidents
○ Visualizing risk reduction
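The starting and follow-on indicators above (incidents above a threat score, month over month; Mean Time To Detect; Mean Time To Repair; share of outage due to security incidents), computed from incident records as an added example, not SoundCloud's reporting code. The definitions are assumptions: time to detect runs from the incident's true start (as established in the post-mortem) to detection, time to repair from detection to the fix being live, and the incident records and threat-score scale are constructed.

```python
"""Compute the starting security KPIs from incident records.

Added illustration, not SoundCloud's reporting code. Assumed definitions:
time to detect = true start (post-mortem finding) -> detection;
time to repair = detection -> fix live. All incident records are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Incident:
    id: str
    started: datetime       # when the problem actually began (post-mortem finding)
    detected: datetime      # when the team first knew
    resolved: datetime      # when the fix was live in production
    threat_score: int       # 1..10 from the shared risk matrix (constructed scale)
    outage_minutes: int     # user-facing downtime attributed to this incident


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample records covering two months.
SAMPLE_INCIDENTS = [
    Incident("inc-1", _t("2024-03-01T08:00"), _t("2024-03-01T10:00"), _t("2024-03-01T14:00"), 7, 30),
    Incident("inc-2", _t("2024-03-10T00:00"), _t("2024-03-12T00:00"), _t("2024-03-12T06:00"), 4, 0),
    Incident("inc-3", _t("2024-04-02T09:00"), _t("2024-04-02T09:30"), _t("2024-04-02T11:30"), 8, 90),
    Incident("inc-4", _t("2024-04-15T12:00"), _t("2024-04-15T13:00"), _t("2024-04-16T13:00"), 9, 0),
]


def _mean(deltas) -> timedelta:
    deltas = list(deltas)
    if not deltas:
        raise ValueError("no incidents in this period")
    return timedelta(seconds=sum(d.total_seconds() for d in deltas) / len(deltas))


def mean_time_to_detect(incidents) -> timedelta:
    return _mean(i.detected - i.started for i in incidents)


def mean_time_to_repair(incidents) -> timedelta:
    return _mean(i.resolved - i.detected for i in incidents)


def incidents_above(incidents, threshold: int) -> Counter:
    """Incidents with threat_score above the threshold, bucketed by month of detection.
    Months with no qualifying incident do not appear in the result."""
    return Counter(i.detected.strftime("%Y-%m") for i in incidents if i.threat_score > threshold)


def month_over_month(counts) -> dict:
    """Change in count versus the previous reported month (None for the first month)."""
    months = sorted(counts)
    return {m: (None if k == 0 else counts[m] - counts[months[k - 1]]) for k, m in enumerate(months)}


def outage_share(incidents, total_outage_minutes: int) -> float:
    """Fraction of all outage minutes (from every cause) attributed to security incidents."""
    if total_outage_minutes <= 0:
        raise ValueError("total outage must be positive")
    return sum(i.outage_minutes for i in incidents) / total_outage_minutes


if __name__ == "__main__":
    above = incidents_above(SAMPLE_INCIDENTS, threshold=5)
    print("MTTD:", mean_time_to_detect(SAMPLE_INCIDENTS))
    print("MTTR:", mean_time_to_repair(SAMPLE_INCIDENTS))
    print("Incidents with threat score > 5, MoM:", month_over_month(above))
    print(f"Outage due to security incidents: {outage_share(SAMPLE_INCIDENTS, 600):.0%}")
```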
Thank y’all
I would’ve had nothing to talk about here if it wasn’t for...
● everyone on my teams, present and past - you teach me something
new every day!
● @zanelackey
● @benjammingh
● @mousemke
● AG
Safety first!
astera@soundcloud.com | security@soundcloud.com