SlideShare una empresa de Scribd logo

Farewell to the Security Sandwich

Thoughtworks
Thoughtworks

While some are still recovering from treating security as a second-class citizen, the rise of agile and lean methodologies have opened a door for information security into software development with an opportunity to arrange security along the team's value stream. Teams that write secure software often do so because of the efforts of individuals. This talk dives into the mindset, tools, and ceremonies necessary to systematically create a culture around information security.

Software
1 de 14
Descargar para leer sin conexión
Farewell to the Security Sandwich Felix Hammerl
News comes first ... … then comes the shock 2013 20142012 2015 2016 146 days 99 days416 days 205 days
The Security Sandwich INCEPTION DEVELOPMENT GO-LIVE Security Requirements, Infrastructure Hardening, Compliance & Policies Iterative Agile Methodology, Insights, Pivots Perpetual Requirement Renegotiation Code Reviews, Penetration Testing Security assurance often gets lost somewhere along this path.
Everybody wants to be secure – but from what?
Calculus of Negligence Probability Criticality Exposure Used to quantify disaster scenarios. Useful for exposure. Not directly actionable.
Your job is to facilitate the business to operate in an as-assured-as-possible manner, given the actual mission of the business [and] [...] providing that context for people that aren’t security professionals as well as those that are: “Here’s how important this thing is in the grand scheme of things.” - Bruce Potter
Assets Valuable goods of physical or immaterial nature. Have value for both the organization and the attacker. Targets for both deliberate and negligent threats ● SECURITY GOALS Stem from business, legal, and regulatory contexts ● DISASTER SCENARIOS Result from security goals being violated. ● EXPOSURE Experience, analogy from events at competitors, or jurisdiction.
Where does security “happen”?
EPIC ASK Analysis Breaking down epics into stories Development Where stories become deliverables QA Where deliverables are reviewed Deployment Deliverables become functionality NEED WISH REQUEST NEED REQUEST DEMAND Discussions Verbalization of functionality EPICEPIC STORYSTORY SPIKE STORY STORY COMMIT COMMIT COMMIT COMMIT COMMIT BUGFIX COMMIT BUGFIX Requirements Molding needs into epics ISSUE TICKET DOCKER DOCKER DOCKER DOCKER DOCKER SERVICE SPIKE SERVICE SERVICE SERVICE BUG SERVICE DOCKER SERVICE SERVICE COMMITCOMMIT COMMIT COMMIT Path to Production
Which assets do we touch? Does this change our attack surface? How valuable are the assets? What (new) components touch the assets? How could we be attacked? What would be the impact? How? Mitigate? Identify? Protect? Detect? Respond? Recover? Transfer? Avoid? Accept? What are the alternatives? Keep a record of the security debt! ASSETS THREAT MODELING ACTIONS (+ PO) FOLLOW UP Analysis: Definition of Ready
Analysis: Threat Modeling Add security requirements as CFRs to stories and epics. SCENARIO-BASED Uses the team’s collective experience of the product to be developed. EXPLORATORY Analysis of a fictional disaster scenario back to the asset based on Attack Trees AGILE Timeboxed STRIDE exercises to analyze the delta in functionality from the current or next period, e.g. a sprint.
New vulnerabilities are continuously discovered Automate scanning your libraries, frameworks Vulnerabilities also exist in containers Automate scanning your containers Fix-forward Automate keeping them up to date Test and aggressively integrate releases DEPENDENCIES CVEs CONTAINERS Development: Ease through automation
VISUALIZE HEALTH Visualize and aggressively pay off tech debt Rotate firefighter role Collective ownership for the ugly code bits Log indexable data structures, not strings Inspect logs faster Correlate logs across systems Important real-world metrics at a glance Create shared responsibility for your system’s fitness to deliver value Understand when things go wrong Standard Operating Procedures Use alerting STRUCTURE & CORRELATE LOGS NOMINAL vs ERRONEOUS BEHAVIOR SHIFT SECURITY LEFT Live: Know your system
Felix Hammerl Thank you @felixhammerl

Recomendados

A holistic view_of_enterprise_security
A holistic view_of_enterprise_securityA holistic view_of_enterprise_security
A holistic view_of_enterprise_securityehawk01
 
Carbon Black: Justifying the Value of Endpoint Security
Carbon Black: Justifying the Value of Endpoint SecurityCarbon Black: Justifying the Value of Endpoint Security
Carbon Black: Justifying the Value of Endpoint SecurityMighty Guides, Inc.
 
Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US ...
Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US ...Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US ...
Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US ...David Etue
 
Fixing security in the cloud, you can't secure what you cannot see 11 oct2019
Fixing security in the cloud, you can't secure what you cannot see 11 oct2019Fixing security in the cloud, you can't secure what you cannot see 11 oct2019
Fixing security in the cloud, you can't secure what you cannot see 11 oct2019Eturnti Consulting Pvt Ltd
 
Cyber Security Management in a Highly Innovative World
Cyber Security Management in a Highly Innovative WorldCyber Security Management in a Highly Innovative World
Cyber Security Management in a Highly Innovative WorldSafeNet
 
Threat modeling (Hacker Stories) workshop
Threat modeling (Hacker Stories) workshopThreat modeling (Hacker Stories) workshop
Threat modeling (Hacker Stories) workshopTy Sbano
 
DevOpsDays Taipei 2019 - 新創導入資安?從 DevSecOps 開始
DevOpsDays Taipei 2019 - 新創導入資安?從 DevSecOps 開始DevOpsDays Taipei 2019 - 新創導入資安?從 DevSecOps 開始
DevOpsDays Taipei 2019 - 新創導入資安?從 DevSecOps 開始Secview
 
Keynote Session : NIST - Cyber Security Framework Measuring Security
Keynote Session : NIST - Cyber Security Framework Measuring SecurityKeynote Session : NIST - Cyber Security Framework Measuring Security
Keynote Session : NIST - Cyber Security Framework Measuring SecurityPriyanka Aash
 

Recomendados

A holistic view_of_enterprise_security
A holistic view_of_enterprise_securityA holistic view_of_enterprise_security
A holistic view_of_enterprise_securityehawk01
 
Carbon Black: Justifying the Value of Endpoint Security
Carbon Black: Justifying the Value of Endpoint SecurityCarbon Black: Justifying the Value of Endpoint Security
Carbon Black: Justifying the Value of Endpoint SecurityMighty Guides, Inc.
 
Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US ...
Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US ...Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US ...
Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US ...David Etue
 
Fixing security in the cloud, you can't secure what you cannot see 11 oct2019
Fixing security in the cloud, you can't secure what you cannot see 11 oct2019Fixing security in the cloud, you can't secure what you cannot see 11 oct2019
Fixing security in the cloud, you can't secure what you cannot see 11 oct2019Eturnti Consulting Pvt Ltd
 
Cyber Security Management in a Highly Innovative World
Cyber Security Management in a Highly Innovative WorldCyber Security Management in a Highly Innovative World
Cyber Security Management in a Highly Innovative WorldSafeNet
 
Threat modeling (Hacker Stories) workshop
Threat modeling (Hacker Stories) workshopThreat modeling (Hacker Stories) workshop
Threat modeling (Hacker Stories) workshopTy Sbano
 
DevOpsDays Taipei 2019 - 新創導入資安?從 DevSecOps 開始
DevOpsDays Taipei 2019 - 新創導入資安?從 DevSecOps 開始DevOpsDays Taipei 2019 - 新創導入資安?從 DevSecOps 開始
DevOpsDays Taipei 2019 - 新創導入資安?從 DevSecOps 開始Secview
 
Keynote Session : NIST - Cyber Security Framework Measuring Security
Keynote Session : NIST - Cyber Security Framework Measuring SecurityKeynote Session : NIST - Cyber Security Framework Measuring Security
Keynote Session : NIST - Cyber Security Framework Measuring SecurityPriyanka Aash
 
NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF) NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF) Priyanka Aash
 
The Rise of the Vulnerability Markets - History, Impacts, Mitigations - Thier...
The Rise of the Vulnerability Markets - History, Impacts, Mitigations - Thier...The Rise of the Vulnerability Markets - History, Impacts, Mitigations - Thier...
The Rise of the Vulnerability Markets - History, Impacts, Mitigations - Thier...Thierry Zoller
 
Proactive Security - Principled Aspiration or Marketing Buzzword?
Proactive Security - Principled Aspiration or Marketing Buzzword?Proactive Security - Principled Aspiration or Marketing Buzzword?
Proactive Security - Principled Aspiration or Marketing Buzzword?nathan816428
 
Tenable: Economic, Operational and Strategic Benefits of Security Framework A...
Tenable: Economic, Operational and Strategic Benefits of Security Framework A...Tenable: Economic, Operational and Strategic Benefits of Security Framework A...
Tenable: Economic, Operational and Strategic Benefits of Security Framework A...Mighty Guides, Inc.
 
WHY SOC Services needed?
WHY SOC Services needed?WHY SOC Services needed?
WHY SOC Services needed?manoharparakh
 
Responding to and recovering from sophisticated security attacks
Responding to and recovering from sophisticated security attacksResponding to and recovering from sophisticated security attacks
Responding to and recovering from sophisticated security attacksIBM
 
Shift Left Security – Guidance on embedding security for a Digital Transforma...
Shift Left Security – Guidance on embedding security for a Digital Transforma...Shift Left Security – Guidance on embedding security for a Digital Transforma...
Shift Left Security – Guidance on embedding security for a Digital Transforma...Yazad Khandhadia
 
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and MobilityNot Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and MobilitySafeNet
 
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout SessionSplunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout SessionSplunk
 
Justifying Security Investment
Justifying Security InvestmentJustifying Security Investment
Justifying Security InvestmentJojo Colina
 
Cyber Security Testing
Cyber Security TestingCyber Security Testing
Cyber Security TestingPECB
 
Cyber Security testing in an agile environment
Cyber Security testing in an agile environmentCyber Security testing in an agile environment
Cyber Security testing in an agile environmentArthur Donkers
 
Agile Relevance in the age of Continuous Everything ....
Agile Relevance in the age of Continuous Everything ....Agile Relevance in the age of Continuous Everything ....
Agile Relevance in the age of Continuous Everything ....Eturnti Consulting Pvt Ltd
 
REDUCING CYBER EXPOSURE From Cloud to Containers
REDUCING CYBER EXPOSURE From Cloud to ContainersREDUCING CYBER EXPOSURE From Cloud to Containers
REDUCING CYBER EXPOSURE From Cloud to Containersartseremis
 
Carbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down AttacksCarbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down AttacksMighty Guides, Inc.
 
Building Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT PracticesBuilding Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT PracticesMighty Guides, Inc.
 
The Future of Software Security Assurance
The Future of Software Security AssuranceThe Future of Software Security Assurance
The Future of Software Security AssuranceRafal Los
 
The Perils that PCI brings to Security
The Perils that PCI brings to SecurityThe Perils that PCI brings to Security
The Perils that PCI brings to SecurityTripwire
 
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply Chain
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply ChainSFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply Chain
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply ChainSouth Tyrol Free Software Conference
 
Zero Trust vs Defense in Depth
Zero Trust vs Defense in DepthZero Trust vs Defense in Depth
Zero Trust vs Defense in DepthCIO Talk Network
 
Design System as a Product
Design System as a ProductDesign System as a Product
Design System as a ProductThoughtworks
 
Designers, Developers & Dogs
Designers, Developers & DogsDesigners, Developers & Dogs
Designers, Developers & DogsThoughtworks
 

Más contenido relacionado

Similar a Farewell to the Security Sandwich

NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF) NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF) Priyanka Aash
 
The Rise of the Vulnerability Markets - History, Impacts, Mitigations - Thier...
The Rise of the Vulnerability Markets - History, Impacts, Mitigations - Thier...The Rise of the Vulnerability Markets - History, Impacts, Mitigations - Thier...
The Rise of the Vulnerability Markets - History, Impacts, Mitigations - Thier...Thierry Zoller
 
Proactive Security - Principled Aspiration or Marketing Buzzword?
Proactive Security - Principled Aspiration or Marketing Buzzword?Proactive Security - Principled Aspiration or Marketing Buzzword?
Proactive Security - Principled Aspiration or Marketing Buzzword?nathan816428
 
Tenable: Economic, Operational and Strategic Benefits of Security Framework A...
Tenable: Economic, Operational and Strategic Benefits of Security Framework A...Tenable: Economic, Operational and Strategic Benefits of Security Framework A...
Tenable: Economic, Operational and Strategic Benefits of Security Framework A...Mighty Guides, Inc.
 
WHY SOC Services needed?
WHY SOC Services needed?WHY SOC Services needed?
WHY SOC Services needed?manoharparakh
 
Responding to and recovering from sophisticated security attacks
Responding to and recovering from sophisticated security attacksResponding to and recovering from sophisticated security attacks
Responding to and recovering from sophisticated security attacksIBM
 
Shift Left Security – Guidance on embedding security for a Digital Transforma...
Shift Left Security – Guidance on embedding security for a Digital Transforma...Shift Left Security – Guidance on embedding security for a Digital Transforma...
Shift Left Security – Guidance on embedding security for a Digital Transforma...Yazad Khandhadia
 
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and MobilityNot Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and MobilitySafeNet
 
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout SessionSplunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout SessionSplunk
 
Justifying Security Investment
Justifying Security InvestmentJustifying Security Investment
Justifying Security InvestmentJojo Colina
 
Cyber Security Testing
Cyber Security TestingCyber Security Testing
Cyber Security TestingPECB
 
Cyber Security testing in an agile environment
Cyber Security testing in an agile environmentCyber Security testing in an agile environment
Cyber Security testing in an agile environmentArthur Donkers
 
Agile Relevance in the age of Continuous Everything ....
Agile Relevance in the age of Continuous Everything ....Agile Relevance in the age of Continuous Everything ....
Agile Relevance in the age of Continuous Everything ....Eturnti Consulting Pvt Ltd
 
REDUCING CYBER EXPOSURE From Cloud to Containers
REDUCING CYBER EXPOSURE From Cloud to ContainersREDUCING CYBER EXPOSURE From Cloud to Containers
REDUCING CYBER EXPOSURE From Cloud to Containersartseremis
 
Carbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down AttacksCarbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down AttacksMighty Guides, Inc.
 
Building Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT PracticesBuilding Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT PracticesMighty Guides, Inc.
 
The Future of Software Security Assurance
The Future of Software Security AssuranceThe Future of Software Security Assurance
The Future of Software Security AssuranceRafal Los
 
The Perils that PCI brings to Security
The Perils that PCI brings to SecurityThe Perils that PCI brings to Security
The Perils that PCI brings to SecurityTripwire
 
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply Chain
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply ChainSFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply Chain
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply ChainSouth Tyrol Free Software Conference
 
Zero Trust vs Defense in Depth
Zero Trust vs Defense in DepthZero Trust vs Defense in Depth
Zero Trust vs Defense in DepthCIO Talk Network
 

Similar a Farewell to the Security Sandwich (20)

NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF) NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF)
 
The Rise of the Vulnerability Markets - History, Impacts, Mitigations - Thier...
The Rise of the Vulnerability Markets - History, Impacts, Mitigations - Thier...The Rise of the Vulnerability Markets - History, Impacts, Mitigations - Thier...
The Rise of the Vulnerability Markets - History, Impacts, Mitigations - Thier...
 
Proactive Security - Principled Aspiration or Marketing Buzzword?
Proactive Security - Principled Aspiration or Marketing Buzzword?Proactive Security - Principled Aspiration or Marketing Buzzword?
Proactive Security - Principled Aspiration or Marketing Buzzword?
 
Tenable: Economic, Operational and Strategic Benefits of Security Framework A...
Tenable: Economic, Operational and Strategic Benefits of Security Framework A...Tenable: Economic, Operational and Strategic Benefits of Security Framework A...
Tenable: Economic, Operational and Strategic Benefits of Security Framework A...
 
WHY SOC Services needed?
WHY SOC Services needed?WHY SOC Services needed?
WHY SOC Services needed?
 
Responding to and recovering from sophisticated security attacks
Responding to and recovering from sophisticated security attacksResponding to and recovering from sophisticated security attacks
Responding to and recovering from sophisticated security attacks
 
Shift Left Security – Guidance on embedding security for a Digital Transforma...
Shift Left Security – Guidance on embedding security for a Digital Transforma...Shift Left Security – Guidance on embedding security for a Digital Transforma...
Shift Left Security – Guidance on embedding security for a Digital Transforma...
 
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and MobilityNot Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
 
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout SessionSplunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout Session
 
Justifying Security Investment
Justifying Security InvestmentJustifying Security Investment
Justifying Security Investment
 
Cyber Security Testing
Cyber Security TestingCyber Security Testing
Cyber Security Testing
 
Cyber Security testing in an agile environment
Cyber Security testing in an agile environmentCyber Security testing in an agile environment
Cyber Security testing in an agile environment
 
Agile Relevance in the age of Continuous Everything ....
Agile Relevance in the age of Continuous Everything ....Agile Relevance in the age of Continuous Everything ....
Agile Relevance in the age of Continuous Everything ....
 
REDUCING CYBER EXPOSURE From Cloud to Containers
REDUCING CYBER EXPOSURE From Cloud to ContainersREDUCING CYBER EXPOSURE From Cloud to Containers
REDUCING CYBER EXPOSURE From Cloud to Containers
 
Carbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down AttacksCarbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down Attacks
 
Building Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT PracticesBuilding Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT Practices
 
The Future of Software Security Assurance
The Future of Software Security AssuranceThe Future of Software Security Assurance
The Future of Software Security Assurance
 
The Perils that PCI brings to Security
The Perils that PCI brings to SecurityThe Perils that PCI brings to Security
The Perils that PCI brings to Security
 
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply Chain
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply ChainSFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply Chain
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply Chain
 
Zero Trust vs Defense in Depth
Zero Trust vs Defense in DepthZero Trust vs Defense in Depth
Zero Trust vs Defense in Depth
 

Más de Thoughtworks

Design System as a Product
Design System as a ProductDesign System as a Product
Design System as a ProductThoughtworks
 
Designers, Developers & Dogs
Designers, Developers & DogsDesigners, Developers & Dogs
Designers, Developers & DogsThoughtworks
 
Cloud-first for fast innovation
Cloud-first for fast innovationCloud-first for fast innovation
Cloud-first for fast innovationThoughtworks
 
More impact with flexible teams
More impact with flexible teamsMore impact with flexible teams
More impact with flexible teamsThoughtworks
 
Culture of Innovation
Culture of InnovationCulture of Innovation
Culture of InnovationThoughtworks
 
Developer Experience
Developer ExperienceDeveloper Experience
Developer ExperienceThoughtworks
 
When we design together
When we design togetherWhen we design together
When we design togetherThoughtworks
 
Hardware is hard(er)
Hardware is hard(er)Hardware is hard(er)
Hardware is hard(er)Thoughtworks
 
Customer-centric innovation enabled by cloud
Customer-centric innovation enabled by cloud Customer-centric innovation enabled by cloud
Customer-centric innovation enabled by cloudThoughtworks
 
Amazon's Culture of Innovation
Amazon's Culture of InnovationAmazon's Culture of Innovation
Amazon's Culture of InnovationThoughtworks
 
When in doubt, go live
When in doubt, go liveWhen in doubt, go live
When in doubt, go liveThoughtworks
 
Don't cross the Rubicon
Don't cross the RubiconDon't cross the Rubicon
Don't cross the RubiconThoughtworks
 
Your test coverage is a lie!
Your test coverage is a lie!Your test coverage is a lie!
Your test coverage is a lie!Thoughtworks
 
Docker container security
Docker container securityDocker container security
Docker container securityThoughtworks
 
Redefining the unit
Redefining the unitRedefining the unit
Redefining the unitThoughtworks
 
Technology Radar Webinar UK - Vol. 22
Technology Radar Webinar UK - Vol. 22Technology Radar Webinar UK - Vol. 22
Technology Radar Webinar UK - Vol. 22Thoughtworks
 
A Tribute to Turing
A Tribute to TuringA Tribute to Turing
A Tribute to TuringThoughtworks
 
Rsa maths worked out
Rsa maths worked outRsa maths worked out
Rsa maths worked outThoughtworks
 

Más de Thoughtworks (20)

Design System as a Product
Design System as a ProductDesign System as a Product
Design System as a Product
 
Designers, Developers & Dogs
Designers, Developers & DogsDesigners, Developers & Dogs
Designers, Developers & Dogs
 
Cloud-first for fast innovation
Cloud-first for fast innovationCloud-first for fast innovation
Cloud-first for fast innovation
 
More impact with flexible teams
More impact with flexible teamsMore impact with flexible teams
More impact with flexible teams
 
Culture of Innovation
Culture of InnovationCulture of Innovation
Culture of Innovation
 
Dual-Track Agile
Dual-Track AgileDual-Track Agile
Dual-Track Agile
 
Developer Experience
Developer ExperienceDeveloper Experience
Developer Experience
 
When we design together
When we design togetherWhen we design together
When we design together
 
Hardware is hard(er)
Hardware is hard(er)Hardware is hard(er)
Hardware is hard(er)
 
Customer-centric innovation enabled by cloud
Customer-centric innovation enabled by cloud Customer-centric innovation enabled by cloud
Customer-centric innovation enabled by cloud
 
Amazon's Culture of Innovation
Amazon's Culture of InnovationAmazon's Culture of Innovation
Amazon's Culture of Innovation
 
When in doubt, go live
When in doubt, go liveWhen in doubt, go live
When in doubt, go live
 
Don't cross the Rubicon
Don't cross the RubiconDon't cross the Rubicon
Don't cross the Rubicon
 
Error handling
Error handlingError handling
Error handling
 
Your test coverage is a lie!
Your test coverage is a lie!Your test coverage is a lie!
Your test coverage is a lie!
 
Docker container security
Docker container securityDocker container security
Docker container security
 
Redefining the unit
Redefining the unitRedefining the unit
Redefining the unit
 
Technology Radar Webinar UK - Vol. 22
Technology Radar Webinar UK - Vol. 22Technology Radar Webinar UK - Vol. 22
Technology Radar Webinar UK - Vol. 22
 
A Tribute to Turing
A Tribute to TuringA Tribute to Turing
A Tribute to Turing
 
Rsa maths worked out
Rsa maths worked outRsa maths worked out
Rsa maths worked out
 

Último

Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfDrew Moseley
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalLionel Briand
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...Akihiro Suda
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Matt Ray
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationBradBedford3
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
 
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Rob Geurden
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceBrainSell Technologies
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...confluent
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)jennyeacort
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf31events.com
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZABSYZ Inc
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Developmentvyaparkranti
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Angel Borroy López
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作qr0udbr0
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtimeandrehoraa
 

Último (20)

Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdf
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive Goal
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion Application
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZ
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Development
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 

Farewell to the Security Sandwich

  • 1. Farewell to the Security Sandwich Felix Hammerl
  • 2. News comes first ... … then comes the shock 2013 20142012 2015 2016 146 days 99 days416 days 205 days
  • 3. The Security Sandwich INCEPTION DEVELOPMENT GO-LIVE Security Requirements, Infrastructure Hardening, Compliance & Policies Iterative Agile Methodology, Insights, Pivots Perpetual Requirement Renegotiation Code Reviews, Penetration Testing Security assurance often gets lost somewhere along this path.
  • 4. Everybody wants to be secure – but from what?
  • 5. Calculus of Negligence Probability Criticality Exposure Used to quantify disaster scenarios. Useful for exposure. Not directly actionable.
  • 6. Your job is to facilitate the business to operate in an as-assured-as-possible manner, given the actual mission of the business [and] [...] providing that context for people that aren’t security professionals as well as those that are: “Here’s how important this thing is in the grand scheme of things.” - Bruce Potter
  • 7. Assets Valuable goods of physical or immaterial nature. Have value for both the organization and the attacker. Targets for both deliberate and negligent threats ● SECURITY GOALS Stem from business, legal, and regulatory contexts ● DISASTER SCENARIOS Result from security goals being violated. ● EXPOSURE Experience, analogy from events at competitors, or jurisdiction.
  • 9. EPIC ASK Analysis Breaking down epics into stories Development Where stories become deliverables QA Where deliverables are reviewed Deployment Deliverables become functionality NEED WISH REQUEST NEED REQUEST DEMAND Discussions Verbalization of functionality EPICEPIC STORYSTORY SPIKE STORY STORY COMMIT COMMIT COMMIT COMMIT COMMIT BUGFIX COMMIT BUGFIX Requirements Molding needs into epics ISSUE TICKET DOCKER DOCKER DOCKER DOCKER DOCKER SERVICE SPIKE SERVICE SERVICE SERVICE BUG SERVICE DOCKER SERVICE SERVICE COMMITCOMMIT COMMIT COMMIT Path to Production
  • 10. Which assets do we touch? Does this change our attack surface? How valuable are the assets? What (new) components touch the assets? How could we be attacked? What would be the impact? How? Mitigate? Identify? Protect? Detect? Respond? Recover? Transfer? Avoid? Accept? What are the alternatives? Keep a record of the security debt! ASSETS THREAT MODELING ACTIONS (+ PO) FOLLOW UP Analysis: Definition of Ready
  • 11. Analysis: Threat Modeling Add security requirements as CFRs to stories and epics. SCENARIO-BASED Uses the team’s collective experience of the product to be developed. EXPLORATORY Analysis of a fictional disaster scenario back to the asset based on Attack Trees AGILE Timeboxed STRIDE exercises to analyze the delta in functionality from the current or next period, e.g. a sprint.
  • 12. New vulnerabilities are continuously discovered Automate scanning your libraries, frameworks Vulnerabilities also exist in containers Automate scanning your containers Fix-forward Automate keeping them up to date Test and aggressively integrate releases DEPENDENCIES CVEs CONTAINERS Development: Ease through automation
  • 13. VISUALIZE HEALTH Visualize and aggressively pay off tech debt Rotate firefighter role Collective ownership for the ugly code bits Log indexable data structures, not strings Inspect logs faster Correlate logs across systems Important real-world metrics at a glance Create shared responsibility for your system’s fitness to deliver value Understand when things go wrong Standard Operating Procedures Use alerting STRUCTURE & CORRELATE LOGS NOMINAL vs ERRONEOUS BEHAVIOR SHIFT SECURITY LEFT Live: Know your system