While some are still recovering from treating security as a second-class citizen, the rise of agile and lean methodologies has opened a door for information security into software development, with an opportunity to arrange security along the team's value stream. Teams that write secure software often do so because of the efforts of individuals. This talk dives into the mindset, tools, and ceremonies necessary to systematically create a culture around information security.
5. Calculus of Negligence
Factors: probability, criticality, exposure.
Used to quantify disaster scenarios.
Useful for exposure.
Not directly actionable.
6. "Your job is to facilitate the business to operate in an as-assured-as-possible manner, given the actual mission of the business [and] [...] providing that context for people that aren't security professionals as well as those that are: 'Here's how important this thing is in the grand scheme of things.'"
- Bruce Potter
7. Assets
Valuable goods of physical or immaterial nature.
Have value for both the organization and the attacker.
Targets for both deliberate and negligent threats.
● SECURITY GOALS
Stem from business, legal, and regulatory contexts.
● DISASTER SCENARIOS
Result from security goals being violated.
● EXPOSURE
Experience, analogy from events at competitors, or jurisdiction.
9. Path to Production
[Diagram of the team's value stream; the artifact icons along it (asks, needs, wishes, requests, demands, epics, stories, spikes, commits, bugfixes, issues, tickets, Docker images, services, bugs) do not survive extraction.]
Discussions: verbalization of functionality.
Requirements: molding needs into epics.
Analysis: breaking down epics into stories.
Development: where stories become deliverables.
QA: where deliverables are reviewed.
Deployment: deliverables become functionality.
10. Analysis: Definition of Ready
ASSETS: Which assets do we touch? Does this change our attack surface? How valuable are the assets? What (new) components touch the assets?
THREAT MODELING: How could we be attacked? What would be the impact?
ACTIONS (+ PO): How? Mitigate? Identify? Protect? Detect? Respond? Recover? Transfer? Avoid? Accept? What are the alternatives?
FOLLOW UP: Keep a record of the security debt!
11. Analysis: Threat Modeling
Add security requirements as CFRs to stories and epics.
● SCENARIO-BASED: uses the team's collective experience of the product to be developed.
● EXPLORATORY: analysis of a fictional disaster scenario back to the asset, based on attack trees.
● AGILE: timeboxed STRIDE exercises to analyze the delta in functionality from the current or next period, e.g. a sprint.
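The exploratory approach on this slide (a fictional disaster scenario traced back to the asset through an attack tree) and the "calculus of negligence" factors from slide 5 can be kept as data next to the story. The following is an added example, not code from the deck or its author: the assets, scenarios, leaf probabilities, criticality and exposure values are all constructed, and scoring a scenario as probability times criticality times exposure is this example's own reading of slide 5, not a formula the deck states.

```python
"""Attack-tree evaluation and disaster-scenario ranking (added example).

Every asset, scenario and estimate here is constructed. The scoring rule
probability x criticality x exposure is an assumption made for this
example; the deck only names the three factors.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Node:
    """One node of an attack tree.

    A leaf carries the team's estimate that the attack step succeeds.
    An inner node combines its children: OR means any one child suffices,
    AND means every child is needed. Children are treated as independent,
    which is a simplification.
    """
    name: str
    probability: float = 0.0                 # leaf estimate in [0, 1]
    gate: Optional[str] = None               # "OR", "AND" or None for a leaf
    children: List["Node"] = field(default_factory=list)


def evaluate(node: Node) -> float:
    """Propagate success probability from the leaves up to this node."""
    if not node.children:
        return node.probability
    child_probs = [evaluate(child) for child in node.children]
    if node.gate == "AND":
        result = 1.0
        for p in child_probs:
            result *= p
        return result
    if node.gate == "OR":
        # P(at least one child succeeds) = 1 - P(all children fail)
        all_fail = 1.0
        for p in child_probs:
            all_fail *= 1.0 - p
        return 1.0 - all_fail
    raise ValueError(f"node {node.name!r} has children but no gate")


def most_likely_branch(node: Node) -> str:
    """Name the child of an OR node that contributes the most probability.

    That branch is where a mitigating security requirement (a CFR on the
    story) buys the most; the tree itself does not say what it should be.
    """
    if node.gate != "OR":
        raise ValueError("only meaningful for an OR node")
    return max(node.children, key=evaluate).name


@dataclass
class DisasterScenario:
    """A violated security goal, traced back to an asset via its attack tree."""
    name: str
    asset: str
    tree: Node
    criticality: int   # constructed 1..5 scale: impact if the scenario happens
    exposure: int      # constructed 1..5 scale: how reachable the asset is

    def score(self) -> float:
        return evaluate(self.tree) * self.criticality * self.exposure


def rank(scenarios: List[DisasterScenario]) -> List[DisasterScenario]:
    """Highest score first, for deciding what to follow up on."""
    return sorted(scenarios, key=lambda s: s.score(), reverse=True)


# Constructed scenarios for a fictional product; estimates are illustrative.
PII_DUMP = DisasterScenario(
    name="customer PII database dumped", asset="customer database",
    criticality=5, exposure=4,
    tree=Node("dump customer database", gate="OR", children=[
        Node("pivot via application credentials", gate="AND", children=[
            Node("obtain application DB credential", probability=0.3),
            Node("reach DB from the application network", probability=0.5),
        ]),
        Node("SQL injection in search endpoint", probability=0.2),
        Node("backup copied from a misconfigured bucket", probability=0.1),
    ]),
)

DEFACEMENT = DisasterScenario(
    name="public marketing site defaced", asset="marketing site",
    criticality=2, exposure=5,
    tree=Node("deface marketing site", gate="OR", children=[
        Node("vulnerable CMS plugin", probability=0.3),
        Node("weak CMS admin password", probability=0.2),
    ]),
)


if __name__ == "__main__":
    for s in rank([PII_DUMP, DEFACEMENT]):
        print(f"{s.score():5.2f}  {s.name}  (p={evaluate(s.tree):.3f}, "
              f"weakest branch: {most_likely_branch(s.tree)})")
```

With these constructed numbers the defacement scenario is the more probable one (0.44 against 0.388), yet the PII dump ranks first once criticality and exposure are applied, which is the point of slide 5: the factors quantify and order scenarios, but the actionable part is still the branch of the tree that the team decides to mitigate, accept or transfer.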
12. Development: Ease through automation
Themes: DEPENDENCIES, CVEs, CONTAINERS.
● New vulnerabilities are continuously discovered: automate scanning your libraries and frameworks.
● Vulnerabilities also exist in containers: automate scanning your containers.
● Fix forward: automate keeping them up to date; test and aggressively integrate releases.
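What "automate scanning your libraries" amounts to is matching each pinned version against advisory ranges and reporting the fix-forward target. The block below is an added example, not code from the deck and not any real scanner: the requirements file, the package names (acme-*) and the advisory records with EXAMPLE-* ids are constructed, the advisory shape (package, introduced, fixed) is this example's own, and version comparison is a plain dotted-integer compare rather than full PEP 440.

```python
"""Scan a pinned requirements file against advisory data (added example).

All packages, versions and advisories below are constructed; the ids are
placeholders, not real CVEs. Version compare is a simplification.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed requirements.txt; one line is deliberately left unpinned.
REQUIREMENTS = """\
# constructed requirements file
acme-http==2.25.1
acme-yaml==5.3.1   # hash lines omitted for brevity
acme-crypto>=3.0   # unpinned: the scanner cannot tell which version ships
acme-log==1.4.0
"""

# Constructed advisories: affected range is [introduced, fixed); fixed=None
# means no fixed release exists yet.
ADVISORIES: List[Dict[str, Optional[str]]] = [
    {"id": "EXAMPLE-0001", "package": "acme-http", "introduced": "2.0.0", "fixed": "2.26.0"},
    {"id": "EXAMPLE-0002", "package": "acme-yaml", "introduced": "0.0.0", "fixed": "5.4.0"},
    {"id": "EXAMPLE-0003", "package": "acme-log", "introduced": "1.0.0", "fixed": "1.2.0"},
    {"id": "EXAMPLE-0004", "package": "acme-http", "introduced": "2.26.0", "fixed": None},
]

PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*==\s*([0-9]+(?:\.[0-9]+)*)$")


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted integers only (assumption; real tooling uses PEP 440 parsing)."""
    return tuple(int(part) for part in v.split("."))


def parse_requirements(text: str) -> List[Tuple[str, Optional[str]]]:
    """Return (package, version) pairs; version is None when not pinned with ==."""
    result = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            result.append((m.group(1).lower(), m.group(2)))
        else:
            name = re.split(r"[<>=!~\s]", line, maxsplit=1)[0].lower()
            result.append((name, None))
    return result


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when version lies in the half-open range [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    if fixed is not None and v >= parse_version(fixed):
        return False
    return True


def scan(requirements: str, advisories: List[Dict[str, Optional[str]]]) -> List[dict]:
    """Match every pinned package against the advisory list.

    Unpinned packages are reported as findings too: a build that floats
    across versions cannot be scanned deterministically, and "fix forward"
    needs a known starting point.
    """
    findings = []
    for package, version in parse_requirements(requirements):
        if version is None:
            findings.append({"package": package, "version": None, "advisory": None,
                             "fix_forward": None, "reason": "unpinned"})
            continue
        for adv in advisories:
            if adv["package"] == package and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({"package": package, "version": version, "advisory": adv["id"],
                                 "fix_forward": adv["fixed"], "reason": "affected"})
    return findings


if __name__ == "__main__":
    for finding in scan(REQUIREMENTS, ADVISORIES):
        print(finding)
```

Run it and three findings come back: acme-http and acme-yaml sit inside an advisory range (each with the version to fix forward to), while acme-crypto is flagged only because it is unpinned; acme-log is already past its fix and EXAMPLE-0004 does not apply because its range starts above the pinned version. In a pipeline the same check runs on every commit, since the advisory feed changes even when the lockfile does not.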
13. Live: Know your system
Themes: VISUALIZE HEALTH, STRUCTURE & CORRELATE LOGS, NOMINAL vs ERRONEOUS BEHAVIOR, SHIFT SECURITY LEFT.
● Visualize and aggressively pay off tech debt.
● Rotate the firefighter role.
● Collective ownership for the ugly code bits.
● Log indexable data structures, not strings.
● Inspect logs faster.
● Correlate logs across systems.
● Important real-world metrics at a glance.
● Create shared responsibility for your system's fitness to deliver value.
● Understand when things go wrong.
● Standard operating procedures.
● Use alerting.
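Three of the points on this slide (log indexable structures rather than strings, correlate logs across systems, tell nominal from erroneous behavior and alert on it) fit in one small script. The following is an added example, not code from the deck: the two services, the JSON field names (ts, service, level, event, request_id, path, status), the sample lines and the thresholds are all constructed, and a real deployment would derive its baseline from measured nominal traffic rather than from constants.

```python
"""Parse structured logs, correlate them across services, flag non-nominal
behaviour (added example; every line, field name and threshold is constructed).
"""
import json
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample: one JSON object per line from two services that both
# propagate the same request_id. The last line is deliberately free text.
LOG_LINES = """\
{"ts":"2024-05-01T10:00:00Z","service":"gateway","level":"info","event":"request","request_id":"r1","path":"/orders","status":200}
{"ts":"2024-05-01T10:00:00Z","service":"orders","level":"info","event":"db_query","request_id":"r1","duration_ms":12}
{"ts":"2024-05-01T10:00:01Z","service":"gateway","level":"info","event":"request","request_id":"r2","path":"/orders","status":200}
{"ts":"2024-05-01T10:00:01Z","service":"orders","level":"info","event":"db_query","request_id":"r2","duration_ms":15}
{"ts":"2024-05-01T10:00:02Z","service":"gateway","level":"info","event":"request","request_id":"r3","path":"/admin/export","status":403}
{"ts":"2024-05-01T10:00:02Z","service":"gateway","level":"info","event":"request","request_id":"r4","path":"/admin/export","status":403}
{"ts":"2024-05-01T10:00:03Z","service":"gateway","level":"info","event":"request","request_id":"r5","path":"/admin/export","status":403}
{"ts":"2024-05-01T10:00:03Z","service":"orders","level":"error","event":"db_query","request_id":"r6","error":"timeout"}
{"ts":"2024-05-01T10:00:03Z","service":"gateway","level":"error","event":"request","request_id":"r6","path":"/orders","status":502}
May  1 10:00:04 orders[812]: worker restarted (free-text line, not indexable)
"""

# Constructed nominal baseline: what "normal" looks like for this system.
NOMINAL_ERROR_RATIO = 0.05      # fraction of events at level=error, per service
DENIED_BURST_THRESHOLD = 3      # 403 responses on one path within the sample

REQUIRED_FIELDS = ("ts", "service", "level", "event", "request_id")


def parse_structured(text: str) -> Tuple[List[dict], int]:
    """Parse JSON lines; return (events, number of lines dropped).

    Dropped lines are counted instead of silently ignored: a rising drop
    count is itself a sign that some component stopped logging structure.
    """
    events, dropped = [], 0
    for line in text.splitlines():
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            dropped += 1
            continue
        if not all(key in obj for key in REQUIRED_FIELDS):
            dropped += 1
            continue
        events.append(obj)
    return events, dropped


def by_request(events: List[dict]) -> Dict[str, List[dict]]:
    """Correlate events from all services by request_id, ordered by time."""
    grouped: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        grouped[e["request_id"]].append(e)
    for trace in grouped.values():
        trace.sort(key=lambda e: (e["ts"], e["service"]))
    return dict(grouped)


def detect(events: List[dict]) -> List[dict]:
    """Compare observed behaviour with the nominal baseline; return alerts."""
    alerts = []
    # Rule 1: a service's error ratio exceeds the nominal one.
    totals, errors = Counter(), Counter()
    for e in events:
        totals[e["service"]] += 1
        if e["level"] == "error":
            errors[e["service"]] += 1
    for service, total in totals.items():
        ratio = errors[service] / total
        if ratio > NOMINAL_ERROR_RATIO:
            alerts.append({"rule": "error_ratio", "service": service, "ratio": round(ratio, 3)})
    # Rule 2: a burst of access-denied responses on a single path.
    denied = Counter(e["path"] for e in events if e.get("status") == 403)
    for path, count in denied.items():
        if count >= DENIED_BURST_THRESHOLD:
            alerts.append({"rule": "denied_burst", "path": path, "count": count})
    return alerts


def run(text: str = LOG_LINES) -> Tuple[List[dict], int, Dict[str, List[dict]]]:
    """Convenience entry point: (alerts, dropped line count, traces by request)."""
    events, dropped = parse_structured(text)
    return detect(events), dropped, by_request(events)


if __name__ == "__main__":
    alerts, dropped, traces = run()
    print(f"dropped {dropped} unstructured line(s)")
    for step in traces["r6"]:       # the failed request, seen from both services
        print(step["ts"], step["service"], step["event"], step.get("error") or step.get("status"))
    for alert in alerts:
        print("ALERT", alert)
```

Because every field is a key rather than a substring, correlating request r6 across the gateway and the orders service is a dictionary lookup, and the two detection rules are counts over fields rather than regular expressions over free text; the one free-text line in the sample is exactly the kind of record that cannot be indexed or correlated, so it is counted and reported rather than parsed.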