
Security Differently - DevSecOps Days Austin 2019

Security Differently Session from DevSecOps Days Austin 2019

Published in: Software


  1. SECURITY DIFFERENTLY
  2. $WHOAMI
  3. WHY SECURITY DIFFERENTLY?
  4. SAFETY AND SECURITY HAVE A LOT IN COMMON
  5. SAFETY DIFFERENTLY ORIGINS "Safety differently is about relying on people's expertise, insights and the dignity of work as actually done to improve safety and efficiency. It is about halting or pushing back on the ever-expanding bureaucratization and compliance of work." -- Sidney Dekker
  6. "SECURITY DIFFERENTLY IS ABOUT RELYING ON PEOPLE'S EXPERTISE, INSIGHTS AND THE DIGNITY OF WORK AS ACTUALLY DONE TO IMPROVE SECURITY AND EFFICIENCY. IT IS ABOUT HALTING OR PUSHING BACK ON THE EVER-EXPANDING BUREAUCRATIZATION AND COMPLIANCE OF WORK."
  7. SECURITY CURRENTLY VS. SECURITY DIFFERENTLY
     Security Currently                           | Security Differently
     People are the source of problems            | People are the solution
     Tell them what to do (control & compliance)  | Ask them what they need (competency & common sense)
     Count absence of negative events             | Count presence of positives
  8. FACT: NO SYSTEM IS SECURE ON ITS OWN, IT REQUIRES HUMANS TO CREATE IT
  9. SECURITY CURRENTLY > Are we doing the things that really matter? > What is the best measurement of performance? > How much are we learning from our past performance? > How do we know when we're doing well?
  10. OUTCOMES ARE THE ULTIMATE MEASUREMENT OF EFFECTIVENESS
  11. WHY DO OUTAGES AND BREACHES SEEM TO BE HAPPENING MORE OFTEN?
  12. FLAWED UNDERSTANDING: OUR UNDERSTANDING OF OUR SYSTEMS
  13. SYSTEM ENGINEERING IS A MESSY AFFAIR
  14. COMPLEX SYSTEMS ARE CHALLENGING
  15. COMPLEX SYSTEMS TRAITS • Cascading failures • Difficult to determine boundaries • Difficult to model behavior • Dynamic network of multiplicity • May produce emergent phenomena • Relationships are non-linear • Relationships contain feedback loops
  16. EXAMPLES OF COMPLEX SYSTEMS • Global financial markets • Nation-state politics • Weather patterns • The human body • Bird patterns • Distributed computing systems (aka your systems)
  17. FACT: OUTAGES & BREACHES WILL CONTINUE TO GET WORSE
  18. UNLESS WE BEGIN THINKING DIFFERENTLY
  19. SOFTWARE HAS TAKEN OVER EVERYTHING
  20. AREAS OF POTENTIAL IMPROVEMENT
  21. ARCHITECTURE VS. ARCHINEERING
  22. "Scaffolding is never intended to be permanent" -- Dave Snowden
  23. ARCHITECTURE PATTERNS
  24. THREAT INTEL
  25. ALL THE INTEL FEEDS IN THE WORLD WON'T MEAN MUCH IF YOU DON'T HAVE YOUR HOUSE IN ORDER
  26. DECEPTION TECHNIQUES = MORE ATTACK SURFACE TO MANAGE
  27. AI/ML/DL/RL & QUANTUM ENTANGLEMENT WILL NOT MAGICALLY SOLVE YOUR PROBLEMS
  28. ARE YOU KIDDING ME?
  29. AI DOES NOT YET EXIST, JUST STOP
  30. SECURITY POLICIES
  31. IF THE SECURITY POLICIES AREN'T UNDERSTOOD, OR CAN'T BE EXPLAINED EFFECTIVELY BY SECURITY, HOW ARE ENGINEERS EXPECTED TO TRANSLATE THEM INTO A REAL-LIFE PRODUCT?
  32. RISK MANAGEMENT
  33. MEASUREMENT AND MANAGEMENT OF RISK IS FUNDAMENTALLY IN NEED OF CHANGE
  34. SOFTWARE HAS DISRUPTED OUR TRADITIONAL AND SUBJECTIVE METHODS OF IDENTIFYING, MEASURING AND MANAGING SYSTEM RISKS.
  35. NEW WAYS OF THINKING
  36. DEVOPS & DEVSECOPS ARE NOW THE NEW NORM
  37. SECURITY LOVES CHAOS ENGINEERING
  38. POSTMORTEMS = PREPARATION
  39. INCIDENT RESPONSE
  40. SOLUTIONS ARCHITECTURE
  41. CREATE OBJECTIVE FEEDBACK LOOPS ABOUT SECURITY EFFECTIVENESS
  42. FOCUS ON WHAT YOU HAVE THE ABILITY TO CONTROL
  43. RESILIENCE DOESN'T MEAN WHAT YOU THINK IT MEANS
  44. RESILIENCE != DR/BCP
  45. "Resilience is the ability of systems to prevent or adapt to changing conditions in order to maintain control over a system property... to ensure safety... and to avoid failure." -- Hollnagel, Woods, & Leveson
  46. FAILURE IS THE NORMAL CONDITION
  47. HUMANS AREN'T THE PROBLEM, THEY ARE THE SOLUTION
  48. ROOT CAUSES DON'T EXIST
  49. THE FIELD GUIDE TO 'HUMAN ERROR' INVESTIGATIONS BY SIDNEY DEKKER
  50. OLD VIEW > Human error is a cause of trouble > You need to find people's mistakes, bad judgements and inaccurate assessments > Complex systems are basically safe > Unreliable, erratic humans undermine system safety > Make systems safer by restricting the human contribution
  51. NEW VIEW > Human error is a symptom of deeper system trouble > Instead, understand how their assessments and actions made sense at the time; context matters > Complex systems are basically unsafe > Complex systems are tradeoffs between competing goals: safety vs. efficiency
  52. AUTOMATION ISN'T A MAGIC ANSWER
  53. FOCUS ON WHAT MATTERS MOST.
  54. VALUE CHAIN: AS A SECURITY PROFESSIONAL, CAN YOU CLEARLY ARTICULATE WHERE YOU SIT IN YOUR COMPANY'S VALUE CHAIN?
  55. DOES THE COMPANY EXIST TO DELIVER PRODUCTS AND SERVICES, OR EMPLOYEE DESKTOPS?
  56. EVERYONE MUST CODE
  57. GOING FORWARD, UNDERSTANDING HOW TO WRITE SOFTWARE IS A MUST FOR EVERYONE
  58. PYTHON IS A GOOD START, IT WAS ORIGINALLY DESIGNED FOR CHILDREN
  59. Everyone is responsible for the engineering, not just the security.
  60. THANK YOU AUSTIN!
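Slides 37 ("Security loves chaos engineering") and 41 ("Create objective feedback loops about security effectiveness") name the practice but the deck does not show one. The following is an added illustration, not code from the talk or the speaker: a minimal security chaos experiment. It injects a known-bad change (an admin port opened to the whole internet) into a constructed in-memory model of firewall rules, then records whether the detection logic fired, whether it produced a false positive on the clean baseline, and how long detection took. That record is a "presence of positives" measurement of the control, not a count of incidents. The group name, rules, port list and detector are all assumptions made for this example.

```python
"""Security chaos experiment with an objective feedback metric (added example).

Hypothesis under test: an internet-exposed admin port in a security group is
caught by our detection logic. The environment below is a constructed in-memory
model, not a real cloud API; every name and rule is an assumption for illustration.
"""
from dataclasses import dataclass, field
import ipaddress
import time


@dataclass
class Rule:
    """One inbound firewall rule (constructed sample data)."""
    port: int
    cidr: str
    proto: str = "tcp"


@dataclass
class SecurityGroup:
    name: str
    rules: list = field(default_factory=list)


def baseline_group() -> SecurityGroup:
    """Constructed steady state: SSH only from a private range, HTTPS from anywhere."""
    return SecurityGroup("web-tier", [
        Rule(22, "10.0.0.0/8"),
        Rule(443, "0.0.0.0/0"),
    ])


# Assumed list of ports that must never be reachable from the whole internet.
ADMIN_PORTS = {22, 3389, 5432, 3306, 6379}


def find_exposures(group: SecurityGroup) -> list:
    """Detection logic under test: admin ports reachable from 0.0.0.0/0 or ::/0."""
    findings = []
    for r in group.rules:
        net = ipaddress.ip_network(r.cidr, strict=False)
        world_open = net.prefixlen == 0  # a /0 covers every address
        if world_open and r.port in ADMIN_PORTS:
            findings.append(f"{group.name}: {r.proto}/{r.port} open to {r.cidr}")
    return findings


def inject_open_ssh(group: SecurityGroup) -> SecurityGroup:
    """The chaos injection: the misconfiguration we hypothesise will be caught."""
    group.rules.append(Rule(22, "0.0.0.0/0"))
    return group


def run_experiment(detector=find_exposures, injector=inject_open_ssh) -> dict:
    """Run control (clean baseline) then the injected condition; return an objective record.

    hypothesis_held is True only if the detector stayed quiet on the clean
    baseline (no false positive) and fired after the injection.
    """
    group = baseline_group()
    before = detector(group)  # control run on the untouched baseline
    injector(group)
    t0 = time.perf_counter()
    after = detector(group)
    elapsed = time.perf_counter() - t0
    return {
        "false_positive_before": bool(before),
        "detected_after": bool(after),
        "findings": after,
        "detect_seconds": elapsed,
        "hypothesis_held": not before and bool(after),
    }


def detector_that_misses(group: SecurityGroup) -> list:
    """A weak detector that only inspects the first rule; the experiment exposes it."""
    return find_exposures(SecurityGroup(group.name, group.rules[:1]))


if __name__ == "__main__":
    for name, det in [("rule-scanner", find_exposures), ("weak-scanner", detector_that_misses)]:
        result = run_experiment(detector=det)
        print(name, "hypothesis held:", result["hypothesis_held"], result["findings"])
```

The same harness can wrap a real injector and a real detector (a query against the cloud provider's API and the alerting system), in which case `detect_seconds` becomes the time-to-alert, which is the feedback loop slide 41 asks for.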
