How does an individual change the application security culture of an organization? By deploying an application security awareness program with engaging content, humor and recognition. See the blueprint for how you can build an application security awareness program based on real-life experience. Change the security DNA of everyone in your organization.
(Source: RSA USA 2016-San Francisco)
2. #RSAC My Commitment
- Explain security culture and application security awareness
- Provide the process for how to build your own application security awareness program
- Share knowledge, experience, and best practices for building application security awareness programs
3. What is Security Culture?
“What happens {with security} when people are left to their own devices.”
-- Tim Ferriss
5. What is Appsec Awareness?
General Security Awareness: Anti-Phishing, Password Security, Safe Social Networking, Physical Security, Social Engineering
Application Security Awareness: Mastering Security Concepts, Coding Securely, Performing Security Testing, Planning for Security
16. Define the problem
Our organization lacks:
- general application security knowledge
- appreciation for the evolving threat landscape
- experience with secure development practices and tools
- motivation to step up and improve security
20. Apply: Mission
- Define the problem as it exists in YOUR organization
- Assess YOUR security culture to determine how far you have to go
- Define what you are trying to accomplish (program objectives)
- Build a team of internal and external experts
30. Apply: Program Architecture
- Choose a theme that fits within the boundaries of YOUR organization
- Define your roles
- Determine:
  - the number of levels
  - what activities you will promote (if any)
  - your recognition philosophy and implementation
32. Curriculum Development Process
- Determine basic lessons
- Review existing content
- Search the product / service history
- Draft the content maps
- Argue extensively about content maps
- Gather community feedback and update
33. Level 1 Content Map
Security Fundamentals, Threat Landscape, Attacks & Attackers, OWASP Top 10, Secure Development Life Cycle, Security Myths, Cryptography, Secure Design Principles, Security Standards, Privacy
34. Level 2 Content Map -- Developer
Secure Coding with Java, XSS, Threat Modeling, Input Validation, SQL Injection, CSRF, Secure Code Review, Using OpenSSL, Attacks Against Human Engineers, Testing Web App Security
46. Apply: Humor & Metaphor
- Decide on your organization’s tolerance for humor: edgy to tame, where do you sit?
- Brainstorm ideas for security metaphors; bring your production team into the loop
51. Apply: Tools
- Decide how to model your theme and content in a catchy interface that engages your learners
- Study gamification principles and incorporate them (HINT: ask your kids!)
- Plan your dashboard: what is the hard-hitting information that will bring visibility to your program?