Why Struggle? More Secure vs. Less Secure
Tool: System Diagrams
Wanna skip to Ninjas part?
1. Choose methodology
Technology-specific: OWASP
Task-specific: PTES
Domain-specific: OSSTMM
1 Security Ninja wasted. Continue [ y/N] _
Tool: Mindmap, brainstorm. Don’t read it all now – I made it for lols
Some Hack-o-sophy then?
*Technical expertise is required anyway
When are you? Understand their protocols
The enterprise runs hundreds of projects and processes when you “happen” to it
… and they are not going to stop for you
Plan – Identify & Analyze
Do – Develop Solution
Check – … and Improve Solution
Act – Implement Solution
You had better know their context
Tool: Deming cycle and whatever follows it: PMBOK, ITIL, ISO 9000
Pareto-ization: the benefit of hindsight
Proves correct over and over
Rarely used in planning
Tool: Pareto, Knapsack problem
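Added example (not from the talk) of the two planning tools the slide names, applied to a findings list: the Pareto cut picks the few items that carry most of the risk, the 0/1 knapsack picks what to fix or test within a person-day budget. The findings, risk scores and effort figures are constructed for illustration.

```python
"""Added example: Pareto cut and 0/1 knapsack over a constructed findings list.

risk   = constructed score for what is lost if the finding is exploited
effort = constructed person-days to fix (or to test further)
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    fid: str      # project-wide ID, reused in the report and the tracker
    risk: int
    effort: int


# Constructed sample data, not results from any real engagement.
FINDINGS = [
    Finding("F-01", 40, 5),
    Finding("F-02", 25, 2),
    Finding("F-03", 15, 1),
    Finding("F-04", 8, 4),
    Finding("F-05", 6, 3),
    Finding("F-06", 3, 1),
    Finding("F-07", 2, 2),
    Finding("F-08", 1, 1),
]


def pareto_cut(findings, share=0.8):
    """Smallest prefix, by descending risk, that covers `share` of total risk.

    The hindsight view: a handful of items carries most of the risk.
    Returned as IDs so it can be cross-referenced with other artifacts.
    """
    total = sum(f.risk for f in findings)
    covered, chosen = 0, []
    for f in sorted(findings, key=lambda f: f.risk, reverse=True):
        if covered >= share * total:
            break
        chosen.append(f.fid)
        covered += f.risk
    return chosen


def knapsack_plan(findings, budget):
    """0/1 knapsack: maximise risk addressed within `budget` person-days.

    Textbook DP over effort, O(n * budget). Returns (risk_addressed, ids).
    """
    n = len(findings)
    best = [[0] * (budget + 1) for _ in range(n + 1)]
    for i, f in enumerate(findings, start=1):
        for b in range(budget + 1):
            best[i][b] = best[i - 1][b]
            if f.effort <= b:
                cand = best[i - 1][b - f.effort] + f.risk
                if cand > best[i][b]:
                    best[i][b] = cand
    # Walk back through the table to recover which items were taken.
    chosen, b = [], budget
    for i in range(n, 0, -1):
        if best[i][b] != best[i - 1][b]:
            chosen.append(findings[i - 1].fid)
            b -= findings[i - 1].effort
    return best[n][budget], sorted(chosen)


if __name__ == "__main__":
    print("80% of risk sits in:", pareto_cut(FINDINGS))
    print("best use of 8 person-days:", knapsack_plan(FINDINGS, 8))
```

With the constructed numbers, three of eight findings carry 80% of the risk, and the knapsack with an 8-day budget lands on the same three; cut the budget to 6 days and it drops F-02 for F-03, which is the kind of trade-off a plan should show rather than a gut feeling.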
Log, don’t memorize
Work out logs and use in planning
Suggest Project/Teamwork Strategy
Waterfall – stages, WBS
Teamwork on components
Tasks are not assigned – they are taken
Scope change tolerance
Tool: WBS, T-Shirt estimate, Burndown
Broken communication – any project’s issue
Phone call – “I’ll call you back”
E-mail – ignored, maybe in spam?
Checklist – “too big, please e-mail”
Interview – “please send a checklist”
Discussion – “I will do it my way”
Tricks for communicating in and out
Appreciative Inquiry (5Ds)
Too sweet? Criticize!
Tool: Communications scenarios. It’s not always the same
“Fairytale” – section included in the editor’s cut
Other extremely effective communication tips
Don’t read, rewrite or annotate – review and analyze
Structure – what’s there, what’s not there
Is there any logic in the bundle?
How up-to-date are the documents?
Are the authors available for comments?
Tool: Structure schemes, Sequence Diagrams
Track and Log *
List of received documents
List of created documents for the project
UID * – use IDs across artifacts
IDs used by the customer are inconsistent… often
ID != UID: an IP is not a UID; a MAC – ?
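Added example (not the talk’s tooling) of the UID point in code: a project asset register that issues its own IDs and records every identifier the customer or a tool hands over as an alias. Only stable identifiers (asset tag, FQDN) may merge two observations into one asset; a MAC is trusted only when nothing stronger is in play; an IP is recorded but never identifies anything. The prefix, the normalisation rules and all observations are constructed for the example.

```python
"""Added example: asset register with project UIDs and alias resolution."""
import re
from dataclasses import dataclass, field


def norm_fqdn(name):
    """'DB01.CORP.EXAMPLE.' and 'db01.corp.example' are the same host."""
    return name.strip().rstrip(".").lower()


def norm_tag(tag):
    """Customer tags arrive as 'DB-01', 'db 01', 'DB_01'; collapse to 'DB01'."""
    return re.sub(r"[\s_\-]+", "", tag).upper()


@dataclass
class Asset:
    uid: str
    aliases: set = field(default_factory=set)    # (kind, value) pairs owned by this asset
    seen_in: list = field(default_factory=list)  # artifact IDs, for cross-referencing
    ips: set = field(default_factory=set)        # kept for the report, never used as identity


class Register:
    STRONG = ("tag", "fqdn")   # a match means the same asset
    WEAK = ("mac",)            # cloned VMs, NAT, spoofing: only a hint

    def __init__(self, prefix):
        self.prefix = prefix   # constructed, e.g. "PRJ"
        self.assets = {}       # uid -> Asset
        self.index = {}        # (kind, value) -> uid

    def observe(self, artifact_id, tag=None, fqdn=None, mac=None, ip=None):
        """Record one observation from one artifact; return the asset's UID."""
        keys = []
        if tag:
            keys.append(("tag", norm_tag(tag)))
        if fqdn:
            keys.append(("fqdn", norm_fqdn(fqdn)))
        if mac:
            keys.append(("mac", mac.lower().replace("-", ":")))

        strong = {self.index[k] for k in keys if k[0] in self.STRONG and k in self.index}
        if len(strong) > 1:
            raise ValueError(f"{artifact_id}: identifiers belong to different assets {sorted(strong)}")
        if strong:
            uid = strong.pop()
        else:
            weak = {self.index[k] for k in keys if k[0] in self.WEAK and k in self.index}
            carries_strong = any(k[0] in self.STRONG for k in keys)
            # A known MAC merges only when the observation brings no strong
            # identifier of its own: a cloned VM with a new FQDN stays a new asset.
            if len(weak) == 1 and not carries_strong:
                uid = weak.pop()
            else:
                uid = f"{self.prefix}-{len(self.assets) + 1:04d}"

        asset = self.assets.setdefault(uid, Asset(uid))
        for k in keys:
            if self.index.setdefault(k, uid) == uid:   # first owner of an alias keeps it
                asset.aliases.add(k)
        if ip:
            asset.ips.add(ip)
        asset.seen_in.append(artifact_id)
        return uid

    def crossref(self):
        """UID -> artifacts it appears in: the table every report section points back to."""
        return {uid: list(a.seen_in) for uid, a in sorted(self.assets.items())}


if __name__ == "__main__":
    r = Register("PRJ")
    r.observe("nmap-01", fqdn="db01.corp.example", ip="10.0.0.5", mac="00:11:22:33:44:55")
    r.observe("inventory.xlsx", tag="DB-01", fqdn="DB01.CORP.EXAMPLE.")
    r.observe("nmap-02", fqdn="web07.corp.example", ip="10.0.0.5")   # IP reused, different host
    print(r.crossref())
```

The same host seen by a scanner, in the customer’s spreadsheet and in an ARP dump resolves to one UID; a second host that later shows up on the same IP does not get merged into it, and two strong identifiers that already belong to different assets raise an error instead of silently picking one.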
Don’t stop halfway through:
Brainstorm, mindmap? Actions!
Tool: Affinity Diagram & workflow
Almost there? Report.Create
Outline first – don’t generate text
List items and give definitions
Structure and facts
Width/depth switching prototyping
Tool: Outline & Example first, WDS Prototype (am)
Data and trends visualization
Full description vs. screenshots/logs only
Boasting vulns vs. hugging problems
Hack slang vs. baby talk
Demonstrate. Communicate. Avoid
Tool: standard visualization tools in Excel/Calc etc. RTFM please!
Simple standard things. Use them right!
Even if you can explain it – it’s too much
Tool: No idea. shrooms??
Tool: Visualization Taxonomy (give it a look)
Powerful, complex, general tools for fast analysis and checking ideas. Don’t over-engineer
Tool: Grid analysis (services up/vulns found excel by am)
Got an idea? Prototype. Don’t over-engineer
Tool: treemap (for services vis by am)
Report.Automate – build your system
Store data (received/generated)
Edit, snippet taking
Manage and service
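Added example (not the talk’s tooling) of a minimal “build your own system” pipeline: findings and scan results are stored as records, boilerplate text lives in snippet templates keyed by finding class, and both the findings text and the host × service grid from the earlier “grid analysis” slide are rendered from the same data, with an ID consistency check before anything reaches the customer. Asset UIDs, finding IDs, services and snippet wording are all constructed for the example.

```python
"""Added example: store -> snippets -> render, with an ID check in between."""
from string import Template

# Constructed scan store: (asset UID, service, finding IDs observed on it).
SERVICES = [
    ("PRJ-0001", "22/ssh", []),
    ("PRJ-0001", "3306/mysql", ["F-02"]),
    ("PRJ-0002", "80/http", ["F-01", "F-03"]),
    ("PRJ-0002", "443/https", ["F-01"]),
    ("PRJ-0003", "22/ssh", ["F-04"]),
]

# Constructed findings store. `cls` picks the snippet; the other keys fill it in.
FINDINGS = {
    "F-01": dict(cls="sqli", asset="PRJ-0002", where="the q parameter of /search",
                 impact="read of the customers table"),
    "F-02": dict(cls="weak-auth", asset="PRJ-0001", where="3306/mysql",
                 impact="the root account with an empty password"),
    "F-03": dict(cls="weak-auth", asset="PRJ-0002", where="/admin",
                 impact="the vendor default password"),
    "F-04": dict(cls="weak-auth", asset="PRJ-0003", where="22/ssh",
                 impact="password authentication for root"),
}

# Snippets: written once, reused across reports; every $name must be supplied.
SNIPPETS = {
    "sqli": Template("$fid: SQL injection in $where on $asset allows $impact."),
    "weak-auth": Template("$fid: $where on $asset accepts $impact."),
}


def unknown_ids(services, findings):
    """IDs that appear in scan data but have no finding record: a tracking gap."""
    referenced = {fid for _, _, fids in services for fid in fids}
    return sorted(referenced - set(findings))


def service_grid(services):
    """Rows are assets, columns are services; a cell holds the number of
    findings on that service, '-' where the service was not seen on the asset."""
    hosts = sorted({h for h, _, _ in services})
    cols = sorted({s for _, s, _ in services})
    cell = {(h, s): len(fids) for h, s, fids in services}
    rows = [["asset"] + cols]
    for h in hosts:
        rows.append([h] + [str(cell[(h, s)]) if (h, s) in cell else "-" for s in cols])
    return rows


def render_grid(rows):
    """Fixed-width text table; the same rows go to Excel/Calc for the real chart."""
    widths = [max(len(r[i]) for r in rows) for i in range(len(rows[0]))]
    return "\n".join("  ".join(c.ljust(w) for c, w in zip(r, widths)) for r in rows)


def render_findings(findings, snippets):
    """One line per finding from its snippet. A missing field raises KeyError,
    which is exactly the check wanted before the text goes out."""
    lines = []
    for fid in sorted(findings):
        rec = dict(findings[fid])
        tmpl = snippets[rec.pop("cls")]
        lines.append(tmpl.substitute(fid=fid, **rec))
    return lines


def build_report(services, findings, snippets):
    gaps = unknown_ids(services, findings)
    if gaps:
        raise ValueError(f"scan data references unknown finding IDs: {gaps}")
    return "\n".join(["## Services and findings per asset",
                      render_grid(service_grid(services)),
                      "", "## Findings", *render_findings(findings, snippets)])


if __name__ == "__main__":
    print(build_report(SERVICES, FINDINGS, SNIPPETS))
```

Because the grid, the findings text and the ID check all read the same stores, a finding that exists only in a scan export, or a snippet with an unfilled placeholder, fails the build instead of surfacing in front of the customer.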
Report.Repeat – they think they are all the same?
Hurling results at “Them”
Pitches that should’ve made it but could as well fail:
SQLi up to RCE for any registered
Any scary words like XSS
Database vulnerability leads to
Critical vulnerability in AAA
Doh! You’re gonna get hacked
Master “their” language
Tool: MindTools.com for reference
Impact (Organization) analysis
That’s all, folks!
Philosophy and high-level concepts
Planning and management
Organize chaos and keep tracking
Craft tools and build Your own System
Interpret results for presentation
IT Security R&D Cooperation Worldwide
Russia – Europe - Americas – Asia
Alexey Kachalin, COO