Abuser stories: how we embedded a security mindset within our business - Jim van der Waal - Codemotion Amsterdam 2018
•Download as PPTX, PDF•
0 likes•263 views
How do you cope with the growth of security risks? Providing your IT teams with the right tools is one thing, but new features start way before it reaches the development phase. So how do you make security a responsibility of everyone? In this talk I will tell the strategy of bol.com, and the way we tried to cope with it in a fun way. Where in the latest stage we taught this mindset to our business by introducing the concept of "Abuser Stories". Instead of reasoning how a customer would use your feature, think about how someone would abuse it. As a hacker, I want.., So that...!
Recommended
Recommended
More Related Content
Similar to Abuser stories: how we embedded a security mindset within our business - Jim van der Waal - Codemotion Amsterdam 2018
Similar to Abuser stories: how we embedded a security mindset within our business - Jim van der Waal - Codemotion Amsterdam 2018 (20)
More from Codemotion
More from Codemotion (20)
Recently uploaded
Recently uploaded (20)
Abuser stories: how we embedded a security mindset within our business - Jim van der Waal - Codemotion Amsterdam 2018
- 1. Abuser Stories Jim van der Waal AMSTERDAM | MAY 8-9, 2018
- 2. Abuser Stories How we embedded a security mindset within our company 2
- 3. The last 4 years Me @ bol.com •Information Analyst •Scrum Master •IT Project Manager •Product Owner 3
- 4. The shop for everyone 4
- 5. 5 Where is bol.com now? > €1.5 billion in revenue > 95% brand awareness > 100.000 orders per day
- 6. IT-Security @ bol.com Creating one big security team 6
- 7. IT-Security Operations Development Its all about ownership 7 The Security Team IT-Security Operations Development
- 8. IT-Security Operations Development IT-Security Operations Development Its all about ownership 8 The Security Team
- 9. IT-Security Operations Development IT-Security Operations Development Its all about ownership 9 The Security Team
- 10. IT-Security Operations Development IT-Security Operations Development Its all about ownership 10 The Security Team Development Testing Engineers Testers
- 11. IT-Security Operations Development IT-Security Operations DevelopmentProduct Owners Analysts Its all about ownership 11 The Security Team 11 Business Analysis Information Analysis Development Testing Business Product Own Information Engineers Testers
- 12. As a successful strategy 12 Thinking like a hacker
- 13. Abuser Stories Thinking like a hacker 13
- 14. Developers write code, analysts write user stories. Hackers write hacks, analysts write abuser stories. 14
- 15. 15 User stories
- 16. 16 User stories
- 18. Example process 18 Inventory forecast Product in basket Checkout
- 19. Example process 19 Inventory forecast Product in basket Checkout
- 20. Example process 20 Inventory forecast Product in basket Checkout Reserve product in stock
- 21. Example process 21 Inventory forecast Product in basket Checkout Reserve product in stock
- 22. A simplified visualisation 22 The development process Business Analysis Information Analysis Development Testing
- 23. By giving workshops 23 Adopt this new way of thinking Hack Defense
- 24. The result Did it actually help? 24
- 25. 25 The results Ownership Agility A very big Security Team
- 26. Do It Yourself! 26 Abuse your stories
- 27. Jim van der Waal https://www.linkedin.com/in/jimvdwaal/ Thanks! till next bol.com
- 28. https://www.linkedin.com/in/jimvdwaal/ https://techlab.bol.com/abuser-stories-thinking-like-hacker/ Take a look at my slides or read my blog 28 Forgot to take notes?
Editor's Notes
- Wardrobe Different roles Among which IT Project Manager – Abuser stories Currently Product Owner
- Who knows bol.com? Biggest ecommerce company
- How big? Some numbers to illustrate. Security becomes more important – more interesting Money Known – impact/fame
- Grew a lot, and its becoming more important. Not scalable to let the IT security team with same rate. Strategy, security is a responsibility of everyone, which will create one big security team. Lets take a look at our IT department. Small IT security team – very much ownership. Operations, didn’t take that much convincing, they were aware.
- But what about the development teams. So we were moving towards DevOps and making teams take ownership of deploying and running their own code. In the beginning they didn’t feel the responsibility yet. Not that clear they needed to test for vulnerabilities and look for security bugs. So we thought of a strategy to make them more aware, giving hacker trainings. Strategy: think like a hacker. If you know how to hack it, you also know how to secure it. We actually hired hackers to train us. Frank Technical trainings, XSS, SQL injection This was fun!
- Job well done, now we are there! Most things in hindsight. Bugs/testing/etc. – stories on backlog. Security to give it priority. Personal story: I don’t look dangerous right? Walking by: oh no, there is that security guy that is going to ruin my sprint. have a point
- Focus of trainings on the engineers and testers. They were technical trainings.
- new functionality starts way before the development phase ownership needs to go beyond of the IT teams technical trainings are not suitable for them
- And then I started thinking how do we do that? Make it fun, security seems like its not fun but it is. The strategy: think like a hacker works well. Fun and effective. Hacker mindset for analysts.
- If developers write code… Then if…
- I hope everybody knows the concept of a user story. A way of writing down all cool ideas. Reasoning from a customer perspective.
- We think of really nice functionalities with a lot of business value. Think from perspective of the customer
- Now turn it around and think of how somebody can abuse this functionality. That is where the concept of Abuser stories comes in. Think from the perspective of an hacker. Not per se technical hacks, but more functional hacks. Thinking like this will help to map security requirements. If you know how it can be abused, you also can think on how to prevent this abuse.
- What could possibly go wrong? Take a few seconds to think about it.
- Think about it from functional perspective. It doesn’t need to get technical. Map the abuse case and the requirements how to prevent this. Later on you can think with the developers how you can technically implement this to prevent it. just like a user story. Doesn’t have to be technical functional hacks. The result Most important thing is that you look at it from the hacker perspective Whether it results in separate (ab)user stories, or whether it results in requirements for a certain user story.. That is just practicalities. Most important is that the mindset is embedeed within the culture.
- Started giving workshops to Product Owners and Business Analists. Explaning the concepts, but mostly getting your hands dirty. Making it fun!! Think evil, think like a hacker. Attack vs defense (abuser stories vs. user stories) Surprised by the evilness: for example. Someone had the idea with the previous proces to put a lot in the basket and hold it as ransom – so like ransomware. So then actually calling bol.com to threat of not letting it out of the basket until they pay up. Practically it would not work of course, but it’s a pretty evil thought.
- Ownership Next to that one of the biggest benefits is that also analysts and product owners feel ownership about security. This makes discussions so much easier. Agility Now that early in the process people already think of security, and think of requirements how to avoid risks a lot of security issues are prevented Now a business analyst is more aware and takes it into account. Big security team Next step in DevOps(Sec) More responsibility at the teams, which helps us to cope with the growing risks of security.
- Abuser stories was our way of creating that security mindset in our company. It’s a simple concept that everybody understands. Motivate to do it yourself. ITS FUN!
- Slides on linkedin