How do you cope with the growth of security risks? Providing your IT teams with the right tools is one thing, but a new feature starts way before it reaches the development phase. So how do you make security everyone's responsibility? In this talk I will describe bol.com's strategy and the way we tried to cope with this in a fun way. In the latest stage we taught this mindset to our business by introducing the concept of "Abuser Stories". Instead of reasoning about how a customer would use your feature, think about how someone would abuse it. As a hacker, I want..., so that...!
Wardrobe
Different roles
Among them IT Project Manager – Abuser stories
Currently Product Owner
Who knows bol.com?
Biggest e-commerce company
How big?
Some numbers to illustrate.
Security becomes more important – more interesting
Money
Known – impact/fame
Grew a lot, and it's becoming more important. Not scalable to let the IT security team grow at the same rate.
Strategy: security is everyone's responsibility, which creates one big security team.
Let's take a look at our IT department.
Small IT security team with a strong sense of ownership.
Operations didn't take much convincing; they were aware.
But what about the development teams.
So we were moving towards DevOps and making teams take ownership of deploying and running their own code.
In the beginning they didn't feel the responsibility yet. It wasn't clear to them that they needed to test for vulnerabilities and look for security bugs.
So we thought of a strategy to make them more aware: giving hacker trainings.
Strategy: think like a hacker. If you know how to hack it, you also know how to secure it.
We actually hired hackers to train us. Frank
Technical trainings: XSS, SQL injection.
This was fun!
Job well done, now we are there!
Most things were caught in hindsight: bugs, testing, etc. ended up as stories on the backlog.
The security team had to give it priority.
Personal story: I don't look dangerous, right?
Walking by: "oh no, there is that security guy who is going to ruin my sprint." They have a point.
Focus of the trainings was on the engineers and testers.
They were technical trainings.
New functionality starts way before the development phase.
Ownership needs to go beyond the IT teams.
Technical trainings are not suitable for them.
And then I started thinking: how do we do that?
Make it fun. Security seems like it's not fun, but it is.
The strategy "think like a hacker" works well. Fun and effective.
Hacker mindset for analysts.
If developers write code…
Then if…
I hope everybody knows the concept of a user story.
A way of writing down all the cool ideas.
Reasoning from the customer's perspective.
We think of really nice functionalities with a lot of business value.
Think from the perspective of the customer.
Now turn it around and think about how somebody could abuse this functionality.
That is where the concept of Abuser stories comes in.
Think from the perspective of a hacker.
Not necessarily technical hacks, but more functional hacks.
Thinking like this helps to map security requirements.
If you know how it can be abused, you can also think about how to prevent that abuse.
What could possibly go wrong?
Take a few seconds to think about it.
Think about it from a functional perspective. It doesn't need to get technical. Map the abuse case and the requirements for preventing it. Later on you can work out with the developers how to technically implement this prevention, just like with a user story.
Doesn't have to be technical: functional hacks.
The result
The most important thing is that you look at it from the hacker's perspective.
Whether it results in separate (ab)user stories, or in requirements for a certain user story, is just a practicality.
Most important is that the mindset is embedded within the culture.
Started giving workshops to Product Owners and Business Analysts.
Explaining the concepts, but mostly getting your hands dirty.
Making it fun!!
Think evil, think like a hacker.
Attack vs defense (abuser stories vs. user stories)
Surprised by the evilness. For example, someone had the idea, with the previous process, to put a lot in the basket and hold it as ransom, so like ransomware: actually calling bol.com and threatening not to let it out of the basket until they pay up. Practically it would not work of course, but it's a pretty evil thought.
Ownership
Next to that, one of the biggest benefits is that analysts and product owners also feel ownership of security.
This makes discussions so much easier.
Agility
Now that people already think of security early in the process, and think of requirements to avoid risks, a lot of security issues are prevented.
Now a business analyst is more aware and takes it into account.
Big security team
Next step in DevOps(Sec)
More responsibility with the teams, which helps us cope with the growing security risks.
Abuser stories were our way of creating that security mindset in our company. It's a simple concept that everybody understands. Motivate people to do it themselves.
IT'S FUN!