
Creating a graph based security organisation - Apr 2019 (OWASP London chapter meeting)

Presented at OWASP London chapter meeting - April 2019

  1. Creating a graph-based security organisation. Dinis Cruz, dinis.cruz@photobox.com. OWASP London Chapter meeting, April 2019
  3. What are Security’s meta objectives
     ● Allowing the business to execute its mission and objectives within their ‘accepted risk level’
     ● Allowing the business to make FACT and RISK based decisions
     ● Improving the business’ ability to deploy changes and enabling it to ‘move faster’
     ● Allowing the business to understand better how it behaves and what are the side effects of its actions/decisions
     ● Increasing the cost for malicious entities to execute their objectives
     ● Effectively handling incidents and preventing crisis
     ● Making compliance easy
     ● Enabling the business to think in ‘Graphs’
  4. Security is a major agent of change (just about everything we do requires a change request)
  5. Security is at the epicentre of data (we can get data feeds from everywhere)
  6. Data is not linear or tabular. Data is hyperlinked and relational
  7. Only effective solution is to: Manage and visualise data as a Graph …
  8. …and to create a Graph based security organisation
  9. How we did it
  10. It all started with this RISK Workflow
  11. Now refactored to
  12. We use JIRA as a Graph Database
  13. We created a serverless workflow: Graph database, Queryable data store, Lambda functions, Command line / feedback loop. Our hyperlinked security taxonomy is dumped every few seconds into ELK, made queryable by code functions, with the user journey all in Slack.
  14. We sync all JIRA data into Elastic Stack
  15. We use a Slack bot to access the data
  16. Searching Jira and rendering PlantUML
  17. PlantUML graphs from JIRA data
  18. Mapping projects to OKRs
  19. Mapping Services to Roles
  20. Multiple ways to Visualise data
  21. The Universe
  22. Work done yesterday
  23. Work done last week
  24. The Bicycle
  25. Spot the bad mappings
  26. A sail of a boat or Music Equalizer
  27. My Brain on Friday
  28. Where is Everybody?
  29. Funny ones
  30. ‘Wardley Maps’
  31. Automatic generation of Slides
  32. Creating slides and pdfs from GS Bot
  39. Syncing Google Sheets with Jira
  40. Meet Maeve
  41. Demo
  42. Syncing Google Sheets With Jira. OWASP Demo. Maeve Scarry, 4th April 2019
  43. 1 Create ticket in Jira
  44. 2 Create tasks
  45. 3 Column view
  46. 4 Spider view
  47. 5 Graph view
  48. 6 Table view
  49. 7 Creating a Google Sheet
  50. 8 Google Sheet
  51. 9 Editing the Sheet
  52. 10 Editing the Sheet
  53. 11 Syncing Google Sheets to Jira
  54. 12 Final Jira View
  55. Rendering Sheets and Slides in Slack
  56. Consume materials created in Slack
  57. Empowering the business to make Fact based Security Decisions
  58. Risk Dashboards (from Jira Data). Maturity. DEMO DATA
  59. Show Risk evolution. FY18 (score of 45), FY18 (score of 55). Maturity. DEMO DATA
  60. Show Risk Delta (Risk impact of decisions). DEMO DATA
  61. Show me the code
  62. Most of the code is on GitHub
  63. Broken down into modules (built using AWS CodeBuild)
  64. Please contribute and participate in the conversation
  65. Ok, how can I learn more about this? And where can I try it?
  66. Open Security Summit 2019 https://docs.google.com/presentation/d/1GlCvPmBHqcn_VA1ciVirgkoP1RSkSccHhd_Wx1BaG4s/edit#slide=id.p1
  67. The place to be to collaborate https://docs.google.com/presentation/d/1GlCvPmBHqcn_VA1ciVirgkoP1RSkSccHhd_Wx1BaG4s/edit#slide=id.p1
  68. Last year’s action
  69. Buy your ticket now! (we are running out of villas) https://open-security-summit.org/
  70. Also available at https://z-developers.com/ Read the ‘Generation Z Developers’ https://leanpub.com/generation-z/ https://github.com/DinisCruz/Book_Generation_Z_Developer
  71. Further reading: https://www.youtube.com/watch?v=xwuXz1ZEnhA https://leanpub.com/secdevops
  72. Thanks
