
Building a security team without becoming “the bad guy”


Ben Abrams has held various developer roles in which security teams got in the way and earned a reputation as the "NO team"; now he is building his own security team. In this Sensu Summit 2019 talk he discusses tips on avoiding that outcome and on getting engineering to see security as an asset rather than something to work around.

Published in: Technology

  1. How to build a security team without becoming the “bad guy”. Follow along at: http://bit.ly/2zz3py0
  2. $ /usr/bin/whoami
     ● Ben Abrams / @majormoses
     ● Lead the Infrastructure Security team @doximity
     ● Doximity: medical social network serving over 1 million medical professionals
     ● Sensu history
       ○ 2014: started a pet project to replace Nagios with Sensu
       ○ 2015: Sensu was in production; started giving back to the community
       ○ 2017: became a maintainer for various areas across the Sensu ecosystem
         ■ Plugins
         ■ Chef cookbooks
         ■ Slack
         ■ Documentation
         ■ OSS mentorship
       ○ Maintain 200+ plugins for the Sensu community
  3. Where to start
     ● Tools
     ● Knowledge
     ● Monitoring
     ● Alerting
     ● Service ownership
     ● Triage risk
     ● Red / blue teams
     ● Culture
  4. Core Cultural Philosophies
  5. Some Cultural Items
     ● Transparency
       ○ Open Slack channels
       ○ SLA on pull request reviews
       ○ Security monitoring is available to other teams
     ● Make access easier where possible without compromising needs (https://sso.tax/)
       ○ Moved 40+ apps to SSO
       ○ Another 30+ to go
     ● Incremental improvement
     ● Secure by default
  6. “The only secure system is one that does not exist”
  7. Secure By Default
     ● Automation
       ○ Chef libraries and recipes
       ○ Terraform modules
         ■ AWS account level
           ● CloudTrail
           ● Password policies
         ■ Resource level
           ● S3
           ● EC2
           ● ...
     ● Monitoring and auditing are not afterthoughts
  8. Q&A
     ● GitHub / Slack: @majormoses
     ● Email: me@benabrams.it
     ● Open positions at Doximity:
       ○ https://workat.doximity.com/positions
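Slide 7 describes "secure by default" as account-level Terraform modules that turn on CloudTrail and an IAM password policy, plus resource-level defaults for S3. The module below is an added illustration of that idea and is not code from the talk or from Doximity; the variable name `log_bucket_name`, the trail name `account-trail`, and the specific policy thresholds are assumptions chosen for the example.

```hcl
# Added example (not from the talk): an AWS account-baseline Terraform
# module in the spirit of slide 7. Names and thresholds are assumptions.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

variable "log_bucket_name" {
  type        = string
  description = "Bucket that receives CloudTrail logs (assumed name)"
}

data "aws_caller_identity" "current" {}

# Account-level password policy: set once, inherited by every IAM user.
resource "aws_iam_account_password_policy" "strict" {
  minimum_password_length        = 14
  require_lowercase_characters   = true
  require_uppercase_characters   = true
  require_numbers                = true
  require_symbols                = true
  allow_users_to_change_password = true
  max_password_age               = 90
  password_reuse_prevention      = 24
}

# Resource-level defaults for the log bucket: no public access,
# versioning so deletions are recoverable, encryption at rest.
resource "aws_s3_bucket" "trail_logs" {
  bucket = var.log_bucket_name
}

resource "aws_s3_bucket_public_access_block" "trail_logs" {
  bucket                  = aws_s3_bucket.trail_logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_versioning" "trail_logs" {
  bucket = aws_s3_bucket.trail_logs.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "trail_logs" {
  bucket = aws_s3_bucket.trail_logs.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# CloudTrail must be granted write access to the bucket explicitly.
data "aws_iam_policy_document" "trail_logs" {
  statement {
    sid       = "AWSCloudTrailAclCheck"
    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.trail_logs.arn]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
  }
  statement {
    sid       = "AWSCloudTrailWrite"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.trail_logs.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }
}

resource "aws_s3_bucket_policy" "trail_logs" {
  bucket = aws_s3_bucket.trail_logs.id
  policy = data.aws_iam_policy_document.trail_logs.json
}

# Multi-region trail with log-file validation: auditing is part of the
# baseline, not an afterthought.
resource "aws_cloudtrail" "account" {
  name                          = "account-trail"
  s3_bucket_name                = aws_s3_bucket.trail_logs.id
  is_multi_region_trail         = true
  include_global_service_events = true
  enable_log_file_validation    = true
  depends_on                    = [aws_s3_bucket_policy.trail_logs]
}
```

Applying this module to every new account gives teams the CloudTrail, password-policy and S3 defaults without a ticket to the security team, which is the point of the slide: the secure path is the default path. The `depends_on` on the trail matters in practice; without the bucket policy in place first, trail creation fails with an access error.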
