
Farewell to the Security Sandwich



While some are still recovering from treating security as a second-class citizen, the rise of agile and lean methodologies has opened a door for information security into software development, with an opportunity to arrange security along the team's value stream. Teams that write secure software often do so because of the efforts of individuals. This talk dives into the mindset, tools, and ceremonies necessary to systematically create a culture around information security.

Published in: Software


  1. Farewell to the Security Sandwich (Felix Hammerl)
  2. News comes first ... then comes the shock. [Timeline chart: years 2012 to 2016 with durations of 146, 99, 416 and 205 days; which duration belongs to which year is not recoverable from the transcript.]
  3. The Security Sandwich: Inception (security requirements, infrastructure hardening, compliance & policies); Development (iterative agile methodology, insights, pivots, perpetual requirement renegotiation); Go-live (code reviews, penetration testing). Security assurance often gets lost somewhere along this path.
  4. Everybody wants to be secure – but from what?
  5. Calculus of Negligence: Probability, Criticality, Exposure. Used to quantify disaster scenarios. Useful for exposure. Not directly actionable.
  6. “Your job is to facilitate the business to operate in an as-assured-as-possible manner, given the actual mission of the business [and] [...] providing that context for people that aren’t security professionals as well as those that are: ‘Here’s how important this thing is in the grand scheme of things.’” (Bruce Potter)
  7. Assets: valuable goods of physical or immaterial nature. They have value for both the organization and the attacker, and are targets for both deliberate and negligent threats.
     ● Security goals: stem from business, legal, and regulatory contexts.
     ● Disaster scenarios: result from security goals being violated.
     ● Exposure: experience, analogy from events at competitors, or jurisdiction.
  8. Where does security “happen”?
  9. Path to Production [diagram]: Discussions (verbalization of functionality); Requirements (molding needs into epics); Analysis (breaking down epics into stories); Development (where stories become deliverables); QA (where deliverables are reviewed); Deployment (deliverables become functionality). Artifact labels shown along the diagram: need, wish, request, demand, epic, ask, issue, ticket, story, spike, commit, bugfix, bug, Docker, service.
  10. Analysis: Definition of Ready
      ● Assets: Which assets do we touch? How valuable are the assets?
      ● Threat modeling: Does this change our attack surface? What (new) components touch the assets? How could we be attacked? What would be the impact? How?
      ● Actions (+ PO): Mitigate? Identify? Protect? Detect? Respond? Recover? Transfer? Avoid? Accept? What are the alternatives?
      ● Follow up: Keep a record of the security debt!
  11. Analysis: Threat Modeling. Add security requirements as CFRs to stories and epics.
      ● Scenario-based: uses the team’s collective experience of the product to be developed.
      ● Exploratory: analysis of a fictional disaster scenario back to the asset, based on attack trees.
      ● Agile: timeboxed STRIDE exercises to analyze the delta in functionality from the current or next period, e.g. a sprint.
  12. Development: Ease through automation
      ● Dependencies: new vulnerabilities are continuously discovered; automate scanning your libraries and frameworks.
      ● Containers: vulnerabilities also exist in containers; automate scanning your containers.
      ● CVEs: fix forward; automate keeping dependencies up to date; test and aggressively integrate releases.
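Slide 12's "automate scanning your libraries" in working form, as an added example that is not from the talk or its author: a small Python scanner that matches a pinned dependency list against an advisory feed and reports the fix-forward target for each hit. The dependency pins, advisory IDs and version ranges are constructed placeholders, not real advisories; a real pipeline would pull the feed from a source such as OSV or the NVD and run this on every commit.

```python
"""Minimal dependency-advisory matcher (added example, not from the talk).

Reads a pinned dependency list in requirements.txt style and checks each
pin against an advisory feed. Both inputs are embedded and constructed so
the example runs offline; a real run would fetch the feed.
"""
import operator
import re

# Constructed sample input: a pinned dependency list (not real project data).
REQUIREMENTS = """\
# example pins
requests==2.19.0
flask==1.0.2
urllib3==1.24.3
pyyaml==5.3
"""

# Constructed advisory feed. IDs and ranges are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "requests",
     "affected": ">=2.0,<2.20.0", "fixed_in": "2.20.0", "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "package": "urllib3",
     "affected": "<1.24.2", "fixed_in": "1.24.2", "severity": "medium"},
    {"id": "ADV-EXAMPLE-0003", "package": "pyyaml",
     "affected": "<5.4", "fixed_in": "5.4", "severity": "critical"},
]

_OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt,
        "<": operator.lt, "==": operator.eq, "!=": operator.ne}


def parse_version(text):
    """Turn '1.24.3' into (1, 24, 3); a non-numeric component stops the parse."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def _pad(a, b):
    """Zero-pad two version tuples so '5.4' and '5.4.0' compare as equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def satisfies(version, spec):
    """True when `version` meets every clause of `spec`, e.g. '>=2.0,<2.20.0'."""
    for clause in spec.split(","):
        clause = clause.strip()
        m = re.match(r"(>=|<=|==|!=|>|<)\s*(.+)", clause)
        if not m:
            raise ValueError(f"bad clause: {clause!r}")
        op, bound = _OPS[m.group(1)], parse_version(m.group(2))
        a, b = _pad(version, bound)
        if not op(a, b):
            return False
    return True


def parse_requirements(text):
    """Map lower-cased package name to its pinned version tuple; refuse unpinned lines."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line!r}")
        pins[name.strip().lower()] = parse_version(version)
    return pins


def scan(requirements_text, advisories):
    """Return findings sorted by package; each names the version to fix forward to."""
    pins = parse_requirements(requirements_text)
    findings = []
    for adv in advisories:
        pinned = pins.get(adv["package"].lower())
        if pinned is not None and satisfies(pinned, adv["affected"]):
            findings.append({
                "package": adv["package"],
                "pinned": ".".join(map(str, pinned)),
                "advisory": adv["id"],
                "severity": adv["severity"],
                "upgrade_to": adv["fixed_in"],
            })
    return sorted(findings, key=lambda f: f["package"])


if __name__ == "__main__":
    results = scan(REQUIREMENTS, ADVISORIES)
    for f in results:
        print(f"{f['severity']:8} {f['package']}=={f['pinned']} "
              f"affected by {f['advisory']}; upgrade to {f['upgrade_to']}")
    # Non-zero exit makes a CI stage fail the build while findings remain.
    raise SystemExit(1 if results else 0)
```

The version padding in `_pad` is the edge case worth keeping: without it a naive tuple comparison treats `5.4.0` as older than `5.4` and reports a false positive on the boundary release.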
  13. Live: Know your system
      ● Visualize health: important real-world metrics at a glance; create shared responsibility for your system’s fitness to deliver value; visualize and aggressively pay off tech debt.
      ● Structure & correlate logs: log indexable data structures, not strings; inspect logs faster; correlate logs across systems.
      ● Nominal vs erroneous behavior: understand when things go wrong; Standard Operating Procedures; use alerting.
      ● Shift security left: rotate the firefighter role; collective ownership for the ugly code bits.
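The "structure & correlate logs" and "nominal vs erroneous behavior" points of slide 13, as an added Python example that is not from the talk or its author: a `logging.Formatter` that writes one JSON document per line so every field is indexable, a correlator that joins lines from several services on a shared request ID, and a check that flags requests which leave the nominal path. The service names, the `gateway` to `orders` path, and the sample log lines are constructed for the example.

```python
"""Structured logs and cross-system correlation (added example, not from the talk).

(1) JsonFormatter emits one JSON object per record so fields are indexable
instead of buried in free text. (2) correlate() joins lines from several
services on request_id. (3) find_anomalies() flags requests that deviate
from the nominal path, which is what an alert would be raised on.
"""
import json
import logging
from collections import defaultdict


class JsonFormatter(logging.Formatter):
    """Emit each record as a JSON document with stable, indexable field names."""

    def format(self, record):
        doc = {
            "ts": self.formatTime(record, "%Y-%m-%dT%H:%M:%S"),
            "level": record.levelname,
            "service": getattr(record, "service", "unknown"),
            "request_id": getattr(record, "request_id", None),
            "msg": record.getMessage(),
        }
        # Structured fields passed via logging's `extra=` are copied as-is.
        for key in ("status", "path", "user"):
            if hasattr(record, key):
                doc[key] = getattr(record, key)
        return json.dumps(doc, sort_keys=True)


def render(service, request_id, msg, **fields):
    """Format one event through JsonFormatter without attaching a handler."""
    rec = logging.LogRecord(service, logging.INFO, "example", 0, msg, None, None)
    for k, v in dict(service=service, request_id=request_id, **fields).items():
        setattr(rec, k, v)
    return JsonFormatter().format(rec)


# Constructed sample lines as two services (gateway, orders) would write them.
# r-1 is nominal, r-2 fails in the backend, r-3 never reaches the backend.
SAMPLE_LINES = [
    '{"ts":"2016-06-01T10:00:00","level":"INFO","service":"gateway","request_id":"r-1","msg":"request","path":"/orders","status":200}',
    '{"ts":"2016-06-01T10:00:00","level":"INFO","service":"orders","request_id":"r-1","msg":"handled","status":200}',
    '{"ts":"2016-06-01T10:00:01","level":"INFO","service":"gateway","request_id":"r-2","msg":"request","path":"/orders","status":502}',
    '{"ts":"2016-06-01T10:00:01","level":"ERROR","service":"orders","request_id":"r-2","msg":"db timeout","status":500}',
    '{"ts":"2016-06-01T10:00:02","level":"INFO","service":"gateway","request_id":"r-3","msg":"request","path":"/orders","status":504}',
    'not json at all - a stray line from an older, unstructured component',
]

# Constructed nominal path: every request must be seen by these services, in order.
NOMINAL_PATH = ("gateway", "orders")


def correlate(lines):
    """Group parsed JSON lines by request_id; unparseable lines are counted, not lost silently."""
    by_request = defaultdict(list)
    unparsed = 0
    for line in lines:
        try:
            doc = json.loads(line)
        except json.JSONDecodeError:
            unparsed += 1
            continue
        by_request[doc.get("request_id")].append(doc)
    return dict(by_request), unparsed


def find_anomalies(by_request, nominal_path=NOMINAL_PATH):
    """Return {request_id: reason} for requests that left the nominal path."""
    anomalies = {}
    for rid, docs in by_request.items():
        seen = {d["service"] for d in docs}
        missing = [s for s in nominal_path if s not in seen]
        errors = [d for d in docs if d.get("status", 0) >= 500 or d["level"] == "ERROR"]
        if missing:
            anomalies[rid] = f"incomplete path, missing {missing}"
        elif errors:
            # Attribute the failure to the deepest service on the path that errored.
            origin = max(errors, key=lambda d: nominal_path.index(d["service"])
                         if d["service"] in nominal_path else -1)
            anomalies[rid] = f"server error originating in {origin['service']}: {origin['msg']}"
    return anomalies


if __name__ == "__main__":
    print(render("gateway", "r-9", "request", path="/orders", status=200))
    grouped, dropped = correlate(SAMPLE_LINES)
    print(f"{dropped} unstructured line(s) could not be indexed")
    for rid, why in find_anomalies(grouped).items():
        print(f"ALERT {rid}: {why}")
```

Keeping the count of unparseable lines is deliberate: a component that still logs free-form strings shows up as a number you can track down, rather than as events that silently never reach the index.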
  14. Thank you. Felix Hammerl, @felixhammerl