How does an individual change the application security culture of an organization? By deploying an application security awareness program with engaging content, humor and recognition. See the blueprint for how you can build an application security awareness program based on real life experience. Change the security DNA of everyone in your organization. (Source: RSA USA 2016-San Francisco)

1. SESSION ID:
#RSAC
Christopher Romeo
AppSec Awareness: A Blue Print
for Security Culture Change
HUM-T11
CEO / Principal Consultant
Security Journey
@edgeroute

2. #RSAC
My Commitment
2
Explain security culture and application security
awareness
Provide the process for how to build your own
application security awareness program
Share knowledge, experience, and best practices
building application security awareness programs

3. #RSAC
What is Security Culture?
3
“What happens {with
security} when people are
left to their own devices.”
--Tim Ferriss

4. #RSAC
Security is non-negotiable
4

5. #RSAC
What is Appsec Awareness?
5
Application Security Awareness
Anti-Phishing, Password Security, Safe Social Networking,
Physical Security, Social Engineering
General Security Awareness
Mastering
Security
Concepts
Coding
Securely
Performing
Security
Test
Planning for
Security

6. #RSAC
Knowledge & History
6

7. #RSAC
Role Based
7

8. #RSAC
Activity
8

9. #RSAC
Application Security Awareness is…
9
A program that instills a security foundation,
changing security culture from the inside out

10. #RSAC
Goals of AppSec Awareness
10
Disrupt

11. #RSAC
Goals of AppSec Awareness
11
Sustainable

12. #RSAC
Goals of AppSec Awareness
12
Secure

13. #RSAC
My Experience
13
http://blogs.cisco.com/security/the-cisco-security-dojo

14. #RSAC
14

15. #RSAC
15
Mission

16. #RSAC
Define the problem
16
Our organization lacks:
general application security knowledge
appreciation for the evolving threat landscape
experience with secure development practices and
tools
motivation to step up and improve security

17. #RSAC
Assess Security Culture
17

18. #RSAC
Program Objectives
18
S.E.C.U.R.I.T.Y Create a thriving program
Teach everyone the
importance of security
Generate activity towards
improving security
Build security community

19. #RSAC
Build a Team
19
SME

20. #RSAC
Apply: Mission
20
Define the problem as it exists in YOUR organization
Assess YOUR security culture, to determine how far
you have to go
Define what you are trying to accomplish (program
objectives)
Build a team of internal and external experts

21. #RSAC
A foundation…
21
Program Architecture

22. #RSAC
Theme
22

23. #RSAC
Levels
23
Learning
Applying
Doing
Leading
Leader

24. #RSAC
Roles
24
Development
• SW
Engineer
• Tester
• Manager
• HW
Engineer
Operations
• IT
• DevOps
Internal
• Sales
• Marketing
• Executives
Everyone

25. #RSAC
Activities
25
Build
• A security tool or process
• Partnerships
• Security community
Enrich
• Mentor
• Teach a course
• Deliver presentations
Explore
• Security issue analysis
• Security committee
• A vulnerable web app
Implement
• A security feature
• A security test
• Security strategy

26. #RSAC
Recognition
26

27. #RSAC
Recognition
27

28. #RSAC
Budget
28
Time
External production
partners
Could be shoestring,
could be millions

29. #RSAC
Schedule
29
2016 2017, 18, 19?

30. #RSAC
Apply: Program Architecture
30
Choose a theme that fits within the boundaries of YOUR
organization
Define your roles
Determine:
the number of levels
what activities will you promote (if any)
your recognition philosophy and implementation

31. #RSAC
31
Curriculum

32. #RSAC
Curriculum Development Process
32
Determine
basic lessons
Review
existing
content
Search the
product /
service history
Draft the
content maps
Argue
extensively
about content
maps
Gather
Community
Feedback and
Update

33. #RSAC
Level 1 Content Map
33
Security
Fundamentals
Threat
Landscape
Attacks &
Attackers
OWASP Top 10
Secure
Development
Life Cycle
Security Myths Cryptography
Secure Design
Principles
Security
Standards
Privacy

34. #RSAC
Level 2 Content Map -- Developer
34
Secure Coding
with Java
XSS
Threat
Modeling
Input
Validation
SQL Injection CSRF
Secure Code
Review
Using OpenSSL
Attacks Against
Human
Engineers
Testing Web
App Security

35. #RSAC
Apply: Curriculum
35
Develop:
a curriculum development process for
your program
a content map for each level of your
program

36. #RSAC
Content Creation

37. #RSAC
Content
37

38. #RSAC
Assessment
38

39. #RSAC
Resources
39

40. #RSAC
Content Creation Process
40
Outline
Instructional
Design Review
Rough Draft
Technical review
Instructional
Design Review
Final draft

41. #RSAC
Apply: Content Creation
41
Determine:
Content style
Assessment structure
Build your content development process

42. #RSAC

43. #RSAC
What is a security metaphor?
43

44. #RSAC
Examples
44
Still Cartoons
Full motion cartoons
Video

45. #RSAC
A word of caution…
45

46. #RSAC
Apply: Humor & Metaphor
46
Decide on your organization’s tolerance for
humor
Edgy to tame: where do you sit?
Brainstorm ideas for security metaphors
bring your production team into the loop

47. #RSAC
Tools

48. #RSAC
Gamification
48

49. #RSAC
Interface
49
Security
Fundamentals
Attacks &
Attackers
Threat
Landscape
Security Myths
Cryptography
Privacy

50. #RSAC
Dashboard
50

51. #RSAC
Apply: Tools
51
Decide how to model your theme and content in a
catchy interface that engages your learners
Study gamification principles and incorporate
HINT: Ask your kids!
Plan your dashboard; what is the hard hitting
information that will bring visibility to your program?

52. #RSAC
The finished product…
52
Curriculum
Program Architecture
Content Creation
Tools
Mission

53. #RSAC
Build Your Own
53

54. #RSAC
Q+A & Contact
Chris Romeo, CEO / Principal Consultant
chris_romeo@securityjourney.com
www.securityjourney.com
@edgeroute