This document discusses creating a graph-based security organization. It outlines security's objectives like allowing business operations while managing risk. Security is a driver of change and sits at the center of organizational data. The only effective way to manage and understand this relational data is as a graph. The presenter's organization refactored their risk workflow and JIRA implementation to represent data as a graph stored in a queryable database. They use tools like ELK, Slack bots, and plantUML diagrams to visualize and interact with the security graph. This empower's data-driven security decisions and risk management. The presenter provides examples of risk dashboards and encourages collaboration to further develop these graph-based approaches.

1. Creating a graph-based
security organisation
Dinis Cruz
dinis.cruz@photobox.com
OWASP London Chapter meeting
April / 2019

2. 2

3. What are Security’s meta objectives
● Allowing the business to execute it’s mission and objectives within their ‘accepted
risk level’
● Allowing the business to make FACT and RISK based decisions
● Improving the business’ ability to deploy changes and enabling it to ‘move faster’
● Allowing the business to understand better how it behaves and what are the side
effects of it’s actions/decisions
● Increasing the cost of malicious entities to execute their objectives
● Effectively handling incidents and preventing crisis
● Making compliance easy
● Enabling the business to think in ‘Graphs’
3

4. Security is a major
agent of change
(just about everything we do requires a change request)
4

5. Security is at the
epicentre of data
(we can get data feeds from everywhere)
5

6. Data is not linear or tabular
Data is hyperlinked and
relational
6

7. Only effective solution is to:
Manage and visualise data
as a Graph …
7

8. …and to create a
Graph based security
organisation
8

9. How we did it
9

10. 10
It all started with this RISK Workflow

11. 11
Now refactored to

12. 12
We use JIRA as a Graph Database

13. We created a serverless workflow
Graph
database
Queryable
data store
Lambda
functions
Command line /
feedback loop
Our hyperlinked
security taxonomy...
...is dumped every few
seconds into ELK...
...made queryable by
code functions...
...with the user
journey all in Slack.

14. 14
We sync all JIRA data into Elastic Stack

15. 15
We use a Slack bot to access the data

16. 16
Searching Jira and rendering plantuml

17. 17
PlantUML graphs from JIRA data

19. 19
Mapping projects to OKRs

20. 20
Mapping Services to Roles

21. 2
Multiple ways to
Visualise data

22. 22
The Universe

23. Work done yesterday

24. Work done last week

25. ‘
The Bicycle

26. ‘
Spot the bad mappings

27. 27
A sail of a boat or Music Equalizer

28. ‘
My Brain on Friday

29. Where is Everybody?

30. Funny ones

31. ‘Wardley Maps’

32. Automatic generation of
Slides
3

33. 33
Creating slides and pdfs from GS Bot

34. 34

35. 35

36. 36

37. 37

38. 38

39. 39

40. Syncing Google Sheets
with Jira
4

41. Meet Maeve

42. Demo
42

43. Syncing Google Sheets With Jira
OWASP Demo
Maeve Scarry 4th April 2019

44. 1 Create ticket in Jira

45. 2 Create tasks

46. 3 Column view

47. 4 Spider view

48. 5 Graph view

49. 6 Table view

50. 7 Creating a Google Sheet

51. 8 Google Sheet

52. 9 Editing the Sheet

53. 10 Editing the Sheet

54. 11 Syncing Google Sheets to Jira

55. 12 Final Jira View

56. Rendering Sheets and Slides
in Slack
5

57. Consume materials created in Slack

58. Empowering the
business to make
Fact based Security Decisions
5

59. 59
Risk Dashboards (from Jira Data)
Maturity
DEMO DATA

60. 60
Show Risk evolution
FY18
(score of 45)
FY18
(score of 55)
Maturity
DEMO DATA

61. 61
Show Risk Delta (Risk impact of decisions)
DEMO DATA

62. Show me the code
62

63. Most of the code is on GitHub

64. Broken down in modules(build using AWS CodeBuild)

65. Please contribute
and participante in the
conversation
6

66. Ok, how can I learn more
about this?
And where can I try it?
66

67. Open Security Summit 2019
https://docs.google.com/presentation/d/1GlCvPmBHqcn_VA1ciVirgkoP1RSkSccHhd_Wx1BaG4s/edit#slide=id.p1

68. The place to be to collaborate
https://docs.google.com/presentation/d/1GlCvPmBHqcn_VA1ciVirgkoP1RSkSccHhd_Wx1BaG4s/edit#slide=id.p1

69. Last year’s action

70. Buy your ticket now! (we are running out of villas)
https://open-security-summit.org/

71. Also available at
https://z-developers.com/
Read the ‘Generation Z Developers’
https://leanpub.com/generation-z/
https://github.com/DinisCruz/Book_Generation_Z_Developer

72. 72
Further reading
https://www.youtube.com/watch?v=xwuXz1ZEnhA https://leanpub.com/secdevops

73. Thanks
73