#RSAC
SESSION ID: CRWD-W02
Building an AppSec Program with Sun Tzu, the Dalai Lama and Honey Badger
Dan Cornell
CTO, Denim Group
@danielcornell
Agenda
• Housekeeping
• Sun Tzu and Information Security
• How About Application Security?
• The Dalai Lama and Application Security
• Summary
• Apply
Housekeeping
Simpsons Already Did It
• As with any good topic in information security…
…Jericho covered it first
http://attrition.org/security/rant/fsck_sun_tzu/
Since Jericho Actually Reads Stuff...
http://www.denimgroup.com/blog/denim_group/2012/02/rsa-buzzword-bingo.html
http://attrition.org/security/rebuttal/rebuttal-cornell_denimgroup_rsa_bingo.html
http://www.denimgroup.com/blog/denim_group/2012/03/buzzword-bingo-all-my-words-come-back-to-me-in-shades-of-mediocrity.html
...Clean Room
Didn’t read the attrition.org article
(Though I will have to check it out when the talk is over)
What To Expect
Cherry-picked quotes used in a context I find useful...
...for both Sun Tzu and the Dalai Lama
If you were hoping to use this presentation to complete your doctoral dissertation...
You will be disappointed, or you will have a shaky dissertation
That Said. . .
I want to talk about perspective: some of the fundamental metaphors security professionals use to approach their work, and the stories they use to communicate and inspire one another.
The Gold Standard Sun Tzu Quote for InfoSec
If you know the enemy and know yourself,
you need not fear the result of a hundred battles.
If you know yourself but not the enemy,
for every victory gained you will also suffer a defeat.
If you know neither the enemy nor yourself,
you will succumb in every battle.
-Art of War, Chapter 3
His (Supposed) Training Methods
Training the king’s harem to be soldiers
Some Advice Too Many Take (Halfway) To Heart
“A military operation involves deception. Even though you are
competent, appear to be incompetent. Though effective, appear to be
ineffective”
-Art of War, Chapter 1
“Pretend inferiority and encourage his arrogance”
-Art of War, Chapter 1
Sun Tzu and Information
Security
Thinking “Security” Has An End
“What is essential in war is victory, not prolonged operations”
-Art of War, Chapter 2
Thoughts on “Capturing” Attackers
“In the practical art of war, the best thing of all is to take the enemy’s
country whole and intact; to shatter and destroy it is not so good. So,
too, it is better to recapture an army entire than to destroy it, to capture
a regiment, a detachment or a company entire than to destroy them”
-Art of War, Chapter 3
Hacking Back
“One defends when his strength is inadequate, he attacks when it is
abundant”
-Art of War, Chapter 4
“The quality of decision is like the well-timed swoop of a falcon which
enables it to strike and destroy its victim”
-Art of War, Chapter 5
Security Through Obscurity
“Be extremely subtle, even to the point of formlessness. Be extremely
mysterious, even to the point of soundlessness”
-Art of War, Chapter 6
Problems Communicating With “The Business”
“The general that hearkens to my counsel and acts upon it, will
conquer: let such a one be retained in command! The general that
hearkens not to my counsel nor acts upon it, will suffer defeat: - let
such a one be dismissed!”
-Art of War, Chapter 1
How About Application
Security?
An InfoSec Perspective on Developers
“If these developers would just stop writing such sh*tty code, all our
lives would be a lot better”
-Some Security Curmudgeon, BSides Austin, 2011
Developers And Overzealous InfoSec Folks
The Dalai Lama and
Application Security
Get Your Mind Right
“My true religion is Kindness”
-Kindness, Clarity and Insight, 1984
“I feel that the essence of spiritual
practice is your attitude toward others”
-Catherine Ingram interview, 1988
Get Your Mind Right
• What are the true risks to your business?
  • Physical, financial, strategic
  • Not just information assets
• How well are developers’ activities aligned with the business?
  • Features, functions, timelines
Empathy and Compassion
“I believe all suffering is caused by ignorance”
-Nobel acceptance speech, 1989
“Compassion and tolerance are not a sign of weakness, but a sign of strength”
-Words of Wisdom, 2001
Empathy and Compassion
• What are your developers actually doing?
• Why are they doing it?
• How can you support them and advance your goals?
Understand Developer Tools
• Coding (IDE)
• Testing (unit tests, acceptance tests)
• Workload tracking (defect trackers, change management)
• Automation and orchestration (continuous integration)
• Metrics
Be Flexible and Data-Driven
“My confidence in venturing into science lies in my basic belief that as in
science so in Buddhism, understanding the nature of reality is pursued by
means of critical investigation”
-The Universe in a Single Atom, 2005
“If science proves some belief of Buddhism wrong, then Buddhism will have
to change. In my view, science and Buddhism share a search for the truth
and for understanding reality. By learning from science about aspects of
reality where its understanding may be more advanced, I believe that
Buddhism enriches its own worldview”
-New York Times, 2005
Be Flexible and Data-Driven
• What things are you doing “because we have always done it this way?”
• And how does that distort your budget and resourcing?
• What value are you getting from the technologies you have deployed?
Apply
Applying These Concepts
• When you get back to the office:
  • Take a development manager to lunch
  • Find out how they manage their workload
  • Find out their big process/tool initiatives for the next quarter/year
• In the next 3-6 months:
  • Run some lightweight metrics to see if your app security program “makes sense”
  • Run some security “lunch and learn” events for developers
And We’ll Close with This
Contact
Dan Cornell
CTO, Denim Group
dan@denimgroup.com
@danielcornell
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Denim Group
 
Application Asset Management with ThreadFix
 Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
Denim Group
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
Denim Group
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
Denim Group
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
Denim Group
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Denim Group
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Denim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
Denim Group
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Denim Group
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
Denim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
Denim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
Denim Group
 
AppSec in a World of Digital Transformation
 AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
Denim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
Denim Group
 

More from Denim Group (20)

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4J
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
 
Application Asset Management with ThreadFix
 Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your Organization
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
 AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
 

Recently uploaded

Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
Vlad Stirbu
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 

Recently uploaded (20)

Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 

Building an Application Security Program with Sun Tzu, The Dalai Lama and Honey Badger

  • 1. Building an AppSec Program with Sun Tzu, the Dalai Lama and Honey Badger. Session ID: CRWD-W02. Dan Cornell, CTO, Denim Group, @danielcornell
  • 2. Agenda
    - Housekeeping
    - Sun Tzu and Information Security
    - How About Application Security?
    - The Dalai Lama and Application Security
    - Summary
    - Apply
  • 4. Simpsons Already Did It
    - As with any good topic in information security… …Jericho covered it first
    http://attrition.org/security/rant/fsck_sun_tzu/
  • 5. Since Jericho Actually Reads Stuff. . .
    http://www.denimgroup.com/blog/denim_group/2012/02/rsa-buzzword-bingo.html
    http://attrition.org/security/rebuttal/rebuttal-cornell_denimgroup_rsa_bingo.html
    http://www.denimgroup.com/blog/denim_group/2012/03/buzzword-bingo-all-my-words-come-back-to-me-in-shades-of-mediocrity.html
  • 6. . . .Clean Room: Didn’t read the attrition.org article (Though I will have to check it out when the talk is over)
  • 7. What To Expect: Cherry-picked quotes used in a context I find useful. . . . . .for both Sun Tzu and the Dalai Lama. If you were hoping to use this presentation to complete your doctoral dissertation. . . You will be disappointed, or you will have a shaky dissertation
  • 8. That Said. . . I want to talk about perspective, about some of the fundamental metaphors security professionals use to approach their work, and about the stories they use to communicate and inspire one another
  • 9. The Gold Standard Sun Tzu Quote for InfoSec: “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” -Art of War, Chapter 3
  • 10. His (Supposed) Training Methods: Training the king’s harem to be soldiers
  • 11. Some Advice Too Many Take (Halfway) To Heart: “A military operation involves deception. Even though you are competent, appear to be incompetent. Though effective, appear to be ineffective” -Art of War, Chapter 1. “Pretend inferiority and encourage his arrogance” -Art of War, Chapter 1
  • 12. Sun Tzu and Information Security
  • 13. Thinking “Security” Has An End: “What is essential in war is victory, not prolonged operations” -Art of War, Chapter 2
  • 14. Thoughts on “Capturing” Attackers: “In the practical art of war, the best thing of all is to take the enemy’s country whole and intact; to shatter and destroy it is not so good. So, too, it is better to recapture an army entire than to destroy it, to capture a regiment, a detachment or a company entire than to destroy them” -Art of War, Chapter 3
  • 15. Hacking Back: “One defends when his strength is inadequate, he attacks when it is abundant” -Art of War, Chapter 4. “The quality of decision is like the well-timed swoop of a falcon which enables it to strike and destroy its victim” -Art of War, Chapter 5
  • 16. Security Through Obscurity: “Be extremely subtle, even to the point of formlessness. Be extremely mysterious, even to the point of soundlessness” -Art of War, Chapter 6
  • 17. Problems Communicating With “The Business”: “The general that hearkens to my counsel and acts upon it, will conquer: let such a one be retained in command! The general that hearkens not to my counsel nor acts upon it, will suffer defeat: - let such a one be dismissed!” -Art of War, Chapter 1
  • 19. An InfoSec Perspective on Developers: “If these developers would just stop writing such sh*tty code, all our lives would be a lot better” -Some Security Curmudgeon, BSides Austin, 2011
  • 21. The Dalai Lama and Application Security
  • 22. Get Your Mind Right: “My true religion is Kindness” -Kindness, Clarity and Insight, 1984. “I feel that the essence of spiritual practice is your attitude toward others” -Catherine Ingram interview, 1988
  • 23. Get Your Mind Right
    - What are the true risks to your business?
      - Physical, financial, strategic
      - Not just information assets
    - How well are developers’ activities aligned with the business?
      - Features, functions, timelines
  • 24. Empathy and Compassion: “I believe all suffering is caused by ignorance” -Nobel acceptance speech, 1989. “Compassion and tolerance are not a sign of weakness, but a sign of strength” -Words of Wisdom, 2001
  • 25. Empathy and Compassion
    - What are your developers actually doing?
    - Why are they doing it?
    - How can you support them and advance your goals?
  • 26. Understand Developer Tools
    - Coding (IDE)
    - Testing (Unit tests, acceptance tests)
    - Workload tracking (Defect trackers, change management)
    - Automation and orchestration (Continuous integration)
    - Metrics
  • 27. Be Flexible and Data-Driven: “My confidence in venturing into science lies in my basic belief that as in science so in Buddhism, understanding the nature of reality is pursued by means of critical investigation” -The Universe in a Single Atom, 2005. “If science proves some belief of Buddhism wrong, then Buddhism will have to change. In my view, science and Buddhism share a search for the truth and for understanding reality. By learning from science about aspects of reality where its understanding may be more advanced, I believe that Buddhism enriches its own worldview” -New York Times, 2005
  • 28. Be Flexible and Data-Driven
    - What things are you doing “because we have always done it this way?”
    - And how does that distort your budget and resourcing?
    - What value are you getting from the technologies you have deployed?
  • 30. Applying These Concepts
    - When you get back to the office:
      - Take a development manager to lunch
      - Find out how they manage their workload
      - Find out their big process/tool initiatives for the next quarter/year
    - In the next 3-6 months:
      - Run some lightweight metrics to see if your app security program “makes sense”
      - Run some security “lunch and learn” events for developers
  • 31. And We’ll Close with This
  • 32. Contact: Dan Cornell, CTO, Denim Group, dan@denimgroup.com, @danielcornell