MIKE SHEMA Effective appsec emerges from DevSecOps tactics like feedback loops, automation, and the flexibility to respond to situations quickly. These tactics emphasize process and tools, sometimes neglecting the knowledge and skills of working with others to build and maintain apps. And the solutions they strive for don’t always catch the importance of how different users can have different threat models. On the technology side of appsec we have clouds, top 10 lists, and tools. But we haven’t built up equivalent resources, references, or models for the people we build apps with and who we build them for. This presentation dives into specific techniques and references for working with people and building threat models that go beyond basic technical concerns. Tabletop role-playing games are a great model for understanding and building skills that are important to DevSecOps teams. They encourage communication, collaboration, and the achievement of shared goals. And they also face the same challenges in solving conflicts, avoiding derailing behaviors, and ensuring everyone participates. Come discover how RPGs can positively influence your security teams. Security is an integral part of DevSecOps. And, yes, it’s made of people.

1. LONDON 18-19 OCT 2018
Mike Shema
@CodexWebSecurum
Building Effective DevSecOps
Teams Through Role-Playing Games

3. The Masquerade: Second Edition. White Wolf Game Studio. 1997.

4. Monstrously Manual
As we treat infrastructure as code and
make code more human-readable, we
must still find ways to read humans.

5. DevOps
Automation
Required to scale.
Establishes consistency.
Enables confident iteration.

6. Dev[Sec]Ops
People
Working with them.
Working for them.
Building for them.

7. Actual Problem Ignored
Users are stupid.
Devs are lazy.
Vuln equals risk.
https://www.usenix.org/legacy/publications/library/proceedings/sec99/whitten.html

8. Fantasy Campaign Setting
User Intelligence -2; Wisdom -2
Developer Intelligence -2; Wisdom -2

9. Collaborative
story-telling
Shared goals
Communication
exercises

10. Barbarian
Fighter
Magic-User
Thief
Cleric
Ranger
Bard
Coder, Sysadmin
DevOps
DevOps at scale
Red Team
Blue Team
Threat Hunting
CISO

11. The Masquerade: Second Edition. White Wolf Game Studio. 1997.

12. Communication
Empathy
Threats
Shared
Vocabulary

13. Communication
Listen
Acknowledge
Repeat back

14. Empathy
Broaden understanding
Reconsider viewpoints
Improve solutions
Constructive feedback

15. Threats
Ambiguity
Blame
Erasure
Essentializing

16. Codes of Conduct
Set expectations, standards of behavior.
Describe a path for conflict resolution,
define consequences.
Foster participation.
Example: https://golang.org/conduct

17. https://captainawkward.com

18. RPG
Threat
Models

19. Roll for initiative.
Split the party.
Touch the statue.
Attack the darkness.

20. A Fiendish Folio
Abuse, directed or distributed
Asymmetric costs of effort or attention
Forced participation
Security as a cost
Privacy*
*Summons 2d6 more privacy demons

21. …and more fiends
Asymmetric features
Unexpected design
AR and VR vectors

22. DevTruSafOps
Ratings without context or with irrelevant
context.
Reputational damage. Reputational abuse.
Involuntary participation, added to list of X,
added to repo of Y.

23. DevPrivOps
Metadata leaks
De-anonymization
of identity
De-aggregation of
cohorts

24. Privacy by
Design
Coarseness of data.
Storage of data.
Use of data.

25. Protocols &
Ceremonies

26. Ceremonies
How are users included in the system?
How are they modeled, what is expected
of them?
Do they have the tools, knowledge, skills
to accomplish what’s expected?
https://eprint.iacr.org/2007/399.pdf

27. Attacking the Darkness
Ambiguity in design, omitting the user.
Assuming a uniform user.
Not perceiving a user’s threat model.
Not measuring a ceremony’s effectiveness.

28. Metrics: The Observation

29. Build a Story (Cautiously)
Ask an interesting & relevant question.
Collect signals, beware silence.
Create metrics, beware tunnel vision.
Create a story, beware myth.

31. 50% of Findings

32. Threats
Lack of signals
Unrepresentative signals
Tunnel vision
Information bias & many more cognitive
biases
https://www.businessinsider.com/cognitive-biases-affect-decisions-2015-8/

33. Unearthing Arcana
What we measure also reflects what we
care about.
What we care about also reflects on our
environment.

34. Mind Flayer
RPGs continue to evolve.
Cliques, in-groups, and gate-
keeping are threats to any
social group.
Not everyone is familiar with
RPGs.

35. Tabletop Exercises
Scenario
Objectives
Participants
Rules & Scope
Referee
Reduces stress
Enables learning
Practices ceremonies
Generates feedback

36. The CTO directs a DevOps team member to
improve analytics. They export a production
DB into a 3rd-party business intelligence tool
for a proof-of-concept.
They grant access to every team member.
The data includes password hashes.

37. Create relevant scenarios.
Attack the objective, not
the scenario.
Review feedback on
people, process, & tools.
Review feedback on rules
& rulings.

38. RPG Interpersonal Skills
Compromise
Negotiation
Patience
Team-building

39. Made by people
Made for people
Made of people
Soylent
Soylent
Soylent

41. @CodexWebSecurum

42. Appendix N
https://www.usenix.org/legacy/publications/library/proceedings/sec99/
whitten.html
https://eprint.iacr.org/2007/399.pdf
https://captainawkward.com
https://www.crashoverridenetwork.com
https://geekfeminism.wikia.com/wiki/Category:Concepts
https://tallpoppy.io
https://businessinsider.com/cognitive-biases-affect-decisions-2015-8/
https://www.contributor-covenant.org/version/1/4/code-of-conduct

43. –Tron, TRON
“I don't wanna bust out of here
and find nothing but a lot of
cold circuits waiting for me.”

44. LONDON 18-19 OCT 2018
end of line.