SlideShare a Scribd company logo

Farewell to the Security Sandwich

Thoughtworks
Thoughtworks

While some are still recovering from treating security as a second-class citizen, the rise of agile and lean methodologies have opened a door for information security into software development with an opportunity to arrange security along the team's value stream. Teams that write secure software often do so because of the efforts of individuals. This talk dives into the mindset, tools, and ceremonies necessary to systematically create a culture around information security.

Software
1 of 14
Download to read offline
Farewell to the Security Sandwich Felix Hammerl
News comes first ... … then comes the shock 2013 20142012 2015 2016 146 days 99 days416 days 205 days
The Security Sandwich INCEPTION DEVELOPMENT GO-LIVE Security Requirements, Infrastructure Hardening, Compliance & Policies Iterative Agile Methodology, Insights, Pivots Perpetual Requirement Renegotiation Code Reviews, Penetration Testing Security assurance often gets lost somewhere along this path.
Everybody wants to be secure – but from what?
Calculus of Negligence Probability Criticality Exposure Used to quantify disaster scenarios. Useful for exposure. Not directly actionable.
Your job is to facilitate the business to operate in an as-assured-as-possible manner, given the actual mission of the business [and] [...] providing that context for people that aren’t security professionals as well as those that are: “Here’s how important this thing is in the grand scheme of things.” - Bruce Potter
Assets Valuable goods of physical or immaterial nature. Have value for both the organization and the attacker. Targets for both deliberate and negligent threats ● SECURITY GOALS Stem from business, legal, and regulatory contexts ● DISASTER SCENARIOS Result from security goals being violated. ● EXPOSURE Experience, analogy from events at competitors, or jurisdiction.
Where does security “happen”?
EPIC ASK Analysis Breaking down epics into stories Development Where stories become deliverables QA Where deliverables are reviewed Deployment Deliverables become functionality NEED WISH REQUEST NEED REQUEST DEMAND Discussions Verbalization of functionality EPICEPIC STORYSTORY SPIKE STORY STORY COMMIT COMMIT COMMIT COMMIT COMMIT BUGFIX COMMIT BUGFIX Requirements Molding needs into epics ISSUE TICKET DOCKER DOCKER DOCKER DOCKER DOCKER SERVICE SPIKE SERVICE SERVICE SERVICE BUG SERVICE DOCKER SERVICE SERVICE COMMITCOMMIT COMMIT COMMIT Path to Production
Which assets do we touch? Does this change our attack surface? How valuable are the assets? What (new) components touch the assets? How could we be attacked? What would be the impact? How? Mitigate? Identify? Protect? Detect? Respond? Recover? Transfer? Avoid? Accept? What are the alternatives? Keep a record of the security debt! ASSETS THREAT MODELING ACTIONS (+ PO) FOLLOW UP Analysis: Definition of Ready
Analysis: Threat Modeling Add security requirements as CFRs to stories and epics. SCENARIO-BASED Uses the team’s collective experience of the product to be developed. EXPLORATORY Analysis of a fictional disaster scenario back to the asset based on Attack Trees AGILE Timeboxed STRIDE exercises to analyze the delta in functionality from the current or next period, e.g. a sprint.
New vulnerabilities are continuously discovered Automate scanning your libraries, frameworks Vulnerabilities also exist in containers Automate scanning your containers Fix-forward Automate keeping them up to date Test and aggressively integrate releases DEPENDENCIES CVEs CONTAINERS Development: Ease through automation
VISUALIZE HEALTH Visualize and aggressively pay off tech debt Rotate firefighter role Collective ownership for the ugly code bits Log indexable data structures, not strings Inspect logs faster Correlate logs across systems Important real-world metrics at a glance Create shared responsibility for your system’s fitness to deliver value Understand when things go wrong Standard Operating Procedures Use alerting STRUCTURE & CORRELATE LOGS NOMINAL vs ERRONEOUS BEHAVIOR SHIFT SECURITY LEFT Live: Know your system
Felix Hammerl Thank you @felixhammerl

Recommended

A holistic view_of_enterprise_security
A holistic view_of_enterprise_securityA holistic view_of_enterprise_security
A holistic view_of_enterprise_security
ehawk01
 
Carbon Black: Justifying the Value of Endpoint Security
Carbon Black: Justifying the Value of Endpoint SecurityCarbon Black: Justifying the Value of Endpoint Security
Carbon Black: Justifying the Value of Endpoint Security
Mighty Guides, Inc.
 
Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US ...
Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US ...Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US ...
Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US ...
David Etue
 
Fixing security in the cloud, you can't secure what you cannot see 11 oct2019
Fixing security in the cloud, you can't secure what you cannot see 11 oct2019Fixing security in the cloud, you can't secure what you cannot see 11 oct2019
Fixing security in the cloud, you can't secure what you cannot see 11 oct2019
Eturnti Consulting Pvt Ltd
 
Cyber Security Management in a Highly Innovative World
Cyber Security Management in a Highly Innovative WorldCyber Security Management in a Highly Innovative World
Cyber Security Management in a Highly Innovative World
SafeNet
 
Threat modeling (Hacker Stories) workshop
Threat modeling (Hacker Stories) workshopThreat modeling (Hacker Stories) workshop
Threat modeling (Hacker Stories) workshop
Ty Sbano
 
DevOpsDays Taipei 2019 - 新創導入資安?從 DevSecOps 開始
DevOpsDays Taipei 2019 - 新創導入資安?從 DevSecOps 開始DevOpsDays Taipei 2019 - 新創導入資安?從 DevSecOps 開始
DevOpsDays Taipei 2019 - 新創導入資安?從 DevSecOps 開始
Secview
 
Keynote Session : NIST - Cyber Security Framework Measuring Security
Keynote Session : NIST - Cyber Security Framework Measuring SecurityKeynote Session : NIST - Cyber Security Framework Measuring Security
Keynote Session : NIST - Cyber Security Framework Measuring Security
Priyanka Aash
 

Recommended

A holistic view_of_enterprise_security
A holistic view_of_enterprise_securityA holistic view_of_enterprise_security
A holistic view_of_enterprise_security
ehawk01
 
Carbon Black: Justifying the Value of Endpoint Security
Carbon Black: Justifying the Value of Endpoint SecurityCarbon Black: Justifying the Value of Endpoint Security
Carbon Black: Justifying the Value of Endpoint Security
Mighty Guides, Inc.
 
Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US ...
Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US ...Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US ...
Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US ...
David Etue
 
Fixing security in the cloud, you can't secure what you cannot see 11 oct2019
Fixing security in the cloud, you can't secure what you cannot see 11 oct2019Fixing security in the cloud, you can't secure what you cannot see 11 oct2019
Fixing security in the cloud, you can't secure what you cannot see 11 oct2019
Eturnti Consulting Pvt Ltd
 
Cyber Security Management in a Highly Innovative World
Cyber Security Management in a Highly Innovative WorldCyber Security Management in a Highly Innovative World
Cyber Security Management in a Highly Innovative World
SafeNet
 
Threat modeling (Hacker Stories) workshop
Threat modeling (Hacker Stories) workshopThreat modeling (Hacker Stories) workshop
Threat modeling (Hacker Stories) workshop
Ty Sbano
 
DevOpsDays Taipei 2019 - 新創導入資安?從 DevSecOps 開始
DevOpsDays Taipei 2019 - 新創導入資安?從 DevSecOps 開始DevOpsDays Taipei 2019 - 新創導入資安?從 DevSecOps 開始
DevOpsDays Taipei 2019 - 新創導入資安?從 DevSecOps 開始
Secview
 
Keynote Session : NIST - Cyber Security Framework Measuring Security
Keynote Session : NIST - Cyber Security Framework Measuring SecurityKeynote Session : NIST - Cyber Security Framework Measuring Security
Keynote Session : NIST - Cyber Security Framework Measuring Security
Priyanka Aash
 
NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF) NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF)
Priyanka Aash
 
The Rise of the Vulnerability Markets - History, Impacts, Mitigations - Thier...
The Rise of the Vulnerability Markets - History, Impacts, Mitigations - Thier...The Rise of the Vulnerability Markets - History, Impacts, Mitigations - Thier...
The Rise of the Vulnerability Markets - History, Impacts, Mitigations - Thier...
Thierry Zoller
 
Proactive Security - Principled Aspiration or Marketing Buzzword?
Proactive Security - Principled Aspiration or Marketing Buzzword?Proactive Security - Principled Aspiration or Marketing Buzzword?
Proactive Security - Principled Aspiration or Marketing Buzzword?
nathan816428
 
Tenable: Economic, Operational and Strategic Benefits of Security Framework A...
Tenable: Economic, Operational and Strategic Benefits of Security Framework A...Tenable: Economic, Operational and Strategic Benefits of Security Framework A...
Tenable: Economic, Operational and Strategic Benefits of Security Framework A...
Mighty Guides, Inc.
 
WHY SOC Services needed?
WHY SOC Services needed?WHY SOC Services needed?
WHY SOC Services needed?
manoharparakh
 
Responding to and recovering from sophisticated security attacks
Responding to and recovering from sophisticated security attacksResponding to and recovering from sophisticated security attacks
Responding to and recovering from sophisticated security attacks
IBM
 
Shift Left Security – Guidance on embedding security for a Digital Transforma...
Shift Left Security – Guidance on embedding security for a Digital Transforma...Shift Left Security – Guidance on embedding security for a Digital Transforma...
Shift Left Security – Guidance on embedding security for a Digital Transforma...
Yazad Khandhadia
 
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and MobilityNot Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
SafeNet
 
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout SessionSplunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk
 
Justifying Security Investment
Justifying Security InvestmentJustifying Security Investment
Justifying Security InvestmentJojo Colina
 
Cyber Security Testing
Cyber Security TestingCyber Security Testing
Cyber Security Testing
PECB
 
Cyber Security testing in an agile environment
Cyber Security testing in an agile environmentCyber Security testing in an agile environment
Cyber Security testing in an agile environment
Arthur Donkers
 
Agile Relevance in the age of Continuous Everything ....
Agile Relevance in the age of Continuous Everything ....Agile Relevance in the age of Continuous Everything ....
Agile Relevance in the age of Continuous Everything ....
Eturnti Consulting Pvt Ltd
 
REDUCING CYBER EXPOSURE From Cloud to Containers
REDUCING CYBER EXPOSURE From Cloud to ContainersREDUCING CYBER EXPOSURE From Cloud to Containers
REDUCING CYBER EXPOSURE From Cloud to Containers
artseremis
 
Carbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down AttacksCarbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down Attacks
Mighty Guides, Inc.
 
Building Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT PracticesBuilding Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT Practices
Mighty Guides, Inc.
 
The Future of Software Security Assurance
The Future of Software Security AssuranceThe Future of Software Security Assurance
The Future of Software Security Assurance
Rafal Los
 
The Perils that PCI brings to Security
The Perils that PCI brings to SecurityThe Perils that PCI brings to Security
The Perils that PCI brings to Security
Tripwire
 
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply Chain
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply ChainSFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply Chain
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply Chain
South Tyrol Free Software Conference
 
Zero Trust vs Defense in Depth
Zero Trust vs Defense in DepthZero Trust vs Defense in Depth
Zero Trust vs Defense in Depth
CIO Talk Network
 
Design System as a Product
Design System as a ProductDesign System as a Product
Design System as a Product
Thoughtworks
 
Designers, Developers & Dogs
Designers, Developers & DogsDesigners, Developers & Dogs
Designers, Developers & Dogs
Thoughtworks
 

More Related Content

Similar to Farewell to the Security Sandwich

NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF) NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF)
Priyanka Aash
 
The Rise of the Vulnerability Markets - History, Impacts, Mitigations - Thier...
The Rise of the Vulnerability Markets - History, Impacts, Mitigations - Thier...The Rise of the Vulnerability Markets - History, Impacts, Mitigations - Thier...
The Rise of the Vulnerability Markets - History, Impacts, Mitigations - Thier...
Thierry Zoller
 
Proactive Security - Principled Aspiration or Marketing Buzzword?
Proactive Security - Principled Aspiration or Marketing Buzzword?Proactive Security - Principled Aspiration or Marketing Buzzword?
Proactive Security - Principled Aspiration or Marketing Buzzword?
nathan816428
 
Tenable: Economic, Operational and Strategic Benefits of Security Framework A...
Tenable: Economic, Operational and Strategic Benefits of Security Framework A...Tenable: Economic, Operational and Strategic Benefits of Security Framework A...
Tenable: Economic, Operational and Strategic Benefits of Security Framework A...
Mighty Guides, Inc.
 
WHY SOC Services needed?
WHY SOC Services needed?WHY SOC Services needed?
WHY SOC Services needed?
manoharparakh
 
Responding to and recovering from sophisticated security attacks
Responding to and recovering from sophisticated security attacksResponding to and recovering from sophisticated security attacks
Responding to and recovering from sophisticated security attacks
IBM
 
Shift Left Security – Guidance on embedding security for a Digital Transforma...
Shift Left Security – Guidance on embedding security for a Digital Transforma...Shift Left Security – Guidance on embedding security for a Digital Transforma...
Shift Left Security – Guidance on embedding security for a Digital Transforma...
Yazad Khandhadia
 
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and MobilityNot Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
SafeNet
 
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout SessionSplunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk
 
Justifying Security Investment
Justifying Security InvestmentJustifying Security Investment
Justifying Security InvestmentJojo Colina
 
Cyber Security Testing
Cyber Security TestingCyber Security Testing
Cyber Security Testing
PECB
 
Cyber Security testing in an agile environment
Cyber Security testing in an agile environmentCyber Security testing in an agile environment
Cyber Security testing in an agile environment
Arthur Donkers
 
Agile Relevance in the age of Continuous Everything ....
Agile Relevance in the age of Continuous Everything ....Agile Relevance in the age of Continuous Everything ....
Agile Relevance in the age of Continuous Everything ....
Eturnti Consulting Pvt Ltd
 
REDUCING CYBER EXPOSURE From Cloud to Containers
REDUCING CYBER EXPOSURE From Cloud to ContainersREDUCING CYBER EXPOSURE From Cloud to Containers
REDUCING CYBER EXPOSURE From Cloud to Containers
artseremis
 
Carbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down AttacksCarbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down Attacks
Mighty Guides, Inc.
 
Building Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT PracticesBuilding Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT Practices
Mighty Guides, Inc.
 
The Future of Software Security Assurance
The Future of Software Security AssuranceThe Future of Software Security Assurance
The Future of Software Security Assurance
Rafal Los
 
The Perils that PCI brings to Security
The Perils that PCI brings to SecurityThe Perils that PCI brings to Security
The Perils that PCI brings to Security
Tripwire
 
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply Chain
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply ChainSFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply Chain
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply Chain
South Tyrol Free Software Conference
 
Zero Trust vs Defense in Depth
Zero Trust vs Defense in DepthZero Trust vs Defense in Depth
Zero Trust vs Defense in Depth
CIO Talk Network
 

Similar to Farewell to the Security Sandwich (20)

NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF) NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF)
 
The Rise of the Vulnerability Markets - History, Impacts, Mitigations - Thier...
The Rise of the Vulnerability Markets - History, Impacts, Mitigations - Thier...The Rise of the Vulnerability Markets - History, Impacts, Mitigations - Thier...
The Rise of the Vulnerability Markets - History, Impacts, Mitigations - Thier...
 
Proactive Security - Principled Aspiration or Marketing Buzzword?
Proactive Security - Principled Aspiration or Marketing Buzzword?Proactive Security - Principled Aspiration or Marketing Buzzword?
Proactive Security - Principled Aspiration or Marketing Buzzword?
 
Tenable: Economic, Operational and Strategic Benefits of Security Framework A...
Tenable: Economic, Operational and Strategic Benefits of Security Framework A...Tenable: Economic, Operational and Strategic Benefits of Security Framework A...
Tenable: Economic, Operational and Strategic Benefits of Security Framework A...
 
WHY SOC Services needed?
WHY SOC Services needed?WHY SOC Services needed?
WHY SOC Services needed?
 
Responding to and recovering from sophisticated security attacks
Responding to and recovering from sophisticated security attacksResponding to and recovering from sophisticated security attacks
Responding to and recovering from sophisticated security attacks
 
Shift Left Security – Guidance on embedding security for a Digital Transforma...
Shift Left Security – Guidance on embedding security for a Digital Transforma...Shift Left Security – Guidance on embedding security for a Digital Transforma...
Shift Left Security – Guidance on embedding security for a Digital Transforma...
 
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and MobilityNot Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
 
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout SessionSplunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout Session
 
Justifying Security Investment
Justifying Security InvestmentJustifying Security Investment
Justifying Security Investment
 
Cyber Security Testing
Cyber Security TestingCyber Security Testing
Cyber Security Testing
 
Cyber Security testing in an agile environment
Cyber Security testing in an agile environmentCyber Security testing in an agile environment
Cyber Security testing in an agile environment
 
Agile Relevance in the age of Continuous Everything ....
Agile Relevance in the age of Continuous Everything ....Agile Relevance in the age of Continuous Everything ....
Agile Relevance in the age of Continuous Everything ....
 
REDUCING CYBER EXPOSURE From Cloud to Containers
REDUCING CYBER EXPOSURE From Cloud to ContainersREDUCING CYBER EXPOSURE From Cloud to Containers
REDUCING CYBER EXPOSURE From Cloud to Containers
 
Carbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down AttacksCarbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down Attacks
 
Building Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT PracticesBuilding Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT Practices
 
The Future of Software Security Assurance
The Future of Software Security AssuranceThe Future of Software Security Assurance
The Future of Software Security Assurance
 
The Perils that PCI brings to Security
The Perils that PCI brings to SecurityThe Perils that PCI brings to Security
The Perils that PCI brings to Security
 
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply Chain
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply ChainSFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply Chain
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply Chain
 
Zero Trust vs Defense in Depth
Zero Trust vs Defense in DepthZero Trust vs Defense in Depth
Zero Trust vs Defense in Depth
 

More from Thoughtworks

Design System as a Product
Design System as a ProductDesign System as a Product
Design System as a Product
Thoughtworks
 
Designers, Developers & Dogs
Designers, Developers & DogsDesigners, Developers & Dogs
Designers, Developers & Dogs
Thoughtworks
 
Cloud-first for fast innovation
Cloud-first for fast innovationCloud-first for fast innovation
Cloud-first for fast innovation
Thoughtworks
 
More impact with flexible teams
More impact with flexible teamsMore impact with flexible teams
More impact with flexible teams
Thoughtworks
 
Culture of Innovation
Culture of InnovationCulture of Innovation
Culture of Innovation
Thoughtworks
 
Dual-Track Agile
Dual-Track AgileDual-Track Agile
Dual-Track Agile
Thoughtworks
 
Developer Experience
Developer ExperienceDeveloper Experience
Developer Experience
Thoughtworks
 
When we design together
When we design togetherWhen we design together
When we design together
Thoughtworks
 
Hardware is hard(er)
Hardware is hard(er)Hardware is hard(er)
Hardware is hard(er)
Thoughtworks
 
Customer-centric innovation enabled by cloud
Customer-centric innovation enabled by cloud Customer-centric innovation enabled by cloud
Customer-centric innovation enabled by cloud
Thoughtworks
 
Amazon's Culture of Innovation
Amazon's Culture of InnovationAmazon's Culture of Innovation
Amazon's Culture of Innovation
Thoughtworks
 
When in doubt, go live
When in doubt, go liveWhen in doubt, go live
When in doubt, go live
Thoughtworks
 
Don't cross the Rubicon
Don't cross the RubiconDon't cross the Rubicon
Don't cross the Rubicon
Thoughtworks
 
Error handling
Error handlingError handling
Error handling
Thoughtworks
 
Your test coverage is a lie!
Your test coverage is a lie!Your test coverage is a lie!
Your test coverage is a lie!
Thoughtworks
 
Docker container security
Docker container securityDocker container security
Docker container security
Thoughtworks
 
Redefining the unit
Redefining the unitRedefining the unit
Redefining the unit
Thoughtworks
 
Technology Radar Webinar UK - Vol. 22
Technology Radar Webinar UK - Vol. 22Technology Radar Webinar UK - Vol. 22
Technology Radar Webinar UK - Vol. 22
Thoughtworks
 
A Tribute to Turing
A Tribute to TuringA Tribute to Turing
A Tribute to Turing
Thoughtworks
 
Rsa maths worked out
Rsa maths worked outRsa maths worked out
Rsa maths worked out
Thoughtworks
 

More from Thoughtworks (20)

Design System as a Product
Design System as a ProductDesign System as a Product
Design System as a Product
 
Designers, Developers & Dogs
Designers, Developers & DogsDesigners, Developers & Dogs
Designers, Developers & Dogs
 
Cloud-first for fast innovation
Cloud-first for fast innovationCloud-first for fast innovation
Cloud-first for fast innovation
 
More impact with flexible teams
More impact with flexible teamsMore impact with flexible teams
More impact with flexible teams
 
Culture of Innovation
Culture of InnovationCulture of Innovation
Culture of Innovation
 
Dual-Track Agile
Dual-Track AgileDual-Track Agile
Dual-Track Agile
 
Developer Experience
Developer ExperienceDeveloper Experience
Developer Experience
 
When we design together
When we design togetherWhen we design together
When we design together
 
Hardware is hard(er)
Hardware is hard(er)Hardware is hard(er)
Hardware is hard(er)
 
Customer-centric innovation enabled by cloud
Customer-centric innovation enabled by cloud Customer-centric innovation enabled by cloud
Customer-centric innovation enabled by cloud
 
Amazon's Culture of Innovation
Amazon's Culture of InnovationAmazon's Culture of Innovation
Amazon's Culture of Innovation
 
When in doubt, go live
When in doubt, go liveWhen in doubt, go live
When in doubt, go live
 
Don't cross the Rubicon
Don't cross the RubiconDon't cross the Rubicon
Don't cross the Rubicon
 
Error handling
Error handlingError handling
Error handling
 
Your test coverage is a lie!
Your test coverage is a lie!Your test coverage is a lie!
Your test coverage is a lie!
 
Docker container security
Docker container securityDocker container security
Docker container security
 
Redefining the unit
Redefining the unitRedefining the unit
Redefining the unit
 
Technology Radar Webinar UK - Vol. 22
Technology Radar Webinar UK - Vol. 22Technology Radar Webinar UK - Vol. 22
Technology Radar Webinar UK - Vol. 22
 
A Tribute to Turing
A Tribute to TuringA Tribute to Turing
A Tribute to Turing
 
Rsa maths worked out
Rsa maths worked outRsa maths worked out
Rsa maths worked out
 

Recently uploaded

Enterprise Software Development with No Code Solutions.pptx
Enterprise Software Development with No Code Solutions.pptxEnterprise Software Development with No Code Solutions.pptx
Enterprise Software Development with No Code Solutions.pptx
QuickwayInfoSystems3
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Globus
 
Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"
Donna Lenk
 
Text-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptx
Text-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptxText-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptx
Text-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptx
ShamsuddeenMuhammadA
 
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
Juraj Vysvader
 
Vitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdfVitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Globus
 
Understanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSageUnderstanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSage
Globus
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
Ortus Solutions, Corp
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus
 
APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)
Boni García
 
First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
Globus
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
informapgpstrackings
 
A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
Philip Schwarz
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Natan Silnitsky
 
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume MontevideoVitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke
 
Top 7 Unique WhatsApp API Benefits | Saudi Arabia
Top 7 Unique WhatsApp API Benefits | Saudi ArabiaTop 7 Unique WhatsApp API Benefits | Saudi Arabia
Top 7 Unique WhatsApp API Benefits | Saudi Arabia
Yara Milbes
 
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteAI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
Google
 
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
Paco van Beckhoven
 

Recently uploaded (20)

Enterprise Software Development with No Code Solutions.pptx
Enterprise Software Development with No Code Solutions.pptxEnterprise Software Development with No Code Solutions.pptx
Enterprise Software Development with No Code Solutions.pptx
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
 
Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"
 
Text-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptx
Text-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptxText-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptx
Text-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptx
 
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
 
Vitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdfVitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdf
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
 
Understanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSageUnderstanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSage
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
 
APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)
 
First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
 
A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
 
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume MontevideoVitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume Montevideo
 
Top 7 Unique WhatsApp API Benefits | Saudi Arabia
Top 7 Unique WhatsApp API Benefits | Saudi ArabiaTop 7 Unique WhatsApp API Benefits | Saudi Arabia
Top 7 Unique WhatsApp API Benefits | Saudi Arabia
 
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteAI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
 
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology Solutions
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
 

Farewell to the Security Sandwich

  • 1. Farewell to the Security Sandwich Felix Hammerl
  • 2. News comes first ... … then comes the shock 2013 20142012 2015 2016 146 days 99 days416 days 205 days
  • 3. The Security Sandwich INCEPTION DEVELOPMENT GO-LIVE Security Requirements, Infrastructure Hardening, Compliance & Policies Iterative Agile Methodology, Insights, Pivots Perpetual Requirement Renegotiation Code Reviews, Penetration Testing Security assurance often gets lost somewhere along this path.
  • 4. Everybody wants to be secure – but from what?
  • 5. Calculus of Negligence Probability Criticality Exposure Used to quantify disaster scenarios. Useful for exposure. Not directly actionable.
  • 6. Your job is to facilitate the business to operate in an as-assured-as-possible manner, given the actual mission of the business [and] [...] providing that context for people that aren’t security professionals as well as those that are: “Here’s how important this thing is in the grand scheme of things.” - Bruce Potter
  • 7. Assets Valuable goods of physical or immaterial nature. Have value for both the organization and the attacker. Targets for both deliberate and negligent threats ● SECURITY GOALS Stem from business, legal, and regulatory contexts ● DISASTER SCENARIOS Result from security goals being violated. ● EXPOSURE Experience, analogy from events at competitors, or jurisdiction.
  • 9. EPIC ASK Analysis Breaking down epics into stories Development Where stories become deliverables QA Where deliverables are reviewed Deployment Deliverables become functionality NEED WISH REQUEST NEED REQUEST DEMAND Discussions Verbalization of functionality EPICEPIC STORYSTORY SPIKE STORY STORY COMMIT COMMIT COMMIT COMMIT COMMIT BUGFIX COMMIT BUGFIX Requirements Molding needs into epics ISSUE TICKET DOCKER DOCKER DOCKER DOCKER DOCKER SERVICE SPIKE SERVICE SERVICE SERVICE BUG SERVICE DOCKER SERVICE SERVICE COMMITCOMMIT COMMIT COMMIT Path to Production
  • 10. Which assets do we touch? Does this change our attack surface? How valuable are the assets? What (new) components touch the assets? How could we be attacked? What would be the impact? How? Mitigate? Identify? Protect? Detect? Respond? Recover? Transfer? Avoid? Accept? What are the alternatives? Keep a record of the security debt! ASSETS THREAT MODELING ACTIONS (+ PO) FOLLOW UP Analysis: Definition of Ready
  • 11. Analysis: Threat Modeling Add security requirements as CFRs to stories and epics. SCENARIO-BASED Uses the team’s collective experience of the product to be developed. EXPLORATORY Analysis of a fictional disaster scenario back to the asset based on Attack Trees AGILE Timeboxed STRIDE exercises to analyze the delta in functionality from the current or next period, e.g. a sprint.
  • 12. New vulnerabilities are continuously discovered Automate scanning your libraries, frameworks Vulnerabilities also exist in containers Automate scanning your containers Fix-forward Automate keeping them up to date Test and aggressively integrate releases DEPENDENCIES CVEs CONTAINERS Development: Ease through automation
  • 13. VISUALIZE HEALTH Visualize and aggressively pay off tech debt Rotate firefighter role Collective ownership for the ugly code bits Log indexable data structures, not strings Inspect logs faster Correlate logs across systems Important real-world metrics at a glance Create shared responsibility for your system’s fitness to deliver value Understand when things go wrong Standard Operating Procedures Use alerting STRUCTURE & CORRELATE LOGS NOMINAL vs ERRONEOUS BEHAVIOR SHIFT SECURITY LEFT Live: Know your system