How to effectively plan and use people, process and technology controls within Information Security to influence Culture during a Digital Transformation
Shift Left Security – Guidance on embedding security for a Digital Transformation in the Financial Industry
1. Shift Left Security – Guidance on embedding security for a Digital Transformation in the Financial Industry
Yazad Khandhadia, VP, Security Architecture & Engineering, Emirates NBD
@YazKay2
https://www.linkedin.com/in/yazadk/
2. Agenda
• Intro: Typical Digital Transformation Challenges in Security: The Dialogue
• Challenges & Solutions: A Snapshot (via a High Level View)
• Creating a Belief System: Shift Left/Rugged/Whatever You Wanna Call It
• Challenges & Solutions: Deep Dives – People, Process & Technology
• Measuring Success: Metrics & Our Success Story
• End Notes
• Outro – Q & A
3. Typical Digital Transformation Challenges in Security – Classic Dialogues
DEVELOPER + INFRA + DEVOPS + ARCH
“we don’t have the freedom to use our tools”
“we develop, deploy faster, you need to review faster”
“we need to explore Open Source; licensing is killing us”
“It’s release day, we need sign-offs!”
“I have too much pressure”
CYBER/INFORMATION SECURITY
“some tools are dangerous; we deny”
“there is only so much we can do”
“open source is insecure”
“you came to me last minute”
“I have to answer to regulators, internal audit and risk”
5. Challenges & Solutions: A Snapshot
Phase 1 (Q4 2017) | Phase 2 (Q1-Q4 2018) | Phase 3 (Q1-Q4 2019) | Phase 4 (Q1-Q4 2020)
AMBIGUITY/TOO MUCH FLUX / THINGS CHANGE VERY QUICKLY + LOTS OF NEW TECH
AGILITY + FLEXIBILITY + ECOSYSTEMS (LEGACY/HETEROGENEOUS) + OPTIMIZE COSTS + DEVELOPER EXP
PEOPLE: UNLEARN TRADITIONAL + Hire Awesome Talent + Coach /Train Talent + Build Awareness
PROCESS: Agile Runbook (Socialize Security) + Security Engagement Model + Build Patterns
TECHNOLOGY/TOOLING: Interim State – Manual Reviews | Target State: e.g. 80% Security Automation
INNOVATE: THINK NEW + Embed Security as Code + Build Security as a Service (via APIs)
PLAN | DO (EXECUTE) | CHECK (MONITOR) | ACT (IMPROVE)
6. We built our belief system within Security: Our Manifesto*
Leaning in over Always Saying “No”: Help the Developer solve the problem;
Data & Security Science over Fear, Uncertainty and Doubt (FUD): Convince using FACTS
Open Contribution & Collaboration over Security-Only Requirements: Don't say “it's your problem”; instead say “how can I help you”
Consumable Security Services with APIs over Mandated Security Controls & Paperwork: Build Security APIs
Business Driven Security Scores over Rubber Stamp Security: Show real risk
Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities: Convince with exploits
24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident: Build this in patterns/stories
Shared Threat Intelligence over Keeping Info to Ourselves: With IT-Ops, Audit and Fraud/Risk & Business teams
Compliance Operations over Clipboards & Checklists: We are still trying to figure this out
* Taken from devsecops.org
7. Executing Our Belief System: Shift Left / Rugged DevOps
Key Takeaway: Finding flaws EARLY and Fixing them EARLY has massive benefits – Reducing Risk & Cost
8. Shift Left: Hiring Good Talent
KEY TAKEAWAYS:
• TAKE MATTERS INTO YOUR OWN HANDS
• DESIGN YOUR OWN CUSTOM CRITERIA & TESTS
• COMMUNICATION, COLLABORATION & DECISION MAKING SKILLS ARE KEY
• PASSION & PERSEVERANCE ARE VITAL – TELL PERSONNEL TO EXPECT LATE NIGHTS!
• HIRE JACK OF ALL TRADES – HELPS WITH ADAPTABILITY & AMBIGUITY
• HIRE EMPATHETIC/INNOVATIVE PERSONNEL
• ALL SECURITY PERSONNEL MUST KNOW HOW AGILE WORKS & AGILE TERMINOLOGY (e.g. DOD, MVP, etc.)
9. Shift Left: Help Developers & DevOps
KEY TAKEAWAYS:
• DEVSECOPS MUST TALK TO DEVS MORE OFTEN WITHIN SQUADS
• DEVSECOPS SIT IN THE SQUAD THE WHOLE TIME – IT’S LIKE THEIR FAMILY
• DEVSECOPS MUST “GUIDE” DEVELOPERS – NOT JUST DUMP REPORTS ON THEM
• DEVSECOPS MUST NOT “BE CONDESCENDING”; THEY NEED TO “BE UNDERSTANDING & EMPATHETIC”
• DEVSECOPS MUST COMMUNICATE KEY SECURITY REQUIREMENTS, DECISIONS & RISKS EARLY
• DEVSECOPS MUST TRACK DEFECTS & REPORT THEM SO THAT SECURITY AWARENESS CAN BE “TARGETED”
“We will operate like developers to make security and compliance available to be consumed as services. We will unlock and unblock new paths to help others see their ideas become a reality”
“We will learn the loopholes, look for weaknesses, and we will work with you to provide remediation actions instead of long lists of problems for you to solve on your own”
“Rugged organizations create secure code as a byproduct of their culture”
“Rugged describes software development organizations that have a culture of rapidly evolving their ability to create available, survivable, defensible, secure, and resilient software. Rugged organizations use competition, cooperation, and experimentation to learn and improve rather than making the same mistakes over and over”
* Quotes from https://www.devsecops.org/ & https://ruggedsoftware.org/
10. Shift Left: Help Developers & DevOps – Educating Developers
KEY TAKEAWAYS:
• GET BUY-IN FROM HEAD OF DEVELOPMENT / DEV CHAPTER HEAD & LEARNING & DEVELOPMENT DEPARTMENTS FOR BUDGETS
• RUN REGULAR ASSESSMENTS FOR DEVS (WHITE, YELLOW, ORANGE, BLACK BELT ASSESSMENTS)
• START SLOW AND GRADUALLY INCREASE DIFFICULTY
• REWARD DEVS WHO DO WELL !!
• TIE DEFECTS FROM SQUADS BACK TO SPECIFIC DEV TRAINING, SO THAT THEY SPEND MORE TIME ON IMPROVING WHAT THEY MAY DO WRONG
Learning formats shown on the slide: Gamified Learning | Hands On | Learn @ Ur Own Pace
11. Shift Left: Develop, Implement & Fine-Tune Processes – Key Takeaways
BUILD AN ENGAGEMENT MODEL (e.g. We built 7 gates and included all lines of defense)
CONSULT RED & BLUE TEAMS ON NEW THREATS AND EMBED THEM BACK INTO YOUR PATTERNS
PARTICIPATE OR LEAD A CHANGE IN PROCESSES FOR PRE-GO LIVE SIGN OFFS
BUILD AN ENTERPRISE SECURITY REFERENCE ARCHITECTURE (ESA)
BUILD RE-USABLE SECURITY PATTERNS/CONTROLS
CODIFY PATTERNS (SECURITY AS CODE); REQUEST A SQUAD FOR IT !!
BUILD RE-USABLE SECURITY PATTERNS
CONTRIBUTE TO THE AGILE RUN BOOK
SOCIALIZE SECURITY IN AGILE VIA WORKSHOPS (I DID 6-7 IN 2019 ALONE!!)
ENSURE OPS SECURITY (LAST GATE!!) – BE THERE FOR ALL CHANGE APPROVAL BOARD MTGS!
12. Shift Left: People & Process: MESHED
EVERY SECURITY SQUAD HAS AT LEAST ONE SECURITY PERSONNEL (DEVSECOPS)
GET INVOLVED IMMEDIATELY POST BUDGET APPROVAL
ATTEND BACKLOG GROOMING & SPRINT PLANNING
DESIGN SECURITY REQUIREMENTS IN THE FORM OF EVIL STORIES
---- USER STORY ---
AS A “CUSTOMER” I WOULD LIKE TO “ADD A BENEFICIARY TO TRANSFER MONEY”
---- EVIL STORY 1 ---
AS AN ATTACKER I WILL PHISH YOU AND GET YOUR PASSWORD AND SMS OTP
---- EVIL STORY 2 ---
AS AN ATTACKER I WILL….. XXXXXXXX
--CONTROL 1 (PREV)--
MANDATE IN-APP NOTIFICATION AS PRIMARY AUTH
---CONTROL 2 (DET)--
ALERT CUST WHEN BENEFICIARY IS ADDED
PUBLISH EVIL STORIES ON COLLABORATION SOFTWARE (e.g. JIRA) FOR ENTIRE SQUAD TO SEE AND IMPLEMENT
14. Shift Left: Technology – Key Takeaways
KEY TAKEAWAYS:
• INSERT “THRESHOLDS” IN AUTOMATION PIPELINES (e.g. ZERO HIGH, 5 MEDIUM, 10 LOW)
• SECURE ALL ELEMENTS OF THE PIPELINE – BASE OS, IMAGE, CONTAINER, ORCHESTRATION ENGINE, THE ACTUAL CODE
• ENSURE DEVS ALWAYS PULL SECURE LIBRARIES AND USE ONLY SECURE CONTAINERS
• USE WIKIS FOR PATTERNS / COLLAB TOOLS FOR SECURITY OBSERVATIONS
• USE CHAT TOOLS (WITH AUDITING) FOR CHANGE CONTROL / APPROVALS
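The “thresholds in automation pipelines” takeaway (zero high, 5 medium, 10 low) is a pipeline gate: count the scanner’s findings per severity and fail the build when any bucket exceeds its limit. The script below is an added example written for this page, not code from the talk or from Emirates NBD. It assumes a constructed scanner output format (a JSON document with a top-level `findings` list, each entry carrying a `severity` string); real scanners differ, so `load_findings` is the one function to adapt. It fails closed: a severity label it does not recognise (such as `critical`) or a missing severity is counted as high, so a new scanner vocabulary cannot silently slip past the zero-high rule.

```python
"""
Severity-threshold gate for a CI/CD pipeline (added example, not the
talk's own tooling).

Assumed scanner output (constructed format): a JSON document with a
top-level "findings" list, each finding carrying a "severity" string.
"""
import json
import sys
from collections import Counter

# Thresholds from the slide: zero high, 5 medium, 10 low.
DEFAULT_THRESHOLDS = {"high": 0, "medium": 5, "low": 10}

# Buckets the gate understands. Anything else ("critical", a typo, a
# missing field) is treated as "high" so the gate fails closed instead
# of silently waving unknown findings through.
KNOWN_SEVERITIES = set(DEFAULT_THRESHOLDS)


def normalize_severity(raw):
    """Map a scanner severity string onto the gate's buckets (case-insensitive)."""
    sev = str(raw or "").strip().lower()
    return sev if sev in KNOWN_SEVERITIES else "high"


def count_by_severity(findings):
    """Return a Counter of findings per normalized severity bucket."""
    return Counter(normalize_severity(f.get("severity")) for f in findings)


def evaluate(findings, thresholds=DEFAULT_THRESHOLDS):
    """
    Compare per-severity counts against the thresholds.

    Returns (passed, breaches); breaches maps severity -> (count, allowed)
    for every bucket that is over its limit, so the CI log can say why.
    """
    counts = count_by_severity(findings)
    breaches = {
        sev: (counts[sev], allowed)
        for sev, allowed in thresholds.items()
        if counts[sev] > allowed
    }
    return (not breaches), breaches


def load_findings(text):
    """Parse the constructed scanner JSON; a missing list means no findings."""
    doc = json.loads(text)
    findings = doc.get("findings", [])
    if not isinstance(findings, list):
        raise ValueError("scanner output: 'findings' must be a list")
    return findings


# Constructed sample report so the gate can be exercised offline.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "F-1", "severity": "Medium"},
        {"id": "F-2", "severity": "low"},
        {"id": "F-3", "severity": "LOW"},
        {"id": "F-4", "severity": "critical"},  # unknown label -> counted as high
        {"id": "F-5"},                          # missing severity -> counted as high
    ]
})


def gate(report_text, thresholds=DEFAULT_THRESHOLDS):
    """Run the gate and return the exit code a CI step should use (0 pass, 1 fail)."""
    passed, breaches = evaluate(load_findings(report_text), thresholds)
    for sev, (count, allowed) in sorted(breaches.items()):
        print(f"THRESHOLD BREACH: {count} {sev} findings (allowed {allowed})")
    print("security gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    # Pipe a real report in (scanner | python gate.py); otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    sys.exit(gate(text))
```

Wire it in as the step immediately after the scan, with the pipeline configured to stop on a non-zero exit; the sample report fails because two findings land in the high bucket against a limit of zero, which is exactly the behaviour you want when a scanner starts emitting a severity the gate was never taught.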
15. Key Takeaways: People, Process & Technology – Metrics
Ask every Team/Squad to rate security personnel in their squad
Measure developer education using stats on gamified platforms
Map all your KPIs to a cyber security maturity model (think NIST or others)
Take a count of how many automated pipelines have security thresholds built in
Gauge how well security personnel make autonomous decisions (on their own)
Check how many initiatives did not follow your engagement model (aka “gates skipped”)
Measure how many developers are attending secure coding induction and tournaments
Check how often & well you document on a Wiki in order to pass your Audits
Track Defects: Observe how often you see the same coding defects being repeated; re-educate developers
Measure how many squads are meeting your patterns / non-negotiables
Measure how busy security personnel are in Squads – add more to prevent burnout
Measure how many security personnel completed trainings on new tech (e.g. kubernetes)
16. Key Takeaways: People, Process & Technology – Measuring Success
Our Architects/DevSecOps Engineers are rated highly by squads
Our developer security education is working well – defects have reduced over time
We contributed to our overall Cyber Security Maturity Score
Team Awards – “Best Agile Supporters”
Individual Awards – Top Performers/Potential Leaders
We adapt amazingly to Waterfall & Agile methods
Our security checks are embedded in all pipelines (where applicable)
We win by Influencing not by Authority, aka we have built trust with DevOps
We fared exceptionally well on all our Audits
We are building “security as a service”; we automate security via APIs (where possible)
We reduced the time for security sign offs thanks to inclusion from all lines of defense
Adherence to our 7-gates model is very high
17. End Note
CULTURE CHANGE TAKES TIME AND TONS OF EFFORT !! KEEP AT IT!
COLLABORATE: DROP THE FINGERPOINTING! FOCUS ON THE SOLUTION
SOCIALIZE: INFORM & EDUCATE ALL LINES OF DEFENSE/STAKEHOLDERS
CHANGE YOUR MINDSET / UNLEARN: DON’T APPLY TRAD’L THINK TO AGILE
DON’T TRY & BE PERFECT, YOU WILL FAIL! FAIL QUICK, LEARN FROM IT & MOVE ON!
BE PATIENT & PREPARED: IT’S A LONG & TIRING ROAD! A LOT OF CONVINCING TO BE DONE! PUSH YOURSELF & YOUR TEAM! STAY HEALTHY!
TALENT: HIRE PEOPLE WHO WILL BUY INTO YOUR VISION! NO PASSION, NO SUCCESS!
18. Outro – Q & A
@YazKay2
https://www.linkedin.com/in/yazadk/