Steven Carlson, profile picture
Uploaded bySteven Carlson
PDF, PPTX211 views

ShiftGearsWithInformationSecurity.pdf

Steven Carlson's talk focuses on sharing experiences in product security and driving change within information security. He emphasizes the importance of collaboration between security teams and engineering to prioritize security throughout the software development process, encouraging knowledge sharing and responsive strategies. Key topics include onboarding, empowering teams, automation, and executive buy-in for effective security practices.

Technology
Related topics:
Information Security

Embed presentation

Download as PDF, PPTX
Steven Carlson - 2023 Shift Gears within Information Security Product Security Journey
Software Engineer who is passionate about clean secure code. Helpdesk -> Software Engineer -> Security -> DevOps -> Product Security https://about.me/rockrunner Steven Carlson
The Talk Are you in the correct room? “This talk will be focused on discussing war stories from a product architect/engineer who lives within an information security department and is passionate about driving change. Attendees will get to experience a few different routes that have lead to success and others that might need to avoided. As an ever-evolving space, when reducing risk and deploy safe products to the market, we all have to fi nd the correct gear to get us down the road.”
Keeping Security Top of Mind Forethought vs Afterthought
Terms Common Language • AppSec is about securing the application. • DevSec is about securing the developer and their actions. • DevSecOps is about securing the application build chain. • Product Security is about the end-to-end security of their organization’s software products.
Product Security
We, the Security Team Recognize That Engineering Teams • Want to do the right thing • Are closer to the business context and will make trade-o ff decisions between security and other tasks • Want information and advice so those trade-o ff decisions are more informed • Lower the cost/e ff ort side of any investment in developer security tools or practices • Assist with preventative initiatives as we beg for your assistance reacting to security incidents Pledge to Understand that • We are no longer gate keepers, but rather tool-smiths and advisors
War Stories
Overview The plan • Development Onboarding • Empowering Champions • Automation? • Executive Buy-in • Reporting Security Findings
Development Onboarding
K.I.S.S Keep It Simple, Stupid • People • Process • Technology • Governance
Gitlab SDK https://python-gitlab.readthedocs.io • People: Pure Dev • Process: GitOps • Technology: • GitLab • Docker • Python
Gitlab Template https://docs.gitlab.com/ee/user/admin_area/custom_project_templates.html • People: GitLab Access • Process: Merge Requests • Technology: • GitLab https://gitlab.com/nebraska-code-conference/gitlab-standard/gitlab-template
Empowering Champions
Shared Partnership Not just knighting someone • Create a clear picture • Share ownership of the product’s security score • Establish a threat intel feed • Recommend policy and standard modi fi cation
Threat Dragon https://owasp.org/www-project-threat-dragon/ • People: Architect • Process: Manual Review • Technology: • Source Control • IDE • Threat Dragon https://github.com/RockRunner007/security-programs/tree/master/threat-models
IriusRisk https://community.iriusrisk.com/ui#!login • People: Product Sta ff • Process: Life Cycle • Technology: • IDP • IriusRisk
Automation?
Context is Key Build the case with Product team(s) • Training and Education • Build Relationships • Regular Feedback Loops
Postman + Burp https://www.postman.com/api-platform/api-testing/ • People: Security Team • Process: Internal PEN test • Technology: • Postman Enterprise • Burp Suite Professional https://github.com/RockRunner007/crAPI
Noname Security https://nonamesecurity.com/ • People: Dev and Security Team • Process: SDLC + Review • Technology: • Noname Platform • OpenAPI Speci fi cation
Executive Buy-in
Shift Left and Extend Right Oldie but a goodie • Embedding a security engineer within a product team • Accept work that is achievable and generally understood • Establish a position within leadership and engineering
Enablement Team Team Structure and their actions • People: Product Leadership • Process: Workshopping • Technology: • Text editor of choice
Product Security Program Risk vs Threat Organization • People: Security Leadership • Process: Workshopping • Technology: • Text editor of choice https://github.com/RockRunner007/security-programs/blob/master/product-security.md
Reporting Security Findings
Proof is in the Pudding Find out the truth before spending money • Should we partner with this vendor? • Should we use this vendor’s software? • How often should we require 3rd party PEN tests? • How will this software e ff ect our network?
N+1 Tools Tools for everyone!!! • People: Security • Process: Manual Review • Technology: • ASM • Security Headers • SSL Tester • N+1
GitLab Automation Sbom is like the car fax for your 3rd party software • People: Dev + Security • Process: CI • Technology: • CI Tool • Cyclonedx CLI • Snyk or SBOM Vendor https://github.com/RockRunner007/gitlab-templates/blob/main/sbom/sbom.gitlab-ci.yml
Manual
Manual Linux Command: man man • Build security, as more than bolt it on. • Rely on empowered product teams, more than security specialists. • Implement features securely, more than security features. • Rely on continuously learning, more than end-of-phase gates. • Adopt a few key practices deeply and universally, more than a comprehensive set poorly and sporadically. • Build on culture change, more than policy enforcement.
Resources Books, Website, and more Books & Publications • Application Security Program Handbook by Derek Fisher • Designing Secure Software by Loren Kohnfelder • Clean Code by Robert Martin • Software Transparency by Chris Hugh and Tony Turner • Threats by Adam Shostack Online • SecurityChampionSuccessGuide.org • attack.mitre.org • nist.gov/itl/csd/secure-systems-and- applications • hockeyinjune.medium.com/product- security-14127b5838ba • santikris2003.medium.com/product- security-dev-sec-tips-2fdb1698a3b3 • https://media.defense.gov/2023/Jun/ 28/2003249466/-1/-1/0/ CSI_DEFENDING_CI_CD_ENVIRONMENT S.PDF
Glossary Words and things • Application Security - the process of developing, adding, and testing security features within applications to prevent security vulnerabilities against threats. • Infrastructure Security - the security provided to protect infrastructure, especially critical infrastructure such as cloud or datacenter resources. • Security Operations - a centralized unit that deals with security issues on an organizational and technical level. • Software Development Life Cycle (SDLC) - a conceptual framework describing all activities in a software development project from planning to maintenance. This process is associated with several models, each including a variety of tasks and activities.
Software Engineer who is passionate about clean secure code. Helpdesk -> Software Engineer -> Security -> DevOps -> Product Security https://about.me/rockrunner Steven Carlson
Feedback Please remember to fi ll out the evaluation forms

More Related Content

PPTX
Product Security
bySteven Carlson
 
PPTX
SCS DevSecOps Seminar - State of DevSecOps
byStefan Streichsbier
 
PDF
AppSec in an Agile World
byDavid Lindner
 
PDF
Webinar – Software Security 2019–Embrace Velocity
bySynopsys Software Integrity Group
 
PDF
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
bySynopsys Software Integrity Group
 
PDF
The Future of DevSecOps
byStefan Streichsbier
 
PPTX
Forget cyber, it's all about AppSec
byAdrien de Beaupre
 
PPTX
Dev{sec}ops
bySteven Carlson
 
Product Security
bySteven Carlson
 
SCS DevSecOps Seminar - State of DevSecOps
byStefan Streichsbier
 
AppSec in an Agile World
byDavid Lindner
 
Webinar – Software Security 2019–Embrace Velocity
bySynopsys Software Integrity Group
 
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
bySynopsys Software Integrity Group
 
The Future of DevSecOps
byStefan Streichsbier
 
Forget cyber, it's all about AppSec
byAdrien de Beaupre
 
Dev{sec}ops
bySteven Carlson
 

Similar to ShiftGearsWithInformationSecurity.pdf

PDF
Security Checkpoints in Agile SDLC
byRahul Raghavan
 
PPTX
Дмитро Терещенко, "How to secure your application with Secure SDLC"
bySigma Software
 
PDF
JavaOne2013: Secure Engineering Practices for Java
byChris Bailey
 
PDF
Secure Engineering Practices for Java
byTim Ellison
 
PPT
AMI Security 101 - Smart Grid Security East 2011
bydma1965
 
PDF
ProdSec: A Technical Approach
byJeremy Brown
 
PPTX
2016 - Safely Removing the Last Roadblock to Continuous Delivery
bydevopsdaysaustin
 
PDF
Building Security Into Your Cloud IT Practices
byMighty Guides, Inc.
 
PDF
Maturing DevSecOps: From Easy to High Impact
bySBWebinars
 
PPTX
Security and DevOps Overview
byAdrian Sanabria
 
PPTX
Safely Removing the Last Roadblock to Continuous Delivery
bySeniorStoryteller
 
PPTX
Securing a great DX - DevSecOps Days Singapore 2018
byStefan Streichsbier
 
PPTX
Integrate Security into DevOps - SecDevOps
byUlf Mattsson
 
PDF
The Evolution of Cybersecurity in Software Development for 2025
byScalaCode
 
PPTX
State of DevSecOps - DevOpsDays Jakarta 2019
byStefan Streichsbier
 
PDF
The State of DevSecOps
byDevOps Indonesia
 
ODP
CISSP Week 12
byjemtallon
 
PDF
Security as Code (Second Early Release) Bk Sarthak Das
bymagaudzontar
 
PDF
Security as Code (Second Early Release) Bk Sarthak Das
byminroyallugg
 
PPTX
Cloud, DevOps and the New Security Practitioner
byAdrian Sanabria
 
Security Checkpoints in Agile SDLC
byRahul Raghavan
 
Дмитро Терещенко, "How to secure your application with Secure SDLC"
bySigma Software
 
JavaOne2013: Secure Engineering Practices for Java
byChris Bailey
 
Secure Engineering Practices for Java
byTim Ellison
 
AMI Security 101 - Smart Grid Security East 2011
bydma1965
 
ProdSec: A Technical Approach
byJeremy Brown
 
2016 - Safely Removing the Last Roadblock to Continuous Delivery
bydevopsdaysaustin
 
Building Security Into Your Cloud IT Practices
byMighty Guides, Inc.
 
Maturing DevSecOps: From Easy to High Impact
bySBWebinars
 
Security and DevOps Overview
byAdrian Sanabria
 
Safely Removing the Last Roadblock to Continuous Delivery
bySeniorStoryteller
 
Securing a great DX - DevSecOps Days Singapore 2018
byStefan Streichsbier
 
Integrate Security into DevOps - SecDevOps
byUlf Mattsson
 
The Evolution of Cybersecurity in Software Development for 2025
byScalaCode
 
State of DevSecOps - DevOpsDays Jakarta 2019
byStefan Streichsbier
 
The State of DevSecOps
byDevOps Indonesia
 
CISSP Week 12
byjemtallon
 
Security as Code (Second Early Release) Bk Sarthak Das
bymagaudzontar
 
Security as Code (Second Early Release) Bk Sarthak Das
byminroyallugg
 
Cloud, DevOps and the New Security Practitioner
byAdrian Sanabria
 

Recently uploaded

PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PDF
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
PDF
final.pdf
byomarbishtawi04
 
PDF
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
PDF
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
PPTX
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
PDF
apidays Paris 2025 | Zero Trust By Design
byapidays
 
PDF
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PPTX
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
PDF
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
PPTX
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
PDF
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
PDF
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
final.pdf
byomarbishtawi04
 
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
apidays Paris 2025 | Zero Trust By Design
byapidays
 
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 

ShiftGearsWithInformationSecurity.pdf

  • 1.
    Steven Carlson -2023 Shift Gears within Information Security Product Security Journey
  • 2.
    Software Engineer whois passionate about clean secure code. Helpdesk -> Software Engineer -> Security -> DevOps -> Product Security https://about.me/rockrunner Steven Carlson
  • 3.
    The Talk Are youin the correct room? “This talk will be focused on discussing war stories from a product architect/engineer who lives within an information security department and is passionate about driving change. Attendees will get to experience a few different routes that have lead to success and others that might need to avoided. As an ever-evolving space, when reducing risk and deploy safe products to the market, we all have to fi nd the correct gear to get us down the road.”
  • 4.
    Keeping Security Top ofMind Forethought vs Afterthought
  • 5.
    Terms Common Language • AppSecis about securing the application. • DevSec is about securing the developer and their actions. • DevSecOps is about securing the application build chain. • Product Security is about the end-to-end security of their organization’s software products.
  • 6.
  • 7.
    We, the SecurityTeam Recognize That Engineering Teams • Want to do the right thing • Are closer to the business context and will make trade-o ff decisions between security and other tasks • Want information and advice so those trade-o ff decisions are more informed • Lower the cost/e ff ort side of any investment in developer security tools or practices • Assist with preventative initiatives as we beg for your assistance reacting to security incidents Pledge to Understand that • We are no longer gate keepers, but rather tool-smiths and advisors
  • 9.
  • 10.
    Overview The plan • DevelopmentOnboarding • Empowering Champions • Automation? • Executive Buy-in • Reporting Security Findings
  • 11.
  • 12.
    K.I.S.S Keep It Simple,Stupid • People • Process • Technology • Governance
  • 13.
    Gitlab SDK https://python-gitlab.readthedocs.io • People:Pure Dev • Process: GitOps • Technology: • GitLab • Docker • Python
  • 14.
    Gitlab Template https://docs.gitlab.com/ee/user/admin_area/custom_project_templates.html • People:GitLab Access • Process: Merge Requests • Technology: • GitLab https://gitlab.com/nebraska-code-conference/gitlab-standard/gitlab-template
  • 15.
  • 16.
    Shared Partnership Not justknighting someone • Create a clear picture • Share ownership of the product’s security score • Establish a threat intel feed • Recommend policy and standard modi fi cation
  • 17.
    Threat Dragon https://owasp.org/www-project-threat-dragon/ • People:Architect • Process: Manual Review • Technology: • Source Control • IDE • Threat Dragon https://github.com/RockRunner007/security-programs/tree/master/threat-models
  • 18.
    IriusRisk https://community.iriusrisk.com/ui#!login • People: ProductSta ff • Process: Life Cycle • Technology: • IDP • IriusRisk
  • 19.
  • 20.
    Context is Key Buildthe case with Product team(s) • Training and Education • Build Relationships • Regular Feedback Loops
  • 21.
    Postman + Burp https://www.postman.com/api-platform/api-testing/ •People: Security Team • Process: Internal PEN test • Technology: • Postman Enterprise • Burp Suite Professional https://github.com/RockRunner007/crAPI
  • 22.
    Noname Security https://nonamesecurity.com/ • People:Dev and Security Team • Process: SDLC + Review • Technology: • Noname Platform • OpenAPI Speci fi cation
  • 23.
  • 24.
    Shift Left andExtend Right Oldie but a goodie • Embedding a security engineer within a product team • Accept work that is achievable and generally understood • Establish a position within leadership and engineering
  • 25.
    Enablement Team Team Structureand their actions • People: Product Leadership • Process: Workshopping • Technology: • Text editor of choice
  • 26.
    Product Security Program Riskvs Threat Organization • People: Security Leadership • Process: Workshopping • Technology: • Text editor of choice https://github.com/RockRunner007/security-programs/blob/master/product-security.md
  • 27.
  • 28.
    Proof is inthe Pudding Find out the truth before spending money • Should we partner with this vendor? • Should we use this vendor’s software? • How often should we require 3rd party PEN tests? • How will this software e ff ect our network?
  • 29.
    N+1 Tools Tools foreveryone!!! • People: Security • Process: Manual Review • Technology: • ASM • Security Headers • SSL Tester • N+1
  • 30.
    GitLab Automation Sbom islike the car fax for your 3rd party software • People: Dev + Security • Process: CI • Technology: • CI Tool • Cyclonedx CLI • Snyk or SBOM Vendor https://github.com/RockRunner007/gitlab-templates/blob/main/sbom/sbom.gitlab-ci.yml
  • 31.
  • 32.
    Manual Linux Command: manman • Build security, as more than bolt it on. • Rely on empowered product teams, more than security specialists. • Implement features securely, more than security features. • Rely on continuously learning, more than end-of-phase gates. • Adopt a few key practices deeply and universally, more than a comprehensive set poorly and sporadically. • Build on culture change, more than policy enforcement.
  • 33.
    Resources Books, Website, andmore Books & Publications • Application Security Program Handbook by Derek Fisher • Designing Secure Software by Loren Kohnfelder • Clean Code by Robert Martin • Software Transparency by Chris Hugh and Tony Turner • Threats by Adam Shostack Online • SecurityChampionSuccessGuide.org • attack.mitre.org • nist.gov/itl/csd/secure-systems-and- applications • hockeyinjune.medium.com/product- security-14127b5838ba • santikris2003.medium.com/product- security-dev-sec-tips-2fdb1698a3b3 • https://media.defense.gov/2023/Jun/ 28/2003249466/-1/-1/0/ CSI_DEFENDING_CI_CD_ENVIRONMENT S.PDF
  • 34.
    Glossary Words and things •Application Security - the process of developing, adding, and testing security features within applications to prevent security vulnerabilities against threats. • Infrastructure Security - the security provided to protect infrastructure, especially critical infrastructure such as cloud or datacenter resources. • Security Operations - a centralized unit that deals with security issues on an organizational and technical level. • Software Development Life Cycle (SDLC) - a conceptual framework describing all activities in a software development project from planning to maintenance. This process is associated with several models, each including a variety of tasks and activities.
  • 35.
    Software Engineer whois passionate about clean secure code. Helpdesk -> Software Engineer -> Security -> DevOps -> Product Security https://about.me/rockrunner Steven Carlson
  • 36.
    Feedback Please remember to fi llout the evaluation forms