SlideShare a Scribd company logo

Product Security Journey

Steven Carlson
Steven Carlson

This talk will be focused on discussing war stories from a product architect/engineer who lives within an information security department and is passionate about driving change. Attendees will get to experience a few different routes that have lead to success and others that might need to avoided. As an ever-evolving space, when reducing risk and deploy safe products to the market, we all have to find the correct gear to get us down the road.

Technology
1 of 36
Download to read offline
Steven Carlson - 2023 Shift Gears within Information Security Product Security Journey
Software Engineer who is passionate about clean secure code. Helpdesk -> Software Engineer -> Security -> DevOps -> Product Security https://about.me/rockrunner Steven Carlson
The Talk Are you in the correct room? “This talk will be focused on discussing war stories from a product architect/engineer who lives within an information security department and is passionate about driving change. Attendees will get to experience a few different routes that have lead to success and others that might need to avoided. As an ever-evolving space, when reducing risk and deploy safe products to the market, we all have to fi nd the correct gear to get us down the road.”
Keeping Security Top of Mind Forethought vs Afterthought
Terms Common Language • AppSec is about securing the application. • DevSec is about securing the developer and their actions. • DevSecOps is about securing the application build chain. • Product Security is about the end-to-end security of their organization’s software products.
Product Security
We, the Security Team Recognize That Engineering Teams • Want to do the right thing • Are closer to the business context and will make trade-o ff decisions between security and other tasks • Want information and advice so those trade-o ff decisions are more informed • Lower the cost/e ff ort side of any investment in developer security tools or practices • Assist with preventative initiatives as we beg for your assistance reacting to security incidents Pledge to Understand that • We are no longer gate keepers, but rather tool-smiths and advisors
War Stories
Overview The plan • Development Onboarding • Empowering Champions • Automation? • Executive Buy-in • Reporting Security Findings
Development Onboarding
K.I.S.S Keep It Simple, Stupid • People • Process • Technology • Governance
Gitlab SDK https://python-gitlab.readthedocs.io • People: Pure Dev • Process: GitOps • Technology: • GitLab • Docker • Python
Gitlab Template https://docs.gitlab.com/ee/user/admin_area/custom_project_templates.html • People: GitLab Access • Process: Merge Requests • Technology: • GitLab https://gitlab.com/nebraska-code-conference/gitlab-standard/gitlab-template
Empowering Champions
Shared Partnership Not just knighting someone • Create a clear picture • Share ownership of the product’s security score • Establish a threat intel feed • Recommend policy and standard modi fi cation
Threat Dragon https://owasp.org/www-project-threat-dragon/ • People: Architect • Process: Manual Review • Technology: • Source Control • IDE • Threat Dragon https://github.com/RockRunner007/security-programs/tree/master/threat-models
IriusRisk https://community.iriusrisk.com/ui#!login • People: Product Sta ff • Process: Life Cycle • Technology: • IDP • IriusRisk
Automation?
Context is Key Build the case with Product team(s) • Training and Education • Build Relationships • Regular Feedback Loops
Postman + Burp https://www.postman.com/api-platform/api-testing/ • People: Security Team • Process: Internal PEN test • Technology: • Postman Enterprise • Burp Suite Professional https://github.com/RockRunner007/crAPI
Noname Security https://nonamesecurity.com/ • People: Dev and Security Team • Process: SDLC + Review • Technology: • Noname Platform • OpenAPI Speci fi cation
Executive Buy-in
Shift Left and Extend Right Oldie but a goodie • Embedding a security engineer within a product team • Accept work that is achievable and generally understood • Establish a position within leadership and engineering
Enablement Team Team Structure and their actions • People: Product Leadership • Process: Workshopping • Technology: • Text editor of choice
Product Security Program Risk vs Threat Organization • People: Security Leadership • Process: Workshopping • Technology: • Text editor of choice https://github.com/RockRunner007/security-programs/blob/master/product-security.md
Reporting Security Findings
Proof is in the Pudding Find out the truth before spending money • Should we partner with this vendor? • Should we use this vendor’s software? • How often should we require 3rd party PEN tests? • How will this software e ff ect our network?
N+1 Tools Tools for everyone!!! • People: Security • Process: Manual Review • Technology: • ASM • Security Headers • SSL Tester • N+1
GitLab Automation Sbom is like the car fax for your 3rd party software • People: Dev + Security • Process: CI • Technology: • CI Tool • Cyclonedx CLI • Snyk or SBOM Vendor https://github.com/RockRunner007/gitlab-templates/blob/main/sbom/sbom.gitlab-ci.yml
Manual
Manual Linux Command: man man • Build security, as more than bolt it on. • Rely on empowered product teams, more than security specialists. • Implement features securely, more than security features. • Rely on continuously learning, more than end-of-phase gates. • Adopt a few key practices deeply and universally, more than a comprehensive set poorly and sporadically. • Build on culture change, more than policy enforcement.
Resources Books, Website, and more Books & Publications • Application Security Program Handbook by Derek Fisher • Designing Secure Software by Loren Kohnfelder • Clean Code by Robert Martin • Software Transparency by Chris Hugh and Tony Turner • Threats by Adam Shostack Online • SecurityChampionSuccessGuide.org • attack.mitre.org • nist.gov/itl/csd/secure-systems-and- applications • hockeyinjune.medium.com/product- security-14127b5838ba • santikris2003.medium.com/product- security-dev-sec-tips-2fdb1698a3b3 • https://media.defense.gov/2023/Jun/ 28/2003249466/-1/-1/0/ CSI_DEFENDING_CI_CD_ENVIRONMENT S.PDF
Glossary Words and things • Application Security - the process of developing, adding, and testing security features within applications to prevent security vulnerabilities against threats. • Infrastructure Security - the security provided to protect infrastructure, especially critical infrastructure such as cloud or datacenter resources. • Security Operations - a centralized unit that deals with security issues on an organizational and technical level. • Software Development Life Cycle (SDLC) - a conceptual framework describing all activities in a software development project from planning to maintenance. This process is associated with several models, each including a variety of tasks and activities.
Software Engineer who is passionate about clean secure code. Helpdesk -> Software Engineer -> Security -> DevOps -> Product Security https://about.me/rockrunner Steven Carlson
Feedback Please remember to fi ll out the evaluation forms

Recommended

Product Security
Product SecurityProduct Security
Product SecuritySteven Carlson
 
Aleksei Dremin - Application Security Pipeline - phdays9
Aleksei Dremin - Application Security Pipeline - phdays9Aleksei Dremin - Application Security Pipeline - phdays9
Aleksei Dremin - Application Security Pipeline - phdays9Alexey Dremin
 
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationFelipe Prado
 
Dev{sec}ops
Dev{sec}opsDev{sec}ops
Dev{sec}opsSteven Carlson
 
Threat Modeling All Day!
Threat Modeling All Day!Threat Modeling All Day!
Threat Modeling All Day!Steven Carlson
 
New Technology for Modern Development Challenges
New Technology for Modern Development ChallengesNew Technology for Modern Development Challenges
New Technology for Modern Development ChallengesPerforce
 
Started In Security Now I'm Here
Started In Security Now I'm HereStarted In Security Now I'm Here
Started In Security Now I'm HereChristopher Grayson
 

Recommended

Product Security
Product SecurityProduct Security
Product SecuritySteven Carlson
 
Aleksei Dremin - Application Security Pipeline - phdays9
Aleksei Dremin - Application Security Pipeline - phdays9Aleksei Dremin - Application Security Pipeline - phdays9
Aleksei Dremin - Application Security Pipeline - phdays9Alexey Dremin
 
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationFelipe Prado
 
Dev{sec}ops
Dev{sec}opsDev{sec}ops
Dev{sec}opsSteven Carlson
 
Threat Modeling All Day!
Threat Modeling All Day!Threat Modeling All Day!
Threat Modeling All Day!Steven Carlson
 
New Technology for Modern Development Challenges
New Technology for Modern Development ChallengesNew Technology for Modern Development Challenges
New Technology for Modern Development ChallengesPerforce
 
Started In Security Now I'm Here
Started In Security Now I'm HereStarted In Security Now I'm Here
Started In Security Now I'm HereChristopher Grayson
 
Cncf checkov and bridgecrew
Cncf checkov and bridgecrewCncf checkov and bridgecrew
Cncf checkov and bridgecrewLibbySchulze
 
Attacking and Defending Mobile Applications
Attacking and Defending Mobile ApplicationsAttacking and Defending Mobile Applications
Attacking and Defending Mobile ApplicationsJerod Brennen
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Dilum Bandara
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021lior mazor
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldRogue Wave Software
 
Agile and Secure
Agile and SecureAgile and Secure
Agile and SecureDenim Group
 
KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetes
KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on KubernetesKCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetes
KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetessparkfabrik
 
Enterprise-Grade DevOps Solutions for a Start Up Budget
Enterprise-Grade DevOps Solutions for a Start Up BudgetEnterprise-Grade DevOps Solutions for a Start Up Budget
Enterprise-Grade DevOps Solutions for a Start Up BudgetDevOps.com
 
Shifting security to the left with kubernetes, azure, and istio
Shifting security to the left with kubernetes, azure, and istioShifting security to the left with kubernetes, azure, and istio
Shifting security to the left with kubernetes, azure, and istioChristian Melendez
 
Securing Applications
Securing ApplicationsSecuring Applications
Securing ApplicationsMark Harrison
 
Supply Chain Security for Developers.pdf
Supply Chain Security for Developers.pdfSupply Chain Security for Developers.pdf
Supply Chain Security for Developers.pdfssuserc5b30e
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon
 
BSides Vienna 2015
BSides Vienna 2015BSides Vienna 2015
BSides Vienna 2015Daniel Liber
 
Introducing Perforce Helix
Introducing Perforce HelixIntroducing Perforce Helix
Introducing Perforce HelixPerforce
 
DevOps intro
DevOps introDevOps intro
DevOps introAbdelrhman Shawky
 
Node.js Module: I Choose You!
Node.js Module: I Choose You!Node.js Module: I Choose You!
Node.js Module: I Choose You!Bethany Nicolle Griggs
 
A question of trust - understanding Open Source risks
A question of trust - understanding Open Source risksA question of trust - understanding Open Source risks
A question of trust - understanding Open Source risksTim Mackey
 
Cybersecurity Roadmap for Beginners
Cybersecurity Roadmap for BeginnersCybersecurity Roadmap for Beginners
Cybersecurity Roadmap for BeginnersSanjeev Kumar Jaiswal
 
Kube Security Shifting left | Scanners & OPA
Kube Security Shifting left | Scanners & OPAKube Security Shifting left | Scanners & OPA
Kube Security Shifting left | Scanners & OPAHaggai Philip Zagury
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 

More Related Content

Similar to Product Security Journey

Cncf checkov and bridgecrew
Cncf checkov and bridgecrewCncf checkov and bridgecrew
Cncf checkov and bridgecrewLibbySchulze
 
Attacking and Defending Mobile Applications
Attacking and Defending Mobile ApplicationsAttacking and Defending Mobile Applications
Attacking and Defending Mobile ApplicationsJerod Brennen
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Dilum Bandara
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021lior mazor
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldRogue Wave Software
 
Agile and Secure
Agile and SecureAgile and Secure
Agile and SecureDenim Group
 
KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetes
KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on KubernetesKCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetes
KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetessparkfabrik
 
Enterprise-Grade DevOps Solutions for a Start Up Budget
Enterprise-Grade DevOps Solutions for a Start Up BudgetEnterprise-Grade DevOps Solutions for a Start Up Budget
Enterprise-Grade DevOps Solutions for a Start Up BudgetDevOps.com
 
Shifting security to the left with kubernetes, azure, and istio
Shifting security to the left with kubernetes, azure, and istioShifting security to the left with kubernetes, azure, and istio
Shifting security to the left with kubernetes, azure, and istioChristian Melendez
 
Securing Applications
Securing ApplicationsSecuring Applications
Securing ApplicationsMark Harrison
 
Supply Chain Security for Developers.pdf
Supply Chain Security for Developers.pdfSupply Chain Security for Developers.pdf
Supply Chain Security for Developers.pdfssuserc5b30e
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon
 
BSides Vienna 2015
BSides Vienna 2015BSides Vienna 2015
BSides Vienna 2015Daniel Liber
 
Introducing Perforce Helix
Introducing Perforce HelixIntroducing Perforce Helix
Introducing Perforce HelixPerforce
 
A question of trust - understanding Open Source risks
A question of trust - understanding Open Source risksA question of trust - understanding Open Source risks
A question of trust - understanding Open Source risksTim Mackey
 
Kube Security Shifting left | Scanners & OPA
Kube Security Shifting left | Scanners & OPAKube Security Shifting left | Scanners & OPA
Kube Security Shifting left | Scanners & OPAHaggai Philip Zagury
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 

Similar to Product Security Journey (20)

Cncf checkov and bridgecrew
Cncf checkov and bridgecrewCncf checkov and bridgecrew
Cncf checkov and bridgecrew
 
Attacking and Defending Mobile Applications
Attacking and Defending Mobile ApplicationsAttacking and Defending Mobile Applications
Attacking and Defending Mobile Applications
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
 
Agile and Secure
Agile and SecureAgile and Secure
Agile and Secure
 
KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetes
KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on KubernetesKCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetes
KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetes
 
Enterprise-Grade DevOps Solutions for a Start Up Budget
Enterprise-Grade DevOps Solutions for a Start Up BudgetEnterprise-Grade DevOps Solutions for a Start Up Budget
Enterprise-Grade DevOps Solutions for a Start Up Budget
 
Shifting security to the left with kubernetes, azure, and istio
Shifting security to the left with kubernetes, azure, and istioShifting security to the left with kubernetes, azure, and istio
Shifting security to the left with kubernetes, azure, and istio
 
Securing Applications
Securing ApplicationsSecuring Applications
Securing Applications
 
Supply Chain Security for Developers.pdf
Supply Chain Security for Developers.pdfSupply Chain Security for Developers.pdf
Supply Chain Security for Developers.pdf
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim Mackey
 
BSides Vienna 2015
BSides Vienna 2015BSides Vienna 2015
BSides Vienna 2015
 
Introducing Perforce Helix
Introducing Perforce HelixIntroducing Perforce Helix
Introducing Perforce Helix
 
DevOps intro
DevOps introDevOps intro
DevOps intro
 
Node.js Module: I Choose You!
Node.js Module: I Choose You!Node.js Module: I Choose You!
Node.js Module: I Choose You!
 
A question of trust - understanding Open Source risks
A question of trust - understanding Open Source risksA question of trust - understanding Open Source risks
A question of trust - understanding Open Source risks
 
Cybersecurity Roadmap for Beginners
Cybersecurity Roadmap for BeginnersCybersecurity Roadmap for Beginners
Cybersecurity Roadmap for Beginners
 
Kube Security Shifting left | Scanners & OPA
Kube Security Shifting left | Scanners & OPAKube Security Shifting left | Scanners & OPA
Kube Security Shifting left | Scanners & OPA
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 

Recently uploaded

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 

Recently uploaded (20)

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 

Product Security Journey

  • 1. Steven Carlson - 2023 Shift Gears within Information Security Product Security Journey
  • 2. Software Engineer who is passionate about clean secure code. Helpdesk -> Software Engineer -> Security -> DevOps -> Product Security https://about.me/rockrunner Steven Carlson
  • 3. The Talk Are you in the correct room? “This talk will be focused on discussing war stories from a product architect/engineer who lives within an information security department and is passionate about driving change. Attendees will get to experience a few different routes that have lead to success and others that might need to avoided. As an ever-evolving space, when reducing risk and deploy safe products to the market, we all have to fi nd the correct gear to get us down the road.”
  • 4. Keeping Security Top of Mind Forethought vs Afterthought
  • 5. Terms Common Language • AppSec is about securing the application. • DevSec is about securing the developer and their actions. • DevSecOps is about securing the application build chain. • Product Security is about the end-to-end security of their organization’s software products.
  • 7. We, the Security Team Recognize That Engineering Teams • Want to do the right thing • Are closer to the business context and will make trade-o ff decisions between security and other tasks • Want information and advice so those trade-o ff decisions are more informed • Lower the cost/e ff ort side of any investment in developer security tools or practices • Assist with preventative initiatives as we beg for your assistance reacting to security incidents Pledge to Understand that • We are no longer gate keepers, but rather tool-smiths and advisors
  • 8.
  • 10. Overview The plan • Development Onboarding • Empowering Champions • Automation? • Executive Buy-in • Reporting Security Findings
  • 12. K.I.S.S Keep It Simple, Stupid • People • Process • Technology • Governance
  • 13. Gitlab SDK https://python-gitlab.readthedocs.io • People: Pure Dev • Process: GitOps • Technology: • GitLab • Docker • Python
  • 14. Gitlab Template https://docs.gitlab.com/ee/user/admin_area/custom_project_templates.html • People: GitLab Access • Process: Merge Requests • Technology: • GitLab https://gitlab.com/nebraska-code-conference/gitlab-standard/gitlab-template
  • 16. Shared Partnership Not just knighting someone • Create a clear picture • Share ownership of the product’s security score • Establish a threat intel feed • Recommend policy and standard modi fi cation
  • 17. Threat Dragon https://owasp.org/www-project-threat-dragon/ • People: Architect • Process: Manual Review • Technology: • Source Control • IDE • Threat Dragon https://github.com/RockRunner007/security-programs/tree/master/threat-models
  • 18. IriusRisk https://community.iriusrisk.com/ui#!login • People: Product Sta ff • Process: Life Cycle • Technology: • IDP • IriusRisk
  • 20. Context is Key Build the case with Product team(s) • Training and Education • Build Relationships • Regular Feedback Loops
  • 21. Postman + Burp https://www.postman.com/api-platform/api-testing/ • People: Security Team • Process: Internal PEN test • Technology: • Postman Enterprise • Burp Suite Professional https://github.com/RockRunner007/crAPI
  • 22. Noname Security https://nonamesecurity.com/ • People: Dev and Security Team • Process: SDLC + Review • Technology: • Noname Platform • OpenAPI Speci fi cation
  • 24. Shift Left and Extend Right Oldie but a goodie • Embedding a security engineer within a product team • Accept work that is achievable and generally understood • Establish a position within leadership and engineering
  • 25. Enablement Team Team Structure and their actions • People: Product Leadership • Process: Workshopping • Technology: • Text editor of choice
  • 26. Product Security Program Risk vs Threat Organization • People: Security Leadership • Process: Workshopping • Technology: • Text editor of choice https://github.com/RockRunner007/security-programs/blob/master/product-security.md
  • 28. Proof is in the Pudding Find out the truth before spending money • Should we partner with this vendor? • Should we use this vendor’s software? • How often should we require 3rd party PEN tests? • How will this software e ff ect our network?
  • 29. N+1 Tools Tools for everyone!!! • People: Security • Process: Manual Review • Technology: • ASM • Security Headers • SSL Tester • N+1
  • 30. GitLab Automation Sbom is like the car fax for your 3rd party software • People: Dev + Security • Process: CI • Technology: • CI Tool • Cyclonedx CLI • Snyk or SBOM Vendor https://github.com/RockRunner007/gitlab-templates/blob/main/sbom/sbom.gitlab-ci.yml
  • 32. Manual Linux Command: man man • Build security, as more than bolt it on. • Rely on empowered product teams, more than security specialists. • Implement features securely, more than security features. • Rely on continuously learning, more than end-of-phase gates. • Adopt a few key practices deeply and universally, more than a comprehensive set poorly and sporadically. • Build on culture change, more than policy enforcement.
  • 33. Resources Books, Website, and more Books & Publications • Application Security Program Handbook by Derek Fisher • Designing Secure Software by Loren Kohnfelder • Clean Code by Robert Martin • Software Transparency by Chris Hugh and Tony Turner • Threats by Adam Shostack Online • SecurityChampionSuccessGuide.org • attack.mitre.org • nist.gov/itl/csd/secure-systems-and- applications • hockeyinjune.medium.com/product- security-14127b5838ba • santikris2003.medium.com/product- security-dev-sec-tips-2fdb1698a3b3 • https://media.defense.gov/2023/Jun/ 28/2003249466/-1/-1/0/ CSI_DEFENDING_CI_CD_ENVIRONMENT S.PDF
  • 34. Glossary Words and things • Application Security - the process of developing, adding, and testing security features within applications to prevent security vulnerabilities against threats. • Infrastructure Security - the security provided to protect infrastructure, especially critical infrastructure such as cloud or datacenter resources. • Security Operations - a centralized unit that deals with security issues on an organizational and technical level. • Software Development Life Cycle (SDLC) - a conceptual framework describing all activities in a software development project from planning to maintenance. This process is associated with several models, each including a variety of tasks and activities.
  • 35. Software Engineer who is passionate about clean secure code. Helpdesk -> Software Engineer -> Security -> DevOps -> Product Security https://about.me/rockrunner Steven Carlson
  • 36. Feedback Please remember to fi ll out the evaluation forms