security and compliance theater the seventh deadly
play

Security and Compliance Theater The Seventh Deadly Disease John - PowerPoint PPT Presentation

Apr 18, 2023 •108 likes •534 views

Security and Compliance Theater The Seventh Deadly Disease John Willis @botchagalupe botchagalupe@gmail.com https://github.com/botchagalupe/my-presentations You cant Lean, Agile, SAFE, Devops or even SRE your way around a bad

  1. Security and Compliance Theater “The Seventh Deadly Disease”

  2. John Willis @botchagalupe botchagalupe@gmail.com

  3. https://github.com/botchagalupe/my-presentations

  5. You can’t Lean, Agile, SAFE, Devops or even SRE your way around a bad organizational culture.

  6. What We Did Organizational Anthropology

  12. Conway’s Law An adage named after computer programmer Melvin Conway, who introduced the idea in 1967. It states that. "organizations which design systems ... are constrained to produce designs which are copies of the communication structures of these organizations.”

  17. Organizational Anthropology • 10 to 20 Pre-Assessment Calls • 30 to 50 Assessment Meetings • Interview 150-200 People • Over 400 Pages of Notes • 300 Summarized Observations

  18. Two Days With Leadership

  19. Common Top Three • Toil • Risk • Inconsistency

  20. General Toil • Downstream Dependancies • ITIL Processing Toil • A Lot of Signoff’s • Only High Priority Get Fixed • High Technical Debt • Product and Team Silos

  21. General Risk • Permitter Based Risk Models • Subjective Governance Models • Inconsistent Policies for Dev/Test/QA • Low Attestation Efficacy • Configuration Blind Spots

  22. General Consistency • Inconsistent Environments • Unclear Roles and Responsibilities • CD Anti-Patterns • Cross Function Chaos

  23. The Deadliest Disease!

  25. Devops (Shift Left Auditors) • Review Boards (ARB, PRB,CAB) • Check Box Compliance • Workarounds and Hidden Work • Auditor Workarounds • Vulnerability Theater • Negative Risk RIO • Policy Theater

  26. DevSecOps Detective Preventative Interval Requirements Development CI Trigger Production & Design Assessment Perimeter SCM Application Risk Assessment Classification Dynamic Web Application Static Analysis/IDE Static Analysis (CI) Assessments Firewalls Security Requirement Definition Automated Attack/ Open Source Threat-Based Pen Secure Libraries Bot Defense Governance(CI) Test Container Security Threat modeling Secure Coding Container Security Management Standards Compliance (CI) Security Mavens (Security-Trained Developers and Operations) Role Based Software Security Training Continuous Monitoring, Analytics and KPI Gathering

  27. DevSecOps Operational Tips • Work with and educate your auditors • Move Subjective Attestation to Objective Attestation • Ruthlessly eliminate false positives to Developers • Explain the vulnerabilities in business impact terms • Devops the vulnerability (JIRA, backlog, Kanban) • Open the code base to everyone in the organization • Educate on how to fix

  28. Changing subjective attestation into objective attestation

  29. Devops Automated Governance • Attestation of the integrity of assets in the delivery pipeline • Automated Attestation in CI/ CD • Transform CAB (Change Advisory Board) • Reduce Effort w/ Compliance Activities - “Continuous Compliance”

  31. The Delivery Pipeline

  32. Constructing an Attestation

  33. Attestation Database

  34. Basic Governance Model

  35. Source Code Repository Stage

  36. Build Stage

  37. Dependency Management Stage

  38. Package Stage

  39. Artifact Stage

  40. Prod Stage

Recommend

Fox Theater

Fox Theater

THE WALSENBURG Fox Theater ______________________________________________________________________________________________________ University Technical Assistance PROGRAM CONSIDERATIONS Need to better monetize theater: Flexibility (Movies

883 views • 52 slides
Effective Security for the Post-compliance Era Security Awareness and Training for Security

Effective Security for the Post-compliance Era Security Awareness and Training for Security

Effective Security for the Post-compliance Era Security Awareness and Training for Security Specialists M. ANGELA SASSE, RUHR UNIVERSITY BOCHUM & UCL The problem MENSCHLICH WELTOFFEN LEISTUNGSSTARK 2 ENISA Report December 2018

362 views • 33 slides
Be Deadly Get Healthy An Opportunity for Exercise in the Aboriginal Community KRISTY

Be Deadly Get Healthy An Opportunity for Exercise in the Aboriginal Community KRISTY

Be Deadly Get Healthy An Opportunity for Exercise in the Aboriginal Community KRISTY DOUGHENEY PHYSIOTHERAPIST WEST GIPPSLAND HEALTHCARE GROUP What is Be Deadly Get Healthy? Be Deadly Get Healthy is a community driven exercise

389 views • 17 slides
Security and Compliance in Clouds Jan Jrjens , Kristian Beckers Fraunhofer Institute for

Security and Compliance in Clouds Jan Jrjens , Kristian Beckers Fraunhofer Institute for

Security and Compliance in Clouds Jan Jrjens , Kristian Beckers Fraunhofer Institute for Software and Systems Engineering ISST (Dortmund, Germany) http://jan.jurjens.de Security is the Major Show-Stopper Jan Jrjens: Security and Compliance

768 views • 18 slides
THE ROYAL THEATER Hogansville, Georgia THE HISTORIC 1937 ROYAL THEATER Hogansville, Georgia

THE ROYAL THEATER Hogansville, Georgia THE HISTORIC 1937 ROYAL THEATER Hogansville, Georgia

THE ROYAL THEATER Hogansville, Georgia THE HISTORIC 1937 ROYAL THEATER Hogansville, Georgia THE ROYAL THEATER - 1937 THE ROYAL THEATER - 1937 The Royal Theater was built by Mr. O.C. Lam, a local whose brother, C.O. Lam was Troup County

544 views • 42 slides
The Joy of Open, Agile Government Security Compliance Using F/LOSS, Agile and DevSecOps to help

The Joy of Open, Agile Government Security Compliance Using F/LOSS, Agile and DevSecOps to help

The Joy of Open, Agile Government Security Compliance Using F/LOSS, Agile and DevSecOps to help make compliance secure Fen Labalme TOC How did I get here What is CivicActions What is compliance Making compliance fun Culture

1.24k views • 89 slides
why are the 7 deadly? 1) They are difficult to shake. 2) The y are endemic (common) to humanity.

why are the 7 deadly? 1) They are difficult to shake. 2) The y are endemic (common) to humanity.

why are the 7 deadly? 1) They are difficult to shake. 2) The y are endemic (common) to humanity. 3) They are often the necessary first step to another sin. pride envy wrath sloth greed lust gluttony what is so DEADLY about SLOTH ?

352 views • 17 slides
Substation Security Blake Beale - Manager, CIP Compliance & Security Systems Jeff Imsdahl

Substation Security Blake Beale - Manager, CIP Compliance & Security Systems Jeff Imsdahl

Substation Security Blake Beale - Manager, CIP Compliance & Security Systems Jeff Imsdahl Director, Physical Security & Deputy CSO October 31, 2018 Substation Security Program Project established fall 2013 On site evaluations

235 views • 6 slides
IT Security Compliance Management can be done right! (and make sense doing so) 1 Hi. My name

IT Security Compliance Management can be done right! (and make sense doing so) 1 Hi. My name

IT Security Compliance Management can be done right! (and make sense doing so) 1 Hi. My name is Adrian Wiesmann. I work as an IT Security Officer for a Swiss Financial Institute and my daywork is to bother, to pester and to annoy to help

638 views • 39 slides
Compliance Cautions INVESTIGATING SECURITY ISSUES ASSOCIATED WITH U.S. DIGITAL-SECURITY STANDARDS

Compliance Cautions INVESTIGATING SECURITY ISSUES ASSOCIATED WITH U.S. DIGITAL-SECURITY STANDARDS

Compliance Cautions INVESTIGATING SECURITY ISSUES ASSOCIATED WITH U.S. DIGITAL-SECURITY STANDARDS ROCK CK S STEVENS, KEVIN HALLIDAY, MICHELLE MAZUREK // UNIV IVERSIT ITY O OF M MARYLAND JOSIAH DYKSTRA, JAMES CHAPMAN, ALEX FARMER //

290 views • 27 slides
Compliance Cautions Investigating Security Issues Associated with U.S. Digital-Security Standards

Compliance Cautions Investigating Security Issues Associated with U.S. Digital-Security Standards

LASER Workshop 2020 Compliance Cautions Investigating Security Issues Associated with U.S. Digital-Security Standards Rock Stevens , Kevin Halliday, Michelle Mazurek / / University of Maryland Josiah Dykstra, James Chapman, Alexander F armer

345 views • 22 slides
Security & Compliance Thursday, September 4 2014 What is a security breach/attack? A

Security & Compliance Thursday, September 4 2014 What is a security breach/attack? A

Security & Compliance Thursday, September 4 2014 What is a security breach/attack? A security breach/attack is defined as an event in which a corporations network is compromised or an individuals name plus Social Security Name (SSN),

890 views • 12 slides
CIP 101 Training CIP-007-3a Cyber Security System Security Management Overview September

CIP 101 Training CIP-007-3a Cyber Security System Security Management Overview September

Eric Weston Wally Magda, CISSP, PSP, CISA Compliance Auditor, Cyber Compliance Auditor, Cyber Security Security CIP 101 Training CIP-007-3a Cyber Security System Security Management Overview September 24-25, 2013 Salt Lake City, UT No

2.02k views • 198 slides
Why assess acting? The Theater Arts/Soft Skills Unit Level Assessment Fall 2016: What *else* do

Why assess acting? The Theater Arts/Soft Skills Unit Level Assessment Fall 2016: What *else* do

Why assess acting? The Theater Arts/Soft Skills Unit Level Assessment Fall 2016: What *else* do our students learn? Collect syllabi from current English, Speech, & Theater fine arts classes (literature, creative writing, theater arts)

680 views • 15 slides
Theater Pharmacy Overview MAJ (P) Steven Barr Pharm D BCPS Theater Enabling Medical Command

Theater Pharmacy Overview MAJ (P) Steven Barr Pharm D BCPS Theater Enabling Medical Command

Theater Pharmacy Overview MAJ (P) Steven Barr Pharm D BCPS Theater Enabling Medical Command (TEMC) Pharmacist TF 1 st Medical Brigade (TF1MED) FWD. CPE Information and Disclosures [MAJ (P) Steven BARR declare(s) no conflicts of interest,

593 views • 21 slides
The Seven (More) DEADLY SINS OF Microservices Daniel Bryant @ danielbryantuk OpencRedo

The Seven (More) DEADLY SINS OF Microservices Daniel Bryant @ danielbryantuk OpencRedo

The Seven (More) DEADLY SINS OF Microservices Daniel Bryant @ danielbryantuk OpencRedo Previously, AT QCON NYC 2015... https://www.infoq.com/presentations/7-sins-microservices 14/06/2016 @danielbryantuk The Seven (more) Deadly Sins of

979 views • 60 slides
Alameda Theater Restoration Project The Alameda complex was completed in 1949 as a

Alameda Theater Restoration Project The Alameda complex was completed in 1949 as a

Alameda Theater Restoration Project The Alameda complex was completed in 1949 as a Mexican-American entertainment venue. For the next thirty years, the Theater featured major artists from throughout the United States, Spain, Mexico, and other

447 views • 15 slides
The Seven (More) DEADLY SINS OF Microservices @ danielbryantuk @ spectolabs Previously, AT Devoxx

The Seven (More) DEADLY SINS OF Microservices @ danielbryantuk @ spectolabs Previously, AT Devoxx

The Seven (More) DEADLY SINS OF Microservices @ danielbryantuk @ spectolabs Previously, AT Devoxx UK & QCON NYC 2015... https://www.infoq.com/presentations/7-sins-microservices 01/05/2017 @danielbryantuk The Seven (more) Deadly Sins of

939 views • 53 slides
Compliance T Training: g: Under nderstanding t the he Revi view P Process ess Compliance

Compliance T Training: g: Under nderstanding t the he Revi view P Process ess Compliance

Compliance T Training: g: Under nderstanding t the he Revi view P Process ess Compliance and Security Division U.S. Agricultural Export Development Council Monday, November 18, 2019 Overview ew Welcome Global Programs: Curt Alt

386 views • 34 slides
1 Thus the heavens and the earth were completed in all their vast array. 2 By the seventh day God

1 Thus the heavens and the earth were completed in all their vast array. 2 By the seventh day God

Genesis 2:1-3 NIV 1 Thus the heavens and the earth were completed in all their vast array. 2 By the seventh day God had finished the work he had been doing; so on the seventh day he rested from all his work. 3 Then God blessed the seventh day

468 views • 18 slides
The 7 Deadly Sins of Running a Ministry (and how

The 7 Deadly Sins of Running a Ministry (and how

The 7 Deadly Sins of Running a Ministry (and how not to let your human nature throw your call from God down the toilet) presented

756 views • 57 slides
Identity Powers Adaptive Security Robert MacDonald #MicroFocusCyberSummit security leaders

Identity Powers Adaptive Security Robert MacDonald #MicroFocusCyberSummit security leaders

Identity Powers Adaptive Security Robert MacDonald #MicroFocusCyberSummit security leaders regard achieving and 68 % REGULATORY maintaining regulatory compliance as COMPLIANCE a critical priority. (Forrester 2017) 59 % technology

503 views • 24 slides
6. (3 pts) What three things form the deadly triad the three things that cannot be

6. (3 pts) What three things form the deadly triad the three things that cannot be

6. (3 pts) What three things form the deadly triad the three things that cannot be combined in the same learning situation without risking divergence? (circle three) (a) eligibility traces (b) bootstrapping (c) sample backups (d)

146 views • 14 slides
Distracted Driving--A Deadly and Preventable Risk NCOIL July 14, 2018 David F. Snyder, PCI

Distracted Driving--A Deadly and Preventable Risk NCOIL July 14, 2018 David F. Snyder, PCI

Distracted Driving--A Deadly and Preventable Risk NCOIL July 14, 2018 David F. Snyder, PCI david.snyder@pciaa.net 1 2 Unanimous View that Distracted Driving Is Deadly and Must Be Prevented National Highway Traffic Safety Administration:

441 views • 8 slides

More recommend