Security is an Awesome Product Feature


  1. Security is an Awesome Product Feature
     Mark P. Hahn, Director of Cloud Strategies and DevOps
     Ciber Global, LLC, an HTC Global Company
     425-749-9501, mhahn@ciber.com, https://www.linkedin.com/in/markphahn/
     DevSecOpsDays Pittsburgh 2020

  2. Speaker notes: This talk was presented at DevSecOpsDays in July of 2020 (https://devsecopsdayspittsburgh2020.sched.com/). The event was hosted by the Software Engineering Institute at CMU (https://www.sei.cmu.edu/). These are the annotated slides with my speaker notes to make it readable as a standalone document. Additional references are also included.
     Mark Hahn is Ciber's Practice Director for Cloud and Dev/Ops Frameworks. He has 25+ years of experience as a Principal Architect delivering large-scale systems, including Wall Street trading systems, multinational retail payments systems and supply chain systems. Mark practices and coaches continuous delivery techniques that improve delivery timelines and increase system reliability, including Lean software development and continuous improvement. A rare high-level professional who maintains excellent hands-on technical proficiency, Mark has been with Ciber for 8 years.

  3. Brakeing Down Security Podcast
     “teams want to work on awesome features, not security, and they don't realize that security is an awesome feature” - @noid
     https://brakeingsecurity.com/2019-044-noid-and-dave-dittrich-discusses-recent-keybase-woes-part-1

  4. Speaker notes: The origin for this talk was this quote from the Brakeing Down Security podcast in December 2019 by Brian “@Noid” Harden. Brian had recently given a presentation at Seattle BSides about how to find security champions in development teams so one person on the team understands the concerns of the information security team.
     My thought was that the whole development team should understand that security is an awesome feature. In fact, it is the development team’s responsibility to lead the charge for security in their product. Empowered DevOps teams should not only be responsible for creating viable features, they are also responsible for product stability and trustworthiness. Hence, they need to shift left on security, and make it a first class product feature.

  5. https://en.wiktionary.org/wiki/awesome
     Etymology: From awe + -some; compare Old English eġeful (“fearful; inspiring awe”).
     Adjective: awesome (comparative more awesome or awesomer, superlative most awesome or awesomest)
     (dated) Causing awe or terror; inspiring wonder or excitement. [from 1590–1600.] The waterfall in the middle of the rainforest was an awesome sight. The tsunami was awesome in its destructive power.
     (colloquial) Excellent, exciting, remarkable. That was awesome! Awesome, dude!

  6. Speaker notes: The word “awesome” is an adjective for comparison, which implies that we are making a choice about the relative value of something. In this case it is the relative value of working on application security versus working on some other product feature.

  7. DevOps / DevSecOps Drives Business Value
     [Diagram: a DevOps Toolchain wheel (Idea! in, Product. out; stages Plan, Build, Continuous Integration, Deploy, Test, Monitor) beside a DevSecOps Toolchain (Create, Plan, Configure, Detect, Continuous Monitoring, Continuous Improvement, Configuration Monitoring, Continuous Integration, Monitoring and Analytics, Continuous Deployment, Continuous Learning, Deploy, Test, Verify, Preproduction, Predict, Respond).]

  8. Speaker notes: The reason for the product is to create some business value for an organization. DevOps, or DevSecOps, is a method (or a collection of methods) for focusing on business value and agreeing on a set of work to create or enhance business value. Whichever model you use for managing your work, the key is the value that the organization derives.
     I prefer the simpler DevOps wheel over the more complex DevSecOps toolchain models. Development teams need to complete trips around the wheel to deliver running software, and working on security features is simply more circuits around the wheel.

  9. Empowered Teams Drive Business Value
     [Diagram: the DevOps wheel (Idea! in, Product. out; Plan, Build, Continuous Integration, Deploy, Test, Monitor) with the team roles PO, DL, DV, DV, DV, DV, DV placed around it.]
     Empowered teams are responsible for all phases of software development.

  10. Speaker notes: Development teams working to deliver business value must recognize that “Cybersecurity is a business problem, not a technical problem.” That phrase is the title of the first chapter in the book Fire Doesn’t Innovate by Kip Boyle, ISBN-10: 1544513194.

  11. Automated Delivery Toolchain
      [Diagram: the delivery team (PO, DL, DV, DV, DV, DV, DV) surrounded by its constituencies: Business Owners (PM, BA, PD), End Users (US, US, US), Senior Leadership (EC, VP, DR), Information Security (IA, CP, SA) and SRE and Operations (SR, T1, OP).]

  12. Speaker notes: Development teams need to evaluate the input and needs of many different constituencies when ranking security features versus business features. This is a negotiation process which development teams may not be good at. The tool that teams can use is risk modeling and threat analysis, to help qualify and then quantify the security risk to their system. The book Threat Modeling: Designing for Security by Adam Shostack, ISBN: 9781118809990, is a good starting point. The STRIDE model provides a workable starting point for analysis that can easily be used by development teams.
      Legend: PM = Product Management, BA = Business Analyst, PD = Product Designer, EC = Executive, US = User, VP = Vice President, DR = Director, IA = InfoSec Analyst, CP = Compliance, SA = Security Analyst, SR = SRE, T1 = Tier 1, OP = Operations.

  13. Relative Valuations
      • Hard Requirements
        • Regulatory mandates
      • Important Requirements
        • TLS and up to date cipher suites
        • OAuth2
      • Good Ideas
        • Multifactor Authentication
        • Encryption at rest
        • Correct Session Timeouts
      • Nice to Haves
        • Application Firewall

  14. Speaker notes: One way to set priorities is to use a qualitative ranking and make judgements between different features. The quality descriptors can vary. When threat modeling, security risks are often described with qualifiers for likelihood and for impact. The qualifiers can then be used to sort and rank security risks, and choose mitigations to work on. However, the qualitative rankings for security may be difficult to compare to the qualifiers used to describe and rank business features.

  15. Monetary Valuation
      2019 IBM / Ponemon Data Breach Report:
        Average size of a data breach: 25,575 records
        Average cost of a data breach: $3.92 million
        Cost per lost record: $150
        Time to identify and contain a data breach: 279 days
      GDPR: €20 million or up to 4% of the annual worldwide turnover
      CCPA: $62.5 million ($2,500 per consumer) + Lawsuits
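As an added example (not from the talk), this Python sketch puts the qualitative likelihood labels of slide 14 and the cost figures of slide 15 on one dollar scale, so the security items of slide 13 can be ranked against business features by expected loss. The probabilities behind the likelihood labels, the EUR to USD rate, the turnover figure and the risk register entries are constructed assumptions.

```python
from dataclasses import dataclass

# Figures quoted on slide 15 (2019 IBM / Ponemon report, GDPR, CCPA).
COST_PER_RECORD_USD = 150
GDPR_FLOOR_EUR = 20_000_000
GDPR_TURNOVER_FRACTION = 0.04
CCPA_PER_CONSUMER_USD = 2_500

# Assumed for illustration, not from the talk: annual probability behind each
# qualitative likelihood label from the threat model, and a EUR to USD rate.
LIKELIHOOD = {"low": 0.05, "medium": 0.20, "high": 0.50}
EUR_USD_RATE = 1.10

def breach_cost(records, annual_turnover_usd, gdpr=False, ccpa=False):
    """Direct breach cost plus the regulatory exposure listed on the slide.
    GDPR: greater of EUR 20M and 4% of turnover. CCPA: per affected consumer."""
    cost = records * COST_PER_RECORD_USD
    if gdpr:
        cost += max(GDPR_FLOOR_EUR * EUR_USD_RATE,
                    GDPR_TURNOVER_FRACTION * annual_turnover_usd)
    if ccpa:
        cost += records * CCPA_PER_CONSUMER_USD
    return cost

@dataclass
class Risk:
    mitigation: str        # the security feature that would remove the risk
    likelihood: str        # qualitative label from the threat model
    records_exposed: int   # impact, as records an attacker would reach
    gdpr: bool = False
    ccpa: bool = False

    def expected_loss(self, annual_turnover_usd):
        """Annual expected loss in USD: likelihood times breach cost."""
        return LIKELIHOOD[self.likelihood] * breach_cost(
            self.records_exposed, annual_turnover_usd, self.gdpr, self.ccpa)

def rank(risks, annual_turnover_usd):
    """Largest expected loss first: the order in which to fund mitigations."""
    return sorted(risks, key=lambda r: r.expected_loss(annual_turnover_usd),
                  reverse=True)

# Constructed risk register built from three items on slide 13.
REGISTER = [
    Risk("Correct Session Timeouts", "low", 500),
    Risk("Encryption at rest", "medium", 25_575, gdpr=True),
    Risk("Multifactor Authentication", "high", 5_000, ccpa=True),
]
```

With a constructed turnover of $100 million, `rank(REGISTER, 100_000_000)` places Multifactor Authentication first and Correct Session Timeouts last, a different order from the qualitative tiers on slide 13, which is the comparison the notes say is otherwise hard to make.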
