building secure cultures
play

Building Secure Cultures Leigh Honeywell @hypatiadotca about me - PowerPoint PPT Presentation

Apr 13, 2023 •194 likes •445 views

Building Secure Cultures Leigh Honeywell @hypatiadotca about me Canadian ex-Symantec, Microsoft Rebooted your Windows machines a few times in 2012 Now at Heroku, a Salesforce.com company move fast and break things. until this happens

  1. Building Secure Cultures Leigh Honeywell @hypatiadotca

  2. about me Canadian ex-Symantec, Microsoft Rebooted your Windows machines a few times in 2012 Now at Heroku, a Salesforce.com company

  3. move fast and break things….

  4. until this happens

  5. red flags ● “blameful” interactions between security + engineering ● disconnect between severity of security findings and what gets fixed ● long lag between engineering changes and policy changes

  6. green flags Some signs you have a healthy security culture: ● devs reach out to the security team when stuck or unsure ● devs find security bugs in eachothers’ code ● people self-report security issues (cred leaks etc.)

  7. how do you get to green?

  8. transparency + accountability = trust

  9. transparency

  10. accountability

  11. trust

  12. “impacting and influencing” in a breach situation it’s rarely the CEO who gets fired

  13. feigned surprise “The first rule means you shouldn't act surprised when people say they don't know something. This applies to both technical things ("What?! I can't believe you don't know what the stack is!") and non-technical things ("You don't know who RMS is?!"). Feigning surprise has absolutely no social or educational benefit: When people feign surprise, it's usually to make them feel better about themselves and others feel worse. And even when that's not the intention, it's almost always the effect. As you've probably already guessed, this rule is tightly coupled to our belief in the importance of people feeling comfortable saying "I don't know" and "I don't understand."” https://www.hackerschool.com/manual#sub-sec-social-rules

  14. secure development

  15. microsoft.com/sdl

  16. minimum viable SDL ● self-assessment to determine if a project needs security team review or not ● up-front threat modeling that is kept up to date as things evolve ● security review checklist o stay tuned on this one

  17. extra credit ● security tooling in your CI process o codeclimate o ??? others o there is a huge gap in the market here

  18. bug bounty

  19. bug bounty problems ● lots of work in progress with external inputs and dependencies ● emotional labour involved in negotiating severity and reproducibility of bugs ● initially, a lot of low-hanging fruit - which tapers off as you fix stuff

  20. pre-bug-bounty checklist ● communicate the importance of prioritizing bounty bugs ● establish a weekly time bounty work session: o ping bounty work items o communicate with external researchers o review bugs for things that need adding to your SDL

  22. security through play ctftime.org all you need is a google doc and an irc/hipchat/ slack room https://speakerdeck.com/hypatia/ctf-for-mortals

  23. thanks and links Thanks to Jacob Kaplan-Moss and Owen Jacobson for reviewing this deck, and to everyone who’s listened to me babble about security and emotional labour over the past few weeks. http://hypatia.ca will have this deck later today leigh@hypatia.ca / @hypatiadotca

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

BUILDING INTENTIONAL AWESOME CULTURES THAT HELP ORGANIZATIONS AND THE PEOPLE WITHIN THEM THRIVE

BUILDING INTENTIONAL AWESOME CULTURES THAT HELP ORGANIZATIONS AND THE PEOPLE WITHIN THEM THRIVE

BUILDING INTENTIONAL AWESOME CULTURES THAT HELP ORGANIZATIONS AND THE PEOPLE WITHIN THEM THRIVE TOGETHER DEVIN CRAIG CCG WHO IS THIS GUY? Husband, father, leader coach, manager developer, culture consultant, author, trainer THE BIG IDEA

373 views • 13 slides
K-12 Professional Development Abroad: Building Bridges Across Disciplines and Cultures Teacher

K-12 Professional Development Abroad: Building Bridges Across Disciplines and Cultures Teacher

K-12 Professional Development Abroad: Building Bridges Across Disciplines and Cultures Teacher Summer Institute Belize Mandy Monroe University of Florida Center for Latin American Studies 16 October 2014 FFLA Conference Overview Latin

745 views • 18 slides
CSE 291 Building Secure Systems using Programming Languages and Analysis Fall 2016 Tue/Thurs

CSE 291 Building Secure Systems using Programming Languages and Analysis Fall 2016 Tue/Thurs

CSE 291 Building Secure Systems using Programming Languages and Analysis Fall 2016 Tue/Thurs 5:00-6:20PM Deian Stefan UC San Diego Who am I? New assistant professor PhD at Stanford (Mazieres & Mitchell) I like to build secure

896 views • 50 slides
Global strategy amidst the globes cultures: Cultures in individual cognition, states and the

Global strategy amidst the globes cultures: Cultures in individual cognition, states and the

Global strategy amidst the globes cultures: Cultures in individual cognition, states and the global system Nicholas Wright 5 th December 2019 SMA brief Georgetown, UCL, Intelligent Biology, New America Grey Zone and Global 2 How can the US

589 views • 19 slides
Secure Communication Secure Communication Lecture 14 Wrap-Up We saw... Symmetric-Key

Secure Communication Secure Communication Lecture 14 Wrap-Up We saw... Symmetric-Key

Secure Communication Secure Communication Lecture 14 Wrap-Up We saw... Symmetric-Key Components SKE, MAC Public-Key Components PKE, Digital Signatures Building blocks: Block-ciphers (AES), Hash-functions (SHA-3), Trapdoor PRG/OWP for PKE

1.07k views • 72 slides
CEF eI D Building Block European Com m ission DI GI T Frdric POELS STORK Secure idenTity

CEF eI D Building Block European Com m ission DI GI T Frdric POELS STORK Secure idenTity

CEF eI D Building Block European Com m ission DI GI T Frdric POELS STORK Secure idenTity acrOss boRders linKed I SA Interoperability Solutions for European Public Administrations eI DAS STORK 2 .0 Electronic Identification, Secure

793 views • 31 slides
How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

DIMACS Workshop On Secure Routing March 10, 2010 How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing Protocols? $ $ Sharon Goldberg Microsoft Research & Boston University y Michael Schapira

701 views • 54 slides
Designing and Building Secure Software With material from Dave Levin, Mike Hicks, Adam Shostack

Designing and Building Secure Software With material from Dave Levin, Mike Hicks, Adam Shostack

Designing and Building Secure Software With material from Dave Levin, Mike Hicks, Adam Shostack Making secure software Flawed approach : Design and build software, ignore security at first Add security once the functional requirements

858 views • 39 slides
Building Secure Channels Kenny Paterson Information Security Group

Building Secure Channels Kenny Paterson Information Security Group

Building Secure Channels Kenny Paterson Information Security Group Overview Why do we need secure channels? What properties should they have?

480 views • 31 slides
Building Secure Applications Greg Ponto & Tom Shippee Presentation agenda Overview -

Building Secure Applications Greg Ponto & Tom Shippee Presentation agenda Overview -

Esri International User Conference San Diego, California Technical Workshops | July 26, 2012 Building Secure Applications Greg Ponto & Tom Shippee Presentation agenda Overview - Exploring 10.1 architecture Beginners: - Using 10.1

461 views • 28 slides
Development*Process*for*Secure* So2ware Development Processes ( Lecture outline ) Emphasis on

Development*Process*for*Secure* So2ware Development Processes ( Lecture outline ) Emphasis on

Development*Process*for*Secure* So2ware Development Processes ( Lecture outline ) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development Lifecycle

598 views • 34 slides
Building a secure Kennedy bastion, or, 50 @anna_ken_ ways to kill your server Telenor Digital

Building a secure Kennedy bastion, or, 50 @anna_ken_ ways to kill your server Telenor Digital

Anna Building a secure Kennedy bastion, or, 50 @anna_ken_ ways to kill your server Telenor Digital What is a bastion (jumpbox) ? Outside world bastion server server server What do we mean by secure? How do we make a custom AMI?

231 views • 20 slides
Linux Security for Developers Insights for building a (more) secure world Michael Boelen

Linux Security for Developers Insights for building a (more) secure world Michael Boelen

Linux Security for Developers Insights for building a (more) secure world Michael Boelen michael.boelen@cisofy.com 14 January 2016 We Love Construction 2 Image source unknown And Magic! Turning data into: - Useful output - Stable

1.14k views • 85 slides
GNUnet A network protocol stack for building secure, distributed, and privacy-preserving

GNUnet A network protocol stack for building secure, distributed, and privacy-preserving

GNUnet A network protocol stack for building secure, distributed, and privacy-preserving application FOSDEM20 Martin Schanzenbach 2/2/2020 The Internet is under attack The Internet HTTP, Facebook, Google, Libra ... DNS / X.509 TCP /

631 views • 34 slides
discrimination: litmus tests of (London's) NHS cultures Roger Kline Co-Director Patients First

discrimination: litmus tests of (London's) NHS cultures Roger Kline Co-Director Patients First

Patient safety and race discrimination: litmus tests of (London's) NHS cultures Roger Kline Co-Director Patients First and Research Fellow Middlesex University NHS cultures (at a time of immense pressure) Sheila Marsh and Bronwen . The

626 views • 28 slides
Building Secure Decentralized Applications the DECENT Way Haofan Zheng Xiaowei Chu University

Building Secure Decentralized Applications the DECENT Way Haofan Zheng Xiaowei Chu University

Building Secure Decentralized Applications the DECENT Way Haofan Zheng Xiaowei Chu University of California, Santa Cruz Owen Arden Remote Attestation A process for the enclave to gain the trust of a remote service, so that the remote

212 views • 18 slides
EMOTIONAL LOAD AND CUSTOMER SATISFACTION SARAH MORGAN - LUCEAT COACHING WHAT I PLAN TO COVER

EMOTIONAL LOAD AND CUSTOMER SATISFACTION SARAH MORGAN - LUCEAT COACHING WHAT I PLAN TO COVER

EMOTIONAL LOAD AND CUSTOMER SATISFACTION SARAH MORGAN - LUCEAT COACHING WHAT I PLAN TO COVER Emotional Load / Labour Employee Experience Customer Experience Four Key Areas ARLIE HOCHSCHILD - EMOTIONAL LABOUR "induce or suppress

559 views • 15 slides
Squawk: Something loose in cockpit. Reply: Something tightened in cockpit.

Squawk: Something loose in cockpit. Reply: Something tightened in cockpit.

Squawk: Something loose in cockpit. Reply: Something tightened in cockpit. Number three engine Squawk: missing. Reply: Number three engine found on right wing after brief search. Squawk: IFF inoperative.

640 views • 34 slides
Emergent Coherence From Field-Induced Instabilities of a Fractionalized Quantum Spin Liquid Mukul

Emergent Coherence From Field-Induced Instabilities of a Fractionalized Quantum Spin Liquid Mukul

Emergent Coherence From Field-Induced Instabilities of a Fractionalized Quantum Spin Liquid Mukul S. Laad (1), S. Acharya (2), A. Taraphder (2) (1) IMSc, Chennai, India, (2) IIT Kharagpur, India February 13, 2015 Outline Motivation. Kitaev

375 views • 35 slides
Chapter 7A Storytelling and Narrative Storytelling: -a feature of daily experience that we do

Chapter 7A Storytelling and Narrative Storytelling: -a feature of daily experience that we do

Chapter 7A Storytelling and Narrative Storytelling: -a feature of daily experience that we do without thinking -consume stories continuously Game designers add stories to: -enhance entertainment value -keep player interested -sell game

436 views • 10 slides
Newtonian Emotion System Introduction Psychology Plutchik Valentin Lungu Lazarus Perception

Newtonian Emotion System Introduction Psychology Plutchik Valentin Lungu Lazarus Perception

Newtonian Emotion System V. Lungu Newtonian Emotion System Introduction Psychology Plutchik Valentin Lungu Lazarus Perception Newtonian University POLITEHNICA of Bucharest Emotion Concepts Laws valentin.lungu.aimas@gmail.com Gravity

566 views • 22 slides
+ Do Now : What brought you to choose to work in Holyoke? Holyoke Public Schools Day of

+ Do Now : What brought you to choose to work in Holyoke? Holyoke Public Schools Day of

+ Do Now : What brought you to choose to work in Holyoke? Holyoke Public Schools Day of Learning for New-to-Holyoke Teachers Thursday, August 17, 2017 + Todays Agenda Time Topic 8:30 Breakfast and Do Now 8:50 Welcome and

985 views • 30 slides
Baumgartner, POLI 203 Fall 2014 Our two new exonerees Reading: press articles about Henry

Baumgartner, POLI 203 Fall 2014 Our two new exonerees Reading: press articles about Henry

Baumgartner, POLI 203 Fall 2014 Our two new exonerees Reading: press articles about Henry McCollum and Leon Brown Wed: the two articles about race September 8, 2014 Catching up Judicializing a political decision? Traditional Values /

472 views • 20 slides
Wow slides information and levels to a Some examples for your inspiration consistent

Wow slides information and levels to a Some examples for your inspiration consistent

Slide combining different Wow slides information and levels to a Some examples for your inspiration consistent whole Sales / Revenues Industry-specific Management IT / Technology consulting Consulting Consulting This puts us in

366 views • 5 slides

More recommend