Doing IT Security: Organizational challenges (Laura Kocksch)



SLIDE 1

Doing IT Security

Organizational challenges


Laura Kocksch, Fraunhofer Institute for Secure Information Technologies / Ruhr University Bochum

RISCS Developer-Centred Security Workshop: 24th November 2016

SLIDE 2

Study I: „Can security become an organizational routine?“


SLIDE 3

Research interest (CS):

  • Security tool adoption
  • Anecdotal evidence in computer science

  • What happens when the topic "security" enters a software company?
  • What effects does a security consulting engagement have on security in a software company?


SLIDE 4

Research interest (S):

  • Technology adoption and sociotechnical situations
  • Organizations consist of structure and agency

  • What practices are triggered by a security consulting engagement?
  • How does a security consulting engagement affect organizational routines in a software development group?


SLIDE 5

What happens during a security consulting?

  • Penetration test
  • Submission of found security defects (internal tracking system)
  • Face-to-face workshop training
  • In-depth presentation of vulnerability types
  • Hands-on hacking exercises („Hacking Challenge“)
  • Fixing of found security defects
  • Long-term change?

SLIDE 6

Methods:


SLIDE 7

Results I:

  • Great „euphoria“ right after the workshop…
  • fixing activities ambitious…
  • … but one-time event.
  • Developers were dissatisfied about the outcome.

  • Why these results?


SLIDE 8

Organizational Routines:


Image credit: Radschläger (Own work) [CC BY-SA 2.5-2.0-1.0] via Wikimedia Commons

The ostensive [structural] aspect of a routine is […] useful in that it helps us describe what we are doing in ways that make sense of our activities. It enables us to ask others to account for actions that seem unusual, and to provide reasonable accounts when we are called to explain.

(Feldman and Pentland 2003)

SLIDE 9

Manager and Developer Agreements:


“[any added feature] is gonna have to have security baked into it.”

“I would say, because we are working Scrum-like, every team should take up these questions [of security].”

“There exists no rule book saying ‘for finishing this feature please spend two hours on security’ [...] The idea is to set up teams to be self-learning so that they consider it in the process from the very beginning, kind of trying to channel the ‘-ilities’.”

“Actually I don't want that [strict guidelines] ... I don't wanna say it is necessary that someone from the top starts asking us to do certain things.”

SLIDE 10

Manager and Developer Agreements:


“But if we only develop security features [...], the product manager has nothing [...] for the next sales training. [...] he has no shiny new features to show [...] no further checkbox to tick in a sales brochure. This is the mindset these folks are thinking in.”

“[...] if security is not on the list [of features], then is it really worth the time and extra energy to do it?”

SLIDE 11

Developers' Agreements:

“I mean we are developers because we enjoy it, I don't think any software developer does it because they are just making a paycheck [...] what you really enjoy is putting something together and seeing it work. [...] Security is not one of those things for most people I think, but it does need to be emphasized and we do need to prevent something from happening [...].”

Security lacks a „story line“

“Apart from the findings from the workshop there was never any feedback from the customer [...] That [feedback] would definitely motivate us.”


SLIDE 12

Lessons Learned


  • Make security work accountable and tangible for all actors…
  • Make security interesting…
  • Establish security stakeholders respecting the organizational framework

SLIDE 13

Study II: „Can a system be planned secure?“

  • How to design SecurityByDesign?
  • Threat modelling techniques


SLIDE 14

Modelling Threats and Risks:


Image credits: https://technet.microsoft.com/en-us/security/hh855044.aspx; Chris Creagh (Own work) [CC BY-SA 3.0]

SLIDE 15

Models as a „Boundary Object“?


Boundary Objects are objects which are both plastic enough to adapt to local needs and the constraints of the several parties employing them, yet robust enough to maintain a common identity across sites. They are weakly structured in common use, and become strongly structured in individual use […]

(Star and Griesemer 1989)

SLIDE 16

Results II: Chicken and Egg


  • What are the IT security constraints for the software solution we want to build?
  • What shall the IT system look like that we need to secure?

Image credits: Sun Ladder (Own work) [CC BY-SA 3.0] via Wikimedia Commons; Thegreenj (Own work) [CC-BY-SA-3.0] via Wikimedia Commons

SLIDE 17

Results II: Chicken and Egg


  • What IT system can you build?
  • What IT system do you need?

SLIDE 18

„Doing IT Security“

  • Security poses challenges for organizational structure
  • Defining security is not a linear process
  • Security is not just like any other „-ility“
  • Security is a sociotechnical challenge
  • SecurityByDesign incorporates challenges on the developers' and the users' side (e.g. nudging / soft paternalism)


SLIDE 19

Selected Publications:

  • A. Poller, L. Kocksch, S. Türpe, F. Epp, K. Kinder-Kurlanda: Can Security Become a Routine? A Study of Organizational Change in an Agile Software Development Group. Forthcoming: Proc. CSCW'17, Portland, OR, February 25–March 1, 2017.
  • S. Türpe, L. Kocksch, A. Poller: Penetration Tests a Turning Point in Security Practices? Organizational Challenges and Implications in a Software Development Team. SOUPS'16, Denver, CO, June 22-24, 2016.
  • A. Poller, S. Türpe, K. Kinder-Kurlanda: An Asset to Security Modeling? Analyzing Stakeholder Collaborations Instead of Threats to Assets. Proc. NSPW'14, Victoria, BC, September 15-18, 2014.


SLIDE 20

Contact:

  • Andreas Poller & Sven Türpe, {andreas.poller, sven.türpe}@sit.fraunhofer.de
  • Laura Kocksch (RUB Bochum), laura.kocksch@rub.de, lkocksch@gmail.com
  • Dr. Katharina Kinder-Kurlanda, GESIS-Leibniz-Institut für Sozialwissenschaften, katharina.kinder-kurlanda@gesis.org

Fraunhofer Institute for Secure Information Technology, Rheinstrasse 75, 64295 Darmstadt, Germany, www.sit.fraunhofer.de