Doing IT Security Organizational challenges Laura Kocksch Fraunhofer Institute for Secure Information Technologies/Ruhr University Bochum RISCS Developer-Centred Security Workshop: 24th November 2016 1
Study I: „Can security become an organizational routine?“ 2
Research interest (CS): • Security Tool adoption • Anectodal evidence in Computer Science What happens when the topic "security" enters a software company? What effects do security consultings have on security in a software compancy? 3
Research interest (S): • Technology adoption and sociotechnical situations • Organizations consist of structure and agency What practices are triggered by a security consulting? How does a security consulting effect organizational routines in a software development group? 4
What happens during a security consulting? Penetration Test Submission of found Security defects (internal tracking system) Face-to-face Workshop Training In depth presentation of vulnerability types Hands-On Hacking exercises „Hacking Challenge“ Fixing of found security defects Long-term change? 5
6 Methods:
Results I: I: • Great „euphoria“ right after the workshop… • fixing activities ambitious… • … but one-time event. • Developers were dissatisfied about the outcome. Why this results? 7
Radschläger (Eigenes Werk) [CC BY ‐ SA 2.5 ‐ 2.0 ‐ 1.0] via Wikimedia Commons Organizational Routines: The ostensive [structural] aspect of a routine is […] useful in that it helps us describe what we are doing in ways that make sense of our activities. It enables us to ask others to account for actions that seem unusual, and to provide reasonable accounts when we are called to explain. (Feldman and Pentland 2003) 8
Manager and Developer Agreements: “Actually I don't want that [strict guidelines] ... I don't wanna say it is necessary that someone from the top starts asking us to do certain things.” “There exists no rule book saying `for finishing this feature please spend two hours on security' [...] “I would say, because we are The idea is to set up teams to be working Scrum ‐ like, every self ‐ learning so that they consider “[any added feature] is team should take up these it in the process from the very gonna have to have security questions [of security].” beginning, kind of trying to baked into it,'' channel the ` ‐ ilities.’” 9
Manager and Developer Agreements: ``But if we only develop security features [...], the product manager has nothing [...] for the next sales training. “[...] if security is not on the list [...] he has no shiny new features to [of features], then is it really show [...] no further checkbox to tick worth the time and extra energy in a sales brochure. This is the mindset to do it? these folks are thinking in.'' 10
“I mean we are developers because we enjoy it, I don't think any software Developer´s Agreements: developer does it because they are just making a paycheck [...] what you really enjoy is putting something Security lacks a „story line“ together and seeing it work. [...] Security is not one of those things for most people I think, but it does need to be emphasized and we do need to prevent something from happening [...].” “Apart from the findings from the workshop there was never any feedback from the customer [...] That [feedback] would definitely motivate us.” 11
Lessons Learned Lessons Learned: Make security work accountable and tangible for all actors… Make security interesting… Establish security stakeholder respecting the organizational framework 12
Study II: „Can a system be planned secure? “ How to design SecurityByDesign? Threat Modelling Techniques 13
https://technet.microsoft.com/en ‐ us/security/hh855044.aspx By Chris Creagh (Own work) [CC BY ‐ SA 3.0] Modelling Threads and Risks: 14
Modelle ein „Boundary Object“? Boundary Objects are objects which are both plastic enough to adapt to local needs and the constraints of the several parties employing them, yet robust enough to maintain a common identity across sites. They are weakly structured in common use, and become strongly structured in individual use […] (Star and Griesemer 1989) 15
Results II: Chicken and Egg By Sun Ladder (Own work) [CC BY ‐ SA 3.0] via Wikimedia Commons By Thegreenj (Own work) [CC ‐ BY ‐ SA ‐ 3.0] via Wikimedia Commons What are the IT security What shall the IT system look constraints for the software like that we need to secure? solution we want to build? 16
By Sun Ladder (Own work) [CC BY ‐ SA 3.0] via Wikimedia Commons By Thegreenj (Own work) [CC ‐ BY ‐ SA ‐ 3.0] via Wikimedia Commons Results II: Chicken and Egg What IT system can you build? What IT system do you need? 17
„ Doing IT Security “ • Security poses challenges for organizational structure • Security definition no linear process • Security not just like any other „-ility“ • Security sociotechnical challenge • SecurityByDesign incorporates challenges at developer´s and user´s side (e.g. nudging/Soft-Paternalism) 18
Selected Publication: A. Poller; L. Kocksch; S. Türpe; F. Epp; K. Kinder-Kurlanda: Can Security Become a Routine? A Study of Organizational Change in an Agile Software Development Group . Forthcoming: Proc. CSCW'17, Portland, OR, February 25–March 1, 2017. S. Türpe, L. Kocksch, A. Poller: Penetration Tests a Turning Point in Security Practices? Organizational Challenges and Implications in a Software Development Team. SOUPS ´ 16, Denver, CO, Juni 22-24, 2016. A. Poller; S. Türpe; K. Kinder-Kurlanda: An Asset to Security Modeling? Analyzing Stakeholder Collaborations Instead of Threats to Assets . Proc. NSPW'14, Victoria, BC, September 15-18, 2014. 19
Andreas Poller & Sven Türpe Fraunhofer-Institute for {andreas.poller, Secure Information Technology Rheinstrasse 75 sven.türpe}@sit.fraunhofer.de 64295 Darmstadt, Germany www.sit.fraunhofer.de Laura Kocksch (RUB Bochum) laura.kocksch@rub.de lkocksch@gmail.com Dr. Katharina Kinder-Kurlanda GESIS-Leibniz-Institut für Sozialwissenschaften katharina.kinder-kurlanda@gesis.org 20
Recommend
More recommend
