SLIDE 1
Architecting a culture of secure software
@lady_nerd laura@safestack.io https://safestack.io
secure software @lady_nerd laura@safestack.io https://safestack.io - - PowerPoint PPT Presentation
secure software @lady_nerd laura@safestack.io https://safestack.io - - PowerPoint PPT Presentation
Architecting a culture of secure software @lady_nerd laura@safestack.io https://safestack.io In this talk Everything is not awesome The reality of our threat landscape and the need for change Security at speed Shifting mindsets and
SLIDE 2
SLIDE 3
In this talk
Everything is not awesome
The reality of our ‘threat landscape’ and the need for change
Security at speed
Shifting mindsets and adapting to our new environment
Architecting conscious security culture
Building a security-by-default culture
SLIDE 4
SLIDE 5
Everything is not awesome
SLIDE 6
SLIDE 7
SLIDE 8
Sidenote
Shiny Pebbles are kind of interesting River rocks that shine under moonlight were often
- volcanic. Volcanic rocks don’t get compromised
under high temperatures and shatter. “Shiny Pebbles” became a highly sought after cooking tool that would be passed between generations and had significant value both culturally and economically in Polynesian cultures.
SLIDE 9
SLIDE 10
Knights Warriors Armies Law Enforcement
Security Managers
SLIDE 11
SLIDE 12
SLIDE 13
Hire more security people!
SLIDE 14
SLIDE 15
Everyone expects your security team to be a team….
Many hats not many people
SLIDE 16
SLIDE 17
Fear
Vulnerability
Shame Isolation Uncertainty
SLIDE 18
4 million people 35 penetration testers 450 security professionals 1.2 per security team
P.S we are hiring
SLIDE 19
SLIDE 20
Security at speed
SLIDE 21
continuous
SLIDE 22
automated autonomous integrated repeatable scalable measurable respectful
SLIDE 23
automated
“the best technical people I know work
really hard to make themselves redundant”
SLIDE 24
Deployment Provisioning Testing Static analysis Vulnerability mgmt
SLIDE 25
autonomous
“no bottlenecks, breakdowns or ripples”
SLIDE 26
SLIDE 27
Skills Authority Accountability every team
SLIDE 28
integrated
“bite-sized security that works with every step
- f your lifecycle”
SLIDE 29
Dependency checkers Static analysis and code review
Integrate security into your pipeline
Vulnerability scanners Threat assessment tools Requirements generators
SLIDE 30
Woven in to keep you going Respected enough to stop you
SLIDE 31
repeatable
“security fails when it’s a special event”
SLIDE 32
scalable
more than just a single team experiment
SLIDE 33
measurable
if you can’t measure it, how do you know you made things better?
SLIDE 34
respectful
every action has a cost, value the time and resource needed to complete an action
SLIDE 35
Architecting conscious security culture
SLIDE 36
SLIDE 37
hire good people
“learn what good means for your organisation”
SLIDE 38
keep good people
money isn’t normally the only factor
SLIDE 39
skills, authority, accountability increase effectiveness in role
Agency Incentivization Acknowledgement
increase loyalty to role
SLIDE 40
blameless (fearless)
extend blameless culture to security
SLIDE 41
Use understanding attack and risk as problem solving, creative, lateral thinking
You shouldn’t feel naughty You shouldn’t feel sad
SLIDE 42
data driven security
take out the emotion, measure and respond
SLIDE 43
Patch adoption Upgrade rates User profiles (technology and usage) Device patterns Browser patterns Chronological and location patterns Error rates Query times Query data set size and complexity
SLIDE 44
language matters
consistent, concise, inclusive
SLIDE 45
sustainability and stamina
save crisis responses and stress for special
- ccasions
SLIDE 46
TL;DR
Everything is not awesome
The reality of our ‘threat landscape’ and the need for change
Security at speed
Shifting mindsets and adapting to our new environment
Architecting conscious security culture
Building a security-by-default culture
SLIDE 47
SLIDE 48
@lady_nerd laura@safestack.io https://safestack.io