security and compliance theater the seventh deadly
play

Security and Compliance Theater The Seventh Deadly Disease John - PowerPoint PPT Presentation

Apr 18, 2023 •108 likes •534 views

Security and Compliance Theater The Seventh Deadly Disease John Willis @botchagalupe botchagalupe@gmail.com https://github.com/botchagalupe/my-presentations You cant Lean, Agile, SAFE, Devops or even SRE your way around a bad

  1. Security and Compliance Theater “The Seventh Deadly Disease”

  2. John Willis @botchagalupe botchagalupe@gmail.com

  3. https://github.com/botchagalupe/my-presentations

  5. You can’t Lean, Agile, SAFE, Devops or even SRE your way around a bad organizational culture.

  6. What We Did Organizational Anthropology

  12. Conway’s Law An adage named after computer programmer Melvin Conway, who introduced the idea in 1967. It states that. "organizations which design systems ... are constrained to produce designs which are copies of the communication structures of these organizations.”

  17. Organizational Anthropology • 10 to 20 Pre-Assessment Calls • 30 to 50 Assessment Meetings • Interview 150-200 People • Over 400 Pages of Notes • 300 Summarized Observations

  18. Two Days With Leadership

  19. Common Top Three • Toil • Risk • Inconsistency

  20. General Toil • Downstream Dependancies • ITIL Processing Toil • A Lot of Signoff’s • Only High Priority Get Fixed • High Technical Debt • Product and Team Silos

  21. General Risk • Permitter Based Risk Models • Subjective Governance Models • Inconsistent Policies for Dev/Test/QA • Low Attestation Efficacy • Configuration Blind Spots

  22. General Consistency • Inconsistent Environments • Unclear Roles and Responsibilities • CD Anti-Patterns • Cross Function Chaos

  23. The Deadliest Disease!

  25. Devops (Shift Left Auditors) • Review Boards (ARB, PRB,CAB) • Check Box Compliance • Workarounds and Hidden Work • Auditor Workarounds • Vulnerability Theater • Negative Risk RIO • Policy Theater

  26. DevSecOps Detective Preventative Interval Requirements Development CI Trigger Production & Design Assessment Perimeter SCM Application Risk Assessment Classification Dynamic Web Application Static Analysis/IDE Static Analysis (CI) Assessments Firewalls Security Requirement Definition Automated Attack/ Open Source Threat-Based Pen Secure Libraries Bot Defense Governance(CI) Test Container Security Threat modeling Secure Coding Container Security Management Standards Compliance (CI) Security Mavens (Security-Trained Developers and Operations) Role Based Software Security Training Continuous Monitoring, Analytics and KPI Gathering

  27. DevSecOps Operational Tips • Work with and educate your auditors • Move Subjective Attestation to Objective Attestation • Ruthlessly eliminate false positives to Developers • Explain the vulnerabilities in business impact terms • Devops the vulnerability (JIRA, backlog, Kanban) • Open the code base to everyone in the organization • Educate on how to fix

  28. Changing subjective attestation into objective attestation

  29. Devops Automated Governance • Attestation of the integrity of assets in the delivery pipeline • Automated Attestation in CI/ CD • Transform CAB (Change Advisory Board) • Reduce Effort w/ Compliance Activities - “Continuous Compliance”

  31. The Delivery Pipeline

  32. Constructing an Attestation

  33. Attestation Database

  34. Basic Governance Model

  35. Source Code Repository Stage

  36. Build Stage

  37. Dependency Management Stage

  38. Package Stage

  39. Artifact Stage

  40. Prod Stage

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Fox Theater

Fox Theater

THE WALSENBURG Fox Theater ______________________________________________________________________________________________________ University Technical Assistance PROGRAM CONSIDERATIONS Need to better monetize theater: Flexibility (Movies

883 views • 52 slides
Effective Security for the Post-compliance Era Security Awareness and Training for Security

Effective Security for the Post-compliance Era Security Awareness and Training for Security

Effective Security for the Post-compliance Era Security Awareness and Training for Security Specialists M. ANGELA SASSE, RUHR UNIVERSITY BOCHUM & UCL The problem MENSCHLICH WELTOFFEN LEISTUNGSSTARK 2 ENISA Report December 2018

362 views • 33 slides
Be Deadly Get Healthy An Opportunity for Exercise in the Aboriginal Community KRISTY

Be Deadly Get Healthy An Opportunity for Exercise in the Aboriginal Community KRISTY

Be Deadly Get Healthy An Opportunity for Exercise in the Aboriginal Community KRISTY DOUGHENEY PHYSIOTHERAPIST WEST GIPPSLAND HEALTHCARE GROUP What is Be Deadly Get Healthy? Be Deadly Get Healthy is a community driven exercise

389 views • 17 slides
Security and Compliance in Clouds Jan Jrjens , Kristian Beckers Fraunhofer Institute for

Security and Compliance in Clouds Jan Jrjens , Kristian Beckers Fraunhofer Institute for

Security and Compliance in Clouds Jan Jrjens , Kristian Beckers Fraunhofer Institute for Software and Systems Engineering ISST (Dortmund, Germany) http://jan.jurjens.de Security is the Major Show-Stopper Jan Jrjens: Security and Compliance

768 views • 18 slides
THE ROYAL THEATER Hogansville, Georgia THE HISTORIC 1937 ROYAL THEATER Hogansville, Georgia

THE ROYAL THEATER Hogansville, Georgia THE HISTORIC 1937 ROYAL THEATER Hogansville, Georgia

THE ROYAL THEATER Hogansville, Georgia THE HISTORIC 1937 ROYAL THEATER Hogansville, Georgia THE ROYAL THEATER - 1937 THE ROYAL THEATER - 1937 The Royal Theater was built by Mr. O.C. Lam, a local whose brother, C.O. Lam was Troup County

544 views • 42 slides
The Joy of Open, Agile Government Security Compliance Using F/LOSS, Agile and DevSecOps to help

The Joy of Open, Agile Government Security Compliance Using F/LOSS, Agile and DevSecOps to help

The Joy of Open, Agile Government Security Compliance Using F/LOSS, Agile and DevSecOps to help make compliance secure Fen Labalme TOC How did I get here What is CivicActions What is compliance Making compliance fun Culture

1.24k views • 89 slides
why are the 7 deadly? 1) They are difficult to shake. 2) The y are endemic (common) to humanity.

why are the 7 deadly? 1) They are difficult to shake. 2) The y are endemic (common) to humanity.

why are the 7 deadly? 1) They are difficult to shake. 2) The y are endemic (common) to humanity. 3) They are often the necessary first step to another sin. pride envy wrath sloth greed lust gluttony what is so DEADLY about SLOTH ?

352 views • 17 slides
Substation Security Blake Beale - Manager, CIP Compliance & Security Systems Jeff Imsdahl

Substation Security Blake Beale - Manager, CIP Compliance & Security Systems Jeff Imsdahl

Substation Security Blake Beale - Manager, CIP Compliance & Security Systems Jeff Imsdahl Director, Physical Security & Deputy CSO October 31, 2018 Substation Security Program Project established fall 2013 On site evaluations

235 views • 6 slides
IT Security Compliance Management can be done right! (and make sense doing so) 1 Hi. My name

IT Security Compliance Management can be done right! (and make sense doing so) 1 Hi. My name

IT Security Compliance Management can be done right! (and make sense doing so) 1 Hi. My name is Adrian Wiesmann. I work as an IT Security Officer for a Swiss Financial Institute and my daywork is to bother, to pester and to annoy to help

638 views • 39 slides
Compliance Cautions INVESTIGATING SECURITY ISSUES ASSOCIATED WITH U.S. DIGITAL-SECURITY STANDARDS

Compliance Cautions INVESTIGATING SECURITY ISSUES ASSOCIATED WITH U.S. DIGITAL-SECURITY STANDARDS

Compliance Cautions INVESTIGATING SECURITY ISSUES ASSOCIATED WITH U.S. DIGITAL-SECURITY STANDARDS ROCK CK S STEVENS, KEVIN HALLIDAY, MICHELLE MAZUREK // UNIV IVERSIT ITY O OF M MARYLAND JOSIAH DYKSTRA, JAMES CHAPMAN, ALEX FARMER //

290 views • 27 slides
Compliance Cautions Investigating Security Issues Associated with U.S. Digital-Security Standards

Compliance Cautions Investigating Security Issues Associated with U.S. Digital-Security Standards

LASER Workshop 2020 Compliance Cautions Investigating Security Issues Associated with U.S. Digital-Security Standards Rock Stevens , Kevin Halliday, Michelle Mazurek / / University of Maryland Josiah Dykstra, James Chapman, Alexander F armer

345 views • 22 slides
Security & Compliance Thursday, September 4 2014 What is a security breach/attack? A

Security & Compliance Thursday, September 4 2014 What is a security breach/attack? A

Security & Compliance Thursday, September 4 2014 What is a security breach/attack? A security breach/attack is defined as an event in which a corporations network is compromised or an individuals name plus Social Security Name (SSN),

890 views • 12 slides
CIP 101 Training CIP-007-3a Cyber Security System Security Management Overview September

CIP 101 Training CIP-007-3a Cyber Security System Security Management Overview September

Eric Weston Wally Magda, CISSP, PSP, CISA Compliance Auditor, Cyber Compliance Auditor, Cyber Security Security CIP 101 Training CIP-007-3a Cyber Security System Security Management Overview September 24-25, 2013 Salt Lake City, UT No

2.02k views • 198 slides
Why assess acting? The Theater Arts/Soft Skills Unit Level Assessment Fall 2016: What *else* do

Why assess acting? The Theater Arts/Soft Skills Unit Level Assessment Fall 2016: What *else* do

Why assess acting? The Theater Arts/Soft Skills Unit Level Assessment Fall 2016: What *else* do our students learn? Collect syllabi from current English, Speech, & Theater fine arts classes (literature, creative writing, theater arts)

680 views • 15 slides
Theater Pharmacy Overview MAJ (P) Steven Barr Pharm D BCPS Theater Enabling Medical Command

Theater Pharmacy Overview MAJ (P) Steven Barr Pharm D BCPS Theater Enabling Medical Command

Theater Pharmacy Overview MAJ (P) Steven Barr Pharm D BCPS Theater Enabling Medical Command (TEMC) Pharmacist TF 1 st Medical Brigade (TF1MED) FWD. CPE Information and Disclosures [MAJ (P) Steven BARR declare(s) no conflicts of interest,

593 views • 21 slides
The Seven (More) DEADLY SINS OF Microservices Daniel Bryant @ danielbryantuk OpencRedo

The Seven (More) DEADLY SINS OF Microservices Daniel Bryant @ danielbryantuk OpencRedo

The Seven (More) DEADLY SINS OF Microservices Daniel Bryant @ danielbryantuk OpencRedo Previously, AT QCON NYC 2015... https://www.infoq.com/presentations/7-sins-microservices 14/06/2016 @danielbryantuk The Seven (more) Deadly Sins of

979 views • 60 slides
Peter Johnston: Teaching Improvisation and the Pedagogical History of the Jimmy Giuffre 3 The

Peter Johnston: Teaching Improvisation and the Pedagogical History of the Jimmy Giuffre 3 The

Teaching Improvisation and the Pedagogical History of the Jimmy Giuffre 3 - Peter Johnston Peter Johnston: Teaching Improvisation and the Pedagogical History of the Jimmy Giuffre 3 The growth of interest in jazz in university music departments

370 views • 8 slides
CSEE4840 Project Presentation Watch Out! Zachary Salzbank Shangru Li Gameplay Player moves

CSEE4840 Project Presentation Watch Out! Zachary Salzbank Shangru Li Gameplay Player moves

CSEE4840 Project Presentation Watch Out! Zachary Salzbank Shangru Li Gameplay Player moves from platform to platform with rotary switch as controller Landing on platforms increases the score Different platforms create different

286 views • 11 slides
REASONS TO DO MUSIC PROGRAMMING APPEAL TO ALL AGES REACH A NEW AUDIENCE SUPPORT LOCAL

REASONS TO DO MUSIC PROGRAMMING APPEAL TO ALL AGES REACH A NEW AUDIENCE SUPPORT LOCAL

REASONS TO DO MUSIC PROGRAMMING APPEAL TO ALL AGES REACH A NEW AUDIENCE SUPPORT LOCAL MUSICIANS ENHANCE YOUR COMMUNITY PROFILE LOW COST OPTIONS MUSIC IS FUN MAKING IT WORK FINDING PERFORMERS BUDGETING: STRETCHING

414 views • 22 slides
Using PowerPoints Advanced Features September, 2003 Suzanne Czurylo czurylo@umich.edu For

Using PowerPoints Advanced Features September, 2003 Suzanne Czurylo czurylo@umich.edu For

Using PowerPoints Advanced Features September, 2003 Suzanne Czurylo czurylo@umich.edu For questions about using PowerPoint, please contact Software Support at umbssofthelp@umich.edu What Are Advanced Features? Advanced Features are not

377 views • 11 slides
Introduction to WSU Accounting Presented by Terry Ely Controller, Business Services/Controller

Introduction to WSU Accounting Presented by Terry Ely Controller, Business Services/Controller

2/23/201 WA S H I N G T O N S T AT E 6 U N I V E R S I T Y Introduction to WSU Accounting Presented by Terry Ely Controller, Business Services/Controller 5-2008 terrye@wsu.edu Updated February 2016 Objectives Some history of WSU

447 views • 21 slides
1 Agenda Agenda Opening Comments General Information Calendar Highlights Budget

1 Agenda Agenda Opening Comments General Information Calendar Highlights Budget

1 FY 2 0 1 5 Closing & FY 2 0 1 6 Opening Training Presented by Office of the State Controller May 6, 2015 Higher Education Session Colorado Springs 2 Presenters Presenters Financial Analysis & Reporting Section Tammy Nelson

834 views • 33 slides
Attacking the Windows Kernel Below The Root Jonathan Lindsay, Reverse Engineer in extremis

Attacking the Windows Kernel Below The Root Jonathan Lindsay, Reverse Engineer in extremis

Attacking the Windows Kernel Below The Root Jonathan Lindsay, Reverse Engineer in extremis Introduction Limited to Windows, and aimed at IA32: Outline of protected mode and the kernel Attack vectors Useful tools Examples

672 views • 36 slides
FeatureHub: towards collaborative data science Micah J. Smith, Roy Wedge, Kalyan Veeramachaneni

FeatureHub: towards collaborative data science Micah J. Smith, Roy Wedge, Kalyan Veeramachaneni

FeatureHub: towards collaborative data science Micah J. Smith, Roy Wedge, Kalyan Veeramachaneni MIT IEEE DSAA 2017 Tokyo, Japan A tale of two systems FeatureHub: towards collaborative data science (Smith, Wedge, Veeramachaneni) 2 Massive

479 views • 25 slides

More recommend