security is an awesome product feature
play

Security is an Awesome Product Feature Mark P. Hahn Director of - PowerPoint PPT Presentation

Dec 01, 2022 •360 likes •640 views

Security is an Awesome Product Feature Mark P. Hahn Director of Cloud Strategies and DevOps Ciber Global, LLC , an HTC Global Company 425-749-9501, mhahn@ciber.com, https://www.linkedin.com/in/markphahn/ DevSecOpsDays Pittsburgh 2020 This

  1. Security is an Awesome Product Feature Mark P. Hahn Director of Cloud Strategies and DevOps Ciber Global, LLC , an HTC Global Company 425-749-9501, mhahn@ciber.com, https://www.linkedin.com/in/markphahn/ DevSecOpsDays Pittsburgh 2020

  2. This talk was presented at DevSecOpsDays in July of 2020 https://devsecopsdayspittsburgh2020.sched.com/ Security is an The event was hosted by the Software Engineering Institute at CMU https://www.sei.cmu.edu/ Awesome Product These are the annotated slides with my speaker notes to make it readable as a standalone document. Additional references are also included. Feature Mark Hahn is Ciber's Practice Director for Cloud and Dev/Ops Frameworks. He has 25+ years of experience as a Principal Architect delivering large-scale systems, including Wall Street trading systems, multinational retail payments systems and supply chain systems. Mark practices and coaches continuous delivery techniques that improve delivery timelines and increase system reliability, including Lean Mark P. Hahn software development and continuous improvement. A rare high-level professional who maintains excellent hands-on technical proficiency, Director of Cloud Strategies and DevOps Mark has been with Ciber for 8 years. Ciber Global, LLC , an HTC Global Company 425-749-9501, mhahn@ciber.com, https://www.linkedin.com/in/markphahn/ DevSecOpsDays Pittsburgh 2020

  3. Brakeing Down Security Podcast “teams want to work on awesome features, not security, and they don't realize that security is an awesome feature” - @noid https://brakeingsecurity.com/2019-044-noid-and-dave-dittrich-discusses-recent-keybase-woes-part-1 DevSecOpsDays Pittsburgh 2020

  4. Brakeing Down Security Podcast The origin for this talk was this quote from the Brakeing Down Security podcast in December 2019 by Brian ”@Noid” Harden. Brian had recently “teams want to work on awesome given a presentation at Seattle BSides about how to find security champions in development teams so one person on the team understands the concerns of the information security team. features, not security, and they don't My thought was that the whole development team should understand that security is an awesome feature. In fact, it is the development team’s responsibility to lead the charge for security in their product. realize that security is an awesome Empowered DevOps teams should not only be responsible for creating viable features, they are also responsible for product stability and feature” trustworthiness. Hence, they need to shift left on security, and make it a first class product feature. - @noid https://brakeingsecurity.com/2019-044-noid-and-dave-dittrich-discusses-recent-keybase-woes-part-1 DevSecOpsDays Pittsburgh 2020

  5. https://en.wiktionary.org/wiki/ awesome Etymology From awe + -some ; compare Old English eġeful (“fearful; inspiring awe”). Adjective awesome ( comparative more awesome or awesomer , superlative most awesome or awesomest ) (dated) Causing awe or terror; inspiring wonder or excitement. [from 1590– 1600.] The waterfall in the middle of the rainforest was an awesome sight. The tsunami was awesome in its destructive power. (colloquial) Excellent, exciting, remarkable. That was awesome ! Awesome , dude! DevSecOpsDays Pittsburgh 2020

  6. https://en.wiktionary.org/wiki/ awesome The word “awesome” is an adjective for comparison, which implies that we are making a choice about relative Etymology value of something. In this case it is the relative value of working on application security versus work on some other product feature. From awe + -some ; compare Old English eġeful (“fearful; inspiring awe”). Adjective awesome ( comparative more awesome or awesomer , superlative most awesome or awesomest ) (dated) Causing awe or terror; inspiring wonder or excitement. [from 1590– 1600.] The waterfall in the middle of the rainforest was an awesome sight. The tsunami was awesome in its destructive power. (colloquial) Excellent, exciting, remarkable. That was awesome ! Awesome , dude! DevSecOpsDays Pittsburgh 2020

  7. DevOps / DevSecOps Drives Business Value DevOps Toolchain Idea! Product. Plan Build Monitor Continuous DevSecOps Toolchain Integration Create Plan Configure Detect Continuous Continuous Monitoring Improvement Configuration Monitoring Continuous Continuous And And Integration Monitoring Analytics Analytics Continuous Continuous Deployment Learning Deploy Test Verify Preproduction Predict Respond DevSecOpsDays Pittsburgh 2020

  8. DevOps / DevSecOps Drives Business Value DevOps Toolchain Idea! Product. Plan The reason for the product is to create some business value for an organization. DevOps, or DevSecOps is a method (or a collection of methods) for focusing on business value and agreeing on a set of work to create or enhance business value. Which ever model you use for managing your work, the key is the value Build Monitor that the organization derives. Continuous DevSecOps Toolchain I prefer the simpler wheel on the right over the more complex models Integration on the right. Development teams need to complete trips around the wheel to deliver running software, and working on security features are Create Plan Configure Detect simply circuits around the wheel. Continuous Continuous Monitoring Improvement Configuration Monitoring Continuous Continuous And And Integration Monitoring Analytics Analytics Continuous Continuous Deployment Learning Deploy Test Verify Preproduction Predict Respond DevSecOpsDays Pittsburgh 2020

  9. Empowered Teams Drive Business Value Idea! Product. Plan P O D L D V D V D V D V D V Build Monitor Continuous Empowered teams are Integration responsible for all phases of software development. Deploy Test DevSecOpsDays Pittsburgh 2020

  10. Empowered Teams Drive Business Value Development teams working to deliver business value must Idea! Product. recognize that “Cybersecurity is a business problem, not a technical problem.” That phrase is the title of the first chapter in the book Fire Doesn’t Innovate by Kip Boyle, ISBN-10: 1544513194. Plan P O D L D V D V D V D V D V Build Monitor Continuous Empowered teams are Integration responsible for all phases of software development. Deploy Test DevSecOpsDays Pittsburgh 2020

  11. Automated Delivery Toolchain Business Owners End Users Senior Leadership P M B A P D U S U S U S E C V P D R P O D L D V D V D V D V D V I A C P S A S R T 1 O P Information Security SRE and Operations DevSecOpsDays Pittsburgh 2020

  12. Automated Delivery Toolchain P M = Product Management B A = Business Analyst P D = Product Designer Business Owners End Users Senior Leadership E C = Executive U S = User V P = Vice President P M B A P D D R = Director U S U S U S E C V P D R Development teams need to evaluate the input and needs of many different constituencies when ranking security features versus business features. This is a negotiation process which developments may not be good at. The tool that teams can use to risk modeling and threat analysis to P O D L D V D V D V D V D V help quality and then quantify the security risk to their system. The book Threat Modeling: Designing for Security by Adam Shostack, ISBN: 9781118809990 is a good staring point. The STRIDE model provides a workable starting point for analysis that can easily be used by development teams. I A = InfoSec Analyst C P = Compliance S R = SRE S A = Security Analyst I A C P S A T 1 = Tier 1 S R T 1 O P O P = Operations Information Security SRE and Operations DevSecOpsDays Pittsburgh 2020

  13. Relative Valuations • Hard Requirements • Regulatory mandates • Important Requirements • TLS and up to date cypher suites • OAuth2 • Good Ideas • Multifactor Authentication • Encryption at rest • Correct Session Timeouts • Nice to Haves • Application Firewall DevSecOpsDays Pittsburgh 2020

  14. One way to set priorities is to use a qualitative Relative Valuations ranking and make judgements between different features. The quality descriptors can vary. When threat modeling, security risks are often described with qualifiers likelihood and for impact. The qualifiers can then be used to sort • Hard Requirements and rank security risks, and choose mitigations to work on. • Regulatory mandates However, the qualitive rankings for security may • Important Requirements be difficult to compare to the qualifiers used to describe and rank business features. • TLS and up to date cypher suites • OAuth2 • Good Ideas • Multifactor Authentication • Encryption at rest • Correct Session Timeouts • Nice to Haves • Application Firewall DevSecOpsDays Pittsburgh 2020

  15. Monetary Valuation 2019 IBM / Ponemon Data Breach Report Average size of a data breach 25,575 record Average Cost of a data breach $3.92 million Cost per lost record Time to identify and contain a data breach $150 279 days GDPR CCPA €20 million $62.5 million or up to 4% of the annual worldwide turnover ($2,500 pre consumer) + Lawsuits DevSecOpsDays Pittsburgh 2020

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

31) Feature Models and MDA for Product Lines 1. Feature Models 2. Product Linie Configuration with

31) Feature Models and MDA for Product Lines 1. Feature Models 2. Product Linie Configuration with

Fakultt Informatik, Institut fr Software- und Multimediatechnik, Lehrstuhl fr Softwaretechnologie 31) Feature Models and MDA for Product Lines 1. Feature Models 2. Product Linie Configuration with Feature Models 3. Multi-Stage Configuration

646 views • 48 slides
31) Feature Models and MDA for Product Lines 1. Feature Models 2. Product Linie Configuration with

31) Feature Models and MDA for Product Lines 1. Feature Models 2. Product Linie Configuration with

Obligatory Literature Florian Heidenreich, Jan Kopcsek, and Christian Wende. Fakultt Informatik, Institut fr Software- und Multimediatechnik, Lehrstuhl fr Softwaretechnologie FeatureMapper: Mapping Features to Models. In Companion

316 views • 12 slides
Overview Extracting Product Feature Motivation & Terminology Opinion Mining Work

Overview Extracting Product Feature Motivation & Terminology Opinion Mining Work

Overview Extracting Product Feature Motivation & Terminology Opinion Mining Work Assessments from Overview of OPI NE Reviews Product Feature Extraction Ana-Maria Popescu Customer Opinion Extraction Oren Etzioni Experimental Results

174 views • 5 slides
Week 6 Video 5 Visualization Other Awesome EDM Visualizations Other Awesome EDM Visualizations

Week 6 Video 5 Visualization Other Awesome EDM Visualizations Other Awesome EDM Visualizations

Week 6 Video 5 Visualization Other Awesome EDM Visualizations Other Awesome EDM Visualizations Not an exhaustive list For obvious reasons Learnograms A graph that shows the change in one learning- related variable over time Concept

411 views • 11 slides
In the forward engineering, a feature model is used to create valid product configurations. In

In the forward engineering, a feature model is used to create valid product configurations. In

REVaMP 2 Configuration Mining Deriving Feature Constraints from Product Line Configurations Robert Bosch GmbH This presentation was created for the REVAMP2 publicly funded EU project. The slides present the Configuration Mining tool, developed

502 views • 11 slides
A TALK BY ME FOR AWESOME PEOPLE LIKE YOU Designing Happiness Presentation by: Vince

A TALK BY ME FOR AWESOME PEOPLE LIKE YOU Designing Happiness Presentation by: Vince

30 30 A TALK BY ME FOR AWESOME PEOPLE LIKE YOU Designing Happiness Presentation by: Vince Baskerville | Mobile Product Manager Lithium Technologies reach engage create infuse customers anywhere on existing networks a content hub across the

915 views • 69 slides
Security Feature Parity: GCC and Clang Linux Plumbers Conference 2019 Kees Cook

Security Feature Parity: GCC and Clang Linux Plumbers Conference 2019 Kees Cook

Security Feature Parity: GCC and Clang Linux Plumbers Conference 2019 Kees Cook <keescook@chromium.org> https://outflux.net/slides/2019/lpc/gcc-clang.pdf old school security feature examples stack canaries: -fstack-protector-strong

552 views • 15 slides
There and Back Again Motivation Sample Spaces and Feature Models: . . Conclusions Feature

There and Back Again Motivation Sample Spaces and Feature Models: . . Conclusions Feature

Outline . Czarnecki, She, Wsowski. Sample Spaces and Feature Models: There and Back Again . Software Product Line Conference 2008 There and Back Again Motivation Sample Spaces and Feature Models: . . Conclusions Feature Model Mining

1.21k views • 54 slides
Extending a Base Product for Multiple Customers Denis Defreyne MediaGeniX NG 1 2 Your

Extending a Base Product for Multiple Customers Denis Defreyne MediaGeniX NG 1 2 Your

ESUG 2012 Extending a Base Product for Multiple Customers Denis Defreyne MediaGeniX NG 1 2 Your product is cool, but its missing feature X! CUSTOMER 3 Yes, feature X would be nice for you, but nobody else! YOU 4

1.39k views • 111 slides
RFL-LED Floodlight Series Product feature presentation RDALIGHTING.COM RFL Floodlight Series

RFL-LED Floodlight Series Product feature presentation RDALIGHTING.COM RFL Floodlight Series

RFL-LED Floodlight Series Product feature presentation RDALIGHTING.COM RFL Floodlight Series Building facades, patios, yards, signs, wall washing, and general lighting applications 4 sizes, 6 wattages RFL1-20 RFL2-40

317 views • 10 slides
Failing Gracefully As A Feature Lorne Kligerman Director of Product, Gremlin @lklig 2 3 T-Ho

Failing Gracefully As A Feature Lorne Kligerman Director of Product, Gremlin @lklig 2 3 T-Ho

Failing Gracefully As A Feature Lorne Kligerman Director of Product, Gremlin @lklig 2 3 T-Ho 2017 Hey team bit of a spill but Im fine. Be down in 10! 4 We Expect Technology To Just Work 5 Black Friday Failures Technical

910 views • 41 slides
AWL-LED Series Product feature presentation RDALIGHTING.COM AWL LED Wall Light Series Perimeter

AWL-LED Series Product feature presentation RDALIGHTING.COM AWL LED Wall Light Series Perimeter

AWL-LED Series Product feature presentation RDALIGHTING.COM AWL LED Wall Light Series Perimeter lighting in commercial and residential buildings, townhouses, condominiums, schools, and warehouses. 3 Sizes, 5 Wattages AWL-14 AWL-26

890 views • 11 slides
Tweak twig with awesome Vue.js by Tejomay Saha Tweak twig with awesome Vue.js by Tejomay

Tweak twig with awesome Vue.js by Tejomay Saha Tweak twig with awesome Vue.js by Tejomay

Tweak twig with awesome Vue.js by Tejomay Saha Tweak twig with awesome Vue.js by Tejomay Saha Hello! I am Tejomay Saha @tejomayonline I am here as I love learning and expressing new techs stuffs to ease coding. Working at Srijan

865 views • 42 slides
Outline: Session #1 Look Inside Feature Description Text Session #2 Additional

Outline: Session #1 Look Inside Feature Description Text Session #2 Additional

Outline: Session #1 Look Inside Feature Description Text Session #2 Additional Product Images Encore Session Q&A, Support, Celebrate! Today: Additional Product Images! Adding Product Images Benefits A virtual

535 views • 34 slides
BLESS: Better Security and Ops for SSH Access Bryan D. Payne, Director of Product Security June

BLESS: Better Security and Ops for SSH Access Bryan D. Payne, Director of Product Security June

BLESS: Better Security and Ops for SSH Access Bryan D. Payne, Director of Product Security June 2017 Post by Ryan McGeehan 1 2 3 4 5 Phishing & Lateral Data Zero Day Backdoor Exfiltrate Movement Gathering Attack Several users

1.11k views • 74 slides
Agile Security Pits Daniel Liber ~whoami Current: Security Leader @ CyberArk Product

Agile Security Pits Daniel Liber ~whoami Current: Security Leader @ CyberArk Product

Pole Vaulting over Agile Security Pits Daniel Liber ~whoami Current: Security Leader @ CyberArk Product security Strategy and process driven A pain in the insecurity s a$$ Past @ multiple places Consulting, Research,

581 views • 32 slides
Cross-Lingual Part-of-Speech Tagging through Ambiguous Learning Guillaume Wisniewski Nicolas

Cross-Lingual Part-of-Speech Tagging through Ambiguous Learning Guillaume Wisniewski Nicolas

1/27 Cross-Lingual Part-of-Speech Tagging through Ambiguous Learning Guillaume Wisniewski Nicolas Pcheux Souhir Gahbiche-Braham Franois Yvon Universit Paris-Sud & LIMSI-CNRS October 28, 2014 2/27 Context performance standards

755 views • 42 slides
6. Functions Funding and Benefit Sharing A. 1. Project Cost Sharing Project Benefits D. 1.

6. Functions Funding and Benefit Sharing A. 1. Project Cost Sharing Project Benefits D. 1.

WATER FOR EVER Legal context A. 1. International Conventions 2. South African Legislation 3. Swaziland Legislation Evolution of KOBWA B. 1. Treaties 2. Evolution Stages 3. Main Objectives 4. Need for Bi-national Executive Arrangement 5.

825 views • 43 slides
technologies: Engineering Field Testing platform in Durban, South Africa Ruth Cottingham N

technologies: Engineering Field Testing platform in Durban, South Africa Ruth Cottingham N

Road to commercialising sanitation technologies: Engineering Field Testing platform in Durban, South Africa Ruth Cottingham N Alcock, C Buckley, T Gounden, S Mercer, L Ngubane, R Sindall, C Sutherland eThekwini Water and Sanitation, Khanyisa

639 views • 29 slides
Introduction - At the end of unit 13 I want to have produced a short documentary on the

Introduction - At the end of unit 13 I want to have produced a short documentary on the

Behind Closed Doors Introduction - At the end of unit 13 I want to have produced a short documentary on the dangers that surround Urban Exploring in regards to trespassing, buildings

287 views • 4 slides
It takes It tak es a w a whole sc hole school to r hool to raise aise a post a post-grad

It takes It tak es a w a whole sc hole school to r hool to raise aise a post a post-grad

It takes It tak es a w a whole sc hole school to r hool to raise aise a post a post-grad adua uate te stud studen ent: t: Employability and engagement of masters students Sadie Lawty, M Sadie Lawt , MSc Car Sc Career eers s

377 views • 33 slides
An Exploration of Embeddings for Generalized Phrases Wenpeng Yin & Hinrich Schutze ...

An Exploration of Embeddings for Generalized Phrases Wenpeng Yin & Hinrich Schutze ...

An Exploration of Embeddings for Generalized Phrases Wenpeng Yin & Hinrich Schutze ... Prachi, 12485 Hrishikesh, 14111265 CSE IIT Kanpur Embeddings for Contents Generalized Phrases CS671, NLP Motivation Motivation 1 Embedding

829 views • 28 slides
White Manipulation in Judgment Aggregation Gabriella Pigozzi Davide Grossi ILLC Amsterdam

White Manipulation in Judgment Aggregation Gabriella Pigozzi Davide Grossi ILLC Amsterdam

University of Tsukuba, LGS09, 26 - 29 August 2009 White Manipulation in Judgment Aggregation Gabriella Pigozzi Davide Grossi ILLC Amsterdam Marija Slavkovik W hat is this all about judgment aggregation (JA) has two problems: aggregation

770 views • 75 slides
Key concepts image apparatus Magic Automation Play information program Symbolic Chance

Key concepts image apparatus Magic Automation Play information program Symbolic Chance

Key concepts image apparatus Magic Automation Play information program Symbolic Chance improbable Necessity Historical context of the linear A B Chance and probability Apparatuses are playthings that repeat the same movement over

126 views • 8 slides

More recommend