was i supposed to mix the was i supposed to mix the
play

Was I supposed to Mix the Was I supposed to Mix the Security in - PowerPoint PPT Presentation

Oct 31, 2023 •27 likes •307 views

Was I supposed to Mix the Was I supposed to Mix the Security in Before I Baked It? Security in Before I Baked It? Security Beyond the Clich Security Beyond the Clich W. Brandon Martin W. Brandon Martin Deconstructed Security, LLC

  1. Was I supposed to Mix the Was I supposed to Mix the Security in Before I Baked It? Security in Before I Baked It? Security Beyond the Cliché Security Beyond the Cliché W. Brandon Martin W. Brandon Martin Deconstructed Security, LLC Deconstructed Security, LLC

  2. The Next 45 Minutes The Next 45 Minutes 01 - Introduction 01 - Introduction 02 - Background & Overview 02 - Background & Overview 03 - Security v. Business 03 - Security v. Business 04 - Security Balance 04 - Security Balance 05 - Architectural Solutions 05 - Architectural Solutions 06 - Security Practitioners 06 - Security Practitioners 07 - Questions 07 - Questions

  3. 01 - Introduction 01 - Introduction

  4. About Me About Me Christian Christian Dad (x3) Dad (x3) Independent Security Consultant Independent Security Consultant Raised in a barn Raised in a barn Creds Creds OSCP, OSWP, GPEN OSCP, OSWP, GPEN CISSP, CRISC CISSP, CRISC 6 Sigma Black Belt 6 Sigma Black Belt Disclaimer: My statements today do not do not Disclaimer: My statements today necessarily represent anyone else's view or necessarily represent anyone else's view or actionable security advice. security advice. actionable

  5. 02 - Background & Overview 02 - Background & Overview

  6. Problem Statement Problem Statement Good security requires planning and Good security requires planning and preparation. preparation. Security requirements delay projects. Security requirements delay projects. Businesses need projects to stay in business. Businesses need projects to stay in business. Business and security goals collide. Business and security goals collide.

  7. Goals Goals Explore the security / business tension. Explore the security / business tension. Review real-world balance failures. Review real-world balance failures. Review architectures that worked and failed. Review architectures that worked and failed. Re-define the security practitioner's role. Re-define the security practitioner's role.

  8. 03 - Security v. Business 03 - Security v. Business

  9. Reality Reality Business people struggle with security. Business people struggle with security. Technical people struggle with security. Technical people struggle with security. Security people struggle with both sides. Security people struggle with both sides.

  10. Security Requirements Security Requirements Keep the hackers out. Keep the hackers out. Maintain compliance and/or regulator satisfaction. Maintain compliance and/or regulator satisfaction. Train developers on secure coding practices. Train developers on secure coding practices. Keep penetration testers out. Keep penetration testers out. Sanitize untrusted input. Sanitize untrusted input. Implement CIS benchmarks. Implement CIS benchmarks. No High or Critical findings No High or Critical findings

  11. Business Requirements Business Requirements Calculate interest on a loan. Calculate interest on a loan. Send a purchase order electronically. Send a purchase order electronically. Automate the disbursement process. Automate the disbursement process. Complete the first sprint by Feb 28. Complete the first sprint by Feb 28.

  12. Technical Requirements Technical Requirements Response latency < 2 seconds. Response latency < 2 seconds. Application must be testable. Application must be testable. Application must run on Microsoft Windows, Android, Application must run on Microsoft Windows, Android, iOS. iOS. Network throughput SLA must be 2Mb/s. Network throughput SLA must be 2Mb/s.

  13. The Result The Result CFO wants results yesterday. CFO wants results yesterday. CTO wants to be meet the SLA. CTO wants to be meet the SLA. CISO wants to dot the "i" and cross the "t." CISO wants to dot the "i" and cross the "t."

  14. 04 - Security Balance 04 - Security Balance

  15. Security Overpowers Business Security Overpowers Business A German pro basketball team was relegated to a lower A German pro basketball team was relegated to a lower division due to a Windows update (2015) division due to a Windows update (2015) User can't create a valid password at change time (2019) User can't create a valid password at change time (2019) GrooveShark (2015) GrooveShark (2015) Countless failed startups you never heard mentioned Countless failed startups you never heard mentioned

  16. Business Overpowers Security Business Overpowers Security Mirai Botnet Mirai Botnet Target's Heating and Cooling System Breach (~$202M) Target's Heating and Cooling System Breach (~$202M) Yahoo lost 500M Passwords; Linkedin 117M Yahoo lost 500M Passwords; Linkedin 117M Hillary Clinton's Email Server Hillary Clinton's Email Server

  17. Balance is Key Balance is Key Risk perspective is missing. Risk perspective is missing. Context is under-appreciated. Context is under-appreciated. Healthy discourse is difficult. Healthy discourse is difficult.

  18. 05 - Architectural Solutions 05 - Architectural Solutions

  19. Architecting the Internet - TCP/IP Architecting the Internet - TCP/IP Designed in the 1970's Designed in the 1970's Adopted in the 1980's Adopted in the 1980's Secured in the 1990's Secured in the 1990's Online Banking and Paris Hilton widely adopted in the Online Banking and Paris Hilton widely adopted in the 2000's 2000's

  20. Architecting the Internet - DNS Architecting the Internet - DNS Proposed in 1983; essential since 1985 Proposed in 1983; essential since 1985 Designed for 50M addresses, currently 271M Designed for 50M addresses, currently 271M DNSSEC introduced in 1997 DNSSEC introduced in 1997 Dan Kaminsky's bug 2008 Dan Kaminsky's bug 2008 DNSpionage 2019; 25% US Adoption of DNSSEC DNSpionage 2019; 25% US Adoption of DNSSEC

  21. Lessons Learned Lessons Learned Some controls are difficult to "bolt on" after rollout. Some controls are difficult to "bolt on" after rollout. Forecasting unexpected use cases is hard. Forecasting unexpected use cases is hard. The architecture must leave "bolt holes" for security. The architecture must leave "bolt holes" for security. Consumers don't always prioritize security. Consumers don't always prioritize security. Security can take years. Security can take years.

  22. Improving Security Improving Security Containers Containers Don't patch, rebuild Don't patch, rebuild Infrastructure as code (i.e. version tracking) (i.e. version tracking) Infrastructure as code DevSecOps - Integrating Security Testing In Development DevSecOps - Integrating Security Testing In Development Static Application Security Testing Static Application Security Testing Dynamic Application Security Testing. Dynamic Application Security Testing. Software Frameworks Software Frameworks Solve common problems Solve common problems

  23. 06 - Security Practitioners 06 - Security Practitioners

  24. Partner Perceptions Partner Perceptions Just say no. Just say no. Abuse fear, uncertainty, & doubt (FUD). Abuse fear, uncertainty, & doubt (FUD). Overstate risk. Overstate risk. Don't understand the technology's built-in controls. Don't understand the technology's built-in controls. Slow down and delay projects. Slow down and delay projects. Only understand [Insert Background] Only understand [Insert Background]

  25. Ideals Ideals "Yes, and…" "Yes, and…" Trust, Assurance & Confidence (TAC). Trust, Assurance & Confidence (TAC). Understand enough background to be helpful. Understand enough background to be helpful. Paint accurate risk pictures. Paint accurate risk pictures. Understand technical controls. Understand technical controls. Connect silos and accelerate projects. Connect silos and accelerate projects. Don't accept risk. Don't accept risk.

  26. Hard to find good help Hard to find good help We can't all be the best. We can't all be the best. Can't educate a practitioner to full competence. Can't educate a practitioner to full competence. Industry trend - full stacking Industry trend - full stacking Information Security Information Security Risk Analysis Risk Analysis Networking, Servers, Clients, Mobile, Users Networking, Servers, Clients, Mobile, Users

  27. Addressing the Talent Gap Addressing the Talent Gap Security Associate Programs (OJT) Security Associate Programs (OJT) Job rotation Job rotation Certification Certification Mentoring Mentoring Cybersecurity Education Reform Cybersecurity Education Reform Sales and Presentation Skills Sales and Presentation Skills

  28. 07 - Questions 07 - Questions

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Feedback EEG Brain Feedback EEG Brain Feedback Tends to be Supposed

Feedback EEG Brain Feedback EEG Brain Feedback Tends to be Supposed

Feedback EEG Brain Feedback EEG Brain Feedback Tends to be Supposed over-simulated to be calm Supposed to Tends to be be alert under- stimulated Memory Stroke problems Seizure Head Sleep disorders injury disorders

465 views • 33 slides
6/18/2018 What If Everything Was The Way Its Supposed To Be? We can all envision a world in

6/18/2018 What If Everything Was The Way Its Supposed To Be? We can all envision a world in

6/18/2018 What If Everything Was The Way Its Supposed To Be? We can all envision a world in which justice prevails. But, are we dreaming the impossible dream? Why Acting Justly Isnt A Futile Exercise The same OT prophets who preach

308 views • 4 slides
Towards internet of code ukasz Dbek May 27, 2015 This was supposed to be about lens library!

Towards internet of code ukasz Dbek May 27, 2015 This was supposed to be about lens library!

Towards internet of code ukasz Dbek May 27, 2015 This was supposed to be about lens library! Yes, but... This was supposed to be about lens library! Why internet is awesome? Because every device connected to it speaks the same language.

891 views • 64 slides
How are spouses supposed to treat each other? 1 Peter 3:1-7 Introduction Being a Christian

How are spouses supposed to treat each other? 1 Peter 3:1-7 Introduction Being a Christian

How are spouses supposed to treat each other? 1 Peter 3:1-7 Introduction Being a Christian is tough when partner is not. Biggest concern is being a right kind of example Part of the ongoing section of Living Godly lives in a pagan

283 views • 13 slides
where do we go from here? the future? of open source? and geospatial? This talk is supposed to

where do we go from here? the future? of open source? and geospatial? This talk is supposed to

From: Paul Ramsey &lt;pramsey@cartodb.com&gt; where do we go from here? the future? of open source? and geospatial? This talk is supposed to be about the next ten years, but I felt the topic really called for more question marks. So this is

1.24k views • 91 slides
What am I supposed to do? If we dont let them drop the class, theyll say thats why

What am I supposed to do? If we dont let them drop the class, theyll say thats why

What am I supposed to do? If we dont let them drop the class, theyll say thats why their kid keeps cutting. But if we let them drop it, arent we enabling him to continue overcommitting? ~High School Counselor How do we

731 views • 30 slides
Welcome to Thank You for Volunteering Agenda What is

Welcome to Thank You for Volunteering Agenda What is

Welcome to Thank You for Volunteering Agenda What is DI? What is Rising Stars? What am I supposed to do? What are they supposed

1.05k views • 86 slides
std::async Standard C++ function template Supposed to make threads (easier) Already

std::async Standard C++ function template Supposed to make threads (easier) Already

a sync m agic (en)light e ning talk trieger@informatik.hu-berlin.de async as a code reordering specifier Everything else is just multithreading EuroLLVM14 Tobias Rieger 1 std::async Standard C++ function template Supposed to make

244 views • 7 slides
What Are Our Security Goals? CIA C onfidentiality If its supposed to be a secret, be

What Are Our Security Goals? CIA C onfidentiality If its supposed to be a secret, be

What Are Our Security Goals? CIA C onfidentiality If its supposed to be a secret, be careful who hears it I ntegrity Dont let someone change something they shouldnt A vailability Dont let someone stop others

586 views • 30 slides
SWITCH Presentation Supposed to be parting thoughts but Im no longer moving :&gt;) Rob Miller

SWITCH Presentation Supposed to be parting thoughts but Im no longer moving :&gt;) Rob Miller

SWITCH Presentation Supposed to be parting thoughts but Im no longer moving :&gt;) Rob Miller June 1, 2018 (My moms birthday) Agen enda I Wi Will Mov ove Q Quickly Development work at 3G and CanPower Honorable mention:

575 views • 42 slides
Clergy : were in charge of spiritual matters and they were supposed to save your soul Nobility :

Clergy : were in charge of spiritual matters and they were supposed to save your soul Nobility :

Clergy : were in charge of spiritual matters and they were supposed to save your soul Nobility : were the land-owners who played a significant role in government. They were there to protect their subjects. Third Estate : Included everybody

172 views • 16 slides
School Funding 101 How are schools supposed to be funded and why is Chesterfield so dramatically

School Funding 101 How are schools supposed to be funded and why is Chesterfield so dramatically

School Funding 101 How are schools supposed to be funded and why is Chesterfield so dramatically under-funded? The Legislature shall provide for the maintenance and and support of of a thorough and and efficient system of of free public

378 views • 19 slides
Meeting the FCC Mobility II Challenge New Hampshire Perspective What is the challenge supposed to

Meeting the FCC Mobility II Challenge New Hampshire Perspective What is the challenge supposed to

Meeting the FCC Mobility II Challenge New Hampshire Perspective What is the challenge supposed to accomplish? FCC will spend ~$4.5 billion over 10 years to bring 4G LTE mobile service across the US Many towns and regions in New Hampshire

176 views • 16 slides
SIBO For Patients 1 What You Will Learn In This Course How is our digestive system supposed

SIBO For Patients 1 What You Will Learn In This Course How is our digestive system supposed

SIBO For Patients 1 What You Will Learn In This Course How is our digestive system supposed to work? What is SIBO? What are the symptoms of SIBO? Testing for SIBO Treatment of SIBO options - 4 phases Preparation Kill

866 views • 43 slides
What makes a good algorithm? Does what its supposed to Analysis of Algorithms Easy to

What makes a good algorithm? Does what its supposed to Analysis of Algorithms Easy to

What makes a good algorithm? Does what its supposed to Analysis of Algorithms Easy to understand, code, and debug Efficient Makes efficient use of computers resources Memory Speed Slides courtesy of Prof. Joe

457 views • 6 slides
01-09-2014 Outline Preconditions Outcome: What are you supposed to learn? The framework and

01-09-2014 Outline Preconditions Outcome: What are you supposed to learn? The framework and

01-09-2014 Outline Preconditions Outcome: What are you supposed to learn? The framework and definition of herd management The management cycle Classical production theory Advanced Quantitative Methods Limitation of classical theories in

198 views • 5 slides
Enterprise Storage Architecture Fall 2019 Storage Efficiency Tyler Bletsch Duke University Two

Enterprise Storage Architecture Fall 2019 Storage Efficiency Tyler Bletsch Duke University Two

ECE566 Enterprise Storage Architecture Fall 2019 Storage Efficiency Tyler Bletsch Duke University Two views of file system usage User data view: How large are my files? (bytes -used metric) or How much capacity am I given?

749 views • 35 slides
VFIO, OVMF, GPU, and You The state of GPU assignment in QEMU/KVM Alex Williamson /

VFIO, OVMF, GPU, and You The state of GPU assignment in QEMU/KVM Alex Williamson /

VFIO, OVMF, GPU, and You The state of GPU assignment in QEMU/KVM Alex Williamson / alex.williamson@redhat.com The current state of VGA assignment VGA assignment defined: Graphics card assigned as primary graphics for the VM Uses VGA BIOS for

688 views • 29 slides
Tree SSA Tree SSA Design and Implementation Design and Implementation Diego Novillo Red Hat

Tree SSA Tree SSA Design and Implementation Design and Implementation Diego Novillo Red Hat

Tree SSA Tree SSA Design and Implementation Design and Implementation Diego Novillo Red Hat Canada dnovillo@redhat.com GCC &amp; GNU Toolchain Developers' Summit June 2004 Ottawa, Canada Project History - 1 Project History - 1 Project

168 views • 16 slides
eduGAIN: Interfederation and Policy Brook Schofield eduGAIN Task Leader, GN3 Project

eduGAIN: Interfederation and Policy Brook Schofield eduGAIN Task Leader, GN3 Project

eduGAIN: Interfederation and Policy Brook Schofield eduGAIN Task Leader, GN3 Project schofield@terena.org Innovation through participation Agenda What is eduGAIN? Project Expectations Current Status Policy Framework Roadmap

1.01k views • 14 slides
Lessons learned from six years of cloud technology transformation in government David Turner

Lessons learned from six years of cloud technology transformation in government David Turner

Lessons learned from six years of cloud technology transformation in government David Turner Managing Director, MSC Digital MSC Digital Independent and vendor agnostic Formed specifically to assist the UK Public Sector - Its

386 views • 19 slides
OAuth 2.0 for Browser Based Apps OAuth Security Workshop 2019 David Waite, Principal Technical

OAuth 2.0 for Browser Based Apps OAuth Security Workshop 2019 David Waite, Principal Technical

OAuth 2.0 for Browser Based Apps OAuth Security Workshop 2019 David Waite, Principal Technical Architect, Ping Identity Purpose Best Current Practices Document Builds mostly on RFC 8252 - OAuth 2.0 for Native Apps I-D

386 views • 10 slides
Blank slide Pressures on Open Source Free Software Trends and Directions Simon Phipps Chief

Blank slide Pressures on Open Source Free Software Trends and Directions Simon Phipps Chief

Blank slide Pressures on Open Source Free Software Trends and Directions Simon Phipps Chief Open Source Officer Sun Microsystems http://www.webmink.net/ Systems Middleware Cloud 3 1 Third Wave? Stallman Software Freedoms Use

1.31k views • 87 slides
FrankenLaws: The Sad State of the Information Security Regulatory Landscape UNCC 12 th Annual

FrankenLaws: The Sad State of the Information Security Regulatory Landscape UNCC 12 th Annual

1 Charlotte, North Carolina Tuesday, October 11, 2011 FrankenLaws: The Sad State of the Information Security Regulatory Landscape UNCC 12 th Annual Cyber Security Symposium Tuesday, October 11, 2011 Charlotte, North Carolina John Linkous |

488 views • 26 slides

More recommend