Building A Modern Security Engineering Team Zane
Size: px
Start display at page:

Download "Building A Modern Security Engineering Team Zane"

Transcription

1 Building A Modern Security Engineering Team Zane Lackey April 2016

2 WHO IS THIS GUY ANYWAY? 1. Built and led the Etsy Security Team Spoiler alert: what this presentation is about 2. Co-founder / CSO at Signal Sciences

3 This talk is about lessons learned being at the forefront of the shift to agile/continuous deployment/devops

4 FOR SECURITY TEAMS, THE WORLD HAS CHANGED IN FUNDAMENTAL WAYS: 1. Code deployment is now near-instantaneous

5 FOR SECURITY TEAMS, THE WORLD HAS CHANGED IN FUNDAMENTAL WAYS: 1. Code deployment is now near-instantaneous 2. Merging of development and operations means more people with production access

6 FOR SECURITY TEAMS, THE WORLD HAS CHANGED IN FUNDAMENTAL WAYS: 1. Code deployment is now near-instantaneous 2. Merging of development and operations means more people with production access 3. Cost of attack has significantly dropped

7 Near-instantaneous deployment?

8 A simulation of deploying code in the waterfall model

9 An example: Etsy pushes to production 50 times a day on average

10 Constant iteration in production via feature flags, ramp ups, A/B testing

11 WAIT A MINUTE! But doesn t the rapid rate of change mean things are less secure?!

12 Actually, the opposite is true!

13 Compared to: We ll rush that security fix. It will go out in about 6 weeks. - Former vendor at Etsy

14 What makes continuous deployment safe?

15 What makes continuous deployment safe? Visibility.

16

17

18

19 The same hard lessons are slowly shifting to security

20 Ex: Which of these is a quicker way to spot an attack?

21 A

22 B

23 Surface security info for everyone, not just the security team

24

25

26 *Mullets sold separately Building a rad culture

27 In the shift to continuous deployment, speed increases by removing organizational blockers

28 Trying to make security a blocker means you get routed around

29 Instead, the focus becomes on incentivizing teams to reach out to security

30 KEYS TO INCENTIVIZING CONVERSATION: ü Don t be a jerk. This should be obvious, but empathy needs to be explicitly set as a core part of your teams culture.

31 KEYS TO INCENTIVIZING CONVERSATION: ü Don t be a jerk. This should be obvious, but empathy needs to be explicitly set as a core part of your teams culture. ü Make realistic tradeoffs. Don t fall in to the trap of thinking every issue is critical. Ex: Letting low risk issues ship with a reasonable remediation window buys you credibility for when things actually do need to be addressed immediately.

32 KEYS TO INCENTIVIZING CONVERSATION: ü Don t be a jerk. This should be obvious, but empathy needs to be explicitly set as a core part of your teams culture. ü Make realistic tradeoffs. Don t fall in to the trap of thinking every issue is critical. Ex: Letting low risk issues ship with a reasonable remediation window buys you credibility for when things actually do need to be addressed immediately. ü Coherently explain impact. This would allow all our user data to be compromised if the attacker did X & Y paints a clear picture, where The input validation in this function is weak does not.

33 KEYS TO INCENTIVIZING CONVERSATION: ü Reward communication with security team. T-Shirts, gift cards, and high fives all work (shockingly) well.

34 KEYS TO INCENTIVIZING CONVERSATION: ü Reward communication with security team. T-Shirts, gift cards, and high fives all work (shockingly) well. ü Take the false positive hit yourself. Don t send unverified issues to dev and ops teams. When issues come in, have the secteam verify and make first attempt at patch.

35 KEYS TO INCENTIVIZING CONVERSATION: ü Reward communication with security team. T-Shirts, gift cards, and high fives all work (shockingly) well. ü Take the false positive hit yourself. Don t send unverified issues to dev and ops teams. When issues come in, have the secteam verify and make first attempt at patch. ü Scale via team leads. Build relationships with technical leads from other teams so they make security part of their teams culture.

36 TL;DR (THE SECTION FORMERLY KNOWN AS CONCLUSIONS )

37 TL;DR Ø Adapt security team culture to DevOps and continuous deployment by: Surfacing security monitoring and metrics Incentivize discussions with the security team When creating policy, don t take away capabilities Ø Drive up attacker cost through bug bounty programs, countering phishing, and running realistic attack simulations

38 THANK YOU! Signal Sciences Zane

Similar documents
2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback