Abstract image of a woman sitting on books and studying on a laptop

Realizing Near-Zero Security Flaws in Your Software

Download as PPTX, PDF
N
Nicholas Percoco

The document outlines a presentation by Nick Percoco at the Gartner Security & Risk Management Summit 2018, detailing his journey to achieving near-zero security flaws in software. It covers the evolution of a security program through phases involving program assessment, maturing processes, and fostering a security culture, while addressing significant challenges and solutions. Key points include the importance of visibility, team collaboration, and effective governance in improving security practices.

Software
Related topics:
Information SecurityInsights on Software Development agile-software-development
1 of 49
Downloaded 45 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
—— GARTNER SECURITY & RISK MANAGEMENT SUMMIT 2018 REALIZING NEAR-ZERO SECURITY FLAWS IN YOUR SOFTWARE Nick Percoco
SECTION 01 My Journey
3Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 WHAT BROUGHT ME HERE? • Wrote first computer program in 1981 • Chicagoland BBS rat in 80s and early 90s • Internet Security Systems in late 90s • Founder of SpiderLabs, Creator of THOTCON • Co-Founder of “I am The Cavalry” movement • Global Services lead at Rapid7 • Advisor to industry / non-industry startups • Chief Security Officer at Uptake • Launched Secure SDLC at hyper-growth startup
4Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 WHAT’S THIS TALK ABOUT? • Setting a vision • Starting small • Making mistakes • Learning • Failing • Evolving • Transparency
5Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 SCOPE
6Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 TEAM SIZE
7Copyright © 2018 Uptake – CONFIDENTIALSecurity at Uptake Program Structure UPTAKE SECURITY PROGRAM Risk & Compliance Security Cloud & Networking Application Security Threat Exposure Management Hackers & Hunters Security Audit MORETECHNICALMORECOMPLIANCE CSOOVERSIGHT&PROGRAMMANAGEMENT SecurityAdvisoryCouncil UptakeStakeholders CustomerStakeholders Physical Security Cryptography
8Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 NEAR-ZERO SECURITY FLAWS
SECTION 02 Start: A Complete Program Assessment
10Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 FOUR AREAS OF FOCUS – DIFFICULT QUESTIONS Inventory + Visibility — What applications do we have? — Who owns what? — How are we discovering/documenting? Discovery — How are we discovering security vulnerabilities? — Includes scans, pentests, bug bounty, internal reporting, etc. Management — How are we documenting vulnerabilities discovered? — How are we managing known vulnerabilities and remediations? Culture — How are we promoting security throughout our culture? — How are we gaining “buy-in” from engineering and product teams?
SECTION 03 Our Journey: Phase 1
12Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 1: ESTABLISH TENT POLES Inventory + Visibility Discovery Management Culture
13Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 1: ESTABLISH TENT POLES Inventory + Visibility Discovery Management Culture Initial Team and Prod. Definitions Initial Team & Product Definitions — High level — Tried to align to agile teams Problem — Teams and products were continually changing — Non standardized “owners” - mixing of business and engineering teams — Unclear definitions - mixing “products” with “services”
14Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 1: ESTABLISH TENT POLES Inventory + Visibility Discovery Management Culture 3rd Party Pentest Initial Team and Prod. Definitions 3rd Party Pentest — Customer requirement driven — Brought in 3rd party for pentest — First time in-depth security testing was performed — Performed on just one product (the most mature)
15Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 1: ESTABLISH TENT POLES Inventory + Visibility Discovery Management Culture 3rd Party Pentest Veracode / Blackduck Initial Team and Prod. Definitions Security Code Scanning — Mentality was to just scan everything Problem — Organized on initial definitions — Did not map static scan profiles to our definitions — Did not have foresight for organization or easily visible metrics — Did not have clear ownerships for vulnerability fixes
16Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 1: ESTABLISH TENT POLES Inventory + Visibility Discovery Management Culture Onboarding Slides 3rd Party Pentest Veracode / Blackduck Initial Team and Prod. Definitions Onboarding New Hires — Overview of what security means and how to work with the team — Goal was to show value from security and break down barriers Problem — Overcoming problem of siloization
17Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 1: ESTABLISH TENT POLES Inventory + Visibility Discovery Management Culture Pentesting 3rd Party Pentest Veracode / Blackduck Initial Team and Prod. Definitions Onboarding Slides Internal Pentesting — Thoughtfully choosing new applications, products, and acquisitions — Created a schedule to pentest everything at least once a year Problem — Ownership of issues found
18Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 1: ESTABLISH TENT POLES Inventory + Visibility Discovery Management Culture Bug Bounty Pentesting 3rd Party Pentest Veracode / Blackduck Initial Team and Prod. Definitions Onboarding Slides Bug Bounty — Recognize that we had more surface area for testing than could be handled by single team Problem — Were not able to use production client data — Heavy engineering investment for new environment — Needed more buy-in from engineering and support for remediation — Underestimated the effort required to stand this up — Overestimated our maturity
19Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 1: ESTABLISH TENT POLES Inventory + Visibility Discovery Management Culture Excel Sheet Bug Bounty Pentesting 3rd Party Pentest Veracode / Blackduck Initial Team and Prod. Definitions Excel Sheet Onboarding Slides Tracking — Tracked source of finding (eg pentest, static scan), severity, and exploitability — A central location to see vulnerabilities and risk Problem — Little monitoring of assignee or ownership — Little monitoring of validation of fixes
20Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 1: ESTABLISH TENT POLES Inventory + Visibility Discovery Management Culture Excel Sheet Engineering Jiras Bug Bounty Pentesting 3rd Party Pentest Veracode / Blackduck Initial Team and Prod. Definitions Excel Sheet Onboarding Slides Assigning Issues — Added vulnerability tickets directly to engineering teams’ queues — Tickets ended up in backlogs Problem — Hard to see overview of risks per product — Tickets ended up being ignored/not updated
21Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 1: ESTABLISH TENT POLES Inventory + Visibility Discovery Management Culture Excel Sheet Engr. Jiras Bug Bounty Pentesting 3rd Party Pentest Veracode / Blackduck Initial Team and Prod. Definitions Excel Sheet Team Mtgs. / Office Hours Onboarding Slides Team Meetings/Office Hours — Meet with teams to walk through vulnerabilities — Created office hours for teams to come to us with questions and act as working sessions Problem — Teams looked at the office hours as a chore as opposed to useful
22Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 1: ESTABLISH TENT POLES Inventory + Visibility Discovery Management Culture Excel Sheet Engr. Jiras Bug Bounty Pentesting 3rd Party Pentest Veracode / Blackduck Initial Team and Prod. Definitions Excel Sheet Security Champions Team Mtgs. / Office Hours Onboarding Slides Security Champions — Cross organizational group to help bring security into all facets — Breakdown silos and disseminate best practices Problem — Keeping the interest of all involved — Teams changed quickly so the champions were needing to change often
23Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 1: ESTABLISH TENT POLES Culture Developer Training (Codebashing) Security Champions Team Mtgs. / Office Hours Onboarding Slides Inventory + Visibility Discovery Management Excel Sheet Engr. Jiras Bug Bounty Pentesting 3rd Party Pentest Veracode / Blackduck Initial Team and Prod. Definitions Excel Sheet Training — Engineering training: Required on a minimum of yearly basis — Company Training: More in depth onboarding slides Problem — Not hands on enough
24Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 1: ESTABLISH TENT POLES Inventory + Visibility Initial Team and Prod. Definitions Excel Sheet Team Signoff Culture Developer Training (Codebashing) Security Champions Team Mtgs. / Office Hours Onboarding Slides Management Excel Sheet Engr. Jiras Bug Bounty Pentesting 3rd Party Pentest Veracode / Blackduck Discovery Individual Team Sign-Off — Decided we don’t know the engineering organization as well as the individual teams — Gave engineers tools to run their own scans and view their own results — Required engineering teams to “sign-off” that scans were clean before deploying Problem — Lost a lot of visibility into the pipeline — If something was released out of cycle, we were not informed
25Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 1: ESTABLISH TENT POLES Inventory + Visibility Initial Team and Prod. Definitions Excel Sheet Team Signoff Culture Developer Training (Codebashing) Security Champions Team Mtgs. / Office Hours Onboarding Slides Management Excel Sheet Engr. Jiras Bug Bounty Pentesting 3rd Party Pentest Veracode / Blackduck Discovery
SECTION 04 Our Journey: Phase 2
27Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 2: MATURE THE PROCESSES Inventory + Visibility Initial Team and Prod. Definitions Excel Sheet Team Signoff Re-evaluate Definitions and Ownership Culture Developer Training (Codebashing) Security Champions Team Mtgs. / Office Hours Onboarding Slides Management Excel Sheet Engr. Jiras Bug Bounty Label Goes Here Pentesting 3rd Party Pentest Veracode / Blackduck Discovery Re-Evaluate Definitions and Ownership — Refined definitions of application vs. product vs. microservice — Distinguished between “Risk” and “Bug” — Defined ownership – risk is owned by product team, bug is owned by engineering team Problem — Still lacked cross-team acceptance and buy-in — Changing team perspectives was hard because they were used to operating on old inventory and definitions
28Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 2: MATURE THE PROCESSES Inventory + Visibility Initial Team and Prod. Definitions Excel Sheet Team Signoff Re-evaluate Definitions and Ownership APPSEC Jira Culture Developer Training (Codebashing) Security Champions Team Mtgs. / Office Hours Onboarding Slides Management Excel Sheet Engr. Jiras Bug Bounty Pentesting 3rd Party Pentest Veracode / Blackduck Discovery APPSEC Jira APPSEC Jira — Migrated all tracking to a dedicated Jira project with custom workflows — Centralized “source of truth” for all owners, risks, findings, and engagements — Built in metrics and reporting (e.g. time to close, average risk, assignees, etc.) Problem — Product and Business side don’t check Jira regularly
29Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 2: MATURE THE PROCESSES Inventory + Visibility Discovery Management Culture APPSEC Dashboard APPSEC Jira Excel Sheet Engr. Jiras Bug Bounty Pentesting 3rd Party Pentest Veracode / Blackduck Initial Team and Prod. Definitions Excel Sheet Team Signoff Re-evaluate Definitions and Ownership APPSEC Jira Developer Training (Codebashing) Security Champions Team Mtgs. / Office Hours Onboarding Slides APPSEC Dashboard — Using Uptake Design System, created centralized dashboard that pulled data from Jira and correlated with other tools — Single pane of glass for all security findings and statuses — Custom KPIs and familiar interface Problem — Helped with visibility and accountability, but still lacked clear ownership
30Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 2: MATURE THE PROCESSES Inventory + Visibility Discovery Management Culture Cross Team Buy-In APPSEC Dashboard APPSEC Jira Excel Sheet Engr. Jiras Bug Bounty Pentesting 3rd Party Pentest Veracode / Blackduck Initial Team and Prod. Definitions Excel Sheet Team Signoff Re-evaluate Definitions and Ownership APPSEC Jira Cross Team Buy-in Developer Training (Codebashing) Security Champions Team Mtgs. / Office Hours Onboarding Slides Leadership and Cross-Team Buy-In — Increased visibility and well documented Jira workflows led to leadership buy-in on ownership — Established SLAs on finding remediations using dashboard metrics — Product, Security and Engineering Leadership sent out communication Problem — New paradigm of ownership meant slow to adopt across all engineering teams — New workflows had to be adopted for certain teams
31Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 2: MATURE THE PROCESSES Inventory + Visibility Discovery Management Culture Cross Team Buy-In APPSEC Dashboard APPSEC Jira Excel Sheet Engr. Jiras Bug Bounty 2.0 Bug Bounty Label Goes Here Pentesting 3rd Party Pentest Veracode / Blackduck Initial Team and Prod. Definitions Excel Sheet Team Signoff Re-evaluate Definitions and Ownership APPSEC Jira Cross Team Buy-in Developer Training (Codebashing) Security Champions Team Mtgs. / Office Hours Onboarding Slides Bug Bounty 2.0 — With leadership and cross-team buy in, revisited and re-launched Bug Bounty — Jira integration with Bug Bounty submissions fed directly into dashboard — Same SLAs applied to Bug Bounty findings Problem — Engineering buy-in for remediating findings, but still lacked buy-in for maintaining and updating Bug Bounty environment
32Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 2: MATURE THE PROCESSES Inventory + Visibility Discovery Management Culture Cross Team Buy-In APPSEC Dashboard APPSEC Jira Excel Sheet Engr. Jiras Bug Bounty 2.0 Label Goes HereBug Bounty Pentesting 3rd Party Pentest Veracode / Blackduck Initial Team and Prod. Definitions Excel Sheet Team Signoff Re-evaluate Definitions and Ownership APPSEC Jira Container Metrics Cross Team Buy-in Developer Training (Codebashing) Security Champions Team Mtgs. / Office Hours Onboarding Slides Container Metrics — With microservice ownership definitions, started pulling metrics on all running containers — Using container orchestration as “source of truth” for all applications running in production — Each container is tied to a product and has an owner Problem — Had visibility into what is running, but not direct 1:1 correlation to what is being scanned
33Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 2: MATURE THE PROCESSES Inventory + Visibility Discovery Management Cross Team Buy-In APPSEC Dashboard APPSEC Jira Excel Sheet Engr. Jiras Scanning Containers Bug Bounty 2.0 Bug Bounty Pentesting 3rd Party Pentest Veracode / Blackduck Initial Team and Prod. Definitions Excel Sheet Team Signoff Re-evaluate Definitions and Ownership APPSEC Jira Container Metrics Culture Cross Team Buy-in Developer Training (Codebashing) Security Champions Team Mtgs. / Office Hours Onboarding Slides Scanning Containers — Reorganized scanning pipeline to correlate directly to container metrics — Standard naming convention let us query scan results for every image and container in production Problem — 100% visibility, but data is “after- the-fact”
34Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 2: MATURE THE PROCESSES Inventory + Visibility Discovery Management Culture Cross Team Buy-In APPSEC Dashboard APPSEC Jira Excel Sheet Engr. Jiras Scanning Containers Bug Bounty 2.0 Label Goes HereBug Bounty Pentesting 3rd Party Pentest Veracode / Blackduck Initial Team and Prod. Definitions Excel Sheet Team Signoff Re-evaluate Definitions and Ownership APPSEC Jira Container Metrics Outreach and Training Cross Team Buy-in Developer Training (Codebashing) Security Champions Team Mtgs. / Office Hours Onboarding Slides Outreach and Training — AppSec has higher visibility and transparency within the organization — Started running trainings and tech-talks on scanning and penetration testing — Empowering engineering teams to do their own security testing
35Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 2: MATURE THE PROCESSES Inventory + Visibility Discovery Management Culture Outreach and Training Cross Team Buy-in Developer Training (Codebashing) Security Champions Team Mtgs. / Office Hours Onboarding Slides Cross Team Buy-In APPSEC Dashboard APPSEC Jira Excel Sheet Engr. Jiras Scanning Containers Bug Bounty 2.0 Label Goes HereBug Bounty Pentesting 3rd Party Pentest Veracode / Blackduck Initial Team and Prod. Definitions Excel Sheet Team Signoff Re-evaluate Definitions and Ownership APPSEC Jira Container Metrics
SECTION 05 Our Journey: Phase 3
37Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 3: FUTURE STATE Inventory + Visibility Discovery Management Culture Dashboard 2.0 Dashboard 2.0 Outreach and Training Cross Team Buy-in Developer Training (Codebashing) Security Champions Team Mtgs. / Office Hours Onboarding Slides Cross Team Buy-In APPSEC Dashboard APPSEC Jira Excel Sheet Engr. Jiras Scanning Containers Bug Bounty 2.0 Label Goes HereBug Bounty Pentesting 3rd Party Pentest Veracode / Blackduck Initial Team and Prod. Definitions Excel Sheet Team Signoff Re-evaluate Definitions and Ownership APPSEC Jira Container Metrics Dashboard 2.0 — The AppSec Dashboard has proved successful — Want to implement more security metrics from other tools — Implement news and security communications/alerts
38Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 3: FUTURE STATE Inventory + Visibility Discovery Management Culture Dashboard 2.0 Full CI/CD Dashboard 2.0 Outreach and Training Cross Team Buy-in Developer Training (Codebashing) Security Champions Team Mtgs. / Office Hours Onboarding Slides Cross Team Buy-In APPSEC Dashboard APPSEC Jira Excel Sheet Engr. Jiras Scanning Containers Bug Bounty 2.0 Bug Bounty Pentesting 3rd Party Pentest Veracode / Blackduck Initial Team and Prod. Definitions Excel Sheet Team Signoff Re-evaluate Definitions and Ownership APPSEC Jira Container Metrics Full CI/CD Integration — Engineering is re-working their CI/CD pipeline — Tightly integrate with all security tools and scanning — Aim for 100% code coverage in CI/CD before container is deployed — Feedback loop from discovered findings into unit tests
39Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 3: FUTURE STATE Inventory + Visibility Discovery Management Culture Dashboard 2.0 Full CI/CD Dashboard 2.0 Technical Trainings, CTFs, Events Outreach and Training Cross Team Buy-in Developer Training (Codebashing) Security Champions Team Mtgs. / Office Hours Onboarding Slides Cross Team Buy-In APPSEC Dashboard APPSEC Jira Excel Sheet Engr. Jiras Scanning Containers Bug Bounty 2.0 Label Goes HereBug Bounty Pentesting 3rd Party Pentest Veracode / Blackduck Initial Team and Prod. Definitions Excel Sheet Team Signoff Re-evaluate Definitions and Ownership APPSEC Jira Container Metrics Security Events — Continue trainings and tech talks — Host internal CTFs to promote security testing — Increase developer involvement in penetration testing and validation testing
SECTION 06 Lessons Learned
41Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 LESSONS LEARNED Need to keep all four areas “in sync” — We jumped too far ahead in the Discovery lane too soon – had to play catch up with Inventory and Management — Culture cannot lag behind. Buy in and cross-team culture allows quicker progress in the other areas Honest self-assessments of maturity — Having tools in place does not equal maturity — Culture drives maturity Avoid silo-ing Security — Openness and cross-team communication leads to buy-in — Don’t just “chuck findings over the fence” Have clear definitions and ownership — Risk vs Bug — Application vs product vs microservice
Realizing Near-Zero Security Flaws in Your Software
43Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018
44Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018
45Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018
46Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018
47Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018
48Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018
Copyright © 2018 by Uptake Technologies Inc. All rights reserved. No parts of this document may be distributed, reproduced, transmitted, or stored electronically without Uptake’s prior written permission. This document contains Uptake's confidential and proprietary information. If a pre-existing contract containing disclosure and use restrictions exists between your company and Uptake, you and your company will use the information in this document subject to the terms of the pre-existing contract. If no such pre-existing contract exists, you and your Company agree to protect the information in this document and agree not to reproduce or disclose the information in any way. Uptake makes no warranties, express or implied, in this document. Uptake shall not be liable for damages of any kind arising out of use of this document. Any discussion of potential features is not a promise of future functionality.

More Related Content

PDF
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
Simone Onofri
 
PPTX
Kim van Wilgen - Continuous security - Codemotion Amsterdam 2019
Codemotion
 
PPTX
Kim van Wilgen - Continuous security - Codemotion Rome 2019
Codemotion
 
PPTX
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...
Erkang Zheng
 
PDF
Continuous Security: Zap security bugs now Codemotion-2015
Carlo Bonamico
 
PDF
A DevSecOps Tale of Business, Engineering, and People
James Wickett
 
PDF
Top 10 Practices of Highly Successful DevOps Incident Management Teams
Deborah Schalm
 
PPTX
Agile Gurugram Conference 2020 | Keeping software secure in agile | Gurpreet ...
AgileNetwork
 
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
Simone Onofri
 
Kim van Wilgen - Continuous security - Codemotion Amsterdam 2019
Codemotion
 
Kim van Wilgen - Continuous security - Codemotion Rome 2019
Codemotion
 
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...
Erkang Zheng
 
Continuous Security: Zap security bugs now Codemotion-2015
Carlo Bonamico
 
A DevSecOps Tale of Business, Engineering, and People
James Wickett
 
Top 10 Practices of Highly Successful DevOps Incident Management Teams
Deborah Schalm
 
Agile Gurugram Conference 2020 | Keeping software secure in agile | Gurpreet ...
AgileNetwork
 

What's hot (19)

PDF
Take Control: Design a Complete DevSecOps Program
Deborah Schalm
 
PPT
Agile/Scrum for IT Risk Professionals
Dave Friesen
 
PDF
The New Ways of DevSecOps - The Secure Dev 2019
James Wickett
 
PDF
Agile Testing for Embedded and IoT Software Development
TechWell
 
PDF
NewOps Days 2019: The New Ways of Chaos, Security, and DevOps
James Wickett
 
PDF
Security's DevOps Transformation
Michele Chubirka
 
PDF
DevSecOps - Colocando segurança na esteira
Diego Gabriel Cardoso
 
PPTX
DevSecOps: Colocando segurança na esteira
Diego Gabriel Cardoso
 
PDF
Maturing DevSecOps: From Easy to High Impact
SBWebinars
 
PDF
Bootstrapping UX
Jim Lane
 
PPTX
Security Champions - Introduce them in your Organisation
Ives Laaf
 
PPTX
Null application security in an agile world
Stefan Streichsbier
 
PDF
DevSecOps at Agile 2019
Elizabeth Ayer
 
PPTX
Open Source Power Tools - Opensouthcode 2018-06-02
Jorge Hidalgo
 
PPTX
XP2018 presentation for Phoenix Scrum User Group 2018
Thene Sheehy
 
PDF
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
Brian Levine
 
PDF
Shift Left Security - The What, Why and How
DevOps.com
 
PDF
Why I Am a Software Engineer
Craig Saunders
 
PDF
Better Software East 2016: Evolving Automated to Continuous
Parasoft
 
Take Control: Design a Complete DevSecOps Program
Deborah Schalm
 
Agile/Scrum for IT Risk Professionals
Dave Friesen
 
The New Ways of DevSecOps - The Secure Dev 2019
James Wickett
 
Agile Testing for Embedded and IoT Software Development
TechWell
 
NewOps Days 2019: The New Ways of Chaos, Security, and DevOps
James Wickett
 
Security's DevOps Transformation
Michele Chubirka
 
DevSecOps - Colocando segurança na esteira
Diego Gabriel Cardoso
 
DevSecOps: Colocando segurança na esteira
Diego Gabriel Cardoso
 
Maturing DevSecOps: From Easy to High Impact
SBWebinars
 
Bootstrapping UX
Jim Lane
 
Security Champions - Introduce them in your Organisation
Ives Laaf
 
Null application security in an agile world
Stefan Streichsbier
 
DevSecOps at Agile 2019
Elizabeth Ayer
 
Open Source Power Tools - Opensouthcode 2018-06-02
Jorge Hidalgo
 
XP2018 presentation for Phoenix Scrum User Group 2018
Thene Sheehy
 
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
Brian Levine
 
Shift Left Security - The What, Why and How
DevOps.com
 
Why I Am a Software Engineer
Craig Saunders
 
Better Software East 2016: Evolving Automated to Continuous
Parasoft
 
Ad

Similar to Realizing Near-Zero Security Flaws in Your Software (20)

PPTX
My Keynote from BSidesTampa 2015 (video in description)
Andrew Case
 
PPTX
Security Certification or How I Learned to Stop Worrying & Love Stories - And...
AgileNZ Conference
 
PDF
The New Normal - Rackspace Solve 2015
Major Hayden
 
PPTX
Enterprise under attack dealing with security threats and compliance
SPAN Infotech (India) Pvt Ltd
 
PPTX
Perforce on Tour 2015 - Grab Testing By the Horns and Move
Perforce
 
PDF
Accelerating OT - A Case Study
Digital Bond
 
PDF
G05.2013 gartner top security trends
Satya Harish
 
PDF
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
CODE BLUE
 
PPTX
Devops - Accelerating the Pace and Securing Along the Way - Thaddeus Walsh
Drew Malone
 
PDF
DevOps Night - Shifting Security to the Left - SCTV Tower - 19 September 2018
Adhitya Hartowo
 
PDF
Building a Modern Security Engineering Organization
Zane Lackey
 
PDF
Prevention is futile in 2020 - Gartner Report in Retrospect
Jermund Ottermo
 
PDF
The Future of DevSecOps
Stefan Streichsbier
 
PPTX
SplunkLive! Tampa: Splunk for Security - Hands-On Session
Splunk
 
PPTX
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
Adrian Sanabria
 
PDF
DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon
 
PDF
2014 the future evolution of cybersecurity
Matthew Rosenquist
 
PDF
Outpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24
 
PPTX
Succeeding-Marriage-Cybersecurity-DevOps final
rkadayam
 
PPT
Top 10 Security Challenges
Jorge Sebastiao
 
My Keynote from BSidesTampa 2015 (video in description)
Andrew Case
 
Security Certification or How I Learned to Stop Worrying & Love Stories - And...
AgileNZ Conference
 
The New Normal - Rackspace Solve 2015
Major Hayden
 
Enterprise under attack dealing with security threats and compliance
SPAN Infotech (India) Pvt Ltd
 
Perforce on Tour 2015 - Grab Testing By the Horns and Move
Perforce
 
Accelerating OT - A Case Study
Digital Bond
 
G05.2013 gartner top security trends
Satya Harish
 
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
CODE BLUE
 
Devops - Accelerating the Pace and Securing Along the Way - Thaddeus Walsh
Drew Malone
 
DevOps Night - Shifting Security to the Left - SCTV Tower - 19 September 2018
Adhitya Hartowo
 
Building a Modern Security Engineering Organization
Zane Lackey
 
Prevention is futile in 2020 - Gartner Report in Retrospect
Jermund Ottermo
 
The Future of DevSecOps
Stefan Streichsbier
 
SplunkLive! Tampa: Splunk for Security - Hands-On Session
Splunk
 
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
Adrian Sanabria
 
DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon
 
2014 the future evolution of cybersecurity
Matthew Rosenquist
 
Outpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24
 
Succeeding-Marriage-Cybersecurity-DevOps final
rkadayam
 
Top 10 Security Challenges
Jorge Sebastiao
 
Ad

Recently uploaded (20)

PDF
The Dynamic Duo Transforming Financial Accounting Systems Through Modern Expe...
Triforce Global
 
DOC
UTEP毕业证学历认证,宾夕法尼亚克拉里恩大学毕业证未毕业
oqwcyqe
 
PPTX
How to Odoo 19 Installation on Ubuntu - CandidRoot
CandidRoot Solutions Private Limited
 
PDF
AI/ML Infra Meetup | Beyond S3's Basics: Architecting for AI-Native Data Access
Alluxio, Inc.
 
PDF
Microsoft Office 365 Crack Download Free
wasibhadar
 
PDF
Guide to Food Delivery App Development.pdf
Lilac infotech
 
PPTX
MLforCyber_MLDataSetsandFeatures_Presentation.pptx
AaryaNaik8
 
PDF
novaPDF Pro 11.9.482 Crack + License Key [Latest 2025]
viktamscs
 
PDF
Type Class Derivation in Scala 3 - Jose Luis Pintado Barbero
José Luis Pintado Barbero
 
PDF
Topaz Photo AI Crack New Download (Latest 2025)
hashmi66g66
 
PPTX
Cybersecurity-and-Fraud-Protecting-Your-Digital-Life.pptx
balaji9945191
 
PDF
How Tridens DevSecOps Ensures Compliance, Security, and Agility
Tridens
 
PPTX
Lecture 5 Software Requirement Engineering
Huda Nasir
 
PPTX
most interesting chapter in the world ppt
sreyashmuppana
 
PPTX
Matchmaking for JVMs: How to Pick the Perfect GC Partner
Tier1 app
 
PDF
CCleaner 6.39.11548 Crack 2025 License Key
viktamscs
 
PPTX
CNN LeNet5 Architecture: Neural Networks
DrRPonnusamyCIT
 
PDF
EaseUS PDF Editor Pro 6.2.0.2 Crack with License Key 2025
halimaanam8
 
PDF
DNT Brochure 2025 – ISV Solutions @ D365
sai vignesh
 
PPTX
Trending Python Topics for Data Visualization in 2025
IT IDOL Technologies
 
The Dynamic Duo Transforming Financial Accounting Systems Through Modern Expe...
Triforce Global
 
UTEP毕业证学历认证,宾夕法尼亚克拉里恩大学毕业证未毕业
oqwcyqe
 
How to Odoo 19 Installation on Ubuntu - CandidRoot
CandidRoot Solutions Private Limited
 
AI/ML Infra Meetup | Beyond S3's Basics: Architecting for AI-Native Data Access
Alluxio, Inc.
 
Microsoft Office 365 Crack Download Free
wasibhadar
 
Guide to Food Delivery App Development.pdf
Lilac infotech
 
MLforCyber_MLDataSetsandFeatures_Presentation.pptx
AaryaNaik8
 
novaPDF Pro 11.9.482 Crack + License Key [Latest 2025]
viktamscs
 
Type Class Derivation in Scala 3 - Jose Luis Pintado Barbero
José Luis Pintado Barbero
 
Topaz Photo AI Crack New Download (Latest 2025)
hashmi66g66
 
Cybersecurity-and-Fraud-Protecting-Your-Digital-Life.pptx
balaji9945191
 
How Tridens DevSecOps Ensures Compliance, Security, and Agility
Tridens
 
Lecture 5 Software Requirement Engineering
Huda Nasir
 
most interesting chapter in the world ppt
sreyashmuppana
 
Matchmaking for JVMs: How to Pick the Perfect GC Partner
Tier1 app
 
CCleaner 6.39.11548 Crack 2025 License Key
viktamscs
 
CNN LeNet5 Architecture: Neural Networks
DrRPonnusamyCIT
 
EaseUS PDF Editor Pro 6.2.0.2 Crack with License Key 2025
halimaanam8
 
DNT Brochure 2025 – ISV Solutions @ D365
sai vignesh
 
Trending Python Topics for Data Visualization in 2025
IT IDOL Technologies
 

Realizing Near-Zero Security Flaws in Your Software

  • 1. —— GARTNER SECURITY & RISK MANAGEMENT SUMMIT 2018 REALIZING NEAR-ZERO SECURITY FLAWS IN YOUR SOFTWARE Nick Percoco
  • 3. 3Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 WHAT BROUGHT ME HERE? • Wrote first computer program in 1981 • Chicagoland BBS rat in 80s and early 90s • Internet Security Systems in late 90s • Founder of SpiderLabs, Creator of THOTCON • Co-Founder of “I am The Cavalry” movement • Global Services lead at Rapid7 • Advisor to industry / non-industry startups • Chief Security Officer at Uptake • Launched Secure SDLC at hyper-growth startup
  • 4. 4Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 WHAT’S THIS TALK ABOUT? • Setting a vision • Starting small • Making mistakes • Learning • Failing • Evolving • Transparency
  • 5. 5Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 SCOPE
  • 6. 6Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 TEAM SIZE
  • 7. 7Copyright © 2018 Uptake – CONFIDENTIALSecurity at Uptake Program Structure UPTAKE SECURITY PROGRAM Risk & Compliance Security Cloud & Networking Application Security Threat Exposure Management Hackers & Hunters Security Audit MORETECHNICALMORECOMPLIANCE CSOOVERSIGHT&PROGRAMMANAGEMENT SecurityAdvisoryCouncil UptakeStakeholders CustomerStakeholders Physical Security Cryptography
  • 8. 8Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 NEAR-ZERO SECURITY FLAWS
  • 9. SECTION 02 Start: A Complete Program Assessment
  • 10. 10Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 FOUR AREAS OF FOCUS – DIFFICULT QUESTIONS Inventory + Visibility — What applications do we have? — Who owns what? — How are we discovering/documenting? Discovery — How are we discovering security vulnerabilities? — Includes scans, pentests, bug bounty, internal reporting, etc. Management — How are we documenting vulnerabilities discovered? — How are we managing known vulnerabilities and remediations? Culture — How are we promoting security throughout our culture? — How are we gaining “buy-in” from engineering and product teams?
  • 12. 12Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 1: ESTABLISH TENT POLES Inventory + Visibility Discovery Management Culture
  • 13. 13Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 1: ESTABLISH TENT POLES Inventory + Visibility Discovery Management Culture Initial Team and Prod. Definitions Initial Team & Product Definitions — High level — Tried to align to agile teams Problem — Teams and products were continually changing — Non standardized “owners” - mixing of business and engineering teams — Unclear definitions - mixing “products” with “services”
  • 14. 14Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 1: ESTABLISH TENT POLES Inventory + Visibility Discovery Management Culture 3rd Party Pentest Initial Team and Prod. Definitions 3rd Party Pentest — Customer requirement driven — Brought in 3rd party for pentest — First time in-depth security testing was performed — Performed on just one product (the most mature)
  • 15. 15Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 1: ESTABLISH TENT POLES Inventory + Visibility Discovery Management Culture 3rd Party Pentest Veracode / Blackduck Initial Team and Prod. Definitions Security Code Scanning — Mentality was to just scan everything Problem — Organized on initial definitions — Did not map static scan profiles to our definitions — Did not have foresight for organization or easily visible metrics — Did not have clear ownerships for vulnerability fixes
  • 16. 16Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 1: ESTABLISH TENT POLES Inventory + Visibility Discovery Management Culture Onboarding Slides 3rd Party Pentest Veracode / Blackduck Initial Team and Prod. Definitions Onboarding New Hires — Overview of what security means and how to work with the team — Goal was to show value from security and break down barriers Problem — Overcoming problem of siloization
  • 17. 17Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 1: ESTABLISH TENT POLES Inventory + Visibility Discovery Management Culture Pentesting 3rd Party Pentest Veracode / Blackduck Initial Team and Prod. Definitions Onboarding Slides Internal Pentesting — Thoughtfully choosing new applications, products, and acquisitions — Created a schedule to pentest everything at least once a year Problem — Ownership of issues found
  • 18. 18Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 1: ESTABLISH TENT POLES Inventory + Visibility Discovery Management Culture Bug Bounty Pentesting 3rd Party Pentest Veracode / Blackduck Initial Team and Prod. Definitions Onboarding Slides Bug Bounty — Recognize that we had more surface area for testing than could be handled by single team Problem — Were not able to use production client data — Heavy engineering investment for new environment — Needed more buy-in from engineering and support for remediation — Underestimated the effort required to stand this up — Overestimated our maturity
  • 19. 19Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 1: ESTABLISH TENT POLES Inventory + Visibility Discovery Management Culture Excel Sheet Bug Bounty Pentesting 3rd Party Pentest Veracode / Blackduck Initial Team and Prod. Definitions Excel Sheet Onboarding Slides Tracking — Tracked source of finding (eg pentest, static scan), severity, and exploitability — A central location to see vulnerabilities and risk Problem — Little monitoring of assignee or ownership — Little monitoring of validation of fixes
  • 20. 20Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 1: ESTABLISH TENT POLES Inventory + Visibility Discovery Management Culture Excel Sheet Engineering Jiras Bug Bounty Pentesting 3rd Party Pentest Veracode / Blackduck Initial Team and Prod. Definitions Excel Sheet Onboarding Slides Assigning Issues — Added vulnerability tickets directly to engineering teams’ queues — Tickets ended up in backlogs Problem — Hard to see overview of risks per product — Tickets ended up being ignored/not updated
  • 21. 21Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 1: ESTABLISH TENT POLES Inventory + Visibility Discovery Management Culture Excel Sheet Engr. Jiras Bug Bounty Pentesting 3rd Party Pentest Veracode / Blackduck Initial Team and Prod. Definitions Excel Sheet Team Mtgs. / Office Hours Onboarding Slides Team Meetings/Office Hours — Meet with teams to walk through vulnerabilities — Created office hours for teams to come to us with questions and act as working sessions Problem — Teams looked at the office hours as a chore as opposed to useful
  • 22. 22Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 1: ESTABLISH TENT POLES Inventory + Visibility Discovery Management Culture Excel Sheet Engr. Jiras Bug Bounty Pentesting 3rd Party Pentest Veracode / Blackduck Initial Team and Prod. Definitions Excel Sheet Security Champions Team Mtgs. / Office Hours Onboarding Slides Security Champions — Cross organizational group to help bring security into all facets — Breakdown silos and disseminate best practices Problem — Keeping the interest of all involved — Teams changed quickly so the champions were needing to change often
  • 23. 23Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 1: ESTABLISH TENT POLES Culture Developer Training (Codebashing) Security Champions Team Mtgs. / Office Hours Onboarding Slides Inventory + Visibility Discovery Management Excel Sheet Engr. Jiras Bug Bounty Pentesting 3rd Party Pentest Veracode / Blackduck Initial Team and Prod. Definitions Excel Sheet Training — Engineering training: Required on a minimum of yearly basis — Company Training: More in depth onboarding slides Problem — Not hands on enough
  • 24. 24Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 1: ESTABLISH TENT POLES Inventory + Visibility Initial Team and Prod. Definitions Excel Sheet Team Signoff Culture Developer Training (Codebashing) Security Champions Team Mtgs. / Office Hours Onboarding Slides Management Excel Sheet Engr. Jiras Bug Bounty Pentesting 3rd Party Pentest Veracode / Blackduck Discovery Individual Team Sign-Off — Decided we don’t know the engineering organization as well as the individual teams — Gave engineers tools to run their own scans and view their own results — Required engineering teams to “sign-off” that scans were clean before deploying Problem — Lost a lot of visibility into the pipeline — If something was released out of cycle, we were not informed
  • 25. 25Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 1: ESTABLISH TENT POLES Inventory + Visibility Initial Team and Prod. Definitions Excel Sheet Team Signoff Culture Developer Training (Codebashing) Security Champions Team Mtgs. / Office Hours Onboarding Slides Management Excel Sheet Engr. Jiras Bug Bounty Pentesting 3rd Party Pentest Veracode / Blackduck Discovery
  • 27. 27Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 2: MATURE THE PROCESSES Inventory + Visibility Initial Team and Prod. Definitions Excel Sheet Team Signoff Re-evaluate Definitions and Ownership Culture Developer Training (Codebashing) Security Champions Team Mtgs. / Office Hours Onboarding Slides Management Excel Sheet Engr. Jiras Bug Bounty Label Goes Here Pentesting 3rd Party Pentest Veracode / Blackduck Discovery Re-Evaluate Definitions and Ownership — Refined definitions of application vs. product vs. microservice — Distinguished between “Risk” and “Bug” — Defined ownership – risk is owned by product team, bug is owned by engineering team Problem — Still lacked cross-team acceptance and buy-in — Changing team perspectives was hard because they were used to operating on old inventory and definitions
  • 28. 28Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 2: MATURE THE PROCESSES Inventory + Visibility Initial Team and Prod. Definitions Excel Sheet Team Signoff Re-evaluate Definitions and Ownership APPSEC Jira Culture Developer Training (Codebashing) Security Champions Team Mtgs. / Office Hours Onboarding Slides Management Excel Sheet Engr. Jiras Bug Bounty Pentesting 3rd Party Pentest Veracode / Blackduck Discovery APPSEC Jira APPSEC Jira — Migrated all tracking to a dedicated Jira project with custom workflows — Centralized “source of truth” for all owners, risks, findings, and engagements — Built in metrics and reporting (e.g. time to close, average risk, assignees, etc.) Problem — Product and Business side don’t check Jira regularly
  • 29. 29Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 2: MATURE THE PROCESSES Inventory + Visibility Discovery Management Culture APPSEC Dashboard APPSEC Jira Excel Sheet Engr. Jiras Bug Bounty Pentesting 3rd Party Pentest Veracode / Blackduck Initial Team and Prod. Definitions Excel Sheet Team Signoff Re-evaluate Definitions and Ownership APPSEC Jira Developer Training (Codebashing) Security Champions Team Mtgs. / Office Hours Onboarding Slides APPSEC Dashboard — Using Uptake Design System, created centralized dashboard that pulled data from Jira and correlated with other tools — Single pane of glass for all security findings and statuses — Custom KPIs and familiar interface Problem — Helped with visibility and accountability, but still lacked clear ownership
  • 30. 30Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 2: MATURE THE PROCESSES Inventory + Visibility Discovery Management Culture Cross Team Buy-In APPSEC Dashboard APPSEC Jira Excel Sheet Engr. Jiras Bug Bounty Pentesting 3rd Party Pentest Veracode / Blackduck Initial Team and Prod. Definitions Excel Sheet Team Signoff Re-evaluate Definitions and Ownership APPSEC Jira Cross Team Buy-in Developer Training (Codebashing) Security Champions Team Mtgs. / Office Hours Onboarding Slides Leadership and Cross-Team Buy-In — Increased visibility and well documented Jira workflows led to leadership buy-in on ownership — Established SLAs on finding remediations using dashboard metrics — Product, Security and Engineering Leadership sent out communication Problem — New paradigm of ownership meant slow to adopt across all engineering teams — New workflows had to be adopted for certain teams
  • 31. 31Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 2: MATURE THE PROCESSES Inventory + Visibility Discovery Management Culture Cross Team Buy-In APPSEC Dashboard APPSEC Jira Excel Sheet Engr. Jiras Bug Bounty 2.0 Bug Bounty Label Goes Here Pentesting 3rd Party Pentest Veracode / Blackduck Initial Team and Prod. Definitions Excel Sheet Team Signoff Re-evaluate Definitions and Ownership APPSEC Jira Cross Team Buy-in Developer Training (Codebashing) Security Champions Team Mtgs. / Office Hours Onboarding Slides Bug Bounty 2.0 — With leadership and cross-team buy in, revisited and re-launched Bug Bounty — Jira integration with Bug Bounty submissions fed directly into dashboard — Same SLAs applied to Bug Bounty findings Problem — Engineering buy-in for remediating findings, but still lacked buy-in for maintaining and updating Bug Bounty environment
  • 32. 32Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 2: MATURE THE PROCESSES Inventory + Visibility Discovery Management Culture Cross Team Buy-In APPSEC Dashboard APPSEC Jira Excel Sheet Engr. Jiras Bug Bounty 2.0 Label Goes HereBug Bounty Pentesting 3rd Party Pentest Veracode / Blackduck Initial Team and Prod. Definitions Excel Sheet Team Signoff Re-evaluate Definitions and Ownership APPSEC Jira Container Metrics Cross Team Buy-in Developer Training (Codebashing) Security Champions Team Mtgs. / Office Hours Onboarding Slides Container Metrics — With microservice ownership definitions, started pulling metrics on all running containers — Using container orchestration as “source of truth” for all applications running in production — Each container is tied to a product and has an owner Problem — Had visibility into what is running, but not direct 1:1 correlation to what is being scanned
  • 33. 33Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 2: MATURE THE PROCESSES Inventory + Visibility Discovery Management Cross Team Buy-In APPSEC Dashboard APPSEC Jira Excel Sheet Engr. Jiras Scanning Containers Bug Bounty 2.0 Bug Bounty Pentesting 3rd Party Pentest Veracode / Blackduck Initial Team and Prod. Definitions Excel Sheet Team Signoff Re-evaluate Definitions and Ownership APPSEC Jira Container Metrics Culture Cross Team Buy-in Developer Training (Codebashing) Security Champions Team Mtgs. / Office Hours Onboarding Slides Scanning Containers — Reorganized scanning pipeline to correlate directly to container metrics — Standard naming convention let us query scan results for every image and container in production Problem — 100% visibility, but data is “after- the-fact”
  • 34. 34Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 2: MATURE THE PROCESSES Inventory + Visibility Discovery Management Culture Cross Team Buy-In APPSEC Dashboard APPSEC Jira Excel Sheet Engr. Jiras Scanning Containers Bug Bounty 2.0 Label Goes HereBug Bounty Pentesting 3rd Party Pentest Veracode / Blackduck Initial Team and Prod. Definitions Excel Sheet Team Signoff Re-evaluate Definitions and Ownership APPSEC Jira Container Metrics Outreach and Training Cross Team Buy-in Developer Training (Codebashing) Security Champions Team Mtgs. / Office Hours Onboarding Slides Outreach and Training — AppSec has higher visibility and transparency within the organization — Started running trainings and tech-talks on scanning and penetration testing — Empowering engineering teams to do their own security testing
  • 35. 35Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 2: MATURE THE PROCESSES Inventory + Visibility Discovery Management Culture Outreach and Training Cross Team Buy-in Developer Training (Codebashing) Security Champions Team Mtgs. / Office Hours Onboarding Slides Cross Team Buy-In APPSEC Dashboard APPSEC Jira Excel Sheet Engr. Jiras Scanning Containers Bug Bounty 2.0 Label Goes HereBug Bounty Pentesting 3rd Party Pentest Veracode / Blackduck Initial Team and Prod. Definitions Excel Sheet Team Signoff Re-evaluate Definitions and Ownership APPSEC Jira Container Metrics
  • 37. 37Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 3: FUTURE STATE Inventory + Visibility Discovery Management Culture Dashboard 2.0 Dashboard 2.0 Outreach and Training Cross Team Buy-in Developer Training (Codebashing) Security Champions Team Mtgs. / Office Hours Onboarding Slides Cross Team Buy-In APPSEC Dashboard APPSEC Jira Excel Sheet Engr. Jiras Scanning Containers Bug Bounty 2.0 Label Goes HereBug Bounty Pentesting 3rd Party Pentest Veracode / Blackduck Initial Team and Prod. Definitions Excel Sheet Team Signoff Re-evaluate Definitions and Ownership APPSEC Jira Container Metrics Dashboard 2.0 — The AppSec Dashboard has proved successful — Want to implement more security metrics from other tools — Implement news and security communications/alerts
  • 38. 38Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 3: FUTURE STATE Inventory + Visibility Discovery Management Culture Dashboard 2.0 Full CI/CD Dashboard 2.0 Outreach and Training Cross Team Buy-in Developer Training (Codebashing) Security Champions Team Mtgs. / Office Hours Onboarding Slides Cross Team Buy-In APPSEC Dashboard APPSEC Jira Excel Sheet Engr. Jiras Scanning Containers Bug Bounty 2.0 Bug Bounty Pentesting 3rd Party Pentest Veracode / Blackduck Initial Team and Prod. Definitions Excel Sheet Team Signoff Re-evaluate Definitions and Ownership APPSEC Jira Container Metrics Full CI/CD Integration — Engineering is re-working their CI/CD pipeline — Tightly integrate with all security tools and scanning — Aim for 100% code coverage in CI/CD before container is deployed — Feedback loop from discovered findings into unit tests
  • 39. 39Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 PHASE 3: FUTURE STATE Inventory + Visibility Discovery Management Culture Dashboard 2.0 Full CI/CD Dashboard 2.0 Technical Trainings, CTFs, Events Outreach and Training Cross Team Buy-in Developer Training (Codebashing) Security Champions Team Mtgs. / Office Hours Onboarding Slides Cross Team Buy-In APPSEC Dashboard APPSEC Jira Excel Sheet Engr. Jiras Scanning Containers Bug Bounty 2.0 Label Goes HereBug Bounty Pentesting 3rd Party Pentest Veracode / Blackduck Initial Team and Prod. Definitions Excel Sheet Team Signoff Re-evaluate Definitions and Ownership APPSEC Jira Container Metrics Security Events — Continue trainings and tech talks — Host internal CTFs to promote security testing — Increase developer involvement in penetration testing and validation testing
  • 41. 41Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018 LESSONS LEARNED Need to keep all four areas “in sync” — We jumped too far ahead in the Discovery lane too soon – had to play catch up with Inventory and Management — Culture cannot lag behind. Buy in and cross-team culture allows quicker progress in the other areas Honest self-assessments of maturity — Having tools in place does not equal maturity — Culture drives maturity Avoid silo-ing Security — Openness and cross-team communication leads to buy-in — Don’t just “chuck findings over the fence” Have clear definitions and ownership — Risk vs Bug — Application vs product vs microservice
  • 43. 43Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018
  • 44. 44Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018
  • 45. 45Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018
  • 46. 46Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018
  • 47. 47Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018
  • 48. 48Copyright © 2018 UptakeGartner Security & Risk Management Summit 2018
  • 49. Copyright © 2018 by Uptake Technologies Inc. All rights reserved. No parts of this document may be distributed, reproduced, transmitted, or stored electronically without Uptake’s prior written permission. This document contains Uptake's confidential and proprietary information. If a pre-existing contract containing disclosure and use restrictions exists between your company and Uptake, you and your company will use the information in this document subject to the terms of the pre-existing contract. If no such pre-existing contract exists, you and your Company agree to protect the information in this document and agree not to reproduce or disclose the information in any way. Uptake makes no warranties, express or implied, in this document. Uptake shall not be liable for damages of any kind arising out of use of this document. Any discussion of potential features is not a promise of future functionality.