
DevSecCon London 2018: Building effective DevSecOps teams through role-playing games


Mike Shema
Effective appsec emerges from DevSecOps tactics like feedback loops, automation, and the flexibility to respond to situations quickly. These tactics emphasize process and tools, sometimes neglecting the knowledge and skills needed to work with others to build and maintain apps. And the solutions they strive for don't always capture how different users can have different threat models. On the technology side of appsec we have clouds, top 10 lists, and tools. But we haven't built up equivalent resources, references, or models for the people we build apps with and the people we build them for. This presentation dives into specific techniques and references for working with people and for building threat models that go beyond basic technical concerns. Tabletop role-playing games are a great model for understanding and building the skills that matter to DevSecOps teams. They encourage communication, collaboration, and the achievement of shared goals. And they face the same challenges in resolving conflicts, avoiding derailing behaviors, and ensuring everyone participates. Come discover how RPGs can positively influence your security teams. Security is an integral part of DevSecOps. And, yes, it's made of people.

Published in: Technology

  1. LONDON 18-19 OCT 2018. Mike Shema, @CodexWebSecurum. Building Effective DevSecOps Teams Through Role-Playing Games
  2. The Masquerade: Second Edition. White Wolf Game Studio. 1997.
  3. Monstrously Manual. As we treat infrastructure as code and make code more human-readable, we must still find ways to read humans.
  4. DevOps Automation. Required to scale. Establishes consistency. Enables confident iteration.
  5. Dev[Sec]Ops People. Working with them. Working for them. Building for them.
  6. Actual Problem Ignored. Users are stupid. Devs are lazy. Vuln equals risk. https://www.usenix.org/legacy/publications/library/proceedings/sec99/whitten.html
  7. Fantasy Campaign Setting. User: Intelligence -2; Wisdom -2. Developer: Intelligence -2; Wisdom -2.
  8. Collaborative story-telling. Shared goals. Communication exercises.
  9. Barbarian, Fighter, Magic-User, Thief, Cleric, Ranger, Bard. Coder, Sysadmin, DevOps, DevOps at scale, Red Team, Blue Team, Threat Hunting, CISO.
  10. The Masquerade: Second Edition. White Wolf Game Studio. 1997.
  11. Communication. Empathy. Threats. Shared Vocabulary.
  12. Communication: Listen. Acknowledge. Repeat back.
  13. Empathy: Broaden understanding. Reconsider viewpoints. Improve solutions. Constructive feedback.
  14. Threats: Ambiguity. Blame. Erasure. Essentializing.
  15. Codes of Conduct. Set expectations, standards of behavior. Describe a path for conflict resolution, define consequences. Foster participation. Example: https://golang.org/conduct
  16. https://captainawkward.com
  17. RPG Threat Models
  18. Roll for initiative. Split the party. Touch the statue. Attack the darkness.
  19. A Fiendish Folio. Abuse, directed or distributed. Asymmetric costs of effort or attention. Forced participation. Security as a cost. Privacy* (*Summons 2d6 more privacy demons)
  20. …and more fiends. Asymmetric features. Unexpected design. AR and VR vectors.
  21. DevTruSafOps. Ratings without context or with irrelevant context. Reputational damage. Reputational abuse. Involuntary participation, added to list of X, added to repo of Y.
  22. DevPrivOps. Metadata leaks. De-anonymization of identity. De-aggregation of cohorts.
  23. Privacy by Design. Coarseness of data. Storage of data. Use of data.
  24. Protocols & Ceremonies
  25. Ceremonies. How are users included in the system? How are they modeled, what is expected of them? Do they have the tools, knowledge, skills to accomplish what's expected? https://eprint.iacr.org/2007/399.pdf
  26. Attacking the Darkness. Ambiguity in design, omitting the user. Assuming a uniform user. Not perceiving a user's threat model. Not measuring a ceremony's effectiveness.
  27. Metrics: The Observation
  28. Build a Story (Cautiously). Ask an interesting & relevant question. Collect signals, beware silence. Create metrics, beware tunnel vision. Create a story, beware myth.
  29. 50% of Findings
  30. Threats. Lack of signals. Unrepresentative signals. Tunnel vision. Information bias & many more cognitive biases. https://www.businessinsider.com/cognitive-biases-affect-decisions-2015-8/
  31. Unearthing Arcana. What we measure also reflects what we care about. What we care about also reflects on our environment.
  32. Mind Flayer. RPGs continue to evolve. Cliques, in-groups, and gate-keeping are threats to any social group. Not everyone is familiar with RPGs.
  33. Tabletop Exercises. Scenario. Objectives. Participants. Rules & Scope. Referee. Reduces stress. Enables learning. Practices ceremonies. Generates feedback.
  34. The CTO directs a DevOps team member to improve analytics. They export a production DB into a 3rd-party business intelligence tool for a proof-of-concept. They grant access to every team member. The data includes password hashes.
  35. Create relevant scenarios. Attack the objective, not the scenario. Review feedback on people, process, & tools. Review feedback on rules & rulings.
  36. RPG Interpersonal Skills. Compromise. Negotiation. Patience. Team-building.
  37. Made by people. Made for people. Made of people. Soylent. Soylent. Soylent.
  38. @CodexWebSecurum
  39. Appendix N. https://www.usenix.org/legacy/publications/library/proceedings/sec99/whitten.html https://eprint.iacr.org/2007/399.pdf https://captainawkward.com https://www.crashoverridenetwork.com https://geekfeminism.wikia.com/wiki/Category:Concepts https://tallpoppy.io https://businessinsider.com/cognitive-biases-affect-decisions-2015-8/ https://www.contributor-covenant.org/version/1/4/code-of-conduct
  40. "I don't wanna bust out of here and find nothing but a lot of cold circuits waiting for me." –Tron, TRON
  41. LONDON 18-19 OCT 2018. end of line.
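Slide 23 names coarseness, storage and use of data as the levers of privacy by design, and the tabletop scenario on slide 34 shows what happens when none of them is applied: a raw production table, password hashes included, lands in a third-party tool that every team member can read. The following is an added example, not code from the talk or from Mike Shema; it shows one defensive control a DevOps team could put between the database and the export in that scenario. The table schema, column names, sample rows and the allowlist are all constructed for illustration.

```python
"""Sanitize a table before it leaves the production boundary (added example).

Three controls, matching the "coarseness / storage / use" framing:
  * an allowlist decides which columns the analytics use-case may see at all;
  * a deny pattern refuses credential-looking columns even if someone allowlists them;
  * fields that survive are coarsened (age band, outward postcode, login month)
    so the export carries less identifying detail than the source.
"""
import re
from datetime import date

# Constructed sample rows in a hypothetical user-table schema; not real data.
SAMPLE_ROWS = [
    {"user_id": 101, "email": "ada@example.com", "password_hash": "$2b$12$CONSTRUCTED",
     "birth_date": "1985-03-14", "postcode": "SW1A 1AA", "plan": "pro",
     "last_login": "2018-10-01"},
    {"user_id": 102, "email": "bob@example.com", "password_hash": "$2b$12$CONSTRUCTED",
     "birth_date": "1999-11-30", "postcode": "EC2A 3AY", "plan": "free",
     "last_login": "2018-09-17"},
]

# Assumed allowlist: the columns the analytics proof-of-concept actually needs.
ALLOWED_COLUMNS = ("user_id", "birth_date", "postcode", "plan", "last_login")

# Column names that must never be exported, whatever the allowlist says.
CREDENTIAL_NAME = re.compile(r"password|passwd|hash|secret|token|api_key", re.IGNORECASE)

# Fixed reference date so age bands are reproducible (the conference date).
REFERENCE_DATE = date(2018, 10, 18)


def age_band(birth_date: str, today: date, width: int = 10) -> str:
    """Replace an exact birth date with a decade-wide age band, e.g. '30-39'."""
    born = date.fromisoformat(birth_date)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def coarsen(column: str, value, today: date):
    """Reduce the precision of fields that are allowed out but still identifying."""
    if column == "birth_date":
        return age_band(value, today)
    if column == "postcode":
        return value.split()[0]          # outward code only: "SW1A 1AA" -> "SW1A"
    if column == "last_login":
        return value[:7]                 # month granularity: "2018-10-01" -> "2018-10"
    return value


def sanitize_export(rows, allowed=ALLOWED_COLUMNS, today=REFERENCE_DATE):
    """Return rows restricted to the allowlist, with credential columns refused
    outright and remaining fields coarsened. Raises if the allowlist itself is unsafe."""
    bad = [c for c in allowed if CREDENTIAL_NAME.search(c)]
    if bad:
        raise ValueError(f"allowlist contains credential columns: {bad}")
    return [{c: coarsen(c, row[c], today) for c in allowed if c in row} for row in rows]


if __name__ == "__main__":
    for row in sanitize_export(SAMPLE_ROWS):
        print(row)
```

The allowlist answers "use of data" (only what the question needs), the deny pattern guards against a careless allowlist, and coarsening answers "coarseness of data" so that even a fully shared export is less useful for re-identification. The "storage" lever is outside this snippet: it is the decision about where the sanitized file lives and who holds the BI tool's credentials.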
