SlideShare ist ein Scribd-Unternehmen logo

How To "Speak Developer"

‱Als PPTX, PDF herunterladen‱
‱
Nick Malcolm
Nick Malcolm

The document discusses how security professionals can better communicate with developers by learning to "speak developer". It recommends: 1) Learning the developer's language by understanding their perceptions, working context using agile terminology, and key metrics. 2) Speaking the developer's language by imitating them, being inclusive of all roles, and being transparent about security work. 3) "Speaking" in the right places by being pragmatic, concise, and integrating security tools and documentation into the workflows and tools developers already use. The goal is to break down barriers, empower teams to build security in from the start, and help developers integrate security best practices into their rapid pace of work.

Technologie
1 von 150
Nick Malcolm How To “Speak Developer” @nickmalcolm
How to “speak developer”
Why are we getting hacked?
Why are there vulnerabilities in my software?
Do people come in to work thinking “Hmmm, what buggy software can we create today?”
Why do penetration tests keep finding the same things?
Why wont they just listen to me?!
Why am I so busy?!
There is a language barrier
We need to break it.
We have skills and context on the security risks facing our organisations
We need to translate that into something that empowers teams to be better
We need to learn How to “speak developer”
Hi, I’m Nick. Former software developer. Security Consultant @ Aura.
1) Learn their language 2) Speak their language 3) “Speak” in the right places
1) Learn their language Perceptions. Working Context. Metrics. 2) Speak their language 3) “Speak” in the right places
1) Learn their language Perceptions. Working Context. Metrics. 2) Speak their language Imitate. Be Inclusive. Be Transparent. 3) “Speak” in the right places
1) Learn their language Perceptions. Working Context. Metrics. 2) Speak their language Imitate. Be Inclusive. Be Transparent. 3) “Speak” in the right places Pragmatic & Concise. In their tools. Timing.
1) Learn Their Language
How are we perceived? 1) Learn their language
Security Says “Slow”
Security Has An Ego
> Their perception influences how they hear what we’re saying 1) Learn their language: Perception
> We need to change their perception 1) Learn their language: Perception
Our perception of them matters too. “Actor-Observer Bias”
Other people’s bad behaviour is because they’re dumb. My bad behaviour is due to factors beyond my control. 1) Learn their language: Perception
The dev teams lack common sense and don’t learn. The security team is under-resourced and dealing with too many projects. 1) Learn their language: Perception
> Our perception influences how we talk to them 1) Learn their language: Perception
Understand their perception of us, and our perception of them 1) Learn their language: Perception
Working Context 1) Learn their language
> Use the words they use. Work the way they work. 1) Learn their language: Perception
Agile? 1) Learn their language: Working Context
Refinement Sessions Definition of Ready Definition of Done 1) Learn their language: Working Context
Meets Definition of Ready? Meets Definition of Done? Do it Ship It Refine it Backlog Item 1) Learn their language: Working Context
Meets Definition of Ready? Meets Definition of Done? Do it Ship It Refine it Backlog Item 1) Learn their language: Working Context
> If security isn’t in the Definition of Ready, it won’t get done.
Ask if you can attend their refinement sessions. Ask about their DoR & DoD. 1) Learn their language: Working Context
Find the right “injection points” 1) Learn their language: Working Context
Don’t hijack their meetings 1) Learn their language: Working Context
Epics! Features! Stories! Oh my! 1) Learn their language: Working Context
It’s the language they use to make big to-do items in to small to-do items 1) Learn their language: Working Context
EPIC EPIC EPIC Feature Feature Story Story Story Story Task Task Task Task 1) Learn their language: Working Context
EPIC EPIC EPIC 1) Learn their language: Working Context High level Define NFRs Big security initiatives
Create a Security Epic. Figure out what goes in it later! 1) Learn their language: Working Context
Flag high-level compliance / privacy considerations 1) Learn their language: Working Context
EPIC EPIC EPIC Feature Feature 1) Learn their language: Working Context Medium Level Identify security stories “As a secure developer I want to
” Reusable patterns

I want users to sign up with good passwords 
I want to let users use 2 Factor Authentication 
I want logs to be good, and stored safely 
I want to detect fraudulent payments 1) Learn their language: Working Context
If other teams in the organisation have done similar things securely, you should be pointing to those reusable patterns! 1) Learn their language: Working Context
“Features” of a Security Epic: Create a Threat Model Establish and test DR metrics & plan Conduct a Penetration Test 1) Learn their language: Working Context
EPIC EPIC EPIC Feature Feature Story Story Story Story 1) Learn their language: Working Context Acceptance criteria
I can’t choose a password with less than 12 characters I can’t choose a commonly-used password 1) Learn their language: Working Context
Servers are configured to CIS Benchmark Automated tests continuously assure ports are closed 1) Learn their language: Working Context
EPIC EPIC EPIC Feature Feature Story Story Story Story Task Task Task Task 1) Learn their language: Working Context Low Level Code examples Test examples
> Learn how your teams work
> Friction happens if we don’t adapt to their working style
DevOps? 1) Learn their language: Working Context
Continuous Integration Continuous Delivery Continuous Deployment Metrics, Metrics, Metrics 1) Learn their language: Working Context
Continuous Integration Continuous Delivery Continuous Deployment Metrics, Metrics, Metrics 1) Learn their language: Working Context
> If they’re trying to do CD, is security a hurdle?
Deployment Frequency How often can we deploy each day/week/month? 1) Learn their language: Working Context
Change Lead Time How long does it take from “Done” to “Deployed”? 1) Learn their language: Working Context
> Don’t slow velocity 1) Learn their language: Working Context
> What are their rituals? What are their drivers? 1) Learn their language: Working Context
What tools do you use? Where do team discussions happen? Can I join in? What’s tripping you up? 1) Learn their language: Working Context
⚑ Use outliers to shift the norm 1) Learn their language: Working Context
Identify the “star” team Help them lead by example
Identify the “worst” team You’ll learn an awful lot
NORM WORST BEST NORM 1) Learn their language: Working Context
Understand their working language Start with the outliers 1) Learn their language: Working Context
2) Speak Their Language
Imitation 2) Speak their language
How do any of us begin to learn a language? Trial and error. Over and over. 2) Speak their language: Imitation
“ Imitation is not just the sincerest form of flattery - it's the sincerest form of learning - George Bernard Shaw 2) Speak their language: Imitation
Slack / Chatrooms / GIFs 2) Speak their language: Imitation
NICK MALCOLM / AURA INFORMATION SECURITY
giphy.com knowyourmeme.com 2) Speak their language: Imitation
Be Inclusive 2) Speak their language
> These are your developers! Coders, Testers, BAs, PMs, Architects, Sysadmins, Help Desk
 2) Speak their language
Silos are a security issue. “thrown over the fence” == “fallen through the cracks” 2) Speak their language: Be Inclusive
Include all development team roles, not just coders If they’re part of the SDLC, involve them! 2) Speak their language: Be Inclusive
Everyone learns more. Everyone understand their responsibilities better. 2) Speak their language: Be Inclusive
Remember: Jargon excludes people. 2) Speak their language: Be Inclusive
⚑ Example: Threat Modelling 2) Speak their language: Be Inclusive
⚑ Gather the team for a half-an-hour brainstorming session. All roles should be involved. 2) Speak their language: Be Inclusive
⚑ Who are our users? What info are they putting in? What would happen if it was exposed / changed / lost? What can we do to stop that? 2) Speak their language: Be Inclusive
⚑ Encourage discussion Ask questions Help teams understand likelihood and impact Talk about real scenarios you’ve seen. 2) Speak their language: Be Inclusive
Be Transparent 2) Speak their language
When you’re working on something that affects them, include them!
Seek their feedback. Give them ownership. 2) Speak their language: Be Transparent
Get involved. Be a familiar face. Be available. Commit to “office hours”. 2) Speak their language: Be Transparent
Build trust. Change perceptions. 2) Speak their language: Be Transparent
“Translate” pen test reports Provide metrics on recurring bugs 2) Speak their language: Be Transparent
> Security should happen with your teams not to your teams 2) Speak their language
Imitate Be Inclusive Be Transparent 2) Speak their language
3) Speak In The Right Places
Pragmatic & Concise 3) Speak in the right places
Documentation should be: 1. Easy to navigate 2. Answer “what do I actually need to do?” 3. Answer “where do I look for more information" 3) Speak in the right places: Pragmatic & Concise
Anything else is a hurdle to be avoided. 3) Speak in the right places: Pragmatic & Concise
Developers don’t look at standards. They look at Stack Overflow. 3) Speak in the right places: Pragmatic & Concise
Instead of 100 page “coding standards”, give them something practical 3) Speak in the right places: Pragmatic & Concise
⚑ Example: Pattern Library 3) Speak in the right places: Pragmatic & Concise
⚑ Known-secure code snippets Hardened configurations Base projects Base tests 3) Speak in the right places: Pragmatic & Concise
Make “the right thing” a copy-paste away. 3) Speak in the right places: Pragmatic & Concise
Show them what “good” will look like, for if they need to look elsewhere. Empower them to add new code back. 3) Speak in the right places: Pragmatic & Concise
Quick, relevant answers. Secure software. 3) Speak in the right places: Pragmatic & Concise
Be In Their Tools 3) Speak in the right places
⚑ Example: Jira-Integrated Security Questionnaire 3) Speak in the right places: Be in their tools
⚑ Slack’s goSDL Identifies security requirements at the “Epic” level. Teams can DIY 3) Speak in the right places: Be in their tools
⚑ Will this be internal-only, or production? Will it access sensitive customer data? Will you change or create security features? 
 3) Speak in the right places: Be in their tools
⚑ 3) Speak in the right places: Be in their tools
⚑ Makes it less likely that issues make it to production Or show up in a Penetration Test. 3) Speak in the right places: Be in their tools
⚑ Example: Static Code Analysis 3) Speak in the right places: Be in their tools
⚑ Add a metric to their DevOps dashboard # vulnerabilities identified at build time 3) Speak in the right places: Be in their tools
⚑ Make sure it integrates with code editors and testing suites too 3) Speak in the right places: Be in their tools
⚑ Start off by accepting the existing issues, but preventing new ones. Then work through the backlog. And SHOW THEM their progress! 3) Speak in the right places: Be in their tools
> Integrate with their tools 3) Speak in the right places: Be in their tools
> Make it easy to do the right thing 3) Speak in the right places: Be in their tools
> Make it easy to spot the wrong things 3) Speak in the right places: Be in their tools
> Security built-in, and increased pace 3) Speak in the right places
Pragmatic & Concise Be in their tools 3) Speak in the right places
So. What if we lived in a world where we could “Speak Developer”?
Empowerment
Empowered to do the right thing, and empowered to call things out when they look weird.
Pace
Tools that help them move fast, without breaking things
Trust
Trust that when you say “Stop”, you must really, truly mean it
“ Woven in to keep them going Respected enough to stop them - Laura Bell (@lady_nerd)
Recap time!
1) Learn their language
2) Speak their language
3) “Speak” in the right places
Bridge the language barrier
because that’s our job
Weave security in
and deliver secure software
Learning a new language is slow going. That’s OK
Learn from each other
Other people in this room are (hopefully!) interested in this topic
What ideas sparked? How do you approach this topic? What can I learn from you?
Take that first step.
Speak developer.
Thanks! Questions? Nick Malcolm @nickmalcolm aurainfosec.com

Empfohlen

Making sure nothing is "lost in translation"
Making sure nothing is "lost in translation"Making sure nothing is "lost in translation"
Making sure nothing is "lost in translation"
Paula de Matos
 
Giving able pupils a solid theoretical framework for analysing language
Giving able pupils a solid theoretical framework for analysing languageGiving able pupils a solid theoretical framework for analysing language
Giving able pupils a solid theoretical framework for analysing language
Francis Gilbert
 
Essayorganizer2 090923170930 Phpapp02
Essayorganizer2 090923170930 Phpapp02Essayorganizer2 090923170930 Phpapp02
Essayorganizer2 090923170930 Phpapp02
tiffany meade
 
Essay%20 Organizer
Essay%20 OrganizerEssay%20 Organizer
Essay%20 Organizer
shettleraustin
 
Essay%20 Organizer
Essay%20 OrganizerEssay%20 Organizer
Essay%20 Organizer
hhaallee
 
Tikal
TikalTikal
Tikal
jazamae
 
Essay Organizer
Essay OrganizerEssay Organizer
Essay Organizer
ClevelandBrowns
 
Essay Organizer 2
Essay Organizer 2Essay Organizer 2
Essay Organizer 2
tiffany meade
 

Empfohlen

Making sure nothing is "lost in translation"
Making sure nothing is "lost in translation"Making sure nothing is "lost in translation"
Making sure nothing is "lost in translation"
Paula de Matos
 
Giving able pupils a solid theoretical framework for analysing language
Giving able pupils a solid theoretical framework for analysing languageGiving able pupils a solid theoretical framework for analysing language
Giving able pupils a solid theoretical framework for analysing language
Francis Gilbert
 
Essayorganizer2 090923170930 Phpapp02
Essayorganizer2 090923170930 Phpapp02Essayorganizer2 090923170930 Phpapp02
Essayorganizer2 090923170930 Phpapp02
tiffany meade
 
Essay%20 Organizer
Essay%20 OrganizerEssay%20 Organizer
Essay%20 Organizer
shettleraustin
 
Essay%20 Organizer
Essay%20 OrganizerEssay%20 Organizer
Essay%20 Organizer
hhaallee
 
Tikal
TikalTikal
Tikal
jazamae
 
Essay Organizer
Essay OrganizerEssay Organizer
Essay Organizer
ClevelandBrowns
 
Essay Organizer 2
Essay Organizer 2Essay Organizer 2
Essay Organizer 2
tiffany meade
 
Essay%20 Organizer
Essay%20 OrganizerEssay%20 Organizer
Essay%20 Organizer
curtisbrown1
 
Moral Fiber Organizer
Moral Fiber OrganizerMoral Fiber Organizer
Moral Fiber Organizer
lilgreenbb
 
Intro to Plain Language-for FCN Apr2012 Presentation
Intro to Plain Language-for FCN Apr2012 PresentationIntro to Plain Language-for FCN Apr2012 Presentation
Intro to Plain Language-for FCN Apr2012 Presentation
Federal Communicators Network
 
Myths in the Translation QA
Myths in the Translation QAMyths in the Translation QA
Myths in the Translation QA
Martin Janda
 
Essay%20 Organizer
Essay%20 OrganizerEssay%20 Organizer
Essay%20 Organizer
John Papotnik
 
Essay Organizer
Essay OrganizerEssay Organizer
Essay Organizer
jennifer wager
 
Essay%20 Organizer2
Essay%20 Organizer2Essay%20 Organizer2
Essay%20 Organizer2
12mccartyc
 
Meeting 6 team b
Meeting 6 team bMeeting 6 team b
Meeting 6 team b
Gwen Noteborn
 
Slideshow
SlideshowSlideshow
Slideshow
Justin Bengel
 
Essay%20 Organizer
Essay%20 OrganizerEssay%20 Organizer
Essay%20 Organizer
lilcourtney
 
Meeting 6 team a
Meeting 6 team aMeeting 6 team a
Meeting 6 team a
gcmnoteborn
 
Pro Translating Presentation
Pro Translating PresentationPro Translating Presentation
Pro Translating Presentation
mcdelavega
 
Austin1
Austin1Austin1
Austin1
shettleraustin
 
Austin
AustinAustin
Austin
shettleraustin
 
Essay%20 Organizer
Essay%20 OrganizerEssay%20 Organizer
Essay%20 Organizer
shettleraustin
 
Essay Organizer
Essay OrganizerEssay Organizer
Essay Organizer
lilgreenbb
 
Essay%20 Organizer
Essay%20 OrganizerEssay%20 Organizer
Essay%20 Organizer
Justin Bengel
 
Getting it right_english
Getting it right_englishGetting it right_english
Getting it right_english
john rogan
 
Essay%20 Organizer
Essay%20 OrganizerEssay%20 Organizer
Essay%20 Organizer
John Papotnik
 
Writing for Developers: Some Rational Techniques (YUIConf 2012)
Writing for Developers: Some Rational Techniques (YUIConf 2012)Writing for Developers: Some Rational Techniques (YUIConf 2012)
Writing for Developers: Some Rational Techniques (YUIConf 2012)
evangoer
 
ConveyUX Elegant Precision
ConveyUX Elegant PrecisionConveyUX Elegant Precision
ConveyUX Elegant Precision
laurentgc
 
Watch your language, young man!
Watch your language, young man!Watch your language, young man!
Watch your language, young man!
PaweƂ WacƂawczyk
 

Weitere Àhnliche Inhalte

Was ist angesagt?

Essay%20 Organizer
Essay%20 OrganizerEssay%20 Organizer
Essay%20 Organizer
curtisbrown1
 
Moral Fiber Organizer
Moral Fiber OrganizerMoral Fiber Organizer
Moral Fiber Organizer
lilgreenbb
 
Essay%20 Organizer
Essay%20 OrganizerEssay%20 Organizer
Essay%20 Organizer
John Papotnik
 
Essay%20 Organizer2
Essay%20 Organizer2Essay%20 Organizer2
Essay%20 Organizer2
12mccartyc
 
Meeting 6 team b
Meeting 6 team bMeeting 6 team b
Meeting 6 team b
Gwen Noteborn
 
Essay%20 Organizer
Essay%20 OrganizerEssay%20 Organizer
Essay%20 Organizer
lilcourtney
 
Meeting 6 team a
Meeting 6 team aMeeting 6 team a
Meeting 6 team a
gcmnoteborn
 
Essay%20 Organizer
Essay%20 OrganizerEssay%20 Organizer
Essay%20 Organizer
shettleraustin
 
Essay Organizer
Essay OrganizerEssay Organizer
Essay Organizer
lilgreenbb
 
Essay%20 Organizer
Essay%20 OrganizerEssay%20 Organizer
Essay%20 Organizer
Justin Bengel
 
Essay%20 Organizer
Essay%20 OrganizerEssay%20 Organizer
Essay%20 Organizer
John Papotnik
 

Was ist angesagt? (19)

Essay%20 Organizer
Essay%20 OrganizerEssay%20 Organizer
Essay%20 Organizer
 
Moral Fiber Organizer
Moral Fiber OrganizerMoral Fiber Organizer
Moral Fiber Organizer
 
Intro to Plain Language-for FCN Apr2012 Presentation
Intro to Plain Language-for FCN Apr2012 PresentationIntro to Plain Language-for FCN Apr2012 Presentation
Intro to Plain Language-for FCN Apr2012 Presentation
 
Myths in the Translation QA
Myths in the Translation QAMyths in the Translation QA
Myths in the Translation QA
 
Essay%20 Organizer
Essay%20 OrganizerEssay%20 Organizer
Essay%20 Organizer
 
Essay Organizer
Essay OrganizerEssay Organizer
Essay Organizer
 
Essay%20 Organizer2
Essay%20 Organizer2Essay%20 Organizer2
Essay%20 Organizer2
 
Meeting 6 team b
Meeting 6 team bMeeting 6 team b
Meeting 6 team b
 
Slideshow
SlideshowSlideshow
Slideshow
 
Essay%20 Organizer
Essay%20 OrganizerEssay%20 Organizer
Essay%20 Organizer
 
Meeting 6 team a
Meeting 6 team aMeeting 6 team a
Meeting 6 team a
 
Pro Translating Presentation
Pro Translating PresentationPro Translating Presentation
Pro Translating Presentation
 
Austin1
Austin1Austin1
Austin1
 
Austin
AustinAustin
Austin
 
Essay%20 Organizer
Essay%20 OrganizerEssay%20 Organizer
Essay%20 Organizer
 
Essay Organizer
Essay OrganizerEssay Organizer
Essay Organizer
 
Essay%20 Organizer
Essay%20 OrganizerEssay%20 Organizer
Essay%20 Organizer
 
Getting it right_english
Getting it right_englishGetting it right_english
Getting it right_english
 
Essay%20 Organizer
Essay%20 OrganizerEssay%20 Organizer
Essay%20 Organizer
 

Ähnlich wie How To "Speak Developer"

ConveyUX Elegant Precision
ConveyUX Elegant PrecisionConveyUX Elegant Precision
ConveyUX Elegant Precision
laurentgc
 
Build your own Language - Why and How?
Build your own Language - Why and How?Build your own Language - Why and How?
Build your own Language - Why and How?
Markus Voelter
 
Language: Your Organization's Most Important and Least Valued Asset (Confab 2...
Language: Your Organization's Most Important and Least Valued Asset (Confab 2...Language: Your Organization's Most Important and Least Valued Asset (Confab 2...
Language: Your Organization's Most Important and Least Valued Asset (Confab 2...
Abby Covert
 
Language: Your Organization's Most Important and Least Valued Asset
Language: Your Organization's Most Important and Least Valued AssetLanguage: Your Organization's Most Important and Least Valued Asset
Language: Your Organization's Most Important and Least Valued Asset
Abby Covert
 
Gadgets pwn us? A pattern language for CALL
Gadgets pwn us? A pattern language for CALLGadgets pwn us? A pattern language for CALL
Gadgets pwn us? A pattern language for CALL
Lawrie Hunter
 

Ähnlich wie How To "Speak Developer" (20)

Writing for Developers: Some Rational Techniques (YUIConf 2012)
Writing for Developers: Some Rational Techniques (YUIConf 2012)Writing for Developers: Some Rational Techniques (YUIConf 2012)
Writing for Developers: Some Rational Techniques (YUIConf 2012)
 
ConveyUX Elegant Precision
ConveyUX Elegant PrecisionConveyUX Elegant Precision
ConveyUX Elegant Precision
 
Watch your language, young man!
Watch your language, young man!Watch your language, young man!
Watch your language, young man!
 
Build your own Language - Why and How?
Build your own Language - Why and How?Build your own Language - Why and How?
Build your own Language - Why and How?
 
Language: Your Organization's Most Important and Least Valued Asset (Confab 2...
Language: Your Organization's Most Important and Least Valued Asset (Confab 2...Language: Your Organization's Most Important and Least Valued Asset (Confab 2...
Language: Your Organization's Most Important and Least Valued Asset (Confab 2...
 
Language Learning & Technology with Young Learners
Language Learning & Technology with Young LearnersLanguage Learning & Technology with Young Learners
Language Learning & Technology with Young Learners
 
Language: Your Organization's Most Important and Least Valued Asset
Language: Your Organization's Most Important and Least Valued AssetLanguage: Your Organization's Most Important and Least Valued Asset
Language: Your Organization's Most Important and Least Valued Asset
 
NOVA Data Science Meetup 1/19/2017 - Presentation 2
NOVA Data Science Meetup 1/19/2017 - Presentation 2NOVA Data Science Meetup 1/19/2017 - Presentation 2
NOVA Data Science Meetup 1/19/2017 - Presentation 2
 
Python overview
Python overviewPython overview
Python overview
 
Ijet Talk
Ijet TalkIjet Talk
Ijet Talk
 
Deep network notes.pdf
Deep network notes.pdfDeep network notes.pdf
Deep network notes.pdf
 
There's an app for that new
There's an app for that new There's an app for that new
There's an app for that new
 
Speech recognition - Art of the possible
Speech recognition - Art of the possibleSpeech recognition - Art of the possible
Speech recognition - Art of the possible
 
Speech Recognition: Art of the possible - DigiFest 2022
Speech Recognition: Art of the possible - DigiFest 2022Speech Recognition: Art of the possible - DigiFest 2022
Speech Recognition: Art of the possible - DigiFest 2022
 
Speech Recognition: Art of the possible - DigiFest 2022
Speech Recognition: Art of the possible - DigiFest 2022Speech Recognition: Art of the possible - DigiFest 2022
Speech Recognition: Art of the possible - DigiFest 2022
 
Best Practices for Designing High-Fidelity Voice Experiences
Best Practices for Designing High-Fidelity Voice ExperiencesBest Practices for Designing High-Fidelity Voice Experiences
Best Practices for Designing High-Fidelity Voice Experiences
 
NLP introduced and in 47 slides Lecture 1.ppt
NLP introduced and in 47 slides Lecture 1.pptNLP introduced and in 47 slides Lecture 1.ppt
NLP introduced and in 47 slides Lecture 1.ppt
 
Rapid prototyping
Rapid prototypingRapid prototyping
Rapid prototyping
 
DDD Introduction
DDD IntroductionDDD Introduction
DDD Introduction
 
Gadgets pwn us? A pattern language for CALL
Gadgets pwn us? A pattern language for CALLGadgets pwn us? A pattern language for CALL
Gadgets pwn us? A pattern language for CALL
 

Mehr von Nick Malcolm

A Recipe for Password Storage: Add Salt to Taste
A Recipe for Password Storage: Add Salt to TasteA Recipe for Password Storage: Add Salt to Taste
A Recipe for Password Storage: Add Salt to Taste
Nick Malcolm
 
All aboard the Cyber Security Rollercoaster!
All aboard the Cyber Security Rollercoaster!All aboard the Cyber Security Rollercoaster!
All aboard the Cyber Security Rollercoaster!
Nick Malcolm
 

Mehr von Nick Malcolm (7)

A Recipe for Password Storage: Add Salt to Taste
A Recipe for Password Storage: Add Salt to TasteA Recipe for Password Storage: Add Salt to Taste
A Recipe for Password Storage: Add Salt to Taste
 
How To Spot a Wolf in Sheep's Clothing (a.k.a. Account Takeover)
How To Spot a Wolf in Sheep's Clothing (a.k.a. Account Takeover)How To Spot a Wolf in Sheep's Clothing (a.k.a. Account Takeover)
How To Spot a Wolf in Sheep's Clothing (a.k.a. Account Takeover)
 
All aboard the Cyber Security Rollercoaster!
All aboard the Cyber Security Rollercoaster!All aboard the Cyber Security Rollercoaster!
All aboard the Cyber Security Rollercoaster!
 
Timing Attacks and Ruby on Rails
Timing Attacks and Ruby on RailsTiming Attacks and Ruby on Rails
Timing Attacks and Ruby on Rails
 
Protecting the Front Door
Protecting the Front DoorProtecting the Front Door
Protecting the Front Door
 
Adding Two Factor Authentication to your App with Authy
Adding Two Factor Authentication to your App with AuthyAdding Two Factor Authentication to your App with Authy
Adding Two Factor Authentication to your App with Authy
 
Our CloudFlare experience
Our CloudFlare experienceOur CloudFlare experience
Our CloudFlare experience
 

KĂŒrzlich hochgeladen

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
Malak Abu Hammad
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
Puma Security, LLC
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 

KĂŒrzlich hochgeladen (20)

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 

How To "Speak Developer"

Hinweis der Redaktion

  1. I want to start by asking some questions. Aimed at InfoSec professionals working in organisations with software development teams
  2. Do people come
  3. Do people come in to work thinking “hmmm, what buggy code can I write today?”
  4. As information security professionals working in organisations with software teams, these questions come up all the time.
  5. Security teams feel under resourced, overcommitted, with incidents and questions and reports flying in from all over
  6. I think there’s a language barrier. You might think so too, if the title of my talk drew you here. This isn’t a new idea.
  7. But I do think it’s our responsibility as information security professionals, to break that barrier. It’s on us. Not development teams, although their involvement is crucial. Ultimately we have the skills and knowledge that needs to be translated in to something they can understand and be empowered to run with themselves.
  8. We need to learn how to speak developer
  9. We need to learn how to speak developer
  10. We need to learn how to speak developer
  11. 6 years as a ruby on rails developer 2 years in information security. I spend most of my working week trying to do exactly this. I’ve been on the other side of the fence, and now it’s my job to empower and work alongside organisation and development teams to improve their security maturity.
  12. There are three things I think are a crucial starting point, and we’ll talk through these today. 1) Understand how they perceive us, and what their working styles are. What drives them? 2) Observe how they interact with each other, and where, and then join in. Be present. Be transparent. Include them. 3) Don’t speak to them at the end of a project, speak at the start and throughout. Make it easy for them to choose secure paths by providing guidance at the right time and in the right way
  13. There are three things I think are a crucial starting point, and we’ll talk through these today. 1) Understand how they perceive us, and what their working styles are. What drives them? 2) Observe how they interact with each other, and where, and then join in. Be present. Be transparent. Include them. 3) Don’t speak to them at the end of a project, speak at the start and throughout. Make it easy for them to choose secure paths by providing guidance at the right time and in the right way
  14. There are three things I think are a crucial starting point, and we’ll talk through these today. 1) Understand how they perceive us, and what their working styles are. What drives them? 2) Observe how they interact with each other, and where, and then join in. Be present. Be transparent. Include them. 3) Don’t speak to them at the end of a project, speak at the start and throughout. Make it easy for them to choose secure paths by providing guidance at the right time and in the right way
  15. There are three things I think are a crucial starting point, and we’ll talk through these today. 1) Understand how they perceive us, and what their working styles are. What drives them? 2) Observe how they interact with each other, and where, and then join in. Be present. Be transparent. Include them. 3) Don’t speak to them at the end of a project, speak at the start and throughout. Make it easy for them to choose secure paths by providing guidance at the right time and in the right way
  16. Before we can understand their context and learn their language, let’s think about how they might perceive us. What lens do they see security through, at the moment?
  17. Before we can understand their context and learn their language, let’s think about how they might perceive us. What lens do they see security through, at the moment?
  18. Too often we’re seen as people who say no all the time. We’re in too late in the project. Don’t have time to do anything except pull the handbrake.
  19. Perhaps we put barriers in the way to try and give ourselves some breathing space. We delay project timelines and become a source of friction, a hurdle to be overcome or smashed through.
  20. Another approach is to throw a book of requirements at them. We leave it to them to figure out what’s relevant and what’s not. If they miss Section 54 Point 12 Subsection D and overlook a requirement, we can pass the blame and say “told you so”. https://media.giphy.com/media/8Ue8ekoT67ylq/giphy.gif
  21. Ego Patronizing Jargon – it’s easy to overcomplicate language, and can be a way of posturing power dynamics Forcing every change to go through them
  22. How do they perceive us?
  23. Whether their perception is fair or right doesn’t matter.
  24. There is something called the Actor-Observer bias. Where we attribute other people’s behaviour to something intrinsic to them, and our behaviour to things we can’t control. There’s a thing called the “Actor-Observer Bias”

  25. Before we can start to speak their language, we need to recognise our own biases that might prevent us from putting in the effort. Most people don’t come to work wanting to do a bad job and build buggy apps.
  26. Now that we’re more aware of their context and our own context, let’s look at the context of how they work. We don’t want to try and force a square peg through a round hole. Are they working with waterfall, agile, devops, something in between?
  27. Pitch your security requirements at the right level. Understand what their levels are.
  28. Pitch your security requirements at the right level. Understand what their levels are.
  29. If you don’t influence the refinement of a story, or get security into the definition of ready, things will be done without security involvement. If you can’t fit in to this workflow, it’s likely that you’ll cause friction in your team.
  30. If you don’t influence the refinement of a story, or get security into the definition of ready, things will be done without security involvement. If you can’t fit in to this workflow, it’s likely that you’ll cause friction in your team.
  31. Respect their time and agenda Don’t hijack their story refinement sessions in to a “tell security what you’ve been doing for the last month”
  32. Stories: Design Reviews Threat Modelling, Pen test, etc
  33. This is an important spot to get in to
  34. How fast are they trying to deliver? Where are their sources of friction? Are these changing? What metrics are important to them? How can you build that into your own success metrics? Adopt their language of success.
  35. How fast are they trying to deliver? Where are their sources of friction? Are these changing? What metrics are important to them? How can you build that into your own success metrics? Adopt their language of success.
  36. Don’t focus just on the number of findings. The focus initially should be proving that security tools can be added to the pipeline and add value without dragging down velocity.
  37. What are the injection points where you can get in early, with just the right amount of effort to say the right thing.
  38. Identify and start with the “star” teams, so others are led by example. Then work with the “worst” team. By working at both ends of the scale, the median will rise. If you can establish a relationship with both of those teams, you’ll have learnt an awful lot about how to work best with the other teams.
  39. Graph of using outliers to shift norm
  40. Graph of using outliers to shift norm
  41. There are theories on how we learn language, and imitation is one we can understand. When you hear a young child learning to talk, imitation is so common. Trial and error. Repetition. The same applies to us when we’re learning the language of our developers.
  42. There are theories on how we learn language, and imitation is one we can understand. When you hear a young child learning to talk, imitation is so common. Trial and error. Repetition. The same applies to us when we’re learning the language of our developers.
  43. If you’re seen as an outsider, own it! Poke fun at yourself. https://media.giphy.com/media/Exs0D5k1MpoRO/giphy.gif
  44. If someone does a good job, praise them
  45. Drake meme
  46. If you have to use a ban hammer, at least make it fun!
  47. If they’re invovled in the Software Development Lifecycle, they’re “developers”!
  48. Silos exist. You need to know if things are being ”thrown over the fence”, and should make it part of your job to make sure everyone is aware of their roles and responsibilities.
  49. When you’re working on something that effects them, include them!
  50. Get involved in onboarding. Ask to go to team meetings. Let them know you’re approachable, reasonable, not scary, not here to say no. If they use a chatroom, hang out in there sometimes so that you’re part of the team. Have office hours at least. A couple of hours a week where you clear your schedule to be available. Let them know when you’re free and when you’re not, so they can time things to match.
  51. Get involved in onboarding. Ask to go to team meetings. Let them know you’re approachable, reasonable, not scary, not here to say no. If they use a chatroom, hang out in there sometimes so that you’re part of the team. Have office hours at least. A couple of hours a week where you clear your schedule to be available. Let them know when you’re free and when you’re not, so they can time things to match.
  52. Penetration tests aren’t a big hammer to whack teams with You need to translate the findings into something they can understand and learn from Track the categories of bugs, so that they know where to focus
  53. Policies, Standards, Guidelines need to meet these three criteria to be useful to development teams. Anything else is a hurdle to be avoided, a time sink where effort expended exceeds value gained.
  54. Policies, Standards, Guidelines need to meet these three criteria to be useful to development teams. Anything else is a hurdle to be avoided, a time sink where effort expended exceeds value gained.
  55. Policies, Standards, Guidelines need to meet these three criteria to be useful to development teams. Anything else is a hurdle to be avoided, a time sink where effort expended exceeds value gained.
  56. Policies, Standards, Guidelines need to meet these three criteria to be useful to development teams. Anything else is a hurdle to be avoided, a time sink where effort expended exceeds value gained.
  57. Why do developers love SO? Because you can copy paste code that probably works. As security people, we know that code is often buggy or vulnerable in certain contexts.
  58. Build your own go-to library where the right thing is just a copy-paste away. Let teams build on these, and create new ones. Have more than just code, have unit and integration test cases that testers can run with too. Mention pen tests again
  59. If your teams are creating Epics, get in early with some questions. Here are three, but you should aim to ask about 10 questions. They should be able to answer them themselves
  60. If your teams are creating Epics, get in early with some questions. Here are three, but you should aim to ask about 10 questions. They should be able to answer them themselves
  61. If your teams are creating Epics, get in early with some questions. Here are three, but you should aim to ask about 10 questions. They should be able to answer them themselves
  62. Empowered to do the right thing, and empowered to call things out when they look weird
  63. Empowered to do the right thing, and empowered to call things out when they look weird
  64. Empowered to do the right thing, and empowered to call things out when they look weird
  65. Tools to help them move faster
  66. Empowered to do the right thing, and empowered to call things out when they look weird
  67. You trust them to do the right thing, and they trust you when you say something really ought to be done
  68. Empowered to do the right thing, and empowered to call things out when they look weird
  69. Easy to understand. Easy to act.
  70. Easy to understand. Easy to act.
  71. It’s hard to learn a language, so allow yourself time. Don’t be surprised if it’s a slow process. Language is hard to learn, and trust can be hard to gain.
  72. We all know that talks are sometimes the most useless part of going to a conference, and I won't presume I've done a great job myself. But take a look around you. You've all just spent 40 minutes in the same room, hopefully because this topic means something to you. As you leave to enjoy the rest of the conference, take the time to ask to ask others how they approach this issue. How they work with and empower their development teams. What ideas sparked out of this talk for you? What could you learn from others in the same position as you? Or from those who have already made some progress? Share your learnings with others. Use each other to raise the bar. And together we can weave security into the fabric of all we do. Thank you.
  73. We all know that talks are sometimes the most useless part of going to a conference, and I won't presume I've done a great job myself. But take a look around you. You've all just spent 40 minutes in the same room, hopefully because this topic means something to you. As you leave to enjoy the rest of the conference, take the time to ask to ask others how they approach this issue. How they work with and empower their development teams. What ideas sparked out of this talk for you? What could you learn from others in the same position as you? Or from those who have already made some progress? Share your learnings with others. Use each other to raise the bar. And together we can weave security into the fabric of all we do. Thank you.
  74. We all know that talks are sometimes the most useless part of going to a conference, and I won't presume I've done a great job myself. But take a look around you. You've all just spent 40 minutes in the same room, hopefully because this topic means something to you. As you leave to enjoy the rest of the conference, take the time to ask to ask others how they approach this issue. How they work with and empower their development teams. What ideas sparked out of this talk for you? What could you learn from others in the same position as you? Or from those who have already made some progress? Share your learnings with others. Use each other to raise the bar. And together we can weave security into the fabric of all we do. Thank you.