SlideShare ist ein Scribd-Unternehmen logo

Building a Modern Security Engineering Organization

Z
Zane Lackey

Continuous deployment and the DevOps philosophy have forever changed the ways in which businesses operate. This talk with discuss how security adapts effectively to these changes, specifically covering: - Practical advice for building and scaling modern AppSec and NetSec programs - Lessons learned for organizations seeking to launch a bug bounty program - How to run realistic attack simulations and learn the signals of compromise in your environment

Technologie
1 von 83
Downloaden Sie, um offline zu lesen
Building a Modern Security Engineering Organization zane@signalsciences.com @zanelackey
Who  is  this  guy  anyway?   •  Built and led the Etsy Security Team – Spoiler alert: what this presentation is about •  Recently co-founded Signal Sciences to productize effective AppSec approaches
This talk is a collection of lessons learned from building and adapting a security team
For security teams, the world has changed in fundamental ways: –  Code deployment is now near-instantaneous
For security teams, the world has changed in fundamental ways: –  Code deployment is now near-instantaneous –  Merging of development and operations means more people with production access
For security teams, the world has changed in fundamental ways: –  Code deployment is now near-instantaneous –  Merging of development and operations means more people with production access –  Cost of attack has significantly dropped
Near-instantaneous deployment?
A  technical  diagram  of  tradi7onal  waterfall  code  deployment    
What is this shifting to?
Etsy pushes to production 30 times a day on average
Constant iteration in production via feature flags, ramp ups, A/B testing
But doesn’t the rapid rate of change mean things are less secure?!
Actually,  the  opposite  is   true  
They key to realize is vulnerabilities occur in all development methodologies …But there’s no such thing as an out-of- band patch in continuous deployment
They key to realize is vulnerabilities occur in all development methodologies …But there’s no such thing as an out-of- band patch in continuous deployment
Compared to: “We’ll rush that security fix. It will go out … in about 6 weeks.” - Former vendor at Etsy
What makes continuous deployment safe?
Source:  h<p://www.slideshare.net/mikebri<ain/advanced-­‐topics-­‐in-­‐con7nuous-­‐deployment  
The same culture of graphing and monitoring inherent to continuous deployment can be used for security too
Surface security info for everyone, not just the security team
“Don’t treat security as a binary event” - @ngalbreath
Building  a  (k-­‐)rad  culture   *Mullets  sold  separately    
In the shift to continuous deployment, speed increases by removing organizational blockers
Trying to make security a blocker means you get routed around
Instead, the focus becomes on incentivizing teams to reach out to security
Keys to incentivizing conversation: – Don’t be a jerk. This should be obvious, but empathy needs to be explicitly set as a core part of your teams culture.
Keys to incentivizing conversation: – Don’t be a jerk. This should be obvious, but empathy needs to be explicitly set as a core part of your teams culture. – Make realistic tradeoffs. Don’t fall in to the trap of thinking every issue is critical. •  Ex: Letting low risk issues ship with a reasonable remediation window buys you credibility for when things actually do need to be addressed immediately.
Keys to incentivizing conversation: – Coherently explain impact. “This would allow all our user data to be compromised if the attacker did X & Y” paints a clear picture, where “The input validation in this function is weak” does not.
Keys to incentivizing conversation: – Coherently explain impact. “This would allow all our user data to be compromised if the attacker did X & Y” paints a clear picture, where “The input validation in this function is weak” does not. – Reward communication with security team. T-Shirts, gift cards, and high fives all work (shockingly) well.
Keys to incentivizing conversation: – Take the false positive hit yourself. Don’t send unverified issues to dev and ops teams. When issues come in, have the secteam verify and make first attempt at patch. – Scale via team leads. Build relationships with technical leads from other teams so they make security part of their teams culture.
Keys to incentivizing conversation: – Take the false positive hit yourself. Don’t send unverified issues to dev and ops teams. When issues come in, have the secteam verify and make first attempt at patch. – Scale via team leads. Build relationships with technical leads from other teams so they make security part of their teams culture.
Access  restric7ons  
Startups begin with a simple access control policy: Everyone can access everything
As organization grow there will be more pressure to institute access policies
The key to remember is don’t take away capabilities
Methodology: 1.  Figure out what capability is needed 2.  Build an alternate way to perform the needed function in a safe way 3.  Transition the organization over to the safe way 4.  Alert on any usage of the old unsafe way
Methodology: 1.  Figure out what capability is needed 2.  Build an alternate way to perform the needed function in a safe way 3.  Transition the organization over to the safe way 4.  Alert on any usage of the old unsafe way
Methodology: 1.  Figure out what capability is needed 2.  Build an alternate way to perform the needed function in a safe way 3.  Transition the organization over to the safe way 4.  Alert on any usage of the old unsafe way
Methodology: 1.  Figure out what capability is needed 2.  Build an alternate way to perform the needed function in a safe way 3.  Transition the organization over to the safe way 4.  Alert on any usage of the old unsafe way
EX: SSH access to production systems
Security policy goal: Eliminate unneeded access to production systems –  Why do developers do it? Ex: To view error logs –  Build alternate approach: Send the logs to central logging service (ex: elasticsearch, splunk, etc) –  Publicize the new tooling to the organization –  After majority of transition, alert on any logins to production systems by non-sysops
Security policy goal: Eliminate unneeded access to production systems –  Why do developers do it? Ex: To view error logs –  Build alternate approach: Send the logs to central logging service (ex: elasticsearch, splunk, etc) –  Publicize the new tooling to the organization –  After majority of transition, alert on any logins to production systems by non-sysops
Security policy goal: Eliminate unneeded access to production systems –  Why do developers do it? Ex: To view error logs –  Build alternate approach: Send the logs to central logging service (ex: elasticsearch, splunk, etc) –  Publicize the new tooling to the organization –  After majority of transition, alert on any logins to production systems by non-sysops
Security policy goal: Eliminate unneeded access to production systems –  Why do developers do it? Ex: To view error logs –  Build alternate approach: Send the logs to central logging service (ex: elasticsearch, splunk, etc) –  Publicize the new tooling to the organization –  After majority of transition, alert on any logins to production systems by non-sysops
Increasing  a<acker  cost  
Specifically, some thoughts on: –  Bug Bounties –  Attack simulations/pentesting
Bug  Boun7es  
Bug bounties are tremendously useful. If you’re not working towards launching one, strongly consider it.
Common concerns about launching a bounty: 1.  Budgetary concerns. Money is almost never the main motivation for researchers, you can launch a bounty with just a hall of fame and still get great submissions. 2.  Risk of inviting attacks. You’re already getting attacked continuously, you’re just not getting the results.
Common concerns about launching a bounty: 1.  Budgetary concerns. Money is rarely the main motivation for participants, you can launch a bounty with just a hall of fame and still get great submissions. 2.  Risk of inviting attacks. You’re already getting attacked continuously, you’re just not getting the results.
Common concerns about launching a bounty: 1.  Budgetary concerns. Money is rarely the main motivation for participants, you can launch a bounty with just a hall of fame and still get great submissions. 2.  Risk of inviting attacks. It’s the Internet. You’re already getting pentested continuously, you’re just not receiving the report.
The ultimate goals of a bug bounty are threefold: 1.  Incentivize people to report issues to you in the first place 2.  Drive up cost of vulnerability discovery and exploitation for attackers 3.  Provide an external validation of if your security program is working (or not)
The ultimate goals of a bug bounty are threefold: 1.  Incentivize people to report issues to you in the first place 2.  Drive up cost of vulnerability discovery and exploitation for attackers 3.  Provide an external validation of if your security program is working (or not)
The ultimate goals of a bug bounty are threefold: 1.  Incentivize people to report issues to you in the first place 2.  Drive up cost of vulnerability discovery and exploitation for attackers 3.  Provide an external validation of where your security program is working (and where it’s not)
Before you launch, record what vulnerability classes you expect to see and what you don’t. Compare this against the issues actually reported.
Before you launch, record what vulnerability classes you expect to see and what you don’t. Compare this against the issues actually reported.
Keep metrics on: – Number of bugs reported and severities – Time to remediation of reported issues You want both of these metrics to trend down over time
Practical considerations: – Inform all teams before bounty launch, especially non-engineering teams •  Ex: Customer Support – Attacks will start almost immediately For Etsy bug bounty launch, time from announcement to first attack: 13min
Practical considerations: – Inform all teams before bounty launch, especially non-engineering teams •  Ex: Customer Support – Attacks will start almost immediately For Etsy bug bounty launch, time from announcement to first attack: 13min
Practical considerations: – Your first 2-3 weeks will be intense. Have as many people as you can dedicated to triage and response
Practical considerations: – Operationally review any helper systems for scaling problems beforehand •  When 10-100x traffic hits helper systems your security team uses, what falls over? – Money almost never the overriding factor, hall of fame is –  Researchers are generally great to interact with
Practical considerations: – Operationally review any helper systems for scaling problems beforehand •  When 10-100x traffic hits helper systems your security team uses, what falls over? – Money is almost never the main motivation for bounty participants, hall of fame credit is –  Researchers are generally great to interact with
Practical considerations: – Operationally review any helper systems for scaling problems beforehand. •  When 10-100x traffic hits helper systems your security team uses, what falls over? – Money is almost never the main motivation for bounty participants, hall of fame credit is –  Key to great researcher interaction is frequent and transparent communication
XXX   Running effective attack simulations
Problems with “pentesting” are well understood in the offensive community but not as well in the defensive community
Pentests typically result in a list of enumerated known vulnerabilities to be patched, not data on how a real attacker would operate against a given environment
Attack simulations should be done to learn how attackers are likely to achieve goals against your organization NOT to show compromise is possible (spoiler alert: it is.)
Use this attack data to focus where/how to build detection mechanisms
From an organizational side, attack simulations compliment vulnerability enumeration/compliance/etc
Four keys to effective attack simulations: 1.  Goal oriented •  “Obtain domain admin”, “read the CEOs email”, “view credit card data”, … •  Ask attack team for input on goals, they’ll come up with ones you didn’t think of 2.  Full ganization in scope •  Have attack team call a contact if they’re about to do something risky – several week simulat – ion
Four keys to effective attack simulations: 1.  Goal oriented •  “Obtain domain admin”, “read the CEOs email”, “view credit card data”, … •  Ask attack team for input on goals, they’ll come up with ones you didn’t think of 2.  Full organization in scope •  Have attack team call a contact if they’re about to do something risky –  Ex: Instead of throwing an exploit that lands “most of the time”, grant access to the target system with temporary credentials
Four keys to effective attack simulations: 3.  Simulate realistic compromise patterns •  Start the attack team on a: –  standard laptop/desktop to simulate phishing/clientside compromise –  database or web server to simulate SQL injection/RCE •  0days aren’t cheating, they’re reality. Attack team should be encouraged to use them. –  Break simulation down into iterations: •  Don’t spend the full engagement time on only round of testing, once one team achieve goal(s), then swap in new attack team to achieve the same goal(s) –  Ex: We try to run 3-4 iterations per several week simulation
Four keys to effective attack simulations: 3.  Simulate realistic compromise patterns •  Start the attack team on a: –  standard laptop/desktop to simulate phishing/clientside compromise –  database or web server to simulate SQL injection/RCE •  0days aren’t cheating, they’re reality. Attack team should be encouraged to use them. 4.  Break simulation down into iterations: •  Don’t spend the full engagement time on only round of testing, once one team achieve goal(s), then swap in new attack team to achieve the same goal(s) –  Ex: We try to run 3-4 iterations per several week simulation
The project output should be attack chains showing how attack team went from A->B->C to achieve goals, what steps they took and why
Just as importantly, what steps they didn’t take Ex: “We didn’t try to find internal network diagrams on your wiki because zone transfers were enabled so we could got enough data about your network from that”
Remember, the goal is to simulate realistic attack behaviors and patterns that can be used to enhance detection
In addition, simulate varying attack profiles from quick & loud to quietly maintaining persistence
Over multiple iterations learn what behaviors overlap between attackers and what strong signals of lateral movement in your environment look like
TL;DR (The section formerly known as “Conclusions”)
•  Adapt security team culture to DevOps and continuous deployment by: – Surfacing security monitoring and metrics – Incentivize discussions with the security team – When creating policy, don’t take away capabilities •  Drive up attacker cost through bug bounty programs, countering phishing, and running realistic attack simulations
Thanks!   zane@signalsciences.com @zanelackey

Empfohlen

Attack-driven defense
Attack-driven defenseAttack-driven defense
Attack-driven defenseZane Lackey
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01Michael Gough
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Yassine Aboukir
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
 
Windows logging cheat sheet
Windows logging cheat sheetWindows logging cheat sheet
Windows logging cheat sheetMichael Gough
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkEC-Council
 
NETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGNETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGEr Vivek Rana
 

Empfohlen

Attack-driven defense
Attack-driven defenseAttack-driven defense
Attack-driven defenseZane Lackey
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01Michael Gough
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Yassine Aboukir
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
 
Windows logging cheat sheet
Windows logging cheat sheetWindows logging cheat sheet
Windows logging cheat sheetMichael Gough
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkEC-Council
 
NETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGNETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGEr Vivek Rana
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
CNIT 121: 9 Network Evidence
CNIT 121: 9 Network EvidenceCNIT 121: 9 Network Evidence
CNIT 121: 9 Network EvidenceSam Bowne
 
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahOWASP Delhi
 
Alphorm.com Formation Hacking et Sécurité , avancé
Alphorm.com Formation Hacking et Sécurité , avancéAlphorm.com Formation Hacking et Sécurité , avancé
Alphorm.com Formation Hacking et Sécurité , avancéAlphorm
 
Les principales failles de sécurité des applications Web actuelles
Les principales failles de sécurité des applications Web actuellesLes principales failles de sécurité des applications Web actuelles
Les principales failles de sécurité des applications Web actuellesXavier Kress
 
The FatRat
The FatRatThe FatRat
The FatRatAjilSunny
 
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellBeau Bullock
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfMatt Tesauro
 
Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellNikhil Mittal
 
Manual Code Review
Manual Code ReviewManual Code Review
Manual Code Reviewn|u - The Open Security Community
 
Security and DevOps Overview
Security and DevOps OverviewSecurity and DevOps Overview
Security and DevOps OverviewAdrian Sanabria
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Michael Gough
 
Sigma and YARA Rules
Sigma and YARA RulesSigma and YARA Rules
Sigma and YARA RulesLionel Faleiro
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouDouglas Bienstock
 
Oracle forms and reports 11g installation on linux
Oracle forms and reports 11g installation on linuxOracle forms and reports 11g installation on linux
Oracle forms and reports 11g installation on linuxVenu Palakolanu
 
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...Lenur Dzhemiliev
 
Recon and Bug Bounties - What a great love story!
Recon and Bug Bounties - What a great love story!Recon and Bug Bounties - What a great love story!
Recon and Bug Bounties - What a great love story!Abhijeth D
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory ForensicsIIJ
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLFn|u - The Open Security Community
 
How to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsHow to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsZane Lackey
 
Application Security at DevOps Speed - DevOpsDays Singapore 2016
Application Security at DevOps Speed - DevOpsDays Singapore 2016Application Security at DevOps Speed - DevOpsDays Singapore 2016
Application Security at DevOps Speed - DevOpsDays Singapore 2016Stefan Streichsbier
 

Weitere ähnliche Inhalte

Was ist angesagt?

Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
CNIT 121: 9 Network Evidence
CNIT 121: 9 Network EvidenceCNIT 121: 9 Network Evidence
CNIT 121: 9 Network EvidenceSam Bowne
 
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahOWASP Delhi
 
Alphorm.com Formation Hacking et Sécurité , avancé
Alphorm.com Formation Hacking et Sécurité , avancéAlphorm.com Formation Hacking et Sécurité , avancé
Alphorm.com Formation Hacking et Sécurité , avancéAlphorm
 
Les principales failles de sécurité des applications Web actuelles
Les principales failles de sécurité des applications Web actuellesLes principales failles de sécurité des applications Web actuelles
Les principales failles de sécurité des applications Web actuellesXavier Kress
 
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellBeau Bullock
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfMatt Tesauro
 
Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellNikhil Mittal
 
Security and DevOps Overview
Security and DevOps OverviewSecurity and DevOps Overview
Security and DevOps OverviewAdrian Sanabria
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Michael Gough
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouDouglas Bienstock
 
Oracle forms and reports 11g installation on linux
Oracle forms and reports 11g installation on linuxOracle forms and reports 11g installation on linux
Oracle forms and reports 11g installation on linuxVenu Palakolanu
 
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...Lenur Dzhemiliev
 
Recon and Bug Bounties - What a great love story!
Recon and Bug Bounties - What a great love story!Recon and Bug Bounties - What a great love story!
Recon and Bug Bounties - What a great love story!Abhijeth D
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory ForensicsIIJ
 

Was ist angesagt? (20)

Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
CNIT 121: 9 Network Evidence
CNIT 121: 9 Network EvidenceCNIT 121: 9 Network Evidence
CNIT 121: 9 Network Evidence
 
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
 
Alphorm.com Formation Hacking et Sécurité , avancé
Alphorm.com Formation Hacking et Sécurité , avancéAlphorm.com Formation Hacking et Sécurité , avancé
Alphorm.com Formation Hacking et Sécurité , avancé
 
Les principales failles de sécurité des applications Web actuelles
Les principales failles de sécurité des applications Web actuellesLes principales failles de sécurité des applications Web actuelles
Les principales failles de sécurité des applications Web actuelles
 
The FatRat
The FatRatThe FatRat
The FatRat
 
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShell
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdf
 
Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShell
 
Manual Code Review
Manual Code ReviewManual Code Review
Manual Code Review
 
Security and DevOps Overview
Security and DevOps OverviewSecurity and DevOps Overview
Security and DevOps Overview
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1
 
Sigma and YARA Rules
Sigma and YARA RulesSigma and YARA Rules
Sigma and YARA Rules
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can You
 
Oracle forms and reports 11g installation on linux
Oracle forms and reports 11g installation on linuxOracle forms and reports 11g installation on linux
Oracle forms and reports 11g installation on linux
 
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
 
Recon and Bug Bounties - What a great love story!
Recon and Bug Bounties - What a great love story!Recon and Bug Bounties - What a great love story!
Recon and Bug Bounties - What a great love story!
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory Forensics
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 

Andere mochten auch

How to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsHow to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsZane Lackey
 
Application Security at DevOps Speed - DevOpsDays Singapore 2016
Application Security at DevOps Speed - DevOpsDays Singapore 2016Application Security at DevOps Speed - DevOpsDays Singapore 2016
Application Security at DevOps Speed - DevOpsDays Singapore 2016Stefan Streichsbier
 
DevOps & Security: Here & Now
DevOps & Security: Here & NowDevOps & Security: Here & Now
DevOps & Security: Here & NowCheckmarx
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyJason Suttie
 
Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsSuman Sourav
 
From DevOps to DevSecOps: 2 Dimensions of Security for DevOps
From DevOps to DevSecOps: 2 Dimensions of Security for DevOpsFrom DevOps to DevSecOps: 2 Dimensions of Security for DevOps
From DevOps to DevSecOps: 2 Dimensions of Security for DevOpsSanjeev Sharma
 
Growth Hacking with Predictive Analytics
Growth Hacking with Predictive AnalyticsGrowth Hacking with Predictive Analytics
Growth Hacking with Predictive AnalyticsAndrew Ahn
 
Building security leaders ISSA Virtual CISO Series
Building security leaders ISSA Virtual CISO SeriesBuilding security leaders ISSA Virtual CISO Series
Building security leaders ISSA Virtual CISO SeriesAaron Carpenter
 
Losing battles, winning wars
Losing battles, winning warsLosing battles, winning wars
Losing battles, winning warsRafal Los
 
II Security At Microsoft
II Security At MicrosoftII Security At Microsoft
II Security At MicrosoftMark J. Feldman
 
Semantic Web, Knowledge Graph, and Other Changes to SERPS – A Google Semantic...
Semantic Web, Knowledge Graph, and Other Changes to SERPS – A Google Semantic...Semantic Web, Knowledge Graph, and Other Changes to SERPS – A Google Semantic...
Semantic Web, Knowledge Graph, and Other Changes to SERPS – A Google Semantic...Bill Slawski
 
Keynote Presentation "Building a Culture of Privacy and Security into Your Or...
Keynote Presentation "Building a Culture of Privacy and Security into Your Or...Keynote Presentation "Building a Culture of Privacy and Security into Your Or...
Keynote Presentation "Building a Culture of Privacy and Security into Your Or...Health IT Conference – iHT2
 
Making Executives Accountable for IT Security
Making Executives Accountable for IT SecurityMaking Executives Accountable for IT Security
Making Executives Accountable for IT SecuritySeccuris Inc.
 
Understanding the security_organization
Understanding the security_organizationUnderstanding the security_organization
Understanding the security_organizationDan Morrill
 
Security Organization/ Infrastructure
Security Organization/ InfrastructureSecurity Organization/ Infrastructure
Security Organization/ InfrastructurePriyank Hada
 
Project Execution Methodologies – Rising a Step Further
Project Execution Methodologies – Rising a Step FurtherProject Execution Methodologies – Rising a Step Further
Project Execution Methodologies – Rising a Step FurtherSPEC INDIA
 
Understanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for OrganizationUnderstanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for OrganizationPECB
 
Building an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineBuilding an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineMatt Tesauro
 
Information Security Cost Effective Managed Services
Information Security Cost Effective Managed ServicesInformation Security Cost Effective Managed Services
Information Security Cost Effective Managed ServicesJorge Sebastiao
 

Andere mochten auch (20)

How to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsHow to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOps
 
Application Security at DevOps Speed - DevOpsDays Singapore 2016
Application Security at DevOps Speed - DevOpsDays Singapore 2016Application Security at DevOps Speed - DevOpsDays Singapore 2016
Application Security at DevOps Speed - DevOpsDays Singapore 2016
 
DevOps & Security: Here & Now
DevOps & Security: Here & NowDevOps & Security: Here & Now
DevOps & Security: Here & Now
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
 
Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in Jenkins
 
From DevOps to DevSecOps: 2 Dimensions of Security for DevOps
From DevOps to DevSecOps: 2 Dimensions of Security for DevOpsFrom DevOps to DevSecOps: 2 Dimensions of Security for DevOps
From DevOps to DevSecOps: 2 Dimensions of Security for DevOps
 
Growth Hacking with Predictive Analytics
Growth Hacking with Predictive AnalyticsGrowth Hacking with Predictive Analytics
Growth Hacking with Predictive Analytics
 
Building security leaders ISSA Virtual CISO Series
Building security leaders ISSA Virtual CISO SeriesBuilding security leaders ISSA Virtual CISO Series
Building security leaders ISSA Virtual CISO Series
 
Losing battles, winning wars
Losing battles, winning warsLosing battles, winning wars
Losing battles, winning wars
 
II Security At Microsoft
II Security At MicrosoftII Security At Microsoft
II Security At Microsoft
 
Semantic Web, Knowledge Graph, and Other Changes to SERPS – A Google Semantic...
Semantic Web, Knowledge Graph, and Other Changes to SERPS – A Google Semantic...Semantic Web, Knowledge Graph, and Other Changes to SERPS – A Google Semantic...
Semantic Web, Knowledge Graph, and Other Changes to SERPS – A Google Semantic...
 
Keynote Presentation "Building a Culture of Privacy and Security into Your Or...
Keynote Presentation "Building a Culture of Privacy and Security into Your Or...Keynote Presentation "Building a Culture of Privacy and Security into Your Or...
Keynote Presentation "Building a Culture of Privacy and Security into Your Or...
 
Making Executives Accountable for IT Security
Making Executives Accountable for IT SecurityMaking Executives Accountable for IT Security
Making Executives Accountable for IT Security
 
Understanding the security_organization
Understanding the security_organizationUnderstanding the security_organization
Understanding the security_organization
 
Security Organization/ Infrastructure
Security Organization/ InfrastructureSecurity Organization/ Infrastructure
Security Organization/ Infrastructure
 
Project Execution Methodologies – Rising a Step Further
Project Execution Methodologies – Rising a Step FurtherProject Execution Methodologies – Rising a Step Further
Project Execution Methodologies – Rising a Step Further
 
Understanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for OrganizationUnderstanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for Organization
 
Mobile_app_security
Mobile_app_securityMobile_app_security
Mobile_app_security
 
Building an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineBuilding an Open Source AppSec Pipeline
Building an Open Source AppSec Pipeline
 
Information Security Cost Effective Managed Services
Information Security Cost Effective Managed ServicesInformation Security Cost Effective Managed Services
Information Security Cost Effective Managed Services
 

Ähnlich wie Building a Modern Security Engineering Organization

Building a Modern Security Engineering Organization. Zane Lackey
Building a Modern Security Engineering Organization. Zane Lackey Building a Modern Security Engineering Organization. Zane Lackey
Building a Modern Security Engineering Organization. Zane LackeyYandex
 
Cyber Security Testing
Cyber Security TestingCyber Security Testing
Cyber Security TestingPECB
 
Cyber Security testing in an agile environment
Cyber Security testing in an agile environmentCyber Security testing in an agile environment
Cyber Security testing in an agile environmentArthur Donkers
 
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир СтиранГірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир СтиранSigma Software
 
Sigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software SecuritySigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software SecurityVlad Styran
 
Proatively Engaged: Questions Executives Should Ask Their Security Teams
Proatively Engaged: Questions Executives Should Ask Their Security TeamsProatively Engaged: Questions Executives Should Ask Their Security Teams
Proatively Engaged: Questions Executives Should Ask Their Security TeamsFireEye, Inc.
 
Turning security into code by Jeff Williams
Turning security into code by Jeff WilliamsTurning security into code by Jeff Williams
Turning security into code by Jeff WilliamsDevSecCon
 
Using security to drive chaos engineering - April 2018
Using security to drive chaos engineering - April 2018Using security to drive chaos engineering - April 2018
Using security to drive chaos engineering - April 2018Dinis Cruz
 
Purple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration TestingPurple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration TestingFRSecure
 
Selling Infosec to the CSuite
Selling Infosec to the CSuiteSelling Infosec to the CSuite
Selling Infosec to the CSuiteDave R. Taylor
 
Splunk Discovery: Warsaw 2018 - Intro to Security Analytics Methods
Splunk Discovery: Warsaw 2018 - Intro to Security Analytics MethodsSplunk Discovery: Warsaw 2018 - Intro to Security Analytics Methods
Splunk Discovery: Warsaw 2018 - Intro to Security Analytics MethodsSplunk
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSECSean Whalen
 
SplunkLive! Munich 2018: Intro to Security Analytics Methods
SplunkLive! Munich 2018: Intro to Security Analytics MethodsSplunkLive! Munich 2018: Intro to Security Analytics Methods
SplunkLive! Munich 2018: Intro to Security Analytics MethodsSplunk
 
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCESCOMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCESIJNSA Journal
 
Continuous Deployment
Continuous DeploymentContinuous Deployment
Continuous DeploymentBrian Henerey
 
Integrating DevOps and Security
Integrating DevOps and SecurityIntegrating DevOps and Security
Integrating DevOps and SecurityStijn Muylle
 
Analytics Driven SIEM Workshop
Analytics Driven SIEM WorkshopAnalytics Driven SIEM Workshop
Analytics Driven SIEM WorkshopSplunk
 
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"Aaron Rinehart
 
Complete network security protection for sme's within limited resources
Complete network security protection for sme's within limited resourcesComplete network security protection for sme's within limited resources
Complete network security protection for sme's within limited resourcesIJNSA Journal
 
Continuous security testing - sharing responsibility
Continuous security testing - sharing responsibilityContinuous security testing - sharing responsibility
Continuous security testing - sharing responsibilityVodqaBLR
 

Ähnlich wie Building a Modern Security Engineering Organization (20)

Building a Modern Security Engineering Organization. Zane Lackey
Building a Modern Security Engineering Organization. Zane Lackey Building a Modern Security Engineering Organization. Zane Lackey
Building a Modern Security Engineering Organization. Zane Lackey
 
Cyber Security Testing
Cyber Security TestingCyber Security Testing
Cyber Security Testing
 
Cyber Security testing in an agile environment
Cyber Security testing in an agile environmentCyber Security testing in an agile environment
Cyber Security testing in an agile environment
 
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир СтиранГірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
 
Sigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software SecuritySigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software Security
 
Proatively Engaged: Questions Executives Should Ask Their Security Teams
Proatively Engaged: Questions Executives Should Ask Their Security TeamsProatively Engaged: Questions Executives Should Ask Their Security Teams
Proatively Engaged: Questions Executives Should Ask Their Security Teams
 
Turning security into code by Jeff Williams
Turning security into code by Jeff WilliamsTurning security into code by Jeff Williams
Turning security into code by Jeff Williams
 
Using security to drive chaos engineering - April 2018
Using security to drive chaos engineering - April 2018Using security to drive chaos engineering - April 2018
Using security to drive chaos engineering - April 2018
 
Purple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration TestingPurple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration Testing
 
Selling Infosec to the CSuite
Selling Infosec to the CSuiteSelling Infosec to the CSuite
Selling Infosec to the CSuite
 
Splunk Discovery: Warsaw 2018 - Intro to Security Analytics Methods
Splunk Discovery: Warsaw 2018 - Intro to Security Analytics MethodsSplunk Discovery: Warsaw 2018 - Intro to Security Analytics Methods
Splunk Discovery: Warsaw 2018 - Intro to Security Analytics Methods
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSEC
 
SplunkLive! Munich 2018: Intro to Security Analytics Methods
SplunkLive! Munich 2018: Intro to Security Analytics MethodsSplunkLive! Munich 2018: Intro to Security Analytics Methods
SplunkLive! Munich 2018: Intro to Security Analytics Methods
 
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCESCOMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES
 
Continuous Deployment
Continuous DeploymentContinuous Deployment
Continuous Deployment
 
Integrating DevOps and Security
Integrating DevOps and SecurityIntegrating DevOps and Security
Integrating DevOps and Security
 
Analytics Driven SIEM Workshop
Analytics Driven SIEM WorkshopAnalytics Driven SIEM Workshop
Analytics Driven SIEM Workshop
 
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
 
Complete network security protection for sme's within limited resources
Complete network security protection for sme's within limited resourcesComplete network security protection for sme's within limited resources
Complete network security protection for sme's within limited resources
 
Continuous security testing - sharing responsibility
Continuous security testing - sharing responsibilityContinuous security testing - sharing responsibility
Continuous security testing - sharing responsibility
 

Kürzlich hochgeladen

New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 

Kürzlich hochgeladen (20)

New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 

Building a Modern Security Engineering Organization

  • 1. Building a Modern Security Engineering Organization zane@signalsciences.com @zanelackey
  • 2. Who  is  this  guy  anyway?   •  Built and led the Etsy Security Team – Spoiler alert: what this presentation is about •  Recently co-founded Signal Sciences to productize effective AppSec approaches
  • 3. This talk is a collection of lessons learned from building and adapting a security team
  • 4. For security teams, the world has changed in fundamental ways: –  Code deployment is now near-instantaneous
  • 5. For security teams, the world has changed in fundamental ways: –  Code deployment is now near-instantaneous –  Merging of development and operations means more people with production access
  • 6. For security teams, the world has changed in fundamental ways: –  Code deployment is now near-instantaneous –  Merging of development and operations means more people with production access –  Cost of attack has significantly dropped
  • 8. A  technical  diagram  of  tradi7onal  waterfall  code  deployment    
  • 9. What is this shifting to?
  • 10. Etsy pushes to production 30 times a day on average
  • 11. Constant iteration in production via feature flags, ramp ups, A/B testing
  • 12. But doesn’t the rapid rate of change mean things are less secure?!
  • 13. Actually,  the  opposite  is   true  
  • 14. They key to realize is vulnerabilities occur in all development methodologies …But there’s no such thing as an out-of- band patch in continuous deployment
  • 15. They key to realize is vulnerabilities occur in all development methodologies …But there’s no such thing as an out-of- band patch in continuous deployment
  • 16. Compared to: “We’ll rush that security fix. It will go out … in about 6 weeks.” - Former vendor at Etsy
  • 17. What makes continuous deployment safe?
  • 18.
  • 20. The same culture of graphing and monitoring inherent to continuous deployment can be used for security too
  • 21. Surface security info for everyone, not just the security team
  • 22.
  • 23. “Don’t treat security as a binary event” - @ngalbreath
  • 24. Building  a  (k-­‐)rad  culture   *Mullets  sold  separately    
  • 25. In the shift to continuous deployment, speed increases by removing organizational blockers
  • 26. Trying to make security a blocker means you get routed around
  • 27. Instead, the focus becomes on incentivizing teams to reach out to security
  • 28. Keys to incentivizing conversation: – Don’t be a jerk. This should be obvious, but empathy needs to be explicitly set as a core part of your teams culture.
  • 29. Keys to incentivizing conversation: – Don’t be a jerk. This should be obvious, but empathy needs to be explicitly set as a core part of your teams culture. – Make realistic tradeoffs. Don’t fall in to the trap of thinking every issue is critical. •  Ex: Letting low risk issues ship with a reasonable remediation window buys you credibility for when things actually do need to be addressed immediately.
  • 30. Keys to incentivizing conversation: – Coherently explain impact. “This would allow all our user data to be compromised if the attacker did X & Y” paints a clear picture, where “The input validation in this function is weak” does not.
  • 31. Keys to incentivizing conversation: – Coherently explain impact. “This would allow all our user data to be compromised if the attacker did X & Y” paints a clear picture, where “The input validation in this function is weak” does not. – Reward communication with security team. T-Shirts, gift cards, and high fives all work (shockingly) well.
  • 32. Keys to incentivizing conversation: – Take the false positive hit yourself. Don’t send unverified issues to dev and ops teams. When issues come in, have the secteam verify and make first attempt at patch. – Scale via team leads. Build relationships with technical leads from other teams so they make security part of their teams culture.
  • 33. Keys to incentivizing conversation: – Take the false positive hit yourself. Don’t send unverified issues to dev and ops teams. When issues come in, have the secteam verify and make first attempt at patch. – Scale via team leads. Build relationships with technical leads from other teams so they make security part of their teams culture.
  • 35. Startups begin with a simple access control policy: Everyone can access everything
  • 36. As organization grow there will be more pressure to institute access policies
  • 37. The key to remember is don’t take away capabilities
  • 38. Methodology: 1.  Figure out what capability is needed 2.  Build an alternate way to perform the needed function in a safe way 3.  Transition the organization over to the safe way 4.  Alert on any usage of the old unsafe way
  • 39. Methodology: 1.  Figure out what capability is needed 2.  Build an alternate way to perform the needed function in a safe way 3.  Transition the organization over to the safe way 4.  Alert on any usage of the old unsafe way
  • 40. Methodology: 1.  Figure out what capability is needed 2.  Build an alternate way to perform the needed function in a safe way 3.  Transition the organization over to the safe way 4.  Alert on any usage of the old unsafe way
  • 41. Methodology: 1.  Figure out what capability is needed 2.  Build an alternate way to perform the needed function in a safe way 3.  Transition the organization over to the safe way 4.  Alert on any usage of the old unsafe way
  • 42. EX: SSH access to production systems
  • 43. Security policy goal: Eliminate unneeded access to production systems –  Why do developers do it? Ex: To view error logs –  Build alternate approach: Send the logs to central logging service (ex: elasticsearch, splunk, etc) –  Publicize the new tooling to the organization –  After majority of transition, alert on any logins to production systems by non-sysops
  • 44. Security policy goal: Eliminate unneeded access to production systems –  Why do developers do it? Ex: To view error logs –  Build alternate approach: Send the logs to central logging service (ex: elasticsearch, splunk, etc) –  Publicize the new tooling to the organization –  After majority of transition, alert on any logins to production systems by non-sysops
  • 45. Security policy goal: Eliminate unneeded access to production systems –  Why do developers do it? Ex: To view error logs –  Build alternate approach: Send the logs to central logging service (ex: elasticsearch, splunk, etc) –  Publicize the new tooling to the organization –  After majority of transition, alert on any logins to production systems by non-sysops
  • 46. Security policy goal: Eliminate unneeded access to production systems –  Why do developers do it? Ex: To view error logs –  Build alternate approach: Send the logs to central logging service (ex: elasticsearch, splunk, etc) –  Publicize the new tooling to the organization –  After majority of transition, alert on any logins to production systems by non-sysops
  • 48. Specifically, some thoughts on: –  Bug Bounties –  Attack simulations/pentesting
  • 50. Bug bounties are tremendously useful. If you’re not working towards launching one, strongly consider it.
  • 51. Common concerns about launching a bounty: 1.  Budgetary concerns. Money is almost never the main motivation for researchers, you can launch a bounty with just a hall of fame and still get great submissions. 2.  Risk of inviting attacks. You’re already getting attacked continuously, you’re just not getting the results.
  • 52. Common concerns about launching a bounty: 1.  Budgetary concerns. Money is rarely the main motivation for participants, you can launch a bounty with just a hall of fame and still get great submissions. 2.  Risk of inviting attacks. You’re already getting attacked continuously, you’re just not getting the results.
  • 53. Common concerns about launching a bounty: 1.  Budgetary concerns. Money is rarely the main motivation for participants, you can launch a bounty with just a hall of fame and still get great submissions. 2.  Risk of inviting attacks. It’s the Internet. You’re already getting pentested continuously, you’re just not receiving the report.
  • 54. The ultimate goals of a bug bounty are threefold: 1.  Incentivize people to report issues to you in the first place 2.  Drive up cost of vulnerability discovery and exploitation for attackers 3.  Provide an external validation of if your security program is working (or not)
  • 55. The ultimate goals of a bug bounty are threefold: 1.  Incentivize people to report issues to you in the first place 2.  Drive up cost of vulnerability discovery and exploitation for attackers 3.  Provide an external validation of if your security program is working (or not)
  • 56. The ultimate goals of a bug bounty are threefold: 1.  Incentivize people to report issues to you in the first place 2.  Drive up cost of vulnerability discovery and exploitation for attackers 3.  Provide an external validation of where your security program is working (and where it’s not)
  • 57. Before you launch, record what vulnerability classes you expect to see and what you don’t. Compare this against the issues actually reported.
  • 58. Before you launch, record what vulnerability classes you expect to see and what you don’t. Compare this against the issues actually reported.
  • 59. Keep metrics on: – Number of bugs reported and severities – Time to remediation of reported issues You want both of these metrics to trend down over time
  • 60. Practical considerations: – Inform all teams before bounty launch, especially non-engineering teams •  Ex: Customer Support – Attacks will start almost immediately For Etsy bug bounty launch, time from announcement to first attack: 13min
  • 61. Practical considerations: – Inform all teams before bounty launch, especially non-engineering teams •  Ex: Customer Support – Attacks will start almost immediately For Etsy bug bounty launch, time from announcement to first attack: 13min
  • 62. Practical considerations: – Your first 2-3 weeks will be intense. Have as many people as you can dedicated to triage and response
  • 63. Practical considerations: – Operationally review any helper systems for scaling problems beforehand •  When 10-100x traffic hits helper systems your security team uses, what falls over? – Money almost never the overriding factor, hall of fame is –  Researchers are generally great to interact with
  • 64. Practical considerations: – Operationally review any helper systems for scaling problems beforehand •  When 10-100x traffic hits helper systems your security team uses, what falls over? – Money is almost never the main motivation for bounty participants, hall of fame credit is –  Researchers are generally great to interact with
  • 65. Practical considerations: – Operationally review any helper systems for scaling problems beforehand. •  When 10-100x traffic hits helper systems your security team uses, what falls over? – Money is almost never the main motivation for bounty participants, hall of fame credit is –  Key to great researcher interaction is frequent and transparent communication
  • 66. XXX   Running effective attack simulations
  • 67. Problems with “pentesting” are well understood in the offensive community but not as well in the defensive community
  • 68. Pentests typically result in a list of enumerated known vulnerabilities to be patched, not data on how a real attacker would operate against a given environment
  • 69. Attack simulations should be done to learn how attackers are likely to achieve goals against your organization NOT to show compromise is possible (spoiler alert: it is.)
  • 70. Use this attack data to focus where/how to build detection mechanisms
  • 71. From an organizational side, attack simulations compliment vulnerability enumeration/compliance/etc
  • 72. Four keys to effective attack simulations: 1.  Goal oriented •  “Obtain domain admin”, “read the CEOs email”, “view credit card data”, … •  Ask attack team for input on goals, they’ll come up with ones you didn’t think of 2.  Full ganization in scope •  Have attack team call a contact if they’re about to do something risky – several week simulat – ion
  • 73. Four keys to effective attack simulations: 1.  Goal oriented •  “Obtain domain admin”, “read the CEOs email”, “view credit card data”, … •  Ask attack team for input on goals, they’ll come up with ones you didn’t think of 2.  Full organization in scope •  Have attack team call a contact if they’re about to do something risky –  Ex: Instead of throwing an exploit that lands “most of the time”, grant access to the target system with temporary credentials
  • 74. Four keys to effective attack simulations: 3.  Simulate realistic compromise patterns •  Start the attack team on a: –  standard laptop/desktop to simulate phishing/clientside compromise –  database or web server to simulate SQL injection/RCE •  0days aren’t cheating, they’re reality. Attack team should be encouraged to use them. –  Break simulation down into iterations: •  Don’t spend the full engagement time on only round of testing, once one team achieve goal(s), then swap in new attack team to achieve the same goal(s) –  Ex: We try to run 3-4 iterations per several week simulation
  • 75. Four keys to effective attack simulations: 3.  Simulate realistic compromise patterns •  Start the attack team on a: –  standard laptop/desktop to simulate phishing/clientside compromise –  database or web server to simulate SQL injection/RCE •  0days aren’t cheating, they’re reality. Attack team should be encouraged to use them. 4.  Break simulation down into iterations: •  Don’t spend the full engagement time on only round of testing, once one team achieve goal(s), then swap in new attack team to achieve the same goal(s) –  Ex: We try to run 3-4 iterations per several week simulation
  • 76. The project output should be attack chains showing how attack team went from A->B->C to achieve goals, what steps they took and why
  • 77. Just as importantly, what steps they didn’t take Ex: “We didn’t try to find internal network diagrams on your wiki because zone transfers were enabled so we could got enough data about your network from that”
  • 78. Remember, the goal is to simulate realistic attack behaviors and patterns that can be used to enhance detection
  • 79. In addition, simulate varying attack profiles from quick & loud to quietly maintaining persistence
  • 80. Over multiple iterations learn what behaviors overlap between attackers and what strong signals of lateral movement in your environment look like
  • 81. TL;DR (The section formerly known as “Conclusions”)
  • 82. •  Adapt security team culture to DevOps and continuous deployment by: – Surfacing security monitoring and metrics – Incentivize discussions with the security team – When creating policy, don’t take away capabilities •  Drive up attacker cost through bug bounty programs, countering phishing, and running realistic attack simulations