AppSec Awareness: A Blueprint for Security Culture Change
TRANSCRIPT
SESSION ID: HUM-T11
#RSAC
Christopher Romeo
CEO / Principal Consultant, Security Journey, @edgeroute
My Commitment
Explain security culture and application security awareness
Provide the process for how to build your own application security awareness program
Share knowledge, experience, and best practices building application security awareness programs
What is Security Culture?
“What happens {with security} when people are left to their own devices.”
--Tim Ferriss
Security is non-negotiable
What is AppSec Awareness?
Application Security Awareness
• Mastering Security Concepts
• Coding Securely
• Performing Security Tests
• Planning for Security
General Security Awareness
• Anti-Phishing, Password Security, Safe Social Networking, Physical Security, Social Engineering
Knowledge & History
Role Based
Activity
Application Security Awareness is…
A program that instills a security foundation, changing security culture from the inside out
Goals of AppSec Awareness
Disrupt
Sustainable
Secure
My Experience
http://blogs.cisco.com/security/the-cisco-security-dojo
Mission
Define the problem
Our organization lacks:
general application security knowledge
appreciation for the evolving threat landscape
experience with secure development practices and tools
motivation to step up and improve security
Assess Security Culture
Program Objectives
S.E.C.U.R.I.T.Y.
• Create a thriving program
• Teach everyone the importance of security
• Generate activity towards improving security
• Build security community
Build a Team
SME
Apply: Mission
Define the problem as it exists in YOUR organization
Assess YOUR security culture, to determine how far you have to go
Define what you are trying to accomplish (program objectives)
Build a team of internal and external experts
A foundation…
Program Architecture
Theme
Levels
Learning
Applying
Doing
Leading
Leader
Roles
Development
• SW Engineer
• Tester
• Manager
• HW Engineer
Operations
• IT
• DevOps
Internal
• Sales
• Marketing
• Executives
Everyone
Activities
Build
• A security tool or process
• Partnerships
• Security community
Enrich
• Mentor
• Teach a course
• Deliver presentations
Explore
• Security issue analysis
• Security committee
• A vulnerable web app
Implement
• A security feature
• A security test
• Security strategy
Recognition
Budget
Time
External production partners
Could be shoestring, could be millions
Schedule
2016 2017, 18, 19?
Apply: Program Architecture
Choose a theme that fits within the boundaries of YOUR organization
Define your roles
Determine:
the number of levels
what activities will you promote (if any)
your recognition philosophy and implementation
Curriculum
Curriculum Development Process
Determine basic lessons
Review existing content
Search the product / service history
Draft the content maps
Argue extensively about content maps
Gather community feedback and update
Level 1 Content Map
Security Fundamentals
Threat Landscape
Attacks & Attackers
OWASP Top 10
Secure Development Life Cycle
Security Myths
Cryptography
Secure Design Principles
Security Standards
Privacy
Level 2 Content Map -- Developer
Secure Coding with Java
XSS
Threat Modeling
Input Validation
SQL Injection
CSRF
Secure Code Review
Using OpenSSL
Attacks Against Human Engineers
Testing Web App Security
Apply: Curriculum
Develop:
a curriculum development process for your program
a content map for each level of your program
Content Creation
Content
Assessment
Resources
Content Creation Process
Outline
Instructional Design Review
Rough Draft
Technical review
Instructional Design Review
Final draft
Apply: Content Creation
Determine:
Content style
Assessment structure
Build your content development process
What is a security metaphor?
Examples
Still Cartoons
Full motion cartoons
Video
A word of caution…
Apply: Humor & Metaphor
Decide on your organization’s tolerance for humor
Edgy to tame: where do you sit?
Brainstorm ideas for security metaphors
bring your production team into the loop
Tools
Gamification
Interface
Security Fundamentals
Attacks & Attackers
Threat Landscape
Security Myths
Cryptography
Privacy
Dashboard
Apply: Tools
Decide how to model your theme and content in a catchy interface that engages your learners
Study gamification principles and incorporate
HINT: Ask your kids!
Plan your dashboard; what is the hard hitting information that will bring visibility to your program?
The finished product…
Mission
Program Architecture
Curriculum
Content Creation
Tools
Build Your Own
Q+A & Contact
Chris Romeo, CEO / Principal Consultant
www.securityjourney.com
@edgeroute