SESSION ID:

#RSAC

Christopher Romeo

AppSec Awareness: A Blue Print for Security Culture Change

HUM-T11

CEO / Principal ConsultantSecurity Journey@edgeroute

#RSAC

My Commitment

2

Explain security culture and application security awareness

Provide the process for how to build your own application security awareness program

Share knowledge, experience, and best practices building application security awareness programs

#RSAC

What is Security Culture?

3

“What happens {with security} when people are left to their own devices.”

--Tim Ferriss

#RSAC

Security is non-negotiable

4

#RSAC

What is Appsec Awareness?

5

ApplicationSecurityAwareness

Anti-Phishing,PasswordSecurity,SafeSocialNetworking,PhysicalSecurity,SocialEngineering

GeneralSecurityAwareness

MasteringSecurityConcepts

CodingSecurely

PerformingSecurityTest

PlanningforSecurity

#RSAC

Knowledge & History

6

#RSAC

Role Based

7

#RSAC

Activity

8

#RSAC

Application Security Awareness is…

9

A program that instills a security foundation, changing security culture from the inside out

#RSAC

Goals of AppSec Awareness

10

Disrupt

#RSAC

Goals of AppSec Awareness

11

Sustainable

#RSAC

Goals of AppSec Awareness

12

Secure

#RSAC

My Experience

13

http://blogs.cisco.com/security/the-cisco-security-dojo

#RSAC

14

#RSAC

15

Mission

#RSAC

Define the problem

16

Our organization lacks:

general application security knowledge

appreciation for the evolving threat landscape

experience with secure development practices and tools

motivation to step up and improve security

#RSAC

Assess Security Culture

17

#RSAC

Program Objectives

18

S.E.C.U.R.I.T.Y Create a thriving programTeach everyone the

importance of securityGenerate activity towards

improving securityBuild security community

#RSAC

Build a Team

19

SME

#RSAC

Apply: Mission

20

Define the problem as it exists in YOUR organization

Assess YOUR security culture, to determine how far you have to go

Define what you are trying to accomplish (program objectives)

Build a team of internal and external experts

#RSAC

A foundation…

21Program Architecture

#RSAC

Theme

22

#RSAC

Levels

23

Learning

Applying

Doing

Leading

Leader

#RSAC

Roles

24

Development

• SW Engineer

• Tester

• Manager

• HW Engineer

Operations

• IT

• DevOps

Internal

• Sales

• Marketing

• Executives

Everyone

#RSAC

Activities

25

Build

• A security tool or process

• Partnerships

• Security community

Enrich

• Mentor

• Teach a course

• Deliver presentations

Explore

• Security issue analysis

• Security committee

• A vulnerable web app

Implement

• A security feature

• A security test

• Security strategy

#RSAC

Recognition

26

#RSAC

Recognition

27

#RSAC

Budget

28

Time

External production partners

Could be shoestring, could be millions

#RSAC

Schedule

29

2016 2017, 18, 19?

#RSAC

Apply: Program Architecture

30

Choose a theme that fits within the boundaries of YOUR organization

Define your roles

Determine:

the number of levels

what activities will you promote (if any)

your recognition philosophy and implementation

#RSAC

31

Curriculum

#RSAC

Curriculum Development Process

32

Determine basic lessons

Review existing content

Search the product /

service history

Draft the content maps

Argue extensively

about content maps

Gather Community

Feedback and Update

#RSAC

Level 1 Content Map

33

Security Fundamentals

Threat Landscape

Attacks & Attackers

OWASP Top 10

Secure Development

Life CycleSecurity Myths Cryptography

Secure Design Principles

Security Standards

Privacy

#RSAC

Level 2 Content Map -- Developer

34

Secure Coding with Java

XSSThreat

ModelingInput

Validation

SQL Injection CSRFSecure Code

ReviewUsing OpenSSL

Attacks Against Human

Engineers

Testing Web App Security

#RSAC

Apply: Curriculum

35

Develop:

a curriculum development process for your program

a content map for each level of your program

#RSAC

Content Creation

#RSAC

Content

37

#RSAC

Assessment

38

#RSAC

Resources

39

#RSAC

Content Creation Process

40

Outline

Instructional Design Review

Rough Draft

Technical review

Instructional Design Review

Final draft

#RSAC

Apply: Content Creation

41

Determine:

Content style

Assessment structure

Build your content development process

#RSAC

#RSAC

What is a security metaphor?

43

#RSAC

Examples

44

Still Cartoons

Full motion cartoons

Video

#RSAC

A word of caution…

45

#RSAC

Apply: Humor & Metaphor

46

Decide on your organization’s tolerance for humor

Edgy to tame: where do you sit?

Brainstorm ideas for security metaphors

bring your production team into the loop

#RSAC

Tools

#RSAC

Gamification

48

#RSAC

Interface

49

Security Fundamentals

Attacks & Attackers

Threat Landscape

Security Myths

Cryptography

Privacy

#RSAC

Dashboard

50

#RSAC

Apply: Tools

51

Decide how to model your theme and content in a catchy interface that engages your learners

Study gamification principles and incorporate

HINT: Ask your kids!

Plan your dashboard; what is the hard hitting information that will bring visibility to your program?

#RSAC

The finished product…

52

CurriculumProgram Architecture

Content Creation

ToolsMission

#RSAC

Build Your Own

53

#RSAC

Q+A & Contact

Chris Romeo, CEO / Principal Consultant

chris_romeo@securityjourney.com

www.securityjourney.com

@edgeroute