
Page 1:

Doing IT Security: Organizational challenges

Laura Kocksch, Fraunhofer Institute for Secure Information Technologies / Ruhr University Bochum

RISCS Developer-Centred Security Workshop: 24th November 2016

Page 2:

Study I: „Can security become an organizational routine?“

Page 3:

Research interest (CS):

• Security tool adoption
• Anecdotal evidence in Computer Science

What happens when the topic "security" enters a software company? What effects do security consultings have on security in a software company?

Page 4:

Research interest (S):

• Technology adoption and sociotechnical situations
• Organizations consist of structure and agency

What practices are triggered by a security consulting? How does a security consulting affect organizational routines in a software development group?

Page 5:

What happens during a security consulting?

• Penetration test
• Submission of found security defects (internal tracking system)
• Face-to-face workshop training: in-depth presentation of vulnerability types, hands-on hacking exercises („Hacking Challenge“)
• Fixing of found security defects
• Long-term change?

Page 6:

Methods:

Page 7:

Results I:

• Great „euphoria“ right after the workshop…
• Fixing activities ambitious…
• … but a one-time event.
• Developers were dissatisfied about the outcome.

Why these results?

Page 8:

Organizational Routines:

Image: Radschläger (own work) [CC BY-SA 2.5-2.0-1.0] via Wikimedia Commons

The ostensive [structural] aspect of a routine is […] useful in that it helps us describe what we are doing in ways that make sense of our activities. It enables us to ask others to account for actions that seem unusual, and to provide reasonable accounts when we are called to explain.

(Feldman and Pentland 2003)

Page 9:

Manager and Developer Agreements:

“[any added feature] is gonna have to have security baked into it,”

“I would say, because we are working Scrum-like, every team should take up these questions [of security].”

“There exists no rule book saying 'for finishing this feature please spend two hours on security' [...] The idea is to set up teams to be self-learning so that they consider it in the process from the very beginning, kind of trying to channel the '-ilities.'”

“Actually I don't want that [strict guidelines] ... I don't wanna say it is necessary that someone from the top starts asking us to do certain things.”

Page 10:

Manager and Developer Agreements:

“But if we only develop security features [...], the product manager has nothing [...] for the next sales training. [...] he has no shiny new features to show [...] no further checkbox to tick in a sales brochure. This is the mindset these folks are thinking in.”

“[...] if security is not on the list [of features], then is it really worth the time and extra energy to do it?”

Page 11:

Developer's Agreements:

“I mean we are developers because we enjoy it, I don't think any software developer does it because they are just making a paycheck [...] what you really enjoy is putting something together and seeing it work. [...] Security is not one of those things for most people I think, but it does need to be emphasized and we do need to prevent something from happening [...].”

Security lacks a „story line“

“Apart from the findings from the workshop there was never any feedback from the customer [...] That [feedback] would definitely motivate us.”

Page 12:

Lessons Learned:

• Make security work accountable and tangible for all actors…
• Make security interesting…
• Establish a security stakeholder respecting the organizational framework

Page 13:

Study II: „Can a system be planned secure?“

How to design SecurityByDesign?

Threat Modelling Techniques

Page 14:

Modelling Threats and Risks:

https://technet.microsoft.com/en-us/security/hh855044.aspx

Image: Chris Creagh (own work) [CC BY-SA 3.0]

Page 15:

Are models a „Boundary Object“?

Boundary Objects are objects which are both plastic enough to adapt to local needs and the constraints of the several parties employing them, yet robust enough to maintain a common identity across sites. They are weakly structured in common use, and become strongly structured in individual use […]

(Star and Griesemer 1989)

Page 16:

Results II: Chicken and Egg

What are the IT security constraints for the software solution we want to build?

What shall the IT system look like that we need to secure?

Images: Sun Ladder (own work) [CC BY-SA 3.0] via Wikimedia Commons; Thegreenj (own work) [CC-BY-SA-3.0] via Wikimedia Commons

Page 17:

Results II: Chicken and Egg

What IT system can you build?

What IT system do you need?

Page 18:

„Doing IT Security“

• Security poses challenges for organizational structure
• Security definition is no linear process
• Security is not just like any other „-ility“
• Security is a sociotechnical challenge
• SecurityByDesign incorporates challenges at the developer's and the user's side (e.g. nudging / soft paternalism)

Page 19:

Selected Publications:

• A. Poller, L. Kocksch, S. Türpe, F. Epp, K. Kinder-Kurlanda: Can Security Become a Routine? A Study of Organizational Change in an Agile Software Development Group. Forthcoming: Proc. CSCW'17, Portland, OR, February 25–March 1, 2017.
• S. Türpe, L. Kocksch, A. Poller: Penetration Tests a Turning Point in Security Practices? Organizational Challenges and Implications in a Software Development Team. SOUPS'16, Denver, CO, June 22–24, 2016.
• A. Poller, S. Türpe, K. Kinder-Kurlanda: An Asset to Security Modeling? Analyzing Stakeholder Collaborations Instead of Threats to Assets. Proc. NSPW'14, Victoria, BC, September 15–18, 2014.

Page 20:

Andreas Poller & Sven Türpe
{andreas.poller, sven.türpe}@sit.fraunhofer.de

Laura Kocksch (RUB Bochum)
[email protected]@gmail.com

Dr. Katharina Kinder-Kurlanda
GESIS-Leibniz-Institut für [email protected]

Fraunhofer Institute for Secure Information Technology
Rheinstrasse 75
64295 Darmstadt, Germany
www.sit.fraunhofer.de