Cailyn Edwards, Shopify
Sharing Security Secrets: How to Encourage Security Advocates

Agenda
1. The Basics
   a. What
   b. Who
   c. Why
2. How
   a. Managers
   b. Individual Contributors
3. Examples
   a. Security Reviews
   b. Security Self Assessments

Cailyn Edwards, Senior Infrastructure Security Engineer

What are security advocates?
"Cybersecurity advocates attempt to reduce exposure to cyber attacks by promoting security best practices and encouraging security adoption."
(Cybersecurity Advocates: Discovering the Characteristics and Skills for an Emergent Role)

Who are (should be) security advocates?
ok. wait
They don't have to be cybersecurity experts, or even work in a security org.
We can't do it all.

Why do we need security advocates?
We are small fish in a big pond.
(Photo by zhengtao tang on Unsplash)
https:/
"... integrating security as early as possible throughout the development lifecycle, or even earlier with interactive developer training, security organizations can enable preventative security rather than reactive security."
(Cloud Native Security Whitepaper v2)

What can managers do?
(Photo by Ameer Basheer on Unsplash)

What can ICs do?
- Be security advocates themselves.
- Consult, don't dictate.
- Educate.

Focus points when planning a security education talk at your company
i. Explain the security org
   How does security work in your company? What's the size? Are there multiple teams with varied responsibilities?
ii. Go over security tools
   What tools do you use internally for security? How can attendees use them more effectively?
iii. Cover the basics
   Don't assume any prior knowledge. Go over the basics, limit acronyms and make sure everyone leaves knowing what cyber security is.
iv. How to threat model
   This is a great way to teach non-security folks to look at their services through a security mindset! It can also lead to actionable solutions.
v. Talk about security incidents
   What security incidents has your company faced? How did they go? What did you learn?
Make it Relevant. Make it Informative.

Security Reviews
Goal: Infrastructure Security Everywhere
GSD at Shopify: Proposal, Prototype, Build, Release
This very often results in the creation of a new service or a major change to an existing service.

Starting Goals / Wins
- Shorter lead time for security reviews
- 30% faster team onboarding to the review process
- 70% fewer tier-move-blocking change requests
- Better relationships with service owners

01 Security Concerns Surfaced in GitHub UI
Promotes security awareness at CI, rather than waiting to surface concerns at deploy time or, worse, allowing vulnerable workloads to run in production. It empowers developers and allows them to make informed decisions.

02 Report Generated for Service Owners
The review results in a list of vulnerabilities for the service. Our extensive documentation explains each potential vulnerability and how it should be addressed.

03 Issues Opened from Scan Results
We now also surface vulnerabilities via GitHub issues for project owners/maintainers. This is another avenue of communication with devs and ensures security work is tracked.

Security Self Assessments
Programs by TAG Security and k8s SIG-Security
"The Self-assessment is the initial document for projects to begin thinking about the security of the project, determining gaps in their security, and preparing any security documentation for their users."
(TAG Security Docs)

TL;DR (takeaways)
- Attend this talk (start looking at how other companies do it)
- Start advocating yourself: tell people about the cool things you are doing
- Get support and buy-in from managers
- DO NOT GATEKEEP: share security basics openly and often!
- Make security education relevant to your audience
- Create opportunities for hands-on learning
- Stop, Collaborate and Listen!
- Get security goals at the top level (OKRs, company mission, guiding themes)

How to Encourage/Build a Security Advocate Culture

Thank you
Find me on twitter: CailynEdwards, github: cailynse or in the Kubernetes slack: cailyn_codes
Feedback is a gift
Q and E
12、r companies do it)Start advocating yourself-tell people about the cool things you are doing Get support and buy in from managers DO NOT GATEKEEP,share security basics openly and often!Make security education relevant to your audience Create opportunities for hands on learning Stop,Collaborate and Listen!Get security goals at the top level(OKRs,company mission,guiding themes)How to Encourage/Build a Security Advocate CultureThank youFind me on twitter:CailynEdwards,github:cailynse or in the Kubernetes slack:cailyn_codesFeedback is a gifQ and E