Rani Nagib06/15/2022, 8:16 AM
Schuyler Bishop06/15/2022, 4:22 PM
Martynas Dabašinskas06/15/2022, 5:07 PM
Rani Nagib06/15/2022, 7:46 PM
> Have a measurable strategy for what they need to achieve
@Schuyler Bishop Agreed! The challenge I'm experiencing at the moment is: where do I begin when wanting to define the security vision and the success metrics that come along with it? Some thoughts that have come to mind so far:
• Perform some threat modelling activities on our current setup to fuel the security vision, therefore giving us more measurable and targeted success metrics. In other words, let's avoid boiling the ocean in our attempt to make things secure. The cons of this approach IMO being:
  ◦ Threat modelling seems to be a speculative approach that could result in security gaps due to one not foreseeing potential scopes for system infiltration.
• Start with the compliance schemes (HIPAA/GDPR etc.) and use those to define the security initiatives. Cons:
  ◦ Being compliant with a particular scheme also isn't a good measure of how secure one's infrastructure/IT systems are.
Of the two, I prefer the former, but I'd love to hear your thoughts on this.
> with the due dates based on CVSS scores
@Martynas Dabašinskas Ah, that's an interesting approach! Wasn't aware of CVSS scores.
> identify owner of vulnerable libraries if those are shared between few dev teams,
Have you been able to identify any automation/tooling geared towards automatically aggregating/mapping code ownership based on source control (git)? I imagine the process of having to hunt down teams and dependencies manually being super daunting.
> we still had to build process to remediate security findings
Would these be automatically triggered playbooks, or sets of pre-aggregated documentation on how a team impacted by a certain class of vulnerability can remedy their systems?
Michael Galloway06/16/2022, 2:29 PM
The issue in my experience is adapting an older company’s policies to be more platform-centric, developer-focused and adapting the organization’s approach to risk identification and mitigation.
What I've experienced is that the hardest part of introducing security into a platform, especially with an existing business, is the cultural changes necessary. The security industry has built quite a long backlog of rigid interpretations of best practices, and many folks in that space are reluctant to focus on the spirit vs. the letter of those practices. This results in security theater that quickly diminishes trust with engineering teams and undermines engagements. I'd emphasize a concerted effort to connect the "why" of security for your Eng customers, hire security folks with an Eng background, and make empathy and communication a critical skill set for those you bring on.
Ralf Huuck06/16/2022, 11:12 PM
Rani Nagib06/17/2022, 7:43 AM
Michael W06/22/2022, 5:54 PM
Ryan Grimard08/25/2022, 3:01 PM
Michael Galloway09/22/2022, 4:59 PM