Building a Modern Security Program

Table of contents

1. 1. Shifting the Security Team to a DevOps Mindset
   1. How DevOps and the Cloud Change the Challenges Security Teams Face
   2. The Problems with Waterfall
   3. Developing and Iterating on Production: A Perspective Shift
   4. Focusing on Mean Time to Reaction
2. 2. The Future of Development and Security
   1. Tools for Continuous Development
      1. Feature Flags
      2. Ramp Ups
      3. A/B Testing
   2. Instrumentation and Visibility to the Organization
      1. Make Information Available for Everyone, Not Just the Security Team
      2. Change Binary Thinking About Threats
   3. Access Control
3. 3. The Keys to an Effective Security Culture
   1. Communicate with Empathy (aka Don’t Be a Jerk)
   2. Make Realistic Trade-offs
   3. Explain a Vulnerability’s Impact Without Jargon
   4. Reward Communication with the Security Team
   5. Take the False-Positive Hit Yourself
   6. Scale via Team Leads
4. 4. Building a New Feedback Loop by Starting a Bug-Bounty Program
   1. The Concerns about Bug-Bounty Programs
   2. The Goals of a Bug-Bounty Program
   3. Launching a Bug-Bounty Program
      1. Provide Specific Guidelines and Processes
      2. Record Expectations and Goal-Based Metrics
      3. Inform All Teams Before the Bug-Bounty Launch
      4. Review Helper Systems for Scaling Problems
      5. Attacks Will Begin Almost Immediately
   4. Communicating with Researchers
5. 5. Obtaining Better Feedback by Shifting from Penetration Testing to Attack Simulations
   1. Attack Simulations versus Pen-Testing
   2. Laying the Groundwork for an Attack Simulation
      1. Goals
      2. Full Organization in Scope
   3. Conducting the Attack Simulation
      1. Simulate Realistic Compromise Patterns
      2. Simulate Varied Attack Profiles
      3. Break the Simulation into Iterations
   4. Attack Simulation Output
   5. Conclusions