Start with security - Austin.pptx [Read-Only] · Building a Security Culture Security as Core Value...
Page 1
#StartwithSecurity
Page 2
Welcome
Bobby Chesney
Director, Robert Strauss Center for International Security and Law, University of Texas
Page 3
Introductory Remarks
Dama Brown
Regional Director, Federal Trade Commission
Page 4
Opening Remarks
Terrell McSweeny
Commissioner, Federal Trade Commission
Page 5
Panel 1: Starting up Security
Building a Security Culture
Page 6
Featuring
Christophe Borg, VP Engineering Operations, RetailMeNot
Alan Daines, Chief Information Security Officer, Dell
Josh Sokol, Information Security Owner, National Instruments
Moderator: Laura Riposo VanDruff, Division of Privacy and Identity Protection, FTC
Page 7
Building a Security Culture
Security as Core Value
– Founders, executives, and employees
Building Security Expertise
– Engineers with interest can become security champions
Leveraging the Security Community
– OWASP, BSides, (ISC)2, ISSA, SANS, and other free and proprietary resources
Integrating Threat Modeling
– Consider potential threats early
Page 8
Common Vulnerabilities (the OWASP Top 10, 2013 edition)
1. Injection
2. Broken Authentication and Session Management
3. Cross‐Site Scripting
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross‐Site Request Forgery
9. Using Components with Known Vulnerabilities
10. Unvalidated Redirects and Forwards
Page 9
Cross‐Site Scripting (XSS)
High‐risk, easy to exploit vulnerability
– Present in 7 out of 10 web applications
– Vulnerability not affected by language choice
– Attacker can run JavaScript in victim’s browser
Consequences for company, consumers
– Risks consumers’ personal information through malware, adware, spyware
– Reputation and other harms to company
Page 10
Training to Prevent XSS
– Look for places where user input is displayed back on a web page
– Pass in HTML tags to see if you can inject special characters
– Consult the OWASP XSS Prevention Cheat Sheet and other resources
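The probe the slide describes, as an added example that is not part of the FTC deck or any panelist's material: a render function that reflects user input raw, beside one hardened with the HTML-content encoding rule from the OWASP XSS Prevention Cheat Sheet, plus a URL-attribute case that entity encoding alone does not cover. The function names (renderSearchUnsafe, renderSearchSafe, escapeHtml, safeHref, findsReflectedXss) and the probe payloads are assumptions made for illustration.

```javascript
// Added example, not code from the FTC deck or any panelist: the "pass in
// HTML tags" probe from the slide, run against an unsafe and a hardened
// render function. All names here are hypothetical.

// Vulnerable: untrusted input concatenated straight into HTML.
function renderSearchUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// OWASP XSS Prevention Cheat Sheet rule for HTML element content:
// entity-encode & < > " ' before inserting untrusted data into markup.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Encoding is context-specific. Inside href= the payload "javascript:alert(1)"
// contains nothing escapeHtml touches, so a URL attribute also needs a scheme
// allow-list. A fixed base lets relative paths parse; the base itself is never
// emitted.
function safeHref(untrustedUrl) {
  let parsed;
  try {
    parsed = new URL(untrustedUrl, 'https://example.invalid/');
  } catch (_e) {
    return '#'; // unparseable input: emit an inert link
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return '#';
  }
  return escapeHtml(untrustedUrl);
}

// The slide's probe: submit a tag (constructed payloads) and check whether it
// comes back unencoded. A raw reflection is a reflected-XSS finding.
const PROBES = [
  '<script>alert(1)</script>',
  '"><img src=x onerror=alert(1)>',
];
function findsReflectedXss(render) {
  return PROBES.some((payload) => render(payload).includes(payload));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe render reflects probe:', findsReflectedXss(renderSearchUnsafe)); // true
  console.log('safe render reflects probe:', findsReflectedXss(renderSearchSafe));     // false
  console.log('href from javascript: URL:', safeHref('javascript:alert(1)'));          // #
}
```

Run it with node. The probe is a smoke test, not proof of absence: a clean result for one input point says nothing about other contexts (JavaScript, CSS and URL contexts each have their own encoding rule in the cheat sheet), and stored input needs the same check at every place it is later displayed.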
Page 11
Building a Security Culture
Security as Core Value
– Founders, executives, and employees
Building Security Expertise
– Engineers with interest can become security champions
Leveraging the Security Community
– OWASP, BSides, (ISC)2, ISSA, SANS, and other free and proprietary resources
Integrating Threat Modeling
– Consider potential threats early
Using Secure Frameworks
– Don’t reinvent the wheel
Page 12
#StartwithSecurity
Page 13
Panel 2: Scaling Security
Adapting Security Testing for DevOps and Hyper‐growth
Page 14
Featuring
Matt Johansen, Director of Security, Honest Dollar
Matt Tesauro, Senior Software Security Engineer, Pearson
James Wickett, Engineer of Awesome, Signal Sciences Corp.
Moderator: Laura Berger, Division of Privacy and Identity Protection, FTC
Page 15
Vulnerabilities are Everywhere

Page 16
They get fixed slowly…

Page 17
…if at all

Page 18
Scaling Security: a Rugged DevOps AppSec Pipeline Template
Page 19
Integrating into the DevOps Pipeline
(diagram: the DevOps Pipeline alongside the AppSec Pipeline; only the two labels survive)
Page 20
Gauntlt Example
Page 21
#StartwithSecurity
Page 22
Investing in Security: Fireside Chat with LiveOak Venture Partners Co‐founder Venu Shamapant
Moderated by Commissioner Terrell McSweeny
Page 23
Panel 3: Third‐party AppSec
Dealing with Bugs, Bug Reports, and Third‐party Code
Page 24
Featuring
HD Moore, Chief Research Officer, Rapid 7
Katie Moussouris, Chief Policy Officer, HackerOne
Wendy Nather, Research Director, Retail Cyber Intelligence Sharing Center
Moderator: Jarad Brown, Division of Privacy and Identity Protection, FTC
Page 25
Managing Third‐party Software Security
More information
– Third Party Software Security Working Group, Appropriate Software Security Control Types for Third Party Service and Product Providers, http://docs.ismgcorp.com/files/external/WP_FSISAC_Third_Party_Software_Security_Working_Group.pdf
Page 26
Managing Service Provider and Vendor Security
Evaluating Vendors
– Standard Information Gathering Questionnaire, https://sharedassessments.org/
– Cloud Security Alliance Consensus Assessments Working Group Questionnaire, https://cloudsecurityalliance.org/group/consensus-assessments/
– OWASP Secure Software Contract Annex, https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex
Page 27
Managing Vulnerability Reports
Roll out the red carpet
– [email protected]
– [email protected]
– company.com/security
Process to Verify Reports
Process to Address Reports
Page 28
Vulnerability response flow (flowchart; two lanes labelled "Disclosure" and "Response")
Develop Bug Disclosure Policy & Capability to Receive Bug Reports; Develop Bug Handling Policy & Organizational Framework
→ Receive Bug Report / Identify Bug Internally
→ Acknowledge Receipt
→ Verify Bug → Bug Verified?
– No → Inform Bug Reporter
– Yes → Develop Security Update → Release Security Update → Improve SDLC
Adapted from Katie Moussouris, RSA 2013 presentation 'Application Security Response: When Hackers Come A‐Knockin’, http://www.rsaconference.com/events/us13/agenda/sessions/122/application-security-response-when-hackers-come-a
Page 35
#StartwithSecurity
Page 36
Panel 4: Beyond Bugs
Embracing Security Features
Page 37
Featuring
Robert Hansen, VP of White Hat Labs, White Hat Security
Clare Nelson, CEO, ClearMark Consulting
Caleb Queern, Manager, KPMG Cyber
Moderator: Katherine McCarron, Division of Privacy and Identity Protection, FTC
Page 39
Subscribe to the FTC Business Blog: business.ftc.gov/blog