As mentioned in my last post, I’ve been cataloging my past talks and am posting the “missing” ones here.
Back in 2018, I spoke at Secure360 on “Integrating Security into Emerging DevOps”. This was a brand new talk, based on my experiences from my first three years running Application Security at Express Scripts:
Imagine building a software security practice. Now imagine building a security practice while your organization is modernizing software engineering, shifting from Waterfall to modern Agile/CI/DevOps.
Teams are excited. Agile means more freedom, less bureaucracy, less security. Security rules are blockers; they are preventing software from being written and deployed, and are problems to be removed. The security team resists, worrying that agile will mean only that security bugs are pushed into production faster.
In fact, modern software engineering and security are entirely compatible; the rigor and discipline that comes with DevOps supports strong security. The challenge is that security must evolve as the organization evolves, and must be part of the natural flow of how engineers develop software today.
This session will present solutions for building security in to a modern software engineering organization that reduce friction, making the engineers happy, and reduce security issues, making the security team happy. By understanding the motivation and habits of software engineers, we can design security controls that satisfy both groups.
I’ve been meaning to post this talk for some time, as it was well received and a good case study on integrating security into a software engineering practice. Much like when Herbie Hancock hired funk musicians to play Jazz on his fusion album Head Hunters, we hired people with a software engineering background to do security; our security engineers were developers, and our application security testing team had a QA background. In this way, we were able to extend the software engineering practice into security and avoid much of the conflict that can occur when staffing AppSec with traditional security professionals.
As I work through cataloging presentations I’ve done this week, I’ve come across a few that I haven’t yet posted here (or on https://transvasive.com). I’ll be posting them here over the next three days.
One of the “missing” talks was a short slide deck I put together as part of a “Papers We Love” discussion on Learning from Cyber Incidents: Adapting Aviation Safety Models to Cybersecurity, a paper published by a working group organized by Harvard’s Belfer Center to explore the concept of creating a “Cyber NTSB”.
I came across this paper having met one of the lead authors, Adam Shostack. Adam especially has been interested in creating a “Cyber NTSB”, an idea we share, although I likely take a broader interest in adapting safety to cybersecurity.
The paper is well written and the workshop seemed well thought out, as it included presentations from people actually working at the NTSB, grounding the discussion in work-as-done instead of work-as-imagined at the NTSB. It also included a session led by the psychologist and safety scientist David Woods on cross-domain learning; as I discovered in my studies, safety doesn’t translate directly (for example between aviation and marine safety). The findings are sound and follow current safety science thinking and are included in the slides.
For me, the practical takeaways were and remain:
A recurring theme is discussion of blame, and how NTSB specifically avoids assigning liability in accident investigations, as avoiding blame improves learning
There are domain-specific challenges unique to Security; don’t blindly copy what works in aviation safety
Near Miss reporting is an important complement to incident investigation; share stories of the close calls
The session was very well attended, so if you were there, thank you! We filled the room - standing room only - 150 people checked in. I got some great and challenging questions at the end, I appreciated everyone’s engagement!
Cybersecurity, especially traditional security, has stagnated; adding security controls hasn’t appreciably improved outcomes and we continue to struggle with basic problems like vulnerabilities. Safety faced a similar problem 10-15 years ago; scientists and practitioners saw that safety outcomes were stagnant and concluded that the traditional method of avoiding accidents through centralized policies, procedures, and controls was no longer driving improvements.
I believe we’re seeing the same thing in security: historically, we’ve focused on constraining worker behavior to prevent cybersecurity breaches, and the limits of that approach are becoming increasingly clear. Adapting concepts from Safety Differently and Safety II offers a solution, by supporting success and focusing on positive capacities. In this talk, I will present practical advice on how to create a security program based on modern safety principles using evidence from both security and safety, and how it changes the role of the security professional.
Slides
My slides with notes, including references, are here.
Video
While the talk was not recorded, I did create a short video to promote the talk, you can watch that here.
