Building a Security Culture: Strategies and Case Studies

Slide Note
Embed
Share

Explore insights shared by industry experts on establishing a security culture within organizations, including building buy-in from founders, integrating threat modeling, leveraging secure frameworks, and learning from real-life case studies like Cross-Site Scripting (XSS) vulnerabilities and prevention techniques.

hel_b
hel_b Follow

Uploaded on Sep 13, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. Welcome Frank H. Wu Chancellor and Dean, UC Hastings College of Law

  2. Introductory Remarks Tom Dahdouh Regional Director, Federal Trade Commission

  3. Opening Remarks Chairwoman Edith Ramirez Chairwoman, Federal Trade Commission

  4. Starting up Security Building a Security Culture

  5. Featuring Devdatta Akhawe, Security Engineer, Dropbox Jonathan Carter, Project Lead, OWASP Mobile Top Ten Frank Kim, Chief Information Security Officer, SANS Institute Window Snyder, Chief Security Officer, Fastly Moderator: Laura Riposo VanDruff, Division of Privacy and Identity Protection, FTC

  6. Building a Security Culture Founder Buy-In Founders and executives as security champions Building Security Expertise Engineers with interest can become security evangelists Leveraging the Security Community OWASP, BSides, SANS, and other free and proprietary resources ntegrating Threat Modeling Consider potential threats early ing Secure Frameworks Don t reinvent the wheel: platforms often provide secure APIs Consider building secure abstractions for your developers

  7. Cross-Site Scripting (XSS) Case Study High-risk, easy to exploit vulnerability 1. Victim visits your organization s vulnerable page 2. Hacker injects malicious software into page 3. Victim executes this malicious software on their own machine Why is XSS bad news for your customers? Hacker s malicious software typically: Steals sensitive information about the user Does things on behalf of the user they didn t authorize Injects malware / adware / spyware onto victim s machine

  8. How to Identify and Prevent XSS Risks Are you vulnerable? Ask yourself: 1. Is your server receiving data (even hidden data) that is coming from the user s web browser? Inspect and verify every piece of data before you trust it in your own systems. 2. Are you sending data coming from your server to the user s web browser? HTML Encode that data before you send it to the user s browser. HTML Encoding prevents malicious software from being executed on the user s machine. Consult the OWASP XSS Prevention Cheat Sheet

  9. How does training help prevent XSS? Training serves very important functions: 1. Identify underlying assumptions and planned inputs coming from users. 2. Think like a hacker by providing unexpected inputs. Observe how the system responds. 3. Eliminate flaws during the design / implementation stages before a hacker has a chance to find them in a production environment.

  10. Building a Security Culture Founder Buy-In Founders and executives as security champions Building Security Expertise Engineers with interest can become security evangelists Leveraging the Security Community OWASP, BSides, SANS, and other free and proprietary resources Integrating Threat Modeling Consider potential threats early Using Secure Frameworks Don t reinvent the wheel: platforms often provide secure APIs Consider building secure abstractions for your developers

  11. Scaling Security Adapting Security Testing for DevOps and Hyper-Growth

  12. Featuring Michael Coates, Trust and Information Security Officer , Twitter Zane Lackey, Founder and Chief Security Officer, Signal Sciences Jeff Williams, Founder and Chief Technology Officer, Contrast Security Moderator: Laura Berger, Division of Privacy and Identity Protection, FTC

  13. Scaling security Start with the basics Harness existing resources Make security visible Automate testing and feedback Streamline feedback (and send it to the right people) Detect risky changes/features

  14. Investing in Security Accel Partner Arun Mathew FTC Chief Technologist Ashkan Soltani

  15. Bugs and Bounties Vulnerability Disclosure and Response

  16. Featuring Raymond Forbes, Security Engineer, Mozilla Paul Moreno, Security Engineering Lead, Pinterest Katie Moussouris, Chief Policy Officer, HackerOne Moderator: Nithan Sannappa, Division of Privacy and Identity Protection, FTC

  17. Develop Bug Disclosure Policy & Capability to Receive Bug Reports Develop Bug Handling Policy & Organizational Framework Response Identify Bug Internally Receive Bug Report Disclosure Verify Bug Acknowledge Receipt Bug Inform Bug Reporter Verified? No Yes Release Security Update Develop Security Update Adapted from Katie Moussouris, RSA 2013 presentation 'Application Security Response: When Hackers Come A-Knockin http://www.rsaconference.com/events/us13/ agenda/sessions/122/application-security- response-when-hackers-come-a Improve SDLC

  18. Bug Response 101 Roll out the red carpet security@company.com (+ PGP key) company.com/security Bug Verification Steps Initial Investigation Root Cause Analysis Communicate Bug Reporters Customers Improve SDLC Training Design Industry Guidelines ISO 29147 Vulnerability Disclosure ISO 30111 Vulnerability Handling Processes

  19. 1995 2002 A Non-Exhaustive History of Bug Bounties 2004 2015 2012 2005 2010 2013 2014 2011 2007

  20. Bug Bounties No One Size Fits All Scope What domains, apps, versions (e.g., beta) are in scope? What types of bugs are in scope? Incentives Cash Swag Hall of Fame Time & Resources Expect an initial ramp-up Consider outsourcing

  21. Beyond Bugs Embracing Security Features

  22. Featuring Pierre Far, Product Manager, Google Jon Oberheide, Co-founder and Chief Technology Officer, Duo Security Yan Zhu, Security Engineer, Yahoo! Moderator: Jessica Lyon, Division of Privacy and Identity Protection, FTC

  23. Embracing Security Features Implement as soon as you can; it only gets harder with time Optimize and configure smart and security features won t slow down or break your product Take advantage of tools that can automate the process Put metrics to work for you

  24. Subscribe to the FTC Business Blog business.ftc.gov/blog

  25. ftc.gov/datasecurity

Related


Understanding the Role of Security Champions in Organizations

Understanding the Role of Security Champions in Organizations

irvin
International Approaches to Enhance Nuclear Safety and Security

International Approaches to Enhance Nuclear Safety and Security

mazarine
Understanding the Roles of a Security Partner

Understanding the Roles of a Security Partner

zaara
Plant Tissue Culture Methods for Growth and Reproduction Study

Plant Tissue Culture Methods for Growth and Reproduction Study

graciean
Cyber Security Toolkit for Boards: Comprehensive Briefings and Key Questions

Cyber Security Toolkit for Boards: Comprehensive Briefings and Key Questions

adalwolf
Understanding Culture Shock: Phases, Symptoms, and Coping Strategies

Understanding Culture Shock: Phases, Symptoms, and Coping Strategies

zarn708
Advances in Baryon Spectroscopy and Hadronic Matter Studies

Advances in Baryon Spectroscopy and Hadronic Matter Studies

kjud
Understanding Culture in Sociology: Key Concepts and Definitions

Understanding Culture in Sociology: Key Concepts and Definitions

adriana
Overview of Media Studies Disciplines and Historical Development

Overview of Media Studies Disciplines and Historical Development

persephone
Understanding Nigerian Culture, Government, and Economy: Module One

Understanding Nigerian Culture, Government, and Economy: Module One

yusra
Overview of Cell Culture Methods and Importance in Research

Overview of Cell Culture Methods and Importance in Research

jubal
Understanding Popular Culture: Classification and Impact

Understanding Popular Culture: Classification and Impact

elena
Understanding Plant Tissue Culture: Methods and Requirements

Understanding Plant Tissue Culture: Methods and Requirements

letitia
Proposed NRC Safety Culture Policy Statement Overview

Proposed NRC Safety Culture Policy Statement Overview

jal_ebi
Understanding Security Threats and Countermeasures

Understanding Security Threats and Countermeasures

grob_aid
BSc in Strategic Studies & International Relations at KDU

BSc in Strategic Studies & International Relations at KDU

brecken
AEP Enterprise Security Program Overview - June 2021 Update

AEP Enterprise Security Program Overview - June 2021 Update

aubriella
Exploring Peace, Violence, and Security Studies

Exploring Peace, Violence, and Security Studies

barl
Building Resilience and Changing Lives: Citizen Security and Justice Programme III

Building Resilience and Changing Lives: Citizen Security and Justice Programme III

keziah
Understanding Cyber Security and Risks

Understanding Cyber Security and Risks

kathryn
Food Security and Livelihoods Workshop in Northwest Syria - Highlights and Case Studies

Food Security and Livelihoods Workshop in Northwest Syria - Highlights and Case Studies

shona
Overview of Social Security and Health Care System in Turkey

Overview of Social Security and Health Care System in Turkey

violeta
Legal Framework on Information Security in the Ministry of Trade, Tourism, and Telecommunication

Legal Framework on Information Security in the Ministry of Trade, Tourism, and Telecommunication

joso_597
Understanding Provable Security Models in Cryptography

Understanding Provable Security Models in Cryptography

donoghue_e

More Related Content

Comprehensive Guide to Designing Physical Security and Security Planning by Susan Lincke
Comprehensive Guide to Designing Physical Security and Security Planning by Susan Lincke
Certification and Training in Information Security
Certification and Training in Information Security
Enhancing SWIFT Security Measures for ReBIT: March 2018 Update
Enhancing SWIFT Security Measures for ReBIT: March 2018 Update
Evolving Security Practices in DevOps: A Holistic Approach
Evolving Security Practices in DevOps: A Holistic Approach
Understanding Computer Security Principles and Practices
Understanding Computer Security Principles and Practices
BCA 601(N): Computer Network Security
BCA 601(N): Computer Network Security
Enhancing Security Definitions for Functional Encryption
Enhancing Security Definitions for Functional Encryption
TSA Updates on Security Training Rule for OTRB Companies
TSA Updates on Security Training Rule for OTRB Companies
Understanding Transport Layer Security (TLS)
Understanding Transport Layer Security (TLS)
Understanding Security Onion: Network Security Monitoring Tools
Understanding Security Onion: Network Security Monitoring Tools
Cultivating an Effective Data Culture: Strategies and Insights
Cultivating an Effective Data Culture: Strategies and Insights
Understanding Culture and Society
Understanding Culture and Society
B.A. in Indian Cultural Studies Programme by Department of Vedic Sciences & Indian Culture
B.A. in Indian Cultural Studies Programme by Department of Vedic Sciences & Indian Culture
Latest Research and Studies on Lung Cancer - Update May 2024
Latest Research and Studies on Lung Cancer - Update May 2024
Understanding Clinical Trials: Types and Designs
Understanding Clinical Trials: Types and Designs
Perspectives on Youth Culture Through Functionalist and Neo-Marxist Views
Perspectives on Youth Culture Through Functionalist and Neo-Marxist Views
Perspectives on the Relationship Between Religion and Culture
Perspectives on the Relationship Between Religion and Culture
Understanding Just Culture in Leadership: Creating a Fair and Error-Preventive Environment
Understanding Just Culture in Leadership: Creating a Fair and Error-Preventive Environment
Understanding Popular Culture and Ideology
Understanding Popular Culture and Ideology
Hematological Cancer Clinical Studies Update and Recruitment Statistics
Hematological Cancer Clinical Studies Update and Recruitment Statistics
Cyber Threat Detection and Network Security Strategies
Cyber Threat Detection and Network Security Strategies
Real-Time Data-Driven Network Security Workshop by Joe St. Sauver
Real-Time Data-Driven Network Security Workshop by Joe St. Sauver
Understanding Plant Tissue Culture Media and Their Importance in In Vitro Growth
Understanding Plant Tissue Culture Media and Their Importance in In Vitro Growth
Leading to Safety
Leading to Safety