A Fully Trained Jedi, You Are Not

Presented at Black Hat USA 2022, Aug. 10, 2022, 11:20 a.m. (40 minutes)

As software organizations try to bring security earlier into the development process, what can or should regular software or operations engineers know about security? Taking as given that we want them to build secure systems, that demands a shared understanding of the security issues that might come up, and agreement on what that body of knowledge should entail. Without this knowledge, they'll keep building insecure systems. With it, we can have fewer recurring problems that are trivially attackable.

Training everyone at a firm is expensive. Even if the training content is free, people's time is not. If you have 1,000 people, one hour per person is half a person-year (before any overhead). So there is enormous pressure to keep it quick, ensure it meets compliance standards like PCI, and … the actual knowledge we should be conveying is almost an afterthought. We need to design knowledge scaffolding and tiered approaches to learning, and this talk offers a structure and tools to get there.

We don't need every developer to be a fully trained Jedi, and we don't have time to train everyone to that level or even as much as we train security champs. So what could we ask everyone to know, and how do we determine what meets that bar?


Presenters:

  • Adam Shostack - President, Shostack & Associates
    Adam Shostack is a leading expert on threat modeling, and a consultant, author and game designer. He has decades of experience delivering security. His experience ranges across the business world from founding startups to nearly a decade at Microsoft. His accomplishments include: helping create the CVE, fixing Autorun, and leading the design and delivery of the Microsoft SDL Threat Modeling Tool (v3). Adam also created the Elevation of Privilege threat modeling game, wrote "Threat Modeling: Designing for Security", and co-authored "The New School of Information Security". While not consulting or training, Shostack serves as an advisor to a variety of companies and academic institutions and is an Affiliate Professor at the Paul G. Allen School of Computer Science and Engineering at the University of Washington.