Are we making our engineers blue?

Presented at Diana Initiative 2019, Aug. 10, 2019, 9 a.m. (60 minutes)

Our engineers are going from software engineers to software + infrastructure + network + database engineers, and they’re delivering faster. In an environment of continuous deployment, how do security teams scale? Can we?

Let's talk about TTPs for our engineering teams, to better equip them to secure our estate. We’re going to be using real threat models as examples to guide us through how we can increase our security teams and reduce our threat landscape. This includes how to use incidents to evolve our threat models, why and how we should write and use security tests to validate our models, and the power of POC’ing attack vectors from our models to evolve them further. Finally, how we build, evolve, share and ultimately transfer ownership of these models to our engineering teams - teaching them to be our blue team.


Presenters:

  • Tash Norris - Senior Cloud Security Engineer at PhotoBox Group
    Tash is a Senior Cloud Security Engineer at Photobox Group (which includes Moonpig, PosterXXL, Greetz! and Hofmann) and previously a threat modeling engineer in financial services. She is currently building tools and processes to automate all the things / make the Cloud more secure. Currently she is also contributing to threat modeling projects and resources via OWASP and other community events. Tash is also on the review panel for DevSecCon, an OWASP contributor and an avid advocate for Women in Tech/Cyber, appearing at various tech and security events and meetups to talk about both technical and behavioural topics.
