Are We too Early for the Party? (the perils of Baking Cyber in from the Beginning)

Presented at BSidesLV 2023, Aug. 9, 2023, 5:30 p.m. (Unknown duration)

A common cybersecurity trope, often stated during or after security design and testing, is "we/they should have built cyber in from the beginning." BUT… how many of us have actually built cyber in from the beginning? The presenters have an uncommon perspective on this matter and are living the build-cyber-in dream/nightmare right now. We discuss the perils: product teams unwilling to incorporate cyber, a lack of business processes incorporating good cyber design, and the reluctance to develop secured designs during demonstration phases versus a "certification-only" focus. We discuss the benefits (obvious and not so obvious): requirements documentation, identifying cybersecurity controls, interfacing with product teams, and building a value chain from the start. Just don't expect being involved early to be the easy button.

Presenters:

  • Lillian Ash Baker
    Lillian Ash Baker (aka Zap!) is a Product Security Engineer with a major aviation manufacturer, securing the next generation of civil aviation aircraft. She is responsible for driving cybersecurity requirements across the entire aircraft ecosystem and maintaining DO-356/326 compliance. Prior to their time in Product Security, Lily was at Collins Aerospace for 15 years, responsible for the development, test, manufacturing, and integration of civil avionics equipment with a focus on Navigation and Inertial Systems. They have dealt with civil avionics certification to ARP-4754A, DO-160, DO-178, D…Ok, you get the idea. From particle accelerators to inertial flight testing, Lily has plenty Certified Scars and their stories to tell. When not designing aircraft, she volunteers as the CFP Organizer at the Aerospace Village.
  • Steve Bichler
    Steve "Bic" Bichler is a Product Security Test Engineer with Boeing Test & Evaluation and Wisk Aerospace, focusing on cybersecurity testing of ground and autonomous systems, threat modeling, and penetration testing. He reluctantly conducts cyber audits against NIST 800-53 and DO-356/326. Bic is a retired Air Force Lieutenant Colonel who previously worked as a squadron commander of Air Force Cyber Protection Teams, at NSA Red Team as a Mission Commander, and with Air Force Cyber as an Offensive Planner, among a plethora of other military jobs. He has a bunch of cybersecurity certification alphabet soup that nobody here really cares about, but it makes him feel better about himself. He listens to far too much Texas Country music and Boston punk music for someone who lives in Colorado.
