Our engineers are going from software engineers to software + infrastructure + network + database engineers, and they’re delivering faster. In an environment of continuous deployment how can we ensure that as security teams we’re scaling as fast as our applications are?
In this talk we’re going to be covering how we turn our engineers blue. Not sad; not by telling them to fix every possible threat vector before building any new features and not by saying no. We’re going to start turning them into our extended blue team, giving them tools, techniques and processes to better secure our estate.
We’re going to be covering off a few different TTP’s for our engineers using real threat models as examples;
How to use incidents to evolve our threat models
- Using incidents to better evolve our understanding of the threat landscape
- Determining other attack vectors that could contribute to the same outcome as the incident (with threat example)
- How to create incremental threat models/ rapid threat models
- Why and how we should write and use security tests to validate our models
- How to use BDD tests (and contribute to the Cloud security OWASP project)
- Why we should write tests for threat vectors we have proven mitigations for (with threat example)
- How to use tests to educate product owners/ project managers on threat vectors
The power of POC’ing attack vectors from our models to evolve them further.
- Example: Cloudfront subdomain hijacking
- Using POC's to discover new threat vectors and provide security awareness training for engineers
How we build, evolve, share and ultimately transfer ownership of these models to our engineering teams - teaching them to be our blue team.
- How to create security champions (building programs, what programs should include)
- How to integrate rapid threat modeling into the SDLC
