book

Building a Modern Security Program

August 2018

Intermediate to advanced

45 pages

1h 2m

English

Read now

Unlock full access

How DevOps and the Cloud Change the Challenges Security Teams FaceThe Problems with WaterfallDeveloping and Iterating on Production: A Perspective ShiftFocusing on Mean Time to Reaction
Tools for Continuous DevelopmentFeature FlagsRamp UpsA/B TestingInstrumentation and Visibility to the OrganizationMake Information Available for Everyone, Not Just the Security TeamChange Binary Thinking About ThreatsAccess Control
Communicate with Empathy (aka Don’t Be a Jerk)Make Realistic Trade-offsExplain a Vulnerability’s Impact Without JargonReward Communication with the Security TeamTake the False-Positive Hit YourselfScale via Team Leads
The Concerns about Bug-Bounty ProgramsThe Goals of a Bug-Bounty ProgramLaunching a Bug-Bounty ProgramProvide Specific Guidelines and ProcessesRecord Expectations and Goal-Based MetricsInform All Teams Before the Bug-Bounty LaunchReview Helper Systems for Scaling ProblemsAttacks Will Begin Almost ImmediatelyCommunicating with Researchers
Attack Simulations versus Pen-TestingLaying the Groundwork for an Attack SimulationGoalsFull Organization in ScopeConducting the Attack SimulationSimulate Realistic Compromise PatternsSimulate Varied Attack ProfilesBreak the Simulation into IterationsAttack Simulation OutputConclusions