Security

Definitions

Cybersecurity context
Note: This section assumes the cyber security professionals involved are competent, and that the open question is how to get the best outcome for both security and the business.
Common Vulnerabilities and Exposures (CVE)
A standard for identifying and cataloguing publicly known cybersecurity vulnerabilities in software and hardware. Each CVE record carries a unique identifier, a short description of the flaw and references; severity scores (CVSS), exploitation detail and fix guidance usually come from separate sources such as the NVD, vendor advisories and package maintainers, so a CVE ID on its own does not tell you how bad a finding is in your environment.

Goals

  1. Decide the appropriate trade-offs across threat vector, likelihood, severity, mitigation, timelines, cost and residual risk.
  2. Mitigation is not free, and even the best-designed mitigations fail when they are not maintained.
  3. Move beyond theorycrafting and indecipherable threat-risk assessments to outlining threats with actual impact and likelihood, so the business can decide which risks to assume.
  4. Cloud is at least as secure as on-prem when it is configured properly, especially when native cloud services handle logging and alerting on anomalous behaviour.

Questions

What sensitive data will my product handle, and how will it be secured (encryption, access controls, etc.)?
Who am I afraid of attacking me (threat actors)?
How will they attack me (attack vectors), how long will it take them, and how likely are they to succeed?
If they succeed, what do I lose, and for how long?
What are the options for mitigation, how much does each cost, how long does it take to implement and maintain, and how much staff effort does it need?
Despite mitigation, what residual risks do I have to live with, and how much additional cost does each mitigation add?
If I'm brought down, how do I do disaster recovery and data restoration/validation?
What third-party components or services will the product use?
How will my product handle and respond to security incidents and breaches?
How will my product's security be monitored and audited on an ongoing basis?
What are the potential legal and regulatory implications related to my product's security?

Alarm Bells

They say: We can't work on <insert critical backend task> yet, because it might derail our upcoming release, and I'd rather focus on deploying the new release.
Why I'd be scared: Our haste to push out a new release should not prevent us from doing the right thing, especially patching and reliability work.

They say: I need a waiver for EOL/EOS stuff, because we're waiting for <insert workstream with multiple involved parties> before we can proceed with the upgrade/rebuild.
Why I'd be scared: Upgrading off EOL/EOS software takes precedence over everything else, especially when the thing we're waiting on is a long-drawn-out decision.

They say: (You are shown rows of CVEs, package names, EC2 instances and technical terms.)
Why I'd be scared: Ask what each CVE covers, the risk it presents here, whether the affected code is actually reachable on that host, and the implication if it is exploited. A vulnerability in the runtime environment is very different from one in a UI library.
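
As an added worked example (not code from the original page), the Python below does what the Goals, Questions and the last alarm bell ask for: it ranks a constructed set of scan findings by expected business loss rather than by CVSS score or row count, rolls them up per host so the discussion is about blast radius, and compares a mitigation's yearly cost against the risk it removes to expose the residual risk. The CVE-0000-000N identifiers, the component weights and the dollar figures are placeholders I have assumed for illustration; they are not real vulnerabilities or a published scoring standard.

```python
"""Rank vulnerability findings by expected business loss instead of by row count.

Added example, not code from the page. All findings, CVE-0000-000N identifiers,
weights and dollar figures below are constructed placeholders, not real data.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed impact multiplier per component class: a compromised runtime (JVM,
# Node, libc, kernel) hands over the whole host, a UI library at most one
# browser session, a dev-only tool is not even deployed.
IMPACT_WEIGHT = {"runtime": 1.0, "server-lib": 0.8, "ui-lib": 0.3, "dev-tool": 0.1}


@dataclass(frozen=True)
class Finding:
    cve: str            # placeholder identifier, e.g. CVE-0000-0001
    package: str
    component: str      # key into IMPACT_WEIGHT
    host: str           # e.g. an EC2 instance id
    cvss: float         # CVSS base score, 0-10
    internet_facing: bool
    exploit_public: bool
    data_value: float   # assumed loss in dollars if this host is fully breached


def likelihood(f: Finding) -> float:
    """Assumed yearly probability of exploitation: CVSS sets the baseline,
    reachability from the internet and a public exploit each double it."""
    p = f.cvss / 10 * 0.5
    if f.internet_facing:
        p *= 2
    if f.exploit_public:
        p *= 2
    return min(p, 1.0)


def expected_loss(f: Finding) -> float:
    """Annualised expected loss = likelihood x impact weight x value at risk."""
    return likelihood(f) * IMPACT_WEIGHT[f.component] * f.data_value


def rank(findings):
    """Highest expected loss first, which is the order to discuss them in."""
    return sorted(findings, key=expected_loss, reverse=True)


def by_host(findings):
    """Roll findings up per host so the conversation is about blast radius."""
    totals = defaultdict(float)
    for f in findings:
        totals[f.host] += expected_loss(f)
    return dict(totals)


def worth_fixing(findings, annual_cost, reduction):
    """Compare a mitigation's yearly cost with the risk it removes.

    reduction is the fraction of expected loss the mitigation eliminates.
    Returns (risk_before, residual_risk, net_benefit); a negative net benefit
    means the business is paying more than the risk is worth."""
    before = sum(expected_loss(f) for f in findings)
    residual = before * (1 - reduction)
    return before, residual, (before - residual) - annual_cost


# Constructed sample scan output. Note that rows 1 and 2 have the same CVSS
# score but very different consequences.
SAMPLE = [
    Finding("CVE-0000-0001", "openjdk", "runtime", "i-0aaa", 9.8, True, True, 500_000),
    Finding("CVE-0000-0002", "react-dom", "ui-lib", "i-0aaa", 9.8, True, True, 500_000),
    Finding("CVE-0000-0003", "glibc", "runtime", "i-0bbb", 7.5, False, False, 50_000),
    Finding("CVE-0000-0004", "eslint", "dev-tool", "i-0ccc", 9.1, False, True, 10_000),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f"{f.cve} {f.package:10} {f.component:10} {f.host}  "
              f"p={likelihood(f):.2f}  expected loss=${expected_loss(f):,.0f}")
    print("per host:", by_host(SAMPLE))
    before, residual, net = worth_fixing(SAMPLE, annual_cost=100_000, reduction=0.9)
    print(f"risk ${before:,.0f} -> residual ${residual:,.0f}, net benefit ${net:,.0f}")
```

The point of the model is the shape, not the numbers: two findings with identical CVSS scores on the same host end up a factor of three apart because one is in the runtime and one in a UI library, the dev-only tool with a public exploit drops to the bottom, and the same function that produces the ranking also states the residual risk the business is being asked to accept after paying for a mitigation.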

Dealbreakers

Nothing here!
© 2024-2025 Zixian Chen. All views expressed here are solely mine.