Put your keyboard in the safe - best in class for security~!

Security

Author
We'll give developers, engineers, we'll give different practitioners the freedom to do what they want to do. But it's their responsibility to do it to a certain standard... My security tools have to be in lockstep with that. My tools can't block them from the freedom that is a core tenet of Netflix.

1. Definitions

  1. Note: This section assumes the cyber security professionals involved are competent; the open problem is getting the best outcome for both cyber security and the business.
  2. CVE (Common Vulnerabilities and Exposures) is a standard for identifying and cataloguing cyber security vulnerabilities and exposures in computer software and hardware. Each CVE entry provides a detailed explanation of a vulnerability, including its potential impact, how it can be exploited and, often, how it can be mitigated or resolved.

2. Goals

  1. Decide the appropriate trade-offs across threat vector, likelihood, severity, mitigation, timelines, cost and residual risk.
  2. Mitigation is not free, and even the best-theorized mitigations fail when they are not maintained.
  3. Move beyond theorycrafting and indecipherable threat-risk assessments to outlining threats with actual impact and likelihood, so the business can decide which risk to assume.
  4. Understand that cloud is as secure as, if not more secure than, on-prem systems, especially if you use native cloud services for logging and for alerting on anomalous behaviour.

3. Questions

  1. What sensitive data will my product handle, and how will it be secured (encryption, access controls, etc.)?
  2. Who am I afraid will attack me (threat actors and attack vectors)?
  3. How will they attack me, how long will they take, how likely are they to succeed?
  4. If they succeed, what do I lose, for how long?
  5. What are the options for mitigation, how much does each cost, how long does it take to implement and maintain, and how much human effort does it need?
  6. Despite mitigation, what residual risks do I need to live with, and what does each additional mitigation cost?
  7. If I'm brought down, how do I do disaster recovery and data restoration/validation?
  8. What third-party components or services will the product use?
  9. What is the strategy for managing vulnerabilities (CVEs) and patches?
  10. How will my product handle and respond to security incidents and breaches?
  11. How will my product's security be monitored and audited on an ongoing basis?
  12. What are the potential legal and regulatory implications related to my product's security?
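The trade-off in Goals 1-3 and in Questions 3-6 above (likelihood, loss, mitigation cost, residual risk) can be made concrete with a small annualised-loss model. The script below is an added illustration, not part of the original notes and not a method the author endorses: every threat, probability and dollar figure in it is constructed. It computes the unmitigated annual loss expectancy (ARO x SLE), the residual loss after a control, and whether the control's yearly cost is smaller than the risk it removes, and it re-runs the comparison with the control assumed only half as effective as claimed, which is one way to stop an arbitrary multiplier from deciding the answer on its own.

```python
"""Quantitative trade-off sketch: annualised loss vs. mitigation cost.

All threats, probabilities and currency figures below are constructed for
illustration; they are not data from the page or from any real assessment.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Threat:
    name: str
    annual_likelihood: float  # expected events per year (ARO); >1 means several a year
    loss_per_event: float     # single loss expectancy in currency units (SLE)


@dataclass(frozen=True)
class Mitigation:
    name: str
    annual_cost: float            # amortised build cost plus yearly upkeep
    likelihood_reduction: float   # fraction of events the control prevents, 0..1
    loss_reduction: float = 0.0   # fraction of per-event loss it removes, 0..1


def annual_loss_expectancy(threat: Threat) -> float:
    """Unmitigated ALE = ARO x SLE."""
    return threat.annual_likelihood * threat.loss_per_event


def residual_ale(threat: Threat, controls: List[Mitigation], effectiveness: float = 1.0) -> float:
    """ALE after applying the controls.

    `effectiveness` scales every claimed reduction: 1.0 takes the vendor's or
    architect's number at face value, 0.5 models a control that is only half
    as good as claimed (for example because nobody keeps it up to date).
    """
    likelihood = threat.annual_likelihood
    loss = threat.loss_per_event
    for control in controls:
        likelihood *= 1.0 - control.likelihood_reduction * effectiveness
        loss *= 1.0 - control.loss_reduction * effectiveness
    return likelihood * loss


def evaluate(threat: Threat, controls: List[Mitigation], effectiveness: float = 1.0) -> Dict[str, object]:
    """Return the figures a business owner needs to fund a control or accept the residual risk."""
    base = annual_loss_expectancy(threat)
    residual = residual_ale(threat, controls, effectiveness)
    cost = sum(control.annual_cost for control in controls)
    risk_removed = base - residual
    return {
        "threat": threat.name,
        "ale": base,
        "residual_ale": residual,
        "mitigation_cost": cost,
        "net_benefit": risk_removed - cost,  # positive: the spend is justified
        "worth_it": risk_removed > cost,
    }


# Constructed scenarios (hypothetical names and numbers, not real figures).
RANSOMWARE = Threat("ransomware encrypts the shared file store",
                    annual_likelihood=0.2, loss_per_event=500_000)
OFFLINE_BACKUPS = Mitigation("offline backups with quarterly restore test",
                             annual_cost=30_000, likelihood_reduction=0.0, loss_reduction=0.8)

LOW_VALUE_EXFIL = Threat("insider copies low-value dev fixtures",
                         annual_likelihood=0.5, loss_per_event=10_000)
DLP_SUITE = Mitigation("enterprise DLP suite", annual_cost=60_000, likelihood_reduction=0.7)


def decision_table(effectiveness: float = 1.0) -> List[Dict[str, object]]:
    """One row per threat/control pair, at the given assumed control effectiveness."""
    return [
        evaluate(RANSOMWARE, [OFFLINE_BACKUPS], effectiveness),
        evaluate(LOW_VALUE_EXFIL, [DLP_SUITE], effectiveness),
    ]


if __name__ == "__main__":
    for eff in (1.0, 0.5):
        print(f"--- controls assumed {eff:.0%} as effective as claimed ---")
        for row in decision_table(eff):
            verdict = "fund it" if row["worth_it"] else "accept the residual risk"
            print(f"{row['threat']}: ALE {row['ale']:,.0f} -> residual {row['residual_ale']:,.0f}, "
                  f"control cost {row['mitigation_cost']:,.0f}, net {row['net_benefit']:,.0f}, {verdict}")
```

In the constructed numbers the backup control pays for itself even when it is assumed to be half as effective, while the DLP suite costs far more than the risk it removes, so the second row is a residual risk for the business to accept knowingly rather than a control to buy. The point is not the specific figures but that each row states impact, likelihood, cost and remaining exposure in one currency that the business can argue with.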

4. Dealbreakers

  1. Cyber security guidelines hinder innovation - "It can't be done!"
  2. Cyber security cannot be questioned, yet it is poorly explained, quantified and verified.
  3. Business is not confident in taking on any risk because it cannot understand the risks, so it defaults to the most conservative option possible.
  4. Tons of money is spent tightening up every possible doomsday scenario you can think of.
  5. Cyber security lock-downs prevent the business from achieving its product outcomes (then what's the point?).
  6. We treat threat risk assessments as scripture, never mind that the scoring and likelihood multipliers are almost always set arbitrarily.
  7. We drink so much of our own Kool-Aid that we believe in the illusion that layering on more frameworks and theories helps, rather than looking at what top-tier companies actually do.

5. Suggestions

  1. I wish I could give you a solution, but I won't pretend to know the solution.