2019-045-Part 2-Noid, Dave Dittrich, empowered teams, features vs. security
Published December 18, 2019
62 min

    The day after part 1

    Keybase halted the spacedrop the day after the first podcast was recorded...

     

    Security failures in implementation

        “We need to push this to market, we’ll patch it later!”

     

    Risk management discussion for project managers (PMP)

     

    CIA Triad… where do ‘business goals’ fit? Security is often at odds with the bottom line

        **Reference Noid’s Bsides Seattle talk and podcast earlier this year.**



    Other companies that have made security mistakes in the name of business

     

    Practical Pentest Labs storing passwords in the clear

    https://twitter.com/mortalhys/status/1202867037120475136

    https://web.archive.org/web/20191207132548/https://twitter.com/mortalhys/status/1202867037120475136 

    https://twitter.com/piaviation/status/1202994484172218368



    T-Mobile Austria partial password issues:

    https://www.pcmag.com/news/360301/t-mobile-austria-admits-to-storing-passwords-partly-in-clear

        No one was championing security, because no one considered the problems with keeping part of the passphrase recoverable: anything stored in the clear is exposed to whoever can read the database, and a known prefix shrinks the guessing space for the rest.

        Marketing staff running your social media accounts do NOT help allay security concerns (they had no escalation procedure for vulnerability disclosure)

            Insiders with database or support-tool access could take over accounts
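Both cases above come down to the same implementation choice: something about the password is kept recoverable instead of being reduced to a salted, slow hash. The following Python is an added example, not code from the podcast or from either company mentioned. It contrasts a partial-cleartext record (the four-character prefix length is an assumption for illustration) with a salted scrypt record, and computes how much a known prefix shrinks an attacker's remaining search space. The sample password is constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample password for the demonstration (not a real credential).
SAMPLE_PASSWORD = "Tr0ub4dor&3"


# --- The failure mode: part of the password stored recoverably ---------------
def store_partial_clear(password: str, prefix_len: int = 4) -> dict:
    """Keep the first `prefix_len` characters in the clear so support staff can
    'check' them, alongside a hash of the whole password.  The prefix is exactly
    what an insider with database or support-tool access gets for free.
    (prefix_len=4 is an assumption for illustration.)"""
    return {
        "prefix": password[:prefix_len],
        # Unsalted, fast SHA-256 is itself a weak choice; it is here only to show
        # that a hash next to a cleartext prefix does not undo the leak.
        "hash": hashlib.sha256(password.encode()).hexdigest(),
    }


def remaining_search_space(alphabet_size: int, length: int, known_prefix: int) -> int:
    """Candidates an attacker must still try once `known_prefix` characters of a
    `length`-character password over `alphabet_size` symbols are known:
    alphabet_size ** (length - known_prefix)."""
    return alphabet_size ** max(length - known_prefix, 0)


# --- Hardened: salted, memory-hard KDF; nothing about the password is recoverable
# 128 * n * r = 16 MiB of memory per guess, inside hashlib's default maxmem.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def store_hashed(password: str, salt: Optional[bytes] = None) -> dict:
    """Store only a per-user random salt and the scrypt output."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the KDF and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.scrypt(candidate.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    leaky = store_partial_clear(SAMPLE_PASSWORD)
    print("partial-clear record:", leaky)
    full = remaining_search_space(62, 8, 0)
    reduced = remaining_search_space(62, 8, len(leaky["prefix"]))
    print(f"8-char alnum password: {full} guesses, {reduced} once the prefix is known "
          f"({full // reduced}x easier)")

    safe = store_hashed(SAMPLE_PASSWORD)
    print("hashed record:", safe)
    print("verify correct:", verify(safe, SAMPLE_PASSWORD))
    print("verify wrong:  ", verify(safe, SAMPLE_PASSWORD + "x"))
```

The point of the hardened record is that a support agent can no longer "see the first four characters", and that is a feature: if the business needs an out-of-band identity check for phone support, it has to be a separate secret, not a slice of the login password.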

     

    Follow-up from last week’s show with Bea Hughes:

     

    I liked the interesting discussion about security and DevOps teams with Bea Hughes in your recent podcast. When you mentioned you are taking your PMP for agile I'm surprised you did not mention the term "product owner". You were asking who cares about security that you, as a security guy, can talk to. Bea mentioned that it was the "stakeholders", but in the agile process the "product owner" is the team's advocate for the "stakeholders".

     

    And, you also mentioned "PM", as in project manager. In an agile world, the typical PM role is minimized. Actually, the PM is removed entirely ideally in favor of empowered teams. Empowered teams understand that good products are reliable and secure. (Secure because the security CIA includes "availability" and "integrity" aka reliability.)

     

    As Director of DevOps for my 4,000-person-strong consulting company I'm working with our security team to push responsibility for security to our development teams. Empowering them to take the time and bear the costs of using security tools prior to release and during system operation is what we are working on now, as we roll into 2020.

     

    **If the ‘product owner’ or ‘empowered team’ does not consider security a priority/requirement, then who champions security? It only becomes a priority when something bad happens, like a breach.**

     

    “Empowered teams”

     Some people aren’t fans:   https://hackernoon.com/the-surprising-misery-of-empowered-teams-35c3679cf11e

    Check out our Store on Teepub! https://brakesec.com/store

    Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

    #Brakesec Store!: https://www.teepublic.com/user/bdspodcast

    #Spotify: https://brakesec.com/spotifyBDS

    #RSS: https://brakesec.com/BrakesecRSS

    #Youtube Channel: http://www.youtube.com/c/BDSPodcast

    #iTunes Store Link: https://brakesec.com/BDSiTunes

    #Google Play Store: https://brakesec.com/BDS-GooglePlay

    Our main site: https://brakesec.com/bdswebsite

    #iHeartRadio App: https://brakesec.com/iHeartBrakesec

    #SoundCloud: https://brakesec.com/SoundcloudBrakesec

    Comments, Questions, Feedback: bds.podcast@gmail.com

    Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon: https://brakesec.com/BDSPatreon

    #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

    #Player.FM: https://brakesec.com/BDS-PlayerFM

    #Stitcher Network: https://brakesec.com/BrakeSecStitcher

    #TuneIn Radio App: https://brakesec.com/TuneInBrakesec
