I play Jack of Information Disclosure

Video in TIB AV-Portal: I play Jack of Information Disclosure

How to do threat modeling via playing cards
CC Attribution 3.0 Germany:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
There is an almost inescapable conflict between software developers and security engineers. Multiple areas suffer from this conflict, one specifically being threat modeling, which does not work because of the lack of cooperation between security engineers and software developers. With the existing methods, security engineers do not get a proper picture of the real risks and software developers get no feeling for what to improve. Gamified threat modeling approaches like Cornucopia and Elevation of Privilege are designed to provide the missing common ground and a process that encourages exchange. As with playing cards, in their turn everyone plays their hand and the group discusses the threat that is described on the played card. The presentation will go through an example application and show the difference between the classical approach to threat modeling and Cornucopia/EoP. The audience is going to learn about a new methodology and get hands-on experience on how to do threat modeling by playing cards.

So hello everybody, welcome to my talk. First of all I hope everyone had a good lunch with the stomach flu, so who has ever posted a picture of their food? OK, you're not going to admit it. Let us get away, who is not on Facebook or Instagram? I know that here, thank you very much. So before you fall asleep because of the food, get the loaded the activity, because at the hacker conference they're talking about all kinds of fun stuff, so gear up, because you're going to see a mind-blowing presentation right now. This presentation is all about competition, and this presentation is going to talk about the real threats of life, the real dangers you have to face. This presentation is going to take over all of your minds, it will take all your souls. And this is a slide about me, working in security engineering for long; this is the slide where people usually talk about themselves, but I don't want to have too much of that, but there's no disclaimer for the talk.

First of all, as I stand here right now, I'm a prophet. If you would search Google for "prophet" at this instant it would drop pictures of me, it's true. I'm going to give you words of wisdom, I'm going to give you truth, and it's all so: sit back and accept everything I'm telling you unconditionally. But remember, if you go home and it doesn't work, I mean, I'm just a prophet, I'm giving no guarantees here. So what the prophet is saying is: the world is not going to end. I don't know if you heard it at this conference or you heard it at other conferences, you're going to hear security is broken, everything is lost, you cannot do anything. And I'm telling you that's not the case, and I'm going to give you a solution, a solution to happiness, to better management, to your car consuming less. And what I'm going to tell you is not magic, it's very simple, everyone can do it. So if you have no scar on your forehead or the force is not strong within you, don't worry, this talk is exactly for you. But if you are the kind of security engineer who always says no and it cannot be done, Harry Potter is going to take you away. So
let's talk about threat modeling. Before we start playing cards, because I know that's what many came for, let's discuss what threat modeling is, how you should do it, what the purpose of it is, and whether threat modeling is like unit testing or plain text is the one. But before we go into the following, first let's go and find out what a threat is, because a lot of trouble already begins with the misinterpretation of this word.

Now when I was searching the Internet for what a threat is, this is the picture I found. It seems all really nice, like right crocodiles are distracted you definite your balance the one ability. Now if you think about it, if a crocodile were a threat, then threat modeling would be something like this. OK, this is not threat modeling, it's a lot, so I'm going to give you a more proper definition of what a threat is, from the European Network and Information Security Agency, which says: a threat is any circumstance or event (I'd like to add "person" here) with the potential to adversely impact an asset through unauthorized access, destruction, disclosure, modification of data, and/or denial of service. Now I can't give you a picture as nice as the one with the crocodile, but I'm going to give you a picture that almost provides the same. Here I'm going to guide you through this picture and what it is all about. First of all, a threat always starts with a threat agent; the crocodiles in the picture would have been the threat agent, note that for threat modeling it made sense that. And also a threat always impacts an asset, more importantly it impacts something with a business impact. So drinking all the espresso or anything IP out of the booth, that's not a threat because it doesn't have a business impact for you. And finally, a threat always goes through some kind of weakness, through some kind of attack. So when you get an attack which tries to adversely affect your system, then you're really talking about a threat. So to summarize: a threat is not something ubiquitous, it's not the end of the world; a threat is something more specific, you can act on it, you can deal with it, you can do something about it. And now that I discussed threats,
let's also discuss modeling. Threat modeling should be about modeling with the words of moment, and also should consider three main things, which are the target audience, the purpose and the scope. I'm going to go through these from the bottom because it's easier to explain it. So what is the scope of threat modeling? A lot we'll see this global threat modeling; the scope of threat modeling should be your system or your software or something like that. So what is the purpose of threat modeling? The purpose of threat modeling should be to make the system more secure. Now let's stop here, because a lot of people don't do threat modeling to make the system more secure but rather to generate a report or create paper planes or whatever. So whenever you had a purpose other than the one I just mentioned for threat modeling, Harry Potter is going to take you away. So please, if you're doing threat modeling, always think about: how can I make the system more secure by doing this? And finally, the target audience. Now with the target audience it is important that, as what is said, you consider your target audience: who is going to read this, what can he do about this and how can he deal with it. So just handing out a report by itself is not going to help; as a matter of fact, if you're doing it that way the target audience for it looks something like this. Now you can recognize if you reached your target audience, you can recognize it by them saying "uh, it landed in my spam filter", "sorry, I have a new mail agent, I don't know how it works", or my favorite, "this avenue level by having that", yes. So if you see any of these sentences you know you reached your target audience. Now if you ever heard a sentence like this before, I beg you, never use threat modeling again, because if you reach your target audience like this you really started an epic battle, you started the epic battle between security and development.

Now I've been on both sides, a lot to talk about this at the battle, obviously what a comment is much better so I'm on the very side of it, but it's not the point. Let's start with what security engineers think of developers. Security engineers are always complaining that they didn't get a proper description of the system, they're complaining that the system description is not up to date, the documentation is not appropriate, they say the engineers don't know what the system is actually doing, they say the solution is too fuzzy, they say it's raining, I'm behind schedule, whatever. So they're going to complain about why they cannot do you a proper job. Now looking at the other side, what do the developers think of the security engineer? They are going to say, when they receive a report, that they can't do anything about it, that it doesn't make sense, they will say, well, this report has been created for the version we had two months ago so it's irrelevant, or they're going to look at it and say, well, I don't understand the threats described, they're irrelevant, nothing I could do about this, it's not a development task, this is something completely out of my scope. So let's have a look at this picture: who is that guy, that everyone is happy in that picture? He's like, oh my god, help me, I've been kidnapped, this is the second dress I have to wear. Now let's keep this poor guy, so let's say he's our developer.

So when we think about the target audience, when we think about the average developer, what are the things that we should assume about a developer? A developer is a good technician, he knows his technology, he knows the system he is working with broadly, he is quite proficient in it, and he's going to understand plain technical English. But this is something security engineers consider: I think developers are not going to understand, they're not speaking the same language as you are. Most importantly, developers are proud of their craftsmanship, they're proud of what they're doing, they're proud of what they're delivering, and they want to provide good software. If you give them the circumstances and the possibilities, they're going to deal with the important stuff; if you're working with them and telling them how to make something even better, they're absolutely happy to work for you, if you let them and if you are cooperating with them. Now having gone through the different aspects of modeling, let's go into threat modeling with an example.
Now I have to stop here, this is the only slide I have with bullet points, I'm really sorry about it, I had no idea how to present this in a different way. If you ask me, I'm completely against bullet points; if there was a petition against bullet points I would sign it immediately. I saw a headline just the last time that said something like "murdered by bullet points". But let's go through this slide, the steps of threat modeling. First of all you have to identify your objectives, then you survey the application and decompose it, and then you identify, document and rate the threats. Is there something missing in this area? So if you think again about your target audience, is he going to understand? Well, this is quite clear at this point, there's nothing fancy about these steps, so your developers specifically can work with this. Now I said we're going to use threat modeling on an example, so the example is going to be a web shop. Now what I'd like you to do when we talk about this web shop is that you imagine all kinds of functionality you know from a web shop and say it is in there. OK, so if you know anything in a web shop and you think it's relevant, let's assume this functionality is in this example. So quickly, what does a web shop consist of? It consists of a website obviously, the website has an integrated admin functionality, it will have a back-end server where the logic is running, the server is going to have a configuration with the production keys, connection strings, the keys to external services, you're going to have a database with products, and you're going to have a mail server where you can send out announcements or updates or send shipping information, but you can also receive orders by hand in e-mails, which then the employees are going to put into the database. Now the second step for threat modeling was, well OK, so this text should be saying "identify assets". So what are your assets? Your assets are what you want to protect: the infrastructure, obviously you want to protect your customer data, hopefully you have some privileged employee accounts in your system, and you want to protect the reputation of the company in question. Is this understandable for the target audience? Again there's nothing difficult about this, so if you explain this to a developer it should be fine dealing with.

OK, so the next step of threat modeling was to survey the application and decompose it. Now I already presented the high-level diagram of this, but what we usually do is draw a data flow diagram of the system. Now when I'm doing this step I usually involve the developers, I sit together with the developers and talk about the system, draw this diagram together and identify what's happening. Why a data flow diagram is really good for this purpose is because there you can identify the trust boundary of your system and you can say what kind of data is leaving your system, what kind of data is coming in. Again, that's something a developer understands. I would also emphasize involving your developers in doing this, because my experience was that I had senior developers and was working with them while drawing the diagram, and most of the developers were like "proof, this is how the system works", but they didn't say "proof", they really didn't know how the system works under the hood. Now for the next steps I'm going to divide this talk into two parts: we're going to talk about the classical approach to threat modeling, then we're going to talk about the gamified approach to threat modeling. So the two
stage classical approach to threat modeling: I'm going to go through these last three steps, which are identify threats, document them and rate them, now specifically only talking about the classical approach. Now the first time my boss came to me and said, well, could you do threat modeling for this thing, I was like, yeah sure, easy, isn't it, I've heard about it, I learned about it at school, and then I just did some literature research. Now I'm going to find all the details about the magic: how to do it, what is the best methodology, how to identify the really important threats, how to rate the risks of these items. Now as it turns out, what's out there regarding methodology for threat modeling is truly disappointing, so you actually are going to get no real help in doing it. Let me show you some examples.

So as I was searching the literature, this was the first piece of advice that I came across. It says: bring members of the development and test teams together to conduct an informed brainstorming session in front of a whiteboard. Now, I don't know how you feel about it, but I have no clue what an informed brainstorming should be, I've never heard of something such as an informed brainstorming, but it must be something: if there's a whiteboard it gets informed or something. OK, so this didn't help, so I moved on to the next piece, which said: you get a set of experienced experts in a room and give them a way to take notes, and let them go; the quality of the brainstorm is bound by the experience of the brainstormers and the amount of time spent. Now really, it's experience and time spent, that's what's going to define a good threat model. So the question is, how much time do I need for a good threat model? But everybody's going to say it depends: how complex the system is, how good your experts are, how many threats you want to identify. OK, this is not helping, there must be some more specific information about how much time. So I read this line over and over and realized it actually gives you a hint about it: it tells you, you have to let them go. So put your security engineers who often fail to provide a good threat model, and that's it, they're gone, you never see them again, you have to let them go. But this is something which is, like we said, advice like this, so let's move on, there must be something better out there, right? So I was sort of looking at all kinds of lectures, lectures on YouTube videos, so one guy said: the process that you're going to go through is, what are all of the different types of attacks that could make sense for this threat agent to get an asset. So reading this, it says go through all of the different types of attacks, but I don't know if you're familiar with the Common Attack Pattern Enumeration, it contains a thousand of those, and if you go through all the permutations of threat agent and asset and all the different types of attacks, the process, if you try to do that, is sort of going to explode so quickly. Let's move on to the next one, which was just: most security professionals can just think and know what all the outcomes are. Right, they just have to think and know everything. So next time this guy comes along, a security engineer, you should hire him, because he can just think and know all the outcomes there are. Now if this is the advice we can give on methodology, I don't know what to expect in the next steps, but let's try. So documenting,
writing the threat report, is usually going to look something like this. But I would like to take a moment and take this report seriously: so that's well written, right? It talks about threats, it talks about effects and impacts and possible controls, so this is something you can give your developers that they should work with, right? Now always, if you give this to a developer he is going to kill you, he is going to use those two fingers and cause you agony, cause you pain and death, really. If you look at some of the sentences, yeah OK, this is an example I got from a report for a water system. Look at the sentence, it says something like: access to all selection information system by individuals or machines, resulting in a loss of... The problem is, I don't even understand that sentence, and if I understood it, what could I do about this? It's completely irrelevant, there's nothing you can do, it is just telling you what you shouldn't do, telling you what the problem can be. Now if you take this example and try to apply it to a different view, let's apply it to architecture. If I'm telling architects what could go wrong, this is what you get: the car may get stolen on the ground floor, or the overhead cables may fall down, or I don't even know what's best here, I guess they might be insulted by words like that. So if you're doing something like this, if you're just telling people what could go wrong, what they shouldn't do, again, please stop doing it, you're just harming, you're just starting that epic battle, search for a different job please.

So let's talk about the gamified approach to this, again going through these three steps. So for the first step, it
says identify threats, for which you can use the games Cornucopia and Elevation of Privilege. So these games are quite similar: Cornucopia has a better, more focused approach to web applications, while Elevation of Privilege tries to be a little bit more generic, discussing a wider class of threats. And as a matter of fact these games really work like a card game. So what you do is you get your developers, senior engineers, the security engineer in one room, you're going to hand out the cards, and then you play rounds, always playing one color at a time, so everyone has to play the specified color, and the person with the highest card in the round is going to get a point. So that's quite easy. The addition to it is that each card contains a description of a threat, so when you're playing the card you try to apply that threat to your system, you try to identify some specific threat in your system that could be exploited, and if you succeed in finding something you'll get a point for that. So in the end you will have someone with the most points, so there is also some kind of reward for the winner, or some kind of motivation to participate in this game.

So let's look at the details. In Cornucopia, each card has a suit, and the suits are different classes of attacks or threats: there's data validation, authentication, authorization, cryptography, session management, and you've got a wild class which is Cornucopia. Then the card is going to have a rank, so the higher the rank, the more severe the threat would be to your system; also this is going to define who won the round of the game. And the most important part of the card is the description of the threat. So every time someone plays a card he is reading this threat aloud and he's trying to apply it to the specified system they are investigating. Now if there are any questions about what this threat is or what to do about it, there are also a number of references on the card, like to the secure coding practices, the Application Security Verification Standard or the Common Attack Pattern Enumeration, so if you've got questions about what to do about it, there's also a lot of additional material you could look into. Can a developer understand this? Yes, of course he can understand it, it's absolutely natural English language with a lot of additional material; if you have any problems, it's a simple game, he just has to participate and he's going to use all the experience and knowledge he has about it. So what we're
going to do next is play a game. So some of you received cards when they came in, so we're going to use our web shop example to try out how it works, to apply the threats from the cards to this system. So let me recap what we're going to do: we're going to go one suit at a time, so we're going to start with authentication. Everyone who has a card with authentication on it should read whether they find how this threat could be applied to the system, and then you put your hands up, and they're going to read aloud the description of the threat, and we are going to look at how to apply the threat to this system, and when we have finished with authentication we're going to move on. So the point is to play the highest ranked card in the given suit, so if you start by playing the 4 of authentication, the next person would try to play something higher, like the 8 or the jack of authentication. So first of all, who has an authentication card in their hand? Please, hands up. There must be more than that. OK, so please have a look at your authentication card, read the threat, try to find it, and remember this is a typical web shop, so probably, I was saying, certainly the threat you have in your hand is going to apply to this system. So check the threat on your card, and if you find where your card could be applied to the system, raise a hand and we're going to look it up. Could we have some lights for the audience so they can read their cards? Thank you. So we are playing authentication, so anyone who can apply an authentication card in their hand, please raise your hands. I think my notes, so I know what cards you have: well, you can think of problems like finding out user names in the system, right, that's something you shouldn't be able to find out. How could you find the user names in this system? So you can read it, say the rank of the card and the rank used for, yeah: "Sebastien can easily identify user names or can enumerate them." Yes, exactly. How could Sebastien identify user names in this system? So as I said, it's a typical web application, where do you usually find user names in the system? Yes... those are great examples, but this is a web shop, you don't need to go that far: you can find all the user names in the customer reviews, you can find the user names by trying to register them and being told about it, this is how it... yeah, exactly. Yeah, out own recording the neuron so we see that again. Now let's move on, we've got limited time.

So next card: we've had the 4 of authentication, any higher cards in authentication? Rank 7, yeah: "Sissy can use brute force and dictionary attacks against one or many accounts without limit, or these attacks are simplified due to insufficient complexity, length, expiration and reuse requirements for passwords." Great, so how could you apply this? Well, where would you try to brute-force here? At the login, yeah, so you could use a simple brute force, because there are no CAPTCHAs, there is no throttling, and one more thing like that. OK, so the one with the higher card in authentication, OK, so let's move on, authentication done, next let's go to authorization. So authorization cards, who has authorization cards? We see it, yes, OK. So try to apply the threat on your card to this system and if you can please put your hand up, and we can go there with the mike. Authorization, OK, there, together, mike mode, so the rank is... OK, and then: "Dennis can access security configuration information or access control lists." OK, so why would this happen actually? Dennis can access the... and exactly, so if you look at the diagram, that's why it's important to have a bit of a diagram that I don't have the most of, so here you see that employees can actually access the configuration, so they're going to be able to access all the server configuration and all the information like logs and whatever, which you probably shouldn't do. OK, so well, that was already the highest card in authorization,
positions so let's move on to data validation allocated joker card yes you can play the joker card at any moment that's that's your privilege 1 moment you get them might so I also realize that the blame for the command axis through the w's and the maybe have a big yeah exactly so you should limit the access to the database because we said that there are manual products requests or orders that employers are going to write into the database manually so that's something you shouldn't do you should limit who has access to the database and most of the stuff shouldn't have access to so great that and singing data validation data alright I got a king which says gate can inject data in the server side interpreter SQL always commands XPath ever Sejnowski SMTP because the strongly typed parameterize interface is not being used has not been implemented correct I would start by the longing for their loading word simply a sequence of actions by the user anyway fields fossil fuel whatever financing make note of that yeah it's like being so close only the highest card so we've got to cryptography anyone cryptography got that the tag of the lowest free of cryptographic axle commodified transcend permanent data store stored or in transit or source code patches or contribution here because it is not subject and duty checking that why would that happen you of I think basically can do in here but 1 interesting point is anything of the sort patches so you can actually were critical to so so rational boss something different so for example it doesn't it it blocks orders for someone else or modifies the payments to 0 so you can buy stuff for free exactly yeah so it's something which is often neglected are militias employs insider threats so if you have a cold updates or configuration of database update your your internal employees you also have to put some controls and there you have to ensure that someone is not just inserting some malicious code in your system because you say you trust 
all your developers. The bad news is 80 per cent of the attacks happen by insiders. OK, so you should consider that.

So cryptography, or you already had a card? Overcome all that. Jack again, just think: the credentials for accessing the internal or external resources, services and other systems, because they are stored in an unencrypted form, saved in the source code. So why would this happen here? Well, obviously one of your employees can read the source code, but I hope you're not that dumb. So you can still be dumb enough to put a team configuration in there, and then, when it was that, need probably... exactly. So please hash your password. OK, you would use... shall yes... in which you have adaptive algorithms that they never tell developers to use. That's exactly it. I would say that you should go for it, but use scrypt. Yeah, thank you very much.

OK, so quickly, before we run out of time: Cornucopia. Let's play one Cornucopia. Who has a Cornucopia? So you unfortunately have to play. So this is rank number four: "can perform an action that it's not possible to attribute to her". So why would you do this? OK, thank you. So again, as I said, consider insider threats. So if employees are allowed to do privileged actions on your system, that's OK, but have an audit log of it, have the trace of what kinds of events happened, who did it, so if anything goes wrong you have a chance to look up where it came from. If you cannot stop the attack anymore, at least be able to find out where it came from. OK, so thank you very much for participating in the game.

Let's go on, because I only have 5 minutes left. So normally what you would do is, during playing the game, when someone applies this threat to the system, then take notes. In the notes you would write down which card it was, you would write down who played the card so you can count scores at the end, and you would have notes about the
specific description: what the threat was, where it happened, what the causes and solutions are. Now what I like to do, and that's been the picture, what I like to do is to have a developer do all these notes. Why? Because I usually don't know the names of all the people in the room with us, but apart from that, I can be sure that when he's taking notes he's going to write something down he's going to understand; he's going to write something down that, based on his system knowledge and his technological knowledge, he can apply, he can understand it later on, and the developers looking at it are going to understand what the threat is about. It's not going to be me formalizing some strange text. So the next
step would be rating your threats. So what I usually do here is, after we have the discussion, the game, have the developers put all the issues they have written into the usual ticketing system and then invite them into a meeting. I usually like to have the product owner, I like to have some senior engineer or development lead, and then some two senior developers, so not everyone has to be in this meeting. And what you are going to do there, and why it's important to have these people at one table, is because then you can really assess the risk of individual items. It's not going to be you as an outsider saying, well, this is a severe issue because it has a high probability; perhaps you don't know. But if you have these people, the product owner can tell you how many customers you have, how important this feature is; that might be somewhere in the simplest things, but if you have important customers using that feature it is going to get into the risk items. Also you're going to have the developers there, so they're going to tell you how difficult it is to exploit, whether or not.

So can we work with this? Well, of course you can, because you're putting all the information into his usual ticketing system, putting the information into his usual workflow. So when he's leaving that meeting you already have a prioritized list of backlog items he can immediately pick up; he has a description of the specific item he should be working on, and if he doesn't know what to do about it, you've met him so many times that by now he's going to come to you and he's going to talk to you. And you're also going to understand what happened, because you were involved in the whole process and know what they're talking about. So,
summarizing, we compared the classical approach to threat modeling to the gamified approach, but the question is: what have we learned?

So, on this threat modeling, we've learned that classical security engineers have no methodology, they are absolutely ad hoc, you get no insight, so better get someone from the outside to do it. You learn that security engineers are constantly battling against developers, constantly bashing them for what they did wrong, but this actually is not going to cause any kind of improvement to the security, and classical threat modeling is going to end up in things like this. So classical threat modeling can be applied to everything and it's going to work with everything, but it's as good as using a hammer with a screw: you can do it, it's going to cause a lot of damage, but by the end you're going to have the screw in.

All right, so compared to this, the gamified approach is going to bring everyone together, and everyone's going to get to know each other, raise awareness in the developers and in the security engineers, and have some results by the end of the meeting, and you're going to have items which are obvious, which can be worked on by the developers, which are actionable. But as a final note: take care that you don't go too much into details, because you have just so many cards, and developers like to go into detail, so sometimes you have to make a step back and try to apply a little broader view. But that's the only trade-off you have to make. So with that, thank you very much,
thank you for having me and