Doing IT Security: Organizational challenges
Laura Kocksch, Fraunhofer Institute for Secure Information Technologies / Ruhr University Bochum
RISCS Developer-Centred Security Workshop: 24th November 2016
Study I: „Can security become an organizational routine?“
Research interest (CS):
• Security tool adoption
• Anecdotal evidence in Computer Science
What happens when the topic "security" enters a software company? What effects do security consultings have on security in a software company?
Research interest (S):
• Technology adoption and sociotechnical situations
• Organizations consist of structure and agency
What practices are triggered by a security consulting? How does a security consulting affect organizational routines in a software development group?
What happens during a security consulting?
• Penetration test
• Submission of found security defects (internal tracking system)
• Face-to-face workshop training
• In-depth presentation of vulnerability types
• Hands-on hacking exercises („Hacking Challenge“)
• Fixing of found security defects
Long-term change?
Methods:
Results I:
• Great „euphoria“ right after the workshop…
• fixing activities ambitious…
• … but one-time event.
• Developers were dissatisfied with the outcome.
Why these results?
Organizational Routines:
[Image: Radschläger (own work) [CC BY-SA 2.5-2.0-1.0], via Wikimedia Commons]
The ostensive [structural] aspect of a routine is […] useful in that it helps us describe what we are doing in ways that make sense of our activities. It enables us to ask others to account for actions that seem unusual, and to provide reasonable accounts when we are called to explain.
(Feldman and Pentland 2003)
Manager and Developer Agreements:
“[any added feature] is gonna have to have security baked into it.”
“I would say, because we are working Scrum‐like, every team should take up these questions [of security].”
“There exists no rule book saying `for finishing this feature please spend two hours on security' [...] The idea is to set up teams to be self‐learning so that they consider it in the process from the very beginning, kind of trying to channel the `‐ilities.’”
“Actually I don't want that [strict guidelines] ... I don't wanna say it is necessary that someone from the top starts asking us to do certain things.”
“But if we only develop security features [...], the product manager has nothing [...] for the next sales training. [...] he has no shiny new features to show [...] no further checkbox to tick in a sales brochure. This is the mindset these folks are thinking in.”
“[...] if security is not on the list [of features], then is it really worth the time and extra energy to do it?”
Developers' Agreements:
“I mean we are developers because we enjoy it, I don't think any software developer does it because they are just making a paycheck [...] what you really enjoy is putting something together and seeing it work. [...] Security is not one of those things for most people I think, but it does need to be emphasized and we do need to prevent something from happening [...].”
Security lacks a „story line“
“Apart from the findings from the workshop there was never any feedback from the customer [...] That [feedback] would definitely motivate us.”
Lessons Learned
• Make security work accountable and tangible for all actors…
• Make security interesting…
• Establish security stakeholders respecting the organizational framework
Study II: „Can a system be planned secure?“
How to design SecurityByDesign?
Threat Modelling Techniques
Modelling Threats and Risks:
https://technet.microsoft.com/en-us/security/hh855044.aspx
[Image: by Chris Creagh (own work) [CC BY-SA 3.0]]
Are models a „Boundary Object“?
Boundary Objects are objects which are both plastic enough to adapt to local needs and the constraints of the several parties employing them, yet robust enough to maintain a common identity across sites. They are weakly structured in common use, and become strongly structured in individual use […]
(Star and Griesemer 1989)
Results II: Chicken and Egg
What are the IT security constraints for the software solution we want to build?
What shall the IT system look like that we need to secure?
[Images: by SunLadder (own work) [CC BY-SA 3.0], via Wikimedia Commons; by Thegreenj (own work) [CC-BY-SA-3.0], via Wikimedia Commons]
What IT system can you build?
What IT system do you need?
„Doing IT Security“
• Security poses challenges for organizational structure
• Defining security is not a linear process
• Security is not just like any other „-ility“
• Security is a sociotechnical challenge
• SecurityByDesign incorporates challenges on the developer's and the user's side (e.g. nudging/soft paternalism)
Selected Publications:
• A. Poller; L. Kocksch; S. Türpe; F. Epp; K. Kinder-Kurlanda: Can Security Become a Routine? A Study of Organizational Change in an Agile Software Development Group. Forthcoming: Proc. CSCW'17, Portland, OR, February 25–March 1, 2017.
• S. Türpe; L. Kocksch; A. Poller: Penetration Tests a Turning Point in Security Practices? Organizational Challenges and Implications in a Software Development Team. SOUPS'16, Denver, CO, June 22-24, 2016.
• A. Poller; S. Türpe; K. Kinder-Kurlanda: An Asset to Security Modeling? Analyzing Stakeholder Collaborations Instead of Threats to Assets. Proc. NSPW'14, Victoria, BC, September 15-18, 2014.
Andreas Poller & Sven Türpe: {andreas.poller, sven.türpe}@sit.fraunhofer.de
Laura Kocksch (RUB Bochum): [email protected]@gmail.com
Dr. Katharina Kinder-Kurlanda, GESIS-Leibniz-Institut für [email protected]
Fraunhofer Institute for Secure Information Technology, Rheinstrasse 75, 64295 Darmstadt, Germany, www.sit.fraunhofer.de