Susan Sons

Sometimes, we have to do information security without a playbook.  Sometimes, we have to evaluate the playbook and figure out if it's well-written, or if it is the right playbook for a specific context.  In order to practice information security beyond compliance regimes and best practices lists, we need to understand where security comes from.

In this presentation, Susan Sons will introduce the Information Security Practice Principles developed by her and colleagues at Indiana University's Center for Applied Cybersecurity Research.  The ISPPs offer a  mental model for reasoning about, planning for, and communicating security needs that starts from the basics and is easily translated into practical social and technical controls.  While most information security professionals, programmers, and systems administrators who can secure the unknown got there through years of hard-won trial-by-fire, there's now a guidebook, in the form of the ISPPs, to help technology practitioners not just get to that point faster, but to help their management and other non-technical contacts get on board with security needs and processes.  CACR's work with research and development technologies across throughout the US and abroad have forced them to learn to be adaptable while also demonstrating that recommendations and critiques were not pulled from a hat.  We hope to pass on these tools to others.

This day-long workshop will provide practical instruction in six essential activities that every security-conscious software engineer, software architect, and software project manager should know:

• Code Triage, Code Rescue -- Take on a new, complex code base and rapidly find out where the biggest burning issues are, then make and execute a plan to untangle them.
• Building and Maintaining Security Programs  -- Build security into the development process in a way that enables the production of great software, rather than inhibits it.
  
• Security Culture 101 -- How to get an organization on board with secure software development practices, from the top down and bottom up.
  
• Distribution Logistics -- How many vulnerable points exist in the chain between your developers and consumers, where malicious software could be injected into your trusted product?
  
• Communicating Security -- How to get credit for your security accomplishments, and how to keep security expectations clear and reasonable within and outside the team.
  
• Vulnerability Response Without Losing Your Mind -- Take a first responder's approach to fixing software vulnerabilities: get it done right and fast, without destroying your people or your code base along the way.
  

Preparing For the Workshop

• Attendees should have experience developing software as part of a team, in any programming language.
• Attendees should understand spoken and written English.
  
• Bring a note-taking medium of choice.
• You may also want a laptop or tablet to reference web resources during the workshop.

What to Expect

We won't get very deep into any particular code base: this is a completely programming language neutral presentation. We'll be focused on the process of producing secure and reliable code: what your team needs and what they need to do. The workshop is a combination of lecture, Q&A, and some planning and communication activities.

You'll  receive, included with the workshop, some print and digital reference material to help you put what you've learned into action.