AppSecCali 2019 – The Art of Vulnerability Management

“I’ll just ignore these tickets until they disappear”
“These security tickets are ruining my product roadmap”
“This is the most obscure special case of security, something like this can never happen in real life”
“Yes, I will fix this in………2022.”

We have all heard these things from engineering teams when it comes to vulnerability management (or mismanagement). On the other side, security teams constantly feel that engineers are not listening to them or do not care about security.

How can we move beyond this hostile relationship and work together to address vulnerabilities to make real progress?
How can we create a sense of urgency and ownership for security so that everyone is responsible for it?
How do we provide a great customer experience for everyone involved in the vulnerability management process?

In this talk, we share how we transformed our vulnerability management process from a tedious or invisible process to a collaborative process that promotes accountability and transparency.

To change the perception of vulnerability management, we wanted to engage with the people most affected by the program. During the initial research, we interviewed security experts, development teams, release management, development leadership, security engineers, and compliance staff. It was important to understand the perspective of our users so we could steer the discussion of vulnerability management toward a more decentralized model. From the moment a vulnerability is opened (whether by an automated tool or a human), many decisions must be made. In this talk, we discuss the parameters we put in place for every step in the life of a bug. Whether it is using CVSS v3 scores to prioritize vulnerabilities, recommending due dates, allowing engineers to estimate the scope of work and propose their own due date, or how tickets are acknowledged in the first place, you will learn the practices we found successful in building a strong and increasingly mature vulnerability management program. We will also share screenshots and walk through the lifecycle of a vulnerability managed in our Jira Kanban boards from both the security team's and the engineering team's perspective, which support a self-service model. When you decentralize and give engineers decision-making power in the workflow, they can take ownership of security.

With decision-making power comes accountability. We cared a great deal about this area, making sure that decisions are accountable and that there is transparency throughout the management chain. We defined key metrics that matter to leadership and that also matter to the success of the security strategy. While the metrics showed long-term trends, we found effective ways to tactically manage escalations and drive accountability through real-time dashboards. In the talk, we share the specific metrics and charts we reported on, as well as the various forums (meetings) we set up with stakeholders at every level of the hierarchy that helped us drive day-to-day remediation work.

To summarize, this talk covers the pain points most organizations face when remediating vulnerabilities, how we decided to tackle the challenge, the solution we developed, and how we drove accountability to improve our metrics. We walk through the key decisions we made so that the audience can understand them and improve their own vulnerability management program. Finally, we show templates of the Jira boards, metrics, and charts that helped us measure the success of the program.

Alexandra Nassar
Senior Technical Program Manager, Medallia
Alexandra works at Medallia – a customer experience management software company – as a Senior Technical Program Manager supporting the security organization. She started her career as a project coordinator in the nutritional supplements industry and then took the big step into software development.

Harshil Parikh
Security Director, Medallia
Harshil Parikh leads the security team at Medallia, Inc. He is currently helping to democratize security within Medallia for functions such as Secure Product Development Lifecycle, DevSecOps, Monitoring, and IR.

Maintained by the official OWASP Media Project https://www.owasp.org/index.php/OWASP_Media_Project
