Ben Abrams has had various developer roles in his career where security teams got in the way and got bad reputations as the NO team, and now he's in the process of building his own security team. In this Sensu Summit 2019 talk, he'll discuss some tips on avoiding this and engineering seeing security as an asset rather than something to work around.
Building a security team without becoming “the bad guy”
1. How to build a security team without
becoming the “bad guy”.
Follow along at: http://bit.ly/2zz3py0
2. $ /usr/bin/whoami
● Ben Abrams / @majormoses
● Lead the Infrastructure security team @doximity
● Doximity: Medical Social Network serving over 1 Million medical professionals
● Sensu History
○ 2014: started a pet project to replace Nagios with Sensu
○ 2015: Sensu was in production, started giving back to the community
○ 2017: Became a maintainer for various areas across sensu ecosystem
■ Plugins
■ Chef Cookbooks
■ Slack
■ Documentation
■ OSS Mentorship
○ Maintain 200+ plugins for the sensu community
3.
4. Where to start
● Tools
● Knowledge
● Monitoring
● Alerting
● Service Ownership
● Triage Risk
● Red / Blue Teams
● Culture
6. Some Cultural Items
● Transparency
○ Open slack channels
○ SLA on pull request reviews
○ Security monitoring is
available to other teams.
● Make access easier where
possible without compromising
needs. https://sso.tax/
○ Moved 40+ apps to SSO
○ Another 30+ to go
● Incremental Improvement
● Secure By default