Starting Up Security
Starting Up Security
This section is a summary of the Starting Up Security website
Rainbow Series¶
🟪 Foundations ⭐️
- A mission for the security team
- A security team typically aims to:
- 📉 Reduce risks
- 📈 Increase trust
- Trust is often a byproduct of transparency from an organization’s risk reductions
- A security team will burn out unless they are working efficiently to improve risks and trust
- ✅ Comply with governance
- 🚀 Empower the organization
- There are two starting patterns that are safe to consider for early programs:
- Risk Assessments: Study and prioritize risks, then consider mitigations → ⭐️ magoo/minimalist-risk-management
- Best Practices: Study and prioritize gaps, then fill them
- They’re in conflict with each other: one wants to assume that best practices will be the most efficient mitigators of risk, and the other wants you to study those risks before deciding on a mitigation
- A security team typically aims to:
- How does a security team work?
- See also Classifying types of Security Work

| Area | Description |
|---|---|
| Business Projects |
|
| Operations |
|
| Engineering |
|
| Incidents (Unplanned) |
|
🟦 Management
- Hiring: Who the right will be, and when it makes sense to hire them
- Hire a team, not a person
- Task management is a reliable value across the workplaces cultures
- There are clear partners across the company
- Budget is available to support a security employee
- Self-organization has begun around security responsibilities: Security is not a vertical set of tasks. Rather, security is best shared horizontally across an organization
- Leadership: Qualities that might be desirable in a security leader
- Proper talent will want to become familiar with three things:
- Risks to the organizations
- Deficits of trusts to the customer
- Governance requirements
- They can balance work
- Risk: Prioritizing work to mitigate the consequences of an undesirable event
- Trust: Prioritizing work that develops trust among our customers or peers
- Governance: Prioritizing work that meets certain compliance objectives
- Proper talent will want to become familiar with three things:
- Budget: Reasoning through budget discussions with a security team
- Planning: Encouraging risk based knowledge workers to offer direction
- A collaborative planning process allows for the maximum available expertise about an organization’s risks
- All security team members are expected to think critically about risks
- Team leadership should set broad direction and strategy
- A collaborative process captures this knowledge and formulates a directed roadmap
- OKRs have issues
- Other engineering disciplines can directly measure their key results
- However, risk has roots in probability. Our teams cannot objectively measure “Probabilistic” outcomes. They can only forecast them, which is subjective
- Security teams often focus their key results on obtainable, actionable goals around a risk-based objective. Part of the objective discussion can include specific risk targets that discuss scenarios
- Objectives should have defensible roots in risk, trust, or compliance goals
- A collaborative planning process allows for the maximum available expertise about an organization’s risks
- Performance: Framing the performance problem of risk based knowledge work
🟩 Fundamentals ⚒️
- The fundamentals are practices (best practices, standards, checklists, maturity models) that eliminate wide areas of risk
- Fundamental ojectives:
| Objective | Description |
|---|---|
| Centralize and improve logging |
|
| Improve employee responsiveness in reporting incidents |
|
| Reduce the risks associated with vendors |
|
| Reduce the risk of insider abuse |
|
| Reduce the risk of an endpoint compromise |
|
| Improve responsiveness to incidents |
|
| Reduce the risk of remote IaaS API compromise (leaked credentials) |
|
| Reduce the risks of a SaaS account compromise |
|
| Lay groundwork for secure development practices |
|
| Lay groundwork for future detection efforts |
|
| Lay groundwork for future risk management efforts |
|
| Lay groundwork for finding and fixing |
|
🟨 Building
- Avoid “shadow IT” anti-patterns:
- Security is hired into a non-engineering reporting chain
- Security is excluded from engineering roadmap discussions
- Security makes unique technology choices and owns separate source code management
- Security lower and has inconsistent hiring and interviewing standards
- Security has lower and inconsistent development and deployment standards (style, peer review, testing)
- Engineering Identity
- Builders should be indistinguishable from their partners: IT, Product, Engineering
- Share identity with partner organizations:
- Security reports to engineering leadership
- Planning and roadmapping should be inclusive of security efforts
- Security shares the organizations technology standards and development practices
- Security hiring maintains and contributes to the hiring bar
- Security mitigations are rolled out with product launch / deployment standards
- Philosophy of fixing security issues with no clear owner
- Security is not catch-all bug dumpster
- Security does step in for unowned or specialist problems
- Culture, values, leadership, and “whole team” approach to sharing the work
🟧 Breaking
- Breaking anti-patterns
- Breaking creates work for building
- Resourcing for breaking and building is a Explore / Exploit Tradeoff
- Law of the Lever:
- Breaking creates work
- Breaking can create more work than you can mitigate
- Incentives can worsen this this further
- Violating the lever can create internal hostility and toil
- Breaking creates work for building
- On Fixing Bugs
🟥 Incidents ⭐️
- Create an incident response plan to manage these changes → ⭐️ template, explanation
- A rolodex of contacts: Law enforcement, Forensic, Legal, Leadership, and PR contacts who can come online quickly and contribute to a response
- A template for collaboration: Incidents are often about managing uncertainty. What are questions we still have? Who is accountable for answering them? What are the short term emergency actions, and what are the long term learnings?
- Approval Points: Who approves an emergency blog post, an email to customers, or calls law enforcement? Pre-approvals for expected steps will avoid delays and meetings
- Internal Communications: Who communicates issues with employees?
- Dependencies
- Your readiness for an incident depends on leading project work
- Incident response can be practiced with tabletop or red team exercises
- See also Security Breach 101 and Security Breach 102
Security Strategy¶
From the Starting Up Security article
Products ⚒️
- Relates to the quality of application development
| Area | Description |
|---|---|
| Strict Engineering Standards | NOW:
|
| Vulnerability Disclosure and Bug Bounty | NOW:
|
| Engineer Onboarding | NOW:
|
| Manage Secrets | NOW:
|
Infrastructure ⚒️
- Relates to the quality of the systems that support the applications
| Area | Description |
|---|---|
| Authentication | NOW:
|
| Patching | NOW:
|
| Centralized Logging | NOW:
|
Employees ⚒️
| Area | Description |
|---|---|
| Endpoint | NOW:
|
| Shared Passwords | NOW:
|