RSAC 365 Virtual Summit
January 27, 2021, Online

Video
When Application Security “The Wrong Way” Is the Right Thing for Your Organization

About the talk

What’s a common challenge for application security teams? To drive meaningful change and scale to the pace and size of IT. Target’s experience was no different, so the team switched from enforcer to teacher. This session describes successes in implementing a “credit score” approach to measurement practices, building an exclusive(!) security champions program, and changing how to “test all the things.”

About speaker

Jennifer Czaplewski
Director of Product Security at Target

Jennifer Czaplewski is Director of the Product Security team at Target. In her role, she leads the product security engineering function, product intelligence and Target’s Security Ninja program. She has held several leadership roles within information security, including threat and vulnerability management, network security and security strategy. Prior to Target, Czaplewski was employed by Pfizer. She has an MBA from Western Michigan University and holds CISSP and CISM certifications.


Transcript

Hi, everyone. Welcome to my RSAC 365 talk called “When Application Security ‘The Wrong Way’ Is the Right Thing for Your Organization.” My name is Jennifer Czaplewski. I'm the Director of Product Security for Target Corporation, and today we're going to talk about some myths in the application security space, and ways Target went a different direction and busted those myths. This is all a bit of a reprisal of a talk that I gave at RSA when we were in person in February of 2020. Following this talk will be a moderated Q&A with Caroline Wong, who's head of strategy and HR.

So before we get into myth busting, let's back up and just talk a little bit about Target and our IT environment. Target is a Fortune 30 retailer. We are based in Minneapolis, Minnesota, which is where I'm coming to you from today. We have three hundred and fifty thousand team members across the world. Our stores are in the US, but we have team members really across the globe. If you shop at a Target store, you might know some of these things about Target, but what you might not know about Target is how critical technology has become to our daily operations: things like Order Pickup or Drive Up, or paying with your app using the Target mobile wallet, or our partnership with Shipt for same-day delivery. All of those things weren't decided by some folks working in business roles and thrown over the wall to the IT team. Our IT team partners with our business team members every day to come up with innovative ways that Target can best serve our guests. And in order to be that really valuable and skilled partner for Target's business teams, our IT organization went through a pretty significant transformation in 2015. Prior to our transformation, we were a really project-heavy, vendor-heavy, contractor-heavy organization. In our transformation, we adopted the product methodology and DevOps delivery mechanisms. We brought in a lot of engineering talent and started developing a lot of what we use every day in-house. And in order to make that work, we really had to focus on innovation and skills development. So at Target we have a program called 50 Days of Learning, and it's basically a literal title: every IT team member is expected to spend 50 days a year, or about one day a week, developing and enhancing and building new and continuing to develop their IT skills, to be that valued partner with our business teams.

So now that you know a little bit about Target and a little bit about how our IT operation runs, let's get to myth busting. The first myth that we're talking about is that there is no single metric to measure application security. I've been in an application security role for five years and I've heard this myth quite a few different times while I've been working in AppSec, and it's an interesting question: how do we help teams understand their security posture? Some options that I've seen at different organizations are security test coverage (what coverage of tests do we have on our applications or on our code?); people have thought about using security defects per lines of code; at Target we had historically adopted how fast teams are resolving security issues, and that worked for a while and was one of the ways we were able to incentivize teams to think more seriously about security. But all of those things require you to really understand a lot of things outside just the security of your application. And so we thought: is there a way that we can better serve our IT partners with how to measure application security?

So in 2017, we launched a system called Product Intelligence, and Product Intelligence pulls a lot of different security data together. The first thing that you'll notice when you log into the Product Intelligence system is that it gives a product team a single number. This number ranges from 300 on the low end to as high as 850, and that scale mimics the same scale that you would see in a personal credit score. But really, apart from the scale between the low and high numbers, this is where we differ from a personal credit score: with this Product Intelligence score, we're very transparent. Every single element, every single point is very clear to product teams as to what makes up their score. So this is a fake product. If you zoom in, you can see that this product is called Bakeasaurus Rex. We don't have a product at Target called Bakeasaurus Rex, though we might someday. Bakeasaurus Rex, with the fake data that we've plugged in here, has a 751.

So what's very easy for everyone to understand is, in summary, how am I doing from a product security perspective? And this number is made up of four different categories, in the range between 300 and 850. The first grouping is called findings and vulnerabilities, and it makes up 45% of the score. What we measure in the findings and vulnerabilities space is not how many findings you have or how many vulnerabilities you have. What we measure is, for each of the findings and vulnerabilities that products have, are they meeting the commitments that the team committed to for closing those findings or addressing those vulnerabilities? So if you have 10 findings and you closed nine of them on time, you get a 90% for this findings and vulnerabilities category, and you're probably going to have a pretty high score for that section. So the first category, findings and vulnerabilities, measures: are they closing findings according to the schedule that the product teams themselves set? The second category, at 35%, is security services, and what we measure here is: are you using the security services that the security team has deemed important? For example, findings are 45% of your score, but we really want to make sure that teams don't avoid the pen test entirely. So 35% of it is: are you doing the pen test that you need to? Are you filling out the risk register, and using those security services that are important for the security of products? The last 20% of the score is split evenly between security culture, which makes up 10% and essentially measures whether product teams are doing the cultural things that we want them to do to have good software security (in this case, do you have a security ninja, and is your ninja doing the things that we want the ninjas to do?), and lastly, sort of the ultimate measure of any application security posture: have you been the root cause of a security event or incident in the last 12 months?

So the score, 751, kind of measures all of those things, and that's an important tool for everyone to have clear information about how they stand. But what's incredibly important, and the most important secret sauce of this system, is the actions to take. We don't just tell teams, “you're a 751, and here's all of the ways that was made up.” We tell them: for 39 more points, there's some scope in your particular application that hasn't been tested; you have 26 points that you could gain by closing some security findings; you have some critical vulnerabilities that need to be addressed. So these specific actions to take are where we really enable our teams to take the steps to better improve the security of their product. Some other elements that you might notice on the score are the relativity. So we also show teams: here's your 751, here are the actions, but here's how you compare to other products at Target. And this one has been really powerful to have good conversations. When we launched the system in 2017, I sat down with a peer and walked her through: here is your system, you're at a 650, and here are the actions you should take. And she was, “Yep, sounds good.” But when we talked about the product rank, and at that time this product was in the bottom 10% of all products, the conversation changed, and she's like, “Oh, that can't be true. We take security very seriously.” And it allowed me to have a really good conversation about how we actually consider and measure security. So this relativity is good for all of us type A folks who feel strongly about being in the top 20 or 10% compared to other products. The last information that you can see on the first page is the historical trend. We want to compare teams not only to everyone else but to themselves, and it's not uncommon, when we were in the office, to walk around the floors and see different teams sort of talking about the trends of their PI score on their team whiteboards and celebrating when they've hit thresholds that they're trying to hit.

So the main page, as you continue to go into the system: I've mentioned transparency, and that's a really important element in order for people to trust that this data is accurate and that they should take the actions that we are asking of them. We give them every element, every source of data; we show them everything about their system so that they can see what they need to do, and kind of in context of all of the other things. One of the things that we're also trying to do is not just require our product team counterparts to go to the system all the time and pull down information. We try to meet teams where they are, so we offer integrations with GitHub and Jira backlogs as well as email notifications. People can sign up and be notified when certain things change about the score, and they can download all of the findings and the actions that they need to take into their team backlogs, so they can prioritize security work alongside all of the other features and functions that they're trying to offer. Being able to see all of this data together for Bakeasaurus Rex is really helpful, to see everything together.

But let me just kind of rewind and paint for you all what it was like before we had a system like this. So, prior to 2017, we had an entire team of security analysts whose job was to go into the GRC system on a weekly or monthly basis, pull all of the information out, consolidate it into spreadsheets, send those spreadsheets over to the teams, and go back and forth with them about actions that needed to be taken. And we said for years, and believed, that product teams are responsible and accountable for the security of their products. But in reality, they couldn't get to any of the data. They really had to work through the security team to make a lot of changes. So in reality, we created a system where the security team had more accountability than the product teams. That's been a really big win with the system: the ability for teams to take accountability for the security of their products. Not too long after we launched the product view, the leaders of those particular systems asked for summarized information, and that's been really helpful as well to drive changes within our teams. So not only can leaders see the scores for the different systems that they're responsible for, they can also see trend information: how are we doing on pen testing? How are we doing on open vulnerabilities? We have sections that talk about secure coding flaws that happened within their portfolios. We've been able to target each portfolio or team with specific training opportunities based on trends that they see in the different sections here. It's just been really valuable to, again, put that accountability back into teams, and they can make some decisions about where they want to invest. And it also lets leaders understand, over time, how are we doing? Are we better or worse than we were three months ago? Six months ago?

So if any of this sounds interesting and you wanted to build something like this within your own organization: when we started, we had two or three folks working on the system. We have more now, but when we started, we started small and had just a few people working on it. We used open-source technology as much as possible. So the screenshots that I was showing earlier, those are a product called Superset, which is an open-source technology that you can use for tables and graphing systems, to give us data. So we connect via API to all of these different source systems, and the secret sauce of the Product Intelligence system is putting that information together so a product team can see it, and really translating all of that to actions that we want folks to take. From a prerequisites perspective, some things that we had to get in place before we were able to take this step with Product Intelligence were at least a basic understanding of the assets that you have: what systems, what software do you have, and pulling that information together. A policy was really helpful. Nothing in the Product Intelligence system is new; it's all things that are already included in the security policy. We're just being more transparent about what we expect product teams to do and pulling that together for them to look at. And last, you can have all of the numbers and the actions and the things that you can pull together, but without a lot of commitment from the organization, it's just another metric. From our CIO on down, the PI score and the PI actions are something that teams care about and the leaders care about, and we talk about them on a regular basis.

All right, we're going to bust another myth, and that is to welcome any and all engineers to a security guild, or better, mandate participation. Why is this concept even important? Well, at Target we have 4,500 developers spanning across 200 product teams, and our security team needed to find a way to be everywhere at once. Looking at the industry, there are lots of organizations that have programs like this. They could be called security champions, or advocates, or security ninjas; that's the term that we landed on for our program. Where our program differs from other programs that you might see is that ours is not a tiered system for learning where everyone participates and you start as a lower belt and move your way up the program. Our hypothesis in 2016 was that if we created a program that was exclusive and somewhat prestigious, we could get the right people who are going to be the most engaged and would have a better chance to actually permeate the culture of the organization. We landed on the term security ninjas because what we were looking for in this program were people who are nimble and at the top of their game. And the thought when we launched the program, which has proven true, is that with a smaller group, we can create a more curated program. We can be more transparent about the security threats that we're facing. We can have more meaningful trainings and offer better swag: t-shirts and tchotchkes that can go on your desk.

So let's talk a little bit about Target's exclusive security ninja program. We are looking for participants in the program that are seasoned, influential, and passionate. What we really mean here are individuals that are influential: when they talk, their team listens. We also want folks who are passionate about security and want to be here. At my organization, we have this concept of being “voluntold.” I personally have been voluntold for a great many things over the years, and we don't want anybody who's voluntold. We want you to be excited and to really want to make a difference in the security posture of your team's product. The program itself: I've mentioned exclusive. We set a ceiling that no more than 5% of the tech population can be part of the program. So at 4,500 people, that's about 225 ninjas at any time. We're currently at 170, so we're still underneath that ceiling. Their primary goal is to build security awareness and excitement within their teams. What the program has actually become, even though we didn't set out to make it this, is an accidental talent pipeline for the security organization. Every year, in the five years that we've had this program, between five and eight people who are developers in product teams get so excited and so interested in the security work that we're doing that they leave their development teams and join the security team. So that's been very exciting. In a world where security talent is so hard to find, to have created this accidental talent pipeline was exciting and surprising for us.

So what does it mean to be a security ninja? That first means that if you're an extension of the security team, we'd at least like you to have some basic security knowledge. So the first responsibility is to build and then maintain that security knowledge. The second responsibility, and probably the largest element of being a security ninja, is to guide your teams in security best practices. Don't just take in a bunch of information, but really use that information that you've learned to guide your teams in doing things in the most secure possible way. A very small but important element of the security ninja program is to maintain the application inventory data; that usually just means nudging teams to populate the risk register. And the last element that's very important for us is that they are a voice of the customer for the infosec team. Our security ninjas know what we're trying to do, but they sit organizationally with their product teams, and so they can help us gauge whether or not the things that we're trying to do actually are landing the way that we think they are, and give us really great input on ways that we can improve the services that we offer. Ninjas agree, when they join the program, to spend about 20% of their time doing these things. And, as I've mentioned, we consider them an extension of the security team. They are absolutely empowered to make security decisions within their teams, as long as they don't violate security policy. These are the basic four things that all the security ninjas, all 170 people, have agreed to do.

What we've seen, because we've chosen people who are very engaged, very passionate, the right folks who really want to be here, is that they go above and beyond this list so many times. In the last 12 months: we have Brian. He's a ninja on our point-of-sale system who recognized that our static scanner, our SAST system, was not covering languages that they use for some of the functionality in the point-of-sale system. So he researched and implemented an augmentation that we then plugged into our static scanner that covered the languages that they used within our point-of-sale. We have Mohit, in our Bangalore office, who liked what we were doing with Product Intelligence but recognized that it might not cover all of the things that he wanted to measure for the systems that he was responsible for. So he added an entire augmentation library of things that he wanted to also be looking at in terms of measurements for the systems that he was responsible for. These are two examples, but we see our ninjas doing stuff like this all the time. And that's why we're really excited to have those right individuals who really want to be here and make meaningful change in the org.

So what does it mean to have that knowledge development? We do want people to be making informed decisions when they're out doing that. The first thing is, when you are nominated by your leader and then accepted into the program, you start with initial onboarding, and that usually is 90 minutes of security fundamentals, followed by a three-hour hands-on hacking course, where we use an intentionally vulnerable web app that you can get from any open source; Juice Shop is what we use. And we walk them through some of the ways that vulnerable websites can actually have an impact on the organization. We see that that hands-on hacking class really helps people understand, not just conceptually and from a book, what SQL injection or cross-site scripting is, but it really translates those types of flaws into actual web development. Then we don't just train them and never see them again. We do monthly information sharing; that could be a meeting where we come together and do deep dives on certain topics. It could be really continual chat: we have a private Slack room for our security ninjas to ask questions of each other. We recently started issuing a newsletter that outlines things that we want ninjas to know, but more importantly identifies actions and things that we want them to do. One of the questions that we always ask ourselves is: is this just information that's interesting, or are there specific actions that we want our ninjas to take, or, sorry, our product teams to take, knowing that information? So in addition to the monthly information sharing, we also offer quarterly hands-on events. Our security ninjas have told us that they learn best from hands-on learning, and so we try every quarter to offer some kind of quarterly hands-on event where they can either come together or individually work through some challenges or different things. And lastly, for those individuals who just continually show us that they can do more, they want to do more, they're very engaged: when you join the program, we have a tiered system, and everyone who joins comes in as a white belt, but then as you are able to make some meaningful change, show some projects and some ways that you've gone above and beyond, we have opportunities for folks in the program to become purple belts, and so on up to black belts.

So we know the people who are in the program enjoy being in the program, but the impact is really where we're excited about what this program has brought. In terms of enjoying the program: we survey our ninjas every year with questions about what they like and don't like, and it kind of ends with a Net Promoter Score question. Net Promoter Score is essentially a scale between -100 and +100, and everybody just chooses a number. It takes out people who are sort of neutral and gauges who really cares about this thing. The NPS, the Net Promoter Score, for the security ninja program last year was a +49. For some context, a +49 is also the Net Promoter Score for iPhones. So people like their iPhone about as much as they like being a ninja, which to me seems like a pretty high bar. We also hear, and it's only from the ninjas, that it's hard to leave the program. When they're offered opportunities in other teams at Target, they're hesitant to take those jobs if it means they have to give up their role as security ninja. But we also hear from the teams that these ninjas participate with and sit on and influence that the teams and the leaders of those teams also really think that they're helping change the culture. Some other quotes that you can see from last year's survey: our ninjas tell us that their team cares more about security now, and they've done a better job considering security early. The product teams tell us that our ninjas influenced team culture toward a security-aware mindset. The leaders tell us that the way our team thinks about security today is different. And my personal favorite quote is from the really skilled folks we have in the program who still have imposter syndrome, and the quote is that the program really helps me get over my imposter syndrome and realize “I'm good at this, I can do this.” When we asked product teams collectively to rate the effectiveness of their security ninja, 79% of the respondents said that their security ninja was effective or very effective at changing the security culture and promoting that security culture within their teams.

All right, the last myth that we'll be busting is around testing all of the things. The reason that this is an interesting one to me is that in the security world there are so many scary things that can exist, there are so many threats against your system, there are so many ways that things can go wrong, and it makes sense that if I were a product team, I would want to know about all of those things and all the ways that I could get better, to make sure that those things that could go wrong don't go wrong. And that was our hypothesis going into a system that we called Spotlight SAST. Our goal was to start with SAST and test all of the things: give teams a lot of information, really help them improve the security of their systems, and be really transparent about what we're finding and what they needed to do. So we created the system; we made sure that it could scale for the size of code that we have and the pace at which we were checking in code and developing. We were very excited. We rolled it out. And our product teams hated it. It was way too much information. It was way too hard for them to consume and prioritize.

So let's back up a little bit and talk about what we were trying to do, what we did, and then why the method of testing all the things maybe needed to be adjusted. When we started the system, our goal, as I said, was to improve the application security of all of our software systems by integrating into engineering practices. We wanted to meet developers where they worked. We didn't want developers to stop developing and come over to the SAST system to check their code or get the results. We wanted to offer end-to-end solutions, so not just finding issues but giving them meaningful and helpful ways to solve those issues when they were found. And our goal always is to make the right way, the secure way of doing something, the easiest way for a product team to do it. So even though we've learned a lot over the last three or four years of this journey, these are still the values that we're bringing today. So what is Spotlight SAST? This is just a screenshot that you can see of the system, and what it means is that it's an interface between our code management technologies and the static scanning, our SAST technologies. It's meant to integrate these two things really easily, so that within the code management technology, teams can onboard to the SAST and get the results, and they can see everything that they need sort of in one place.

What we learned in our first iteration of the system were many things. What we launched in version 1 was all of the issues that were found. We hypothesized that teams are going to want to know about all of these, and they're going to want to know about them individually so that they can address them individually. What we ended up doing was just inundating teams with issues: sometimes dozens, if not more than dozens, of issues being found within every scan that was run. We also made some assumptions about the kind of alerts that they want to have. For example, we hypothesized that when the system ran but didn't find any issues, they don't want to know about that; we should only tell them when there's a problem. We also didn't tell them when the scan ran but failed for some reason, so a lot of times teams would run a scan and then not hear anything and be left to figure out on their own whether or not the scan was successful and no issues were found. So we did a really major overhaul about 18 months after we launched this system. We consolidated the way that we give information to teams so that it was easier to consume, and we really let them customize the way that they could get all of this information. If they wanted an email, they could choose that. If they wanted their information in GitHub issues or in Jira stories, they could do that. They can choose different ways to be notified when the system was performing or when scans were getting ready to be started. And so the iteration of the system, and really listening to customers, has made the second and subsequent versions a lot more successful. We still test all the things, but we only share information with teams that they've decided, that we've decided, are meaningful, and it lets them take a little bit more thoughtful look at what actually needs to be done and what maybe is a bit more noisy.

So, in the last five years, this is the product security journey that this entire team has gone through. It has been very interesting. We've learned so much. We've tried to make meaningful change wherever we could. I want to think about the things that we've learned for these three systems and programs that I've talked about, but really in some of the other programs that we're running at Target as well. The lessons learned aren't all that different. First, iteration is key. I talked about that a lot with the Spotlight SAST system, but you can start with an MVP and be willing and able to pivot as your customers help you grow. We would really be much less successful than we have been today if we hadn't gone back and overhauled the system in the way that we did, based on the customer feedback that we had with the Spotlight system. The second really important lesson learned, and thing that we continue to ask ourselves almost daily, is: what behavior do we want to drive? With every change to the PI score, the Product Intelligence score, with every communication that we send to our security ninjas, it's really just asking ourselves: knowing is one thing, but what behavior do we want to drive with this particular change? And if we can't answer that question, we really need to go back and say, is this something that we really want to ask our teams to do? The last one is a struggle for me, because the security world is inherently complicated, but simplicity has been the key to our success. We have 4,500 developers. We have hundreds of product teams. Anything that's overly complicated has a really hard time being adopted. So with the product score, with the security ninja program, with the adjustments that we've made to Spotlight SAST, taking a step back and simplifying what we are giving to teams has really, really improved our ability to be successful.

So, thank you for listening for the last thirty or so minutes on some of the things that we've done, some of the myths that we've busted in the product security team here at Target. Following this talk, I'll be joined by Caroline Wong, who is, again, the chief strategy and HR head at Cobalt, and we'll be taking some of your questions. I think she has a few questions to go a little deeper on these and lots of topics in the application security space. Thank you.
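The scoring scheme the talk describes (four weighted categories, a 300 to 850 scale, a per-category "for N more points" action list, and rank against other products), worked through as an added example. This is not Target's Product Intelligence code. The weights (45/35/10/10), the scale, and the "on-time closure, not raw count" rule are from the talk; how each category is turned into a 0 to 1 fraction (for example, half credit for having a ninja and half for the ninja being active), the action-point arithmetic, and the three sample products are assumptions made here.

```python
"""Product-security 'credit score', modelled on the Product Intelligence score
from the talk. Weights 45/35/10/10 and the 300-850 range are from the talk;
everything else (how each category becomes a 0..1 fraction, the action-point
maths, the sample products) is an assumption made for this example."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

SCORE_MIN, SCORE_MAX = 300, 850
POINT_RANGE = SCORE_MAX - SCORE_MIN          # 550 points shared by the categories
WEIGHTS = {"findings": 0.45, "services": 0.35, "culture": 0.10, "incidents": 0.10}


@dataclass
class Finding:
    ident: str
    committed_close: date              # close date the product team itself committed to
    closed_on: Optional[date] = None   # None while the finding is still open


@dataclass
class Product:
    name: str
    findings: list
    required_services: set             # services the security team deems important
    services_used: set
    has_ninja: bool
    ninja_active: bool
    caused_incident_last_12m: bool


def findings_fraction(findings, today):
    """Share of findings meeting the team's own commitment (not a raw count).
    An open finding whose committed date has not passed is still on track;
    overdue open findings and late closures count against the team."""
    if not findings:
        return 1.0
    met = 0
    for f in findings:
        met += (today <= f.committed_close if f.closed_on is None
                else f.closed_on <= f.committed_close)
    return met / len(findings)


def services_fraction(p):
    if not p.required_services:
        return 1.0
    return len(p.required_services & p.services_used) / len(p.required_services)


def culture_fraction(p):
    # assumption: half credit for having a ninja, half for the ninja being active
    return 0.5 * p.has_ninja + 0.5 * (p.has_ninja and p.ninja_active)


def incidents_fraction(p):
    return 0.0 if p.caused_incident_last_12m else 1.0


def fractions(p, today):
    return {"findings": findings_fraction(p.findings, today),
            "services": services_fraction(p),
            "culture": culture_fraction(p),
            "incidents": incidents_fraction(p)}


def score(p, today):
    weighted = sum(WEIGHTS[c] * f for c, f in fractions(p, today).items())
    return round(SCORE_MIN + POINT_RANGE * weighted)


def actions(p, today):
    """'For N more points, fix X': points recoverable per category, biggest first."""
    out = []
    for cat, frac in fractions(p, today).items():
        pts = round(POINT_RANGE * WEIGHTS[cat] * (1 - frac))
        if pts:
            out.append((pts, cat))
    return sorted(out, reverse=True)


def percentile_rank(products, name, today):
    """Share of products scoring no higher than this one (the 'relativity' view)."""
    scores = {q.name: score(q, today) for q in products}
    return sum(s <= scores[name] for s in scores.values()) / len(scores)


# --- constructed sample data for this example (not Target data) ---
TODAY = date(2021, 1, 27)
_due = date(2020, 12, 1)
BAKEASAURUS = Product(
    "Bakeasaurus Rex",
    [Finding(f"F-{i}", _due, date(2020, 11, 20)) for i in range(9)]
    + [Finding("F-9", _due, date(2020, 12, 15))],            # one closed late
    {"pentest", "risk_register", "sast"}, {"pentest", "risk_register"},
    has_ninja=True, ninja_active=True, caused_incident_last_12m=False)
CHECKOUT = Product(
    "Checkout",
    [Finding("C-0", _due, date(2020, 11, 25)), Finding("C-1", _due, date(2020, 12, 10)),
     Finding("C-2", _due)],                                   # C-2 still open and overdue
    {"pentest", "risk_register", "sast"}, {"sast"},
    has_ninja=False, ninja_active=False, caused_incident_last_12m=True)
DRIVE_UP = Product("Drive Up", [], {"pentest", "sast"}, {"pentest", "sast"},
                   has_ninja=True, ninja_active=True, caused_incident_last_12m=False)
PRODUCTS = [BAKEASAURUS, CHECKOUT, DRIVE_UP]

if __name__ == "__main__":
    for p in PRODUCTS:
        print(p.name, score(p, TODAY), actions(p, TODAY),
              f"rank {percentile_rank(PRODUCTS, p.name, TODAY):.0%}")
```

With this data Bakeasaurus Rex lands at 761: nine of ten findings closed on time, one required service (SAST) not yet used, a ninja in place and no incident. Its action list says the missing SAST onboarding is worth 64 points and the late finding 25, which is the "here is what to do for N more points" view the talk describes; the percentile rank places it above the Checkout product and below Drive Up.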
