Description
This presentation proposal aims to showcase to the TNC community how we are improving the information security culture and engaging stakeholders in more effective vulnerability management within our DevSecOps process.
To achieve this, we have developed a vulnerability management process with three layers: operational, tactical, and strategic. Each layer controls the one below it, allowing for better management of the risk posed by human error and ensuring that no team is held back in addressing known vulnerabilities.
Operational Layer:
Responsible: Software developers or infrastructure architects.
Role: Create the environments (software or infrastructure) and address known vulnerabilities.
Action: Address vulnerabilities as soon as they are identified, in the next daily meeting or sprint. If they are unable to do so for business reasons or because of a significant technical impact, they escalate the issue to the tactical layer.
Tactical Layer:
Responsible: Coordinators or project leaders.
Role: Monitor and prioritize sprint activities with development and infrastructure teams.
Action: Prioritize the remaining vulnerabilities that the operational layer could not resolve. They assess what can be fixed without a significant impact on the schedule, finances, or business. More critical issues are escalated to the strategic layer.
Strategic Layer:
Responsible: Project managers.
Role: Own the strategic vision of the entire project, liaise with both business and technical areas, and ultimately define the project direction.
Action: Prioritize the actions needed to address the vulnerabilities remaining from the tactical layer that have a significant impact on the project, such as those affecting the schedule, finances, or business aspects. For instance, if a critical vulnerability in an essential component needs to be addressed urgently, this layer works with the business area to secure what is needed to tackle the issue, whether that means allocating financial, personnel, or scheduling resources or formally accepting the risk.
This new process can serve as a reference for the entire TNC community. We would like to present the results of how dividing teams into layers, with each layer controlling the one below it, has increased the security of our assets. This has engaged our teams and fostered a more robust security culture, resulting in better management and quality of our software and assets through the periodic fixing of security vulnerabilities by the layered teams.