Friday, 25 March 2011

I Hate You All

Security Presenter Character Assassinated

Last Monday was our "Day O' Security", when I finally gave our design, development and test departments the first "Introduction to the SDL" presentation. Months in preparation, the material was revamped numerous times, evolving in the process from an extravaganza of clowns and dancing girls, into its final form: a very modest, half-day coverage (presented twice) of CIA and STRIDE.

The material presented included Adam Shostack's 10-minute CC-licensed video explaining his threat modelling card game Elevation of Privilege. Also included were individually wrapped chocolate chip muffins and Mr Kipling's French Fancies.

My beautiful assistant ScaleThis!, who handled all the scheduling aspects, also sent out requests for audience feedback - three questions - at the end of the day. I'd already received and reacted to some comments about the morning session, and the afternoon presentation proceeded quite a bit faster as a result. That might account for some of the variation in these replies.

Here are links to the PowerPoint presentation, both native and pdf (minus Adam's video, for which see above): O' Security.pptx O' Security.pdf
And in the spirit of Scalzi's treatment of negative reviews, here is the feedback. Anonymized, but otherwise uncensored. Overall, this level of comment is terrific; although in the interests of continuous improvement, I'd just like to restate that more complaints are always welcome. You can be damn sure that I'll be working through Guy Smith-Ferrier's Video Series: How To Give Great Presentations this weekend...

Did You Find It Useful?
  • Yes, we need to follow up on this.
  • I did, I think there are certainly a number of areas we should be building into our processes as we develop our new offerings.
  • Yep. Although to be really useful I think we need a formal review process in place in order to threat assess our applications, especially now when moving towards cloud based solutions and potentially SOA.
  • I think the day of security was informative but feel as if I never learned very much from it.
  • Yes, very useful. I have a very basic knowledge of security. I found the discussions about [Project#1] and [Project#2] in connection with STRIDE very useful as this put it in a real life situation which I was finding hard to do when John asked. I think however an existing knowledge of how [Project#1] and [Project#2] processes data and how that data is stored was necessary to answer the card game but I liked hearing the comments from others.
  • Yes it was useful as I didn’t know of STRIDE or CIA.
  • Yes. It was a good introduction to security considerations and gave an indication of what factors you should be considering when building any application.
  • I found it very informative. certainly planted a little seed in terms of getting us to start thinking about these things.
3 Things That Were Bad...
  • I’m afraid [John's] presenting skills come top of the list. Too much detail and not enough practicality which reduced opportunities for interactivity. The setup, too many people for PCs and all forward facing.
  • Lot of "dead air" and I was uncertain if JK was looking for input at times... He seemed to wander off on his notes.
  • Too deep on process at the end when a summary of the model would have done.
  • I think JK suffered from a lack of structure and intent at points (was he planning a break?)
  • Pace. Could have been a bit quicker.
  • Better concrete examples – ideally from our own code base if possible!
  • Having very little knowledge with security designs and techniques I feel like the lecture was [too advanced] for me. Most of it did not make sense.
  • There was very little interaction we just sat and listened which made me lose concentration very easily.
  • A bit slow to get to the core information.
  • Not enough real world examples.
  • No code related examples (I know it’s more about the broad topics, but some specifics would have been nice).
  • John was at times difficult to hear.
  • Did you see the calorie count on those muffins!!
  • Maybe a bit more interaction for the audience, it felt a little like a lecture. However I think he’ll be doing this in the next session. Working in pairs is always quite good in workshops/training, makes it more fun and less scary for those who don’t quite know what they are doing.
  • A little quiet at times.
  • I found the presentation style a difficult to follow (sorry John), I’d guess that is the reason we only got half way through the material.
  • Assumed we already knew the terminology and exploits already.
  • Would have liked concrete, how-to examples on security, i.e. how-to do authentication, how-to techniques on securing the transport, how stuff works in our domain etc.
  • No real life exploiting of security [stories], i.e. Gary McKinnon probably used X method or Google got hacked one time because of X.
  • Too much flicking off and on the presentation slides, no real flow.
  • Could probably do with more slides, but using images to convey a message. He also zipped through these quite quickly.
  • John spoke too quietly.
  • Network rack in the room was too noisy.
  • Only one muffin :-J
  • John struggled to get all the material in due to the duration having been cut by half a day.
  • Would have been good to hear about real world examples of specific attacks.
  • Interactive part was a bit flat – should have possibly split us into groups to discuss to make sure that everyone was contributing.
3 Things That Were Good...
  • The subject matter was good, it was good that we did it, umm
  • Sharing experiences of our own product weaknesses ! Good interaction driven by the attendees.
  • JK's sense of humour.
  • Overall "Thought provoking" ( but needed to be delivered a bit more snappier than it was).
  • Thinking about our own application vulnerabilities is good.
  • Good explanations of terminology, general research by John I think was top notch and presented well.
  • Everyone was involved. We need more awareness of these concerns in each of our disciplines from design through to test. Even a basic awareness is a good thing, but as per 1 I think we need people who can review and threat assess projects periodically and provide advice on mitigation techniques to other developers or at least highlight the risks and ensure it is acceptable to the stakeholders…..
  • Muffins!!
  • Brings security which is often an afterthought to the forefront for everyone.
  • Good discussion around security relating to [Project#2].
  • Finally found out what CIA and STRIDE mean!
  • The card game was great and well presented, took his time going through definitions of each and provided examples together with the video. It all came across really clear and simple.
  • It was light hearted; this made me feel relaxed, making it easier to learn things from it.
  • John didn’t assume the audiences existing knowledge of security and thus covered all levels, starting with glossaries and definitions helped people like me understand the whole presentation. This was very helpful and refreshing.
  • Got people thinking about, perhaps some obvious, and some not so, security concerns, by way of the playing card examples, that we simply don’t think about.
  • Pointer to
  • Suggestion/Push/Nudge/whatever at getting earlier involvement from folks other than a high level design team on security concerns. Not design by committee, but not excluding those that might have valid input either. Not sure the card game (… really? Blackjack it ain’t) is the best approach, but interesting to try.
  • He has a good relationship with everyone in the room.
  • Some good humour worked in.
  • Had a game for the audience (needed more work to engage people though).
  • Developed an awareness of threat modelling.
  • Learned that identifying weaknesses need not be a highly technical exercise.
  • Developed an awareness of various attack vectors.
  • Lively and interesting presentation with just the right amount of injected humour.
  • Interesting discussions related to our products.
  • The fact we are involved in something that potentially will have practical results.
  • Card game aspect – interesting way of categorising the threats and makes it a bit more memorable than an unordered or ordered list.
  • Mapping the threats and categories onto [our] applications clarified some of the terminology.
  • John’s dry sense of humour in his presenting skills – I like it!
Other Comments
  • But do you know what? It's a difficult thing to do, JK was nervous and he hasn't done it for a long, long time; I think most of the senior members of the team should be doing sessions like this to build up confidence and share the love!
  • Kudos to John. Can’t wait for the next part.
Thanks To All Who Contributed

You deserve better.

1 comment:

  1. In conclusion: obvious lack of muffins and next time make sure everyone has a hammock. Drinks on CV (but make sure he's not in the room) :)