Security is a property of human outcomes, not technical systems. Development teams have an increasing body of knowledge to draw on when thinking about the security of code, and increasingly even for the security of large, deployed systems. However, we’ve barely begun to think about how that knowledge changes security outcomes for humans. In many cases, teams ship systems without a clear understanding of what the humans that interact with them are trying to accomplish and what security means for those people’s goals. Let’s take a look at how security for humans affects the entire software development lifecycle, where it has the biggest impact, and some tools that can help teams get it right.
Eleanor Saitta is a practice lead at Systems Structure Ltd, a security architecture and strategy consultancy with media, finance, healthcare, infrastructure, and software clients across the US and Europe. She’s worked in security for 16 years, covering everything from core security engineering and architecture work for Fortune 50 software firms to cross-domain security for news organizations and NGOs targeted by nation states. She’s a cofounder and developer for Trike, an open source threat modeling methodology and tool that partially automates the art of security analysis, and has contributed to the Briar and Mailpile secure messaging projects. She’s also a regular speaker at industry conferences; past venues include the O’Reilly Velocity Conference, Kiwicon, ToorCon, CCC, Hack In The Box, and HOPE, among others. You can find her on twitter as @dymaxion and at https://dymaxion.org. SSL lives at https://structures.systems.
©2015, O’Reilly UK Ltd • (800) 889-8969 or (707) 827-7019 • Monday-Friday 7:30am-5pm PT • All trademarks and registered trademarks appearing on oreilly.com are the property of their respective owners. • firstname.lastname@example.org