From ed08d10078eaf3474f5d7bf981894986b5813fce Mon Sep 17 00:00:00 2001 From: Dinis Cruz Date: Mon, 10 Oct 2016 00:44:32 +0100 Subject: [PATCH] updating content --- ...rt.md => Annual-reports-should-contain-infosec-[art.md} | 0 .../{Cloud Security.md => Cloud-security.md} | 0 ....md => I-dont-know-the-security-status-of-a-website.md} | 0 ...rity.md => Measuring-companies-application-security.md} | 0 ...sts To Communicate.md => Using-tests-to-communicate.md} | 0 .../Security-champions-dont-take-it-personally.md | 6 +++--- .../Security-champions/The-security-champions-concept.md | 4 ++-- .../Security-champions/What-is-an-security-champion.md | 7 ++++--- 8 files changed, 9 insertions(+), 8 deletions(-) rename content/2.Using-jira-workflow/For-management/{Annual Reports should contain Infosec Part.md => Annual-reports-should-contain-infosec-[art.md} (100%) rename content/2.Using-jira-workflow/For-management/{Cloud Security.md => Cloud-security.md} (100%) rename content/2.Using-jira-workflow/For-management/{I don't know the security status of a website.md => I-dont-know-the-security-status-of-a-website.md} (100%) rename content/2.Using-jira-workflow/For-management/{Measuring companies application security.md => Measuring-companies-application-security.md} (100%) rename content/2.Using-jira-workflow/For-management/{Using Tests To Communicate.md => Using-tests-to-communicate.md} (100%) diff --git a/content/2.Using-jira-workflow/For-management/Annual Reports should contain Infosec Part.md b/content/2.Using-jira-workflow/For-management/Annual-reports-should-contain-infosec-[art.md similarity index 100% rename from content/2.Using-jira-workflow/For-management/Annual Reports should contain Infosec Part.md rename to content/2.Using-jira-workflow/For-management/Annual-reports-should-contain-infosec-[art.md 
diff --git a/content/2.Using-jira-workflow/For-management/Cloud Security.md b/content/2.Using-jira-workflow/For-management/Cloud-security.md similarity index 100% rename from content/2.Using-jira-workflow/For-management/Cloud Security.md rename to content/2.Using-jira-workflow/For-management/Cloud-security.md diff --git a/content/2.Using-jira-workflow/For-management/I don't know the security status of a website.md b/content/2.Using-jira-workflow/For-management/I-dont-know-the-security-status-of-a-website.md similarity index 100% rename from content/2.Using-jira-workflow/For-management/I don't know the security status of a website.md rename to content/2.Using-jira-workflow/For-management/I-dont-know-the-security-status-of-a-website.md diff --git a/content/2.Using-jira-workflow/For-management/Measuring companies application security.md b/content/2.Using-jira-workflow/For-management/Measuring-companies-application-security.md similarity index 100% rename from content/2.Using-jira-workflow/For-management/Measuring companies application security.md rename to content/2.Using-jira-workflow/For-management/Measuring-companies-application-security.md diff --git a/content/2.Using-jira-workflow/For-management/Using Tests To Communicate.md b/content/2.Using-jira-workflow/For-management/Using-tests-to-communicate.md similarity index 100% rename from content/2.Using-jira-workflow/For-management/Using Tests To Communicate.md rename to content/2.Using-jira-workflow/For-management/Using-tests-to-communicate.md diff --git a/content/2.Using-jira-workflow/Security-champions/Security-champions-dont-take-it-personally.md b/content/2.Using-jira-workflow/Security-champions/Security-champions-dont-take-it-personally.md index e6e2154..3b9e2a8 100644 --- a/content/2.Using-jira-workflow/Security-champions/Security-champions-dont-take-it-personally.md +++ b/content/2.Using-jira-workflow/Security-champions/Security-champions-dont-take-it-personally.md 
@@ -1,11 +1,11 @@ ### Security Champions Don't Take it Personally -If you are a security champion, don't take it personally if teams aren't listening to you. Don't think that you are the problem, that you aren't good enough or that you are failing to communicate in some way. +If you are a Security Champion, don't take it personally if teams aren't listening to you. Don't think that you are the problem, that you aren't good enough or that you are failing to communicate in some way. -In most cases, the problem isn't you. The problem is actually the system; the company isn't structured in a way that allows the security champion's questions to be prioritised and answered. +In most cases, the problem isn't you. The problem is actually the system; the company isn't structured in a way that allows the security champion's questions to be prioritised and answered. In other cases the Security Champion is not included in security-relevant architectural meetings and decisions. So, if you find that you are struggling to get traction from a team, the team isn't responding, or it fights you, then drop those requests (as long as the Risk as been accepted). If they treat you as a TAX, as somebody who is giving them work they don't want to do, then also drop it. In the Risk ticket, explain that you tried to persuade the team to accept the risks of not doing security, and that they are now responsible for their security, because you cannot help them. -In such cases the problem lies not with the security champion, but with the company and the organisation, maybe even sometimes with the team itself. This is why it is important to have success stories you can point to and say, "Hey! It worked with that team, and it worked with that team. If it doesn't work with this team, then I am not the problem". +In such cases, the problem lies not with the Security Champion, but with the company and the organisation, maybe even sometimes with the team itself. 
This is why it is important to have success stories you can point to and say, _"Hey! It worked with that team, and it worked with that team. If it doesn't work with this team, then I am not the problem"_. diff --git a/content/2.Using-jira-workflow/Security-champions/The-security-champions-concept.md b/content/2.Using-jira-workflow/Security-champions/The-security-champions-concept.md index 3967378..3fce39a 100644 --- a/content/2.Using-jira-workflow/Security-champions/The-security-champions-concept.md +++ b/content/2.Using-jira-workflow/Security-champions/The-security-champions-concept.md @@ -1,6 +1,6 @@ ### The Security Champions Concept -> _"If everyone is responsible for security, then nobody is"_ [Patrick-Lencioni^] +> _"If everyone is responsible for security, then nobody is"_ [^Patrick_Lencioni] * What are Security Champions? * Why Security Champions @@ -14,5 +14,5 @@ * explain how JIRA Risk Workflow is connected to the Security champions -[Patrick-Lencioni^]: a variation of the quote: +[^Patrick_Lencioni]: a variation of the quote: “If everything is important, then nothing is.” from Patrick Lencioni diff --git a/content/2.Using-jira-workflow/Security-champions/What-is-an-security-champion.md b/content/2.Using-jira-workflow/Security-champions/What-is-an-security-champion.md index 5d396ed..bd845c0 100644 --- a/content/2.Using-jira-workflow/Security-champions/What-is-an-security-champion.md +++ b/content/2.Using-jira-workflow/Security-champions/What-is-an-security-champion.md 
@@ -4,11 +4,12 @@ Security Champions are a key element of an AppSec team, since they create an cro **What is an Security Champion?** -* Security Champions are active members of a team that may help to make decisions about when to engage the Security Team -* Act as the "voice" of security for the given product or team -* Assist in the triage of security bugs for their team or area + * Security Champions are active members of a team that may help to make decisions about when to engage the Security Team + * Act as the "voice" of security for the given product or team + * Assist in the triage of security bugs for their team or area **What do they do?** + * Actively participate in the AppSec JIRA and WIKI * Collaborate with other security champions * Review impact of 'breaking changes' made in other projects
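Review bot: the rename target `Annual-reports-should-contain-infosec-[art.md` has a typo in the last word; `[art` should be `part`, giving `Annual-reports-should-contain-infosec-part.md`. The other four renames in this patch consistently normalise the titles to lowercase hyphenated names, so this one stands out and any link written against the intended name will 404 until it is fixed; squash the correction into this commit rather than leaving a second rename in history.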
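Review bot: in `Security-champions-dont-take-it-personally.md` the capitalisation change to "Security Champion" is applied in the first and last paragraphs, but the second paragraph, which this hunk already rewrites, still reads `the security champion's questions to be prioritised and answered`; make it `Security Champion's` so the term is consistent within the file. The same paragraph's new sentence would read better with a comma: `In other cases, the Security Champion is not included in security-relevant architectural meetings and decisions.` The unchanged context line also carries `(as long as the Risk as been accepted)`, which should be `has been`; since this file is being edited anyway, fold that fix in.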
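Review bot: in `The-security-champions-concept.md` the change from `[Patrick-Lencioni^]` to `[^Patrick_Lencioni]` is the right fix; the caret belongs at the start of the label for Markdown footnote syntax, and the old form would have rendered as literal bracketed text. One thing to check: the definition is split over two lines (`[^Patrick_Lencioni]: a variation of the quote:` followed by `“If everything is important, then nothing is.” from Patrick Lencioni` on its own line). Not every footnote extension treats an unindented second line as a continuation of the definition, so either join the two lines or indent the second one to be safe, and confirm the footnote renders in the site build before merging.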
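Review bot: in `What-is-an-security-champion.md` the three bullets under `**What is an Security Champion?**` are re-indented with a leading space (` * Security Champions are active members…`) while the `**What do they do?**` list below keeps `* ` at column zero, so the two lists in the same file now use different indentation for the same level. A single leading space is usually tolerated, but mixing styles makes a later nested-list misparse more likely; pick one form for both lists. While touching this heading, also fix the article: `an Security Champion` should be `a Security Champion` in the heading and in the file name, and the context line shown in the `@@` header, `since they create an cro…`, has the same `an` before a consonant.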