Leveraging Security Asset Inventories
Asset inventories enable you to know what you have to secure, and to monitor it for deviations. The pace of iteration in the world of software engineering makes such platforms inevitable.
In this episode we welcome Sacha Faust, director of security engineering at Grammarly, who built Cartography, one of the first open source asset inventories. Sacha describes what led them to build it (funnily: an offensive use case!), how inventories enable spreading ownership to software teams, the solutions that exist off the shelf today, …
Mentioned:
https://twitter.com/alexchantavy (currently maintains Cartography)
https://twitter.com/JohnLaTwC (author of the quote "attackers think in graphs, defenders think in lists")
Sacha Faust (Twitter, LinkedIn) is Director of Security Engineering at Grammarly.
00:00 Introduction
03:09 What is an asset inventory?
04:36 How do you best leverage an inventory from a security standpoint?
07:41 What was the trigger to build an inventory?
12:30 Did you have specific risks that you wanted to protect against?
16:32 The owner: the security team owns Cartography, but the engineers use it
21:20 The green team and developer accountability
32:54 The cloud as an enabler of inventories, and the challenge of diversity of environments
38:45 The performance challenge of inventories
43:25 Demo: asset inventory in Cartography
46:24 Demo: asset inventory in Datadog
53:46 Linking resources to owners