Leveraging Security Asset Inventories

May 18, 2023

Asset inventories let you know what you have to secure and monitor it for deviations. The pace of iteration in software engineering makes such platforms inevitable.
In this episode we welcome Sacha Faust, director of security engineering at Grammarly, who built Cartography, one of the first open source asset inventories. Sacha describes what led them to build it (funnily: an offensive use case!), how inventories enable spreading ownership to software teams, the solutions that exist off the shelf today, …

Mentioned:
https://twitter.com/alexchantavy (currently maintains Cartography)
https://twitter.com/JohnLaTwC (author of the quote: "attackers think in graphs, defenders think in lists")

Sacha Faust (Twitter, LinkedIn) is Director of Security Engineering at Grammarly.

00:00 Introduction

03:09 What is an asset inventory?

04:36 How do you best leverage an inventory from a security standpoint?

07:41 What was the trigger to build an inventory?

12:30 Did you have specific risks that you wanted to protect against?

16:32 The owner: the security team owns Cartography, but the engineers use it

21:20 The green team and developer accountability

32:54 The cloud as an enabler of inventories, and the challenge of diversity of environments

38:45 Inventory performance challenges

43:25 Demo: asset inventory in Cartography

46:24 Demo: asset inventory in Datadog

53:46 Linking resources to owners