
José Carlos Chávez
December 05, 2025

Secure by Design: Security as a First-Class Citizen in Software Manufacturing

In times where technology takes part in many aspects of our lives, from managing personal identities to delivering critical medical care, ensuring the security of software systems is paramount. The prevalence of insecure technology and vulnerabilities in critical systems has created a significant threat landscape in recent years, with potential safety hazards and far-reaching consequences.

This talk surveys the software manufacturing landscape from the point of view of "secure by design" as a core principle, emphasizing the need to integrate security considerations into every phase of the software development lifecycle and highlighting the accountability of each team for the security posture of the systems. From requirements and design to coding and testing, security should be an integral part of the process, not an afterthought.


Transcript

  1. Secure by Design
     © Okta and/or its affiliates. All rights reserved.
     BuildStuff 2025, Vilnius - Lithuania
     José Carlos Chávez (he/him), Security Software Engineer
  2. José Carlos Chávez, Security Software Engineer - Okta
     • Peruvian
     • Open Source contributor and maintainer for 12+ years
     • OWASP Coraza WAF co-leader
     • Loving father of 2
     • Mathematician in quarantine
  3. Šakotis recipe (slide text partially cut off in extraction; reconstructed where the context makes it clear)
     • Preheat the traditional Šakotis oven or rotisserie to 180°C (356°F).
     • In a large bowl, combine the sugar and butter. Mix until the mixture is creamy and smooth.
     • Gradually add the eggs into the butter and sugar mixture one by one, making sure each egg is fully incorporated before adding the next.
     • Stir in the heavy cream, vanilla extract, and lemon zest.
     • Gradually add the flour to the mixture. Mix until all ingredients are well combined and the batter is smooth.
     • Leave the batter in the fridge for about an hour to rest and chill.
     • Prepare the Šakotis spit by greasing it with some butter.
     • Start the oven or rotisserie and let it reach its operating heat.
     • Once the spit is rotating, start spooning the batter onto the spit.
     • Continue adding batter in layers, allowing each layer to brown before adding the next.
     • Repeat this process until all the batter is used up. This could take several hours, but rotating and basting should be done continuously.
  4. The Traditional Pitfall
     Can I rotate and baste the Šakotis after cooling it down?
     The "Bolted On" Approach
     - (Historically) security was a final checkpoint before release.
     - Expensive rework and delayed launches.
     - Systemic vulnerabilities that are impossible to patch effectively once deployed.
     - Security as a state, not as a process.
     The "Secure by Design" Way
     - Security as a functional requirement from Day 0.
     - Systems are inherently robust.
     - Reduces the attack surface and maintenance burden over time.
     - Security flows across the stages of the SDLC.
  5. 1. Least Privilege
     Users and processes should only have the bare minimum permissions necessary to perform their function.
     • Prevents lateral movement if an account is compromised.
     • Limits the "blast radius" of a security breach.
     • Applies to humans, applications, and system processes.
  6. 2. Defense in Depth
     Never rely on a single defensive mechanism. If one fails, others must stand in the way.
     • Combine physical, technical, and administrative controls.
     • Redundancy ensures system resilience.
     • Avoid the domino effect.
     (Diagram: Firewall → WAF → AuthN → AuthZ → …)
  7. 3. Fail Securely
     When a system fails or encounters an error, it should not reveal data or grant access.
     • If authentication fails, access is denied (not granted).
     • Error messages should not reveal stack traces or database info.
     • Failures shouldn't reveal weaknesses.
  8. 4. Keep It Simple
     Complex systems are harder to understand, harder to test, and harder to secure.
     • Keep the design as simple and small as possible.
     • Auditing simple code is more effective.
     • Reduces the number of failure modes.
     • "Economy of Mechanism" ensures streamlined defenses.
  9. 5. Separation of Duties
     Critical actions should require the collaboration of multiple parties to prevent fraud and errors.
     • Prevents a single bad actor from compromising the entire system.
     • Essential for high-value transactions and admin tasks.
     • Limits the "blast radius" of a security attack.
     (Diagram: Separation vs. No Separation)
  10. 6. Open Design
     System security should not depend on the secrecy of its implementation or its components.
     • Assume the attacker has the source code and blueprints.
     • Allows for independent auditing and peer review.
     • Kerckhoffs's principle: a system should be secure even if the enemy knows the system.
  11. 7. Segmentation
     Break the system up into pieces to create isolation.
     • Isolated components may have different levels of sensitivity.
     • Promotes efficient security measures.
     • Promotes degradation of service instead of outages.
  12. 8. Usability
     Security controls should not hinder the user experience to the point where users bypass them.
     • If security is too difficult, users will find a workaround.
     • Be a security enabler, not a gatekeeper.
     • User friction leads to shadow IT and poor hygiene.
  13. 9. Minimize Attack Surface
     Every feature, interface, and service is a potential point of failure.
     • Disable unnecessary features and services.
     • Close unused ports and restrict API access.
     • Simpler systems have fewer vulnerabilities.
  14. 10. Secure By Default
     A system should be secure "out of the box." Users should not have to be security experts to be safe.
     • Features should be disabled by default.
     • Permissions should be restrictive (Deny All) by default.
     • Safety is the baseline, not an upgrade.
     Default:
       $ docker run nginx:latest
     Customized:
       $ docker run \
           --hostname myapp-host \
           --env-file ./env/redis.env \
           --mount type=volume,src=myapp-data,dst=/var/lib/myapp \
           --network my_overlay_net \
           --publish 8080:80 \
           --publish 8443:443 \
           --cap-add NET_ADMIN \
           nginx:latest
  15. SDLC & SSDLC
     Each SDLC stage is paired with its security activity:
     • Requirements: Risk Assessment
     • Design: Threat Modeling & Design Review
     • Development: Static Analysis
     • Testing: Security Testing & Code Review
     • Deployment: Security Assessment & Secure Configuration
  16. Secure by Design and Friends
     • Continuous Monitoring
     • Risk Assessment
     • Education and Training
     • Collaboration
  17. Conclusions
     1. Security must be a foundational design principle, not an afterthought.
     2. Adopting Secure by Design does not merely mean adding tooling; it means a shift of mindset, often supported by tooling that keeps the process continuous.
     3. Building security early reduces long-term cost, complexity, and risk.
     4. You must try Šakotis if you haven't.
  18. Questions?
     You can also reach me at
     • josecarlos.chavez@{okta.com|owasp.org}
     • https://www.linkedin.com/in/jcchavezs/
     • jcchavezs.bsky.social
  19. Thank you!