The Art of Secure Architecture

The Art of Secure Architecture Julia Potapenko

Security Software Engineer @julepka We help companies to protect their
sensitive and valuable data.

Secure architecture

Secure architecture for small startup companies

Secure architecture for small startup companies Fast-pacing development Prioritized feature
delivery Smaller team No security team & decision making Tight deadlines & budget

… security decreases usability … and performance … … security
feature is in conﬂict with another feature … We want it secure but…

We want it secure but…

We want it secure but… Why do we postpone security
features?

Security is invisible - No direct business value. - You
can’t see if it’s working, you can see when it fails.

Secure architecture –

Secure architecture – is a combination of structural security decisions…

Secure architecture – is a combination of structural security decisions
that efﬁciently addresses risks…

Secure architecture – is a combination of structural security decisions
that efﬁciently addresses risks considering business goals.

People make poor decisions under pressure. Secure architecture is about
decision making. People mess up the processes under the pressure. Secure architecture is about following the process.

SSDLC Requirements Design Develop Test Deploy

Requirements Design Develop Test Deploy Security review, security features Design
review, threat model Secure coding, static analisys Security code review, pentesting Security monitoring, security assessment SSDLC

Building Secure Architecture See also: TOGAF BUSINESS GOALS BUILD THE
ARCH ARCH DECISIONS & DESIGN RISKS & TRADEOFFS

Building Secure Architecture BUSINESS GOALS BUILD THE ARCH ARCH DECISIONS
& DESIGN RISKS & TRADEOFFS Document risks!

… you assess risks every and do security decisions every
day…

Imagine you are an artist. You want to gift your
friend a painting: a portrait. You know your friend is somewhat picky.

Watercolor Pros: trendy, not expensive Cons: mistakes not allowed Imagine
you are an artist. You want to gift your friend a painting: a portrait. You know your friend is somewhat picky.

Watercolor Pros: trendy, not expensive Cons: mistakes not allowed Oil
paint Pros: mistakes allowed Cons: expensive, not trendy Imagine you are an artist. You want to gift your friend a painting: a portrait. You know your friend is somewhat picky.

Watercolor Pros: trendy, not expensive Cons: mistakes not allowed Oil
paint Pros: mistakes allowed Cons: expensive, not trendy Gouache water-based as watercolor but not that opaque, not expensive, allows minor mistakes Imagine you are an artist. You want to gift your friend a painting: a portrait. You know your friend is somewhat picky.

What could go wrong? Lack of time Not assessing risks
and tradeoffs Picking tools before sticking to the core idea Lack of awareness

Risk assessment for beginners

What is important for your business? What I don’t want
to share or loose as a user? What sensitive data or PII can be there? Do I need to be compliant to any regulations? Why may the company loose a lot of many? How much do I care about reputation damage? Risk assessment for beginners

What is important for your business? - Proﬁt What I
don’t want to share or loose as a user? - Credit card What sensitive data or PII can be there? - Name, address, phone Do I need to be compliant to any regulations? - GDPR, CCPA Why may the company loose a lot of many? - Availability issues How much do I care about reputation damage? - I care a lot Food delivery service example

What is a possible damage from this or that attack?
What is our attack surface? How often this or that attack may appear? How probable it is? How interesting (proﬁtable) it may be for an attacker? What skill level is required for it? Do we have (plan) other security controls covering it? What is the cost of implementing the security control? What is the cost of attack mitigation? See also: FAIR, NIST RMF Measure and prioritize

Building Secure Architecture BUSINESS GOALS BUILD THE ARCH ARCH DECISIONS
& DESIGN RISKS & TRADEOFFS Document risks!

Be creative! Building Secure Architecture BUSINESS GOALS BUILD THE ARCH
ARCH DECISIONS & DESIGN RISKS & TRADEOFFS Document risks!

Be creative! Pick tools here! Building Secure Architecture BUSINESS GOALS
BUILD THE ARCH ARCH DECISIONS & DESIGN RISKS & TRADEOFFS Document risks!

Creativity

Creativity Industry Guidelines Technology expertise Tools

Creativity - the ability to create - the use of
imagination or original ideas to create something; inventiveness Synonyms: imagination, vision, inventiveness Industry Guidelines Technology expertise Tools

Be creative! Pick tools here! Building Secure Architecture BUSINESS GOALS
BUILD THE ARCH ARCH DECISIONS & DESIGN RISKS & TRADEOFFS Document risks!

BUSINESS GOALS BUILD THE ARCH ARCH DECISIONS & DESIGN RISKS
& TRADEOFFS Document risks! Be creative! Communicate! Pick tools here! Building Secure Architecture

Communicate! Business owner view Architect’s view Designer’s view Software engineer’s
view Manager’s view See also: SABSA Building Secure Architecture

Communicate! Business owner view Architect’s view Designer’s view Software engineer’s
view Manager’s view QC engineer’s view Marketing view Infrastructure engineer’s view People management view Graphical designer’s view Legal view Support team view See also: COBIT 5 Building Secure Architecture

Why engineers can’t make it secure?

Secure Architecture - is about decision making process - is
based on risks and business goals - is an abstraction Secure Coding - is about writing code - is based on industry guidelines - is platform-speciﬁc Why engineers can’t make it secure?

You operate risks and business goals, abstracting from the tools
You operate tools, you don’t make business decisions Secure Architecture - is about decision making process - is based on risks and business goals - is an abstraction Secure Coding - is about writing code - is based on industry guidelines - is platform-speciﬁc Why engineers can’t make it secure?

You operate risks and business goals, abstracting from the tools
You operate tools, you don’t make business decisions Creating structure Adding details Secure Architecture - is about decision making process - is based on risks and business goals - is an abstraction Secure Coding - is about writing code - is based on industry guidelines - is platform-speciﬁc Why engineers can’t make it secure?

“We’ve created a mobile app for our store! Now, you
can pay with the app! No need to interact with people!” Why engineers can’t make it secure?

can pay with the app! No need to interact with people!” “The fraud level is way too high. Let’s ask engineers to investigate and ﬁx the issue” Why engineers can’t make it secure?

can pay with the app! No need to interact with people!” “The fraud level is way too high. Let’s ask engineers to investigate and ﬁx the issue” After a couple of month engineering team arrived with nothing. One of them asked: “What is the actual percentage of fraudulent transactions?” Why engineers can’t make it secure?

can pay with the app! No need to interact with people!” “The fraud level is way too high. Let’s ask engineers to investigate and ﬁx the issue” After a couple of month engineering team arrived with nothing. One of them asked: “What is the actual percentage of fraudulent transactions?” The actual percentage was actually better the industry statistics. Why engineers can’t make it secure?

review, threat model Secure coding, static analisys Security code review, pentesting Security monitoring, security assessment Architectural decisions SSDLC

review, threat model Secure coding, static analisys Security code review, pentesting Security monitoring, security assessment Architectural decisions Software developers SSDLC

Force upgrade feature Essential for desktop and mobile apps (but
not for backend, web) But its logic includes both app and backend side. Why engineers can’t make it secure?

Force upgrade feature Essential for desktop and mobile apps (but
not for backend, web) But its logic includes both app and backend side. If the app is already released, it take more time to implement it (existing error handling logic created limitations). Why engineers can’t make it secure?

When security was postponed: 1. Error handling implemented 2. App
devs discover the risk 3. App devs communicate with architect and manager 4. App devs communicate with backend 5. Updating error handling 6. Adding force upgrade Why engineers can’t make it secure?

When security was postponed: 1. Error handling implemented 2. App
devs discover the risk 3. App devs communicate with architect and manager 4. App devs communicate with backend 5. Updating error handling 6. Adding force upgrade Security right from the start: 1. Architect communicates with devs 2. Architect discovers the risk 3. Error handling implemented 4. Adding force upgrade Why engineers can’t make it secure?

review, threat model Secure coding, static analisys Security code review, pentesting Security monitoring, security assessment … tips for small startups… SSDLC

Requirements Design Develop Test Deploy document risks and sensitive assets
design and discuss with security in mind Secure coding, static analisys Security code review, pentesting Security monitoring, security assessment … tips for small startups… See also: OWASP RAF SSDLC

design and discuss with security in mind secure coding knowledge sharing, static analysis Security code review, pentesting Security monitoring, security assessment … tips for small startups… SSDLC

design and discuss with security in mind secure coding knowledge sharing, static analysis security checklists, dependency checkers, SAST, DAST. Security monitoring, security assessment … tips for small startups… SSDLC

design and discuss with security in mind secure coding knowledge sharing, static analysis security checklists, dependency checkers, SAST, DAST. security events in analytics, responsible disclosure … tips for small startups… SSDLC

Have you ever caught your development team in the situation
when the very ﬁrst app release is coming, but it lacks security completely? Requirements Design Develop Test Deploy

when the very ﬁrst app release is coming, but it lacks security completely? Requirements Design Develop Test Deploy What are the most critical events that may happen to your business? Prioritise!

when the very ﬁrst app release is coming, but it lacks security completely? Requirements Design Develop Test Deploy What are the most critical events that may happen to your business? Prioritise! Communicate. Assess what you already have. Book time.

when the very ﬁrst app release is coming, but it lacks security completely? Requirements Design Develop Test Deploy Build step by step. Make sure basic security functionality is working. Then, improve. What are the most critical events that may happen to your business? Prioritise! Communicate. Assess what you already have. Book time.

when the very ﬁrst app release is coming, but it lacks security completely? Requirements Design Develop Test Deploy Build step by step. Make sure basic security functionality is working. Then, improve. Create a checklist with all the security controls. What are the most critical events that may happen to your business? Prioritise! Communicate. Assess what you already have. Book time.

when the very ﬁrst app release is coming, but it lacks security completely? Requirements Design Develop Test Deploy Build step by step. Make sure basic security functionality is working. Then, improve. Create a checklist with all the security controls. Set up alerting What are the most critical events that may happen to your business? Prioritise! Communicate. Assess what you already have. Book time.

when the very ﬁrst app release is coming, but it lacks security completely? Requirements Design Develop Test Deploy Build step by step. Make sure basic security functionality is working. Then, improve. Create a checklist with all the security controls. Set up alerting Prepare Plan B What are the most critical events that may happen to your business? Prioritise! Communicate. Assess what you already have. Book time.

Summary - Book time for security in advance - Stick
to SSDLC as early as possible - Secure architecture is not a single person responsibility

Thank you! @julepka Photo by Lukas Blazek https://unsplash.com/@goumbik

The Art of Secure Architecture

The Art of Secure Architecture

More Decks by Julia Mezher

Other Decks in Programming

Featured

Transcript