
Why can't developers make it secure?

Julia Mezher
September 03, 2021


Transcript

  1. If you ask developers what is the problem…
     • Tight deadlines
     • Feature priorities
     • Lack of security expertise
     • Security controls conflict with other features
  2. If you ask developers what is the problem…
     • Tight deadlines
     • Feature priorities
     • Lack of security expertise
     • Security controls conflict with other features
     • Lack of secure architecture
  3. Security controls conflict with other features. Necessity of communication.
     Sources: https://www.guardsquare.com/state-of-mobile-application-security-report
     https://www.ptsecurity.com/ww-en/analytics/web-vulnerabilities-2020/
  4. Secure coding is a separate skill. Developers can learn general best practices and platform-specific recommendations.
     • Security trainings
     • Online education materials
     • Conferences
  5. Secure coding is a separate skill. Examples:
     • Data minimisation principle (do not store what you don't really need)
     • Validate any input from external sources (user input, network requests, etc.)
     • Deny access by default
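The three principles on slide 5 applied to one small request handler, as an added example that is not part of the deck. The roles, actions, field names and the "export profile" feature are hypothetical; the point is the shape: an allow-list that denies anything unlisted, strict validation of every value that arrives over the network, and a field allow-list so data the feature does not need never gets stored or returned.

```python
"""Added example, not from the deck: slide 5's three secure-coding principles
applied to one small 'export user profile' handler. Roles, actions and
field names are hypothetical."""
import re
from dataclasses import dataclass

# --- Deny access by default ---------------------------------------------------
# An explicit allow-list of (role, action). Anything not listed is denied,
# including roles and actions that do not exist yet, so a new feature is
# closed until someone consciously opens it.
ALLOWED = frozenset({
    ("admin", "export_profile"),
    ("admin", "delete_profile"),
    ("support", "export_profile"),
})


def is_allowed(role: str, action: str) -> bool:
    return (role, action) in ALLOWED


# --- Validate any input from external sources --------------------------------
# [0-9] rather than str.isdigit(): isdigit() also accepts non-ASCII digits.
USER_ID_RE = re.compile(r"[0-9]{1,12}")
PAGE_SIZE_RE = re.compile(r"[0-9]{1,3}")
MAX_PAGE_SIZE = 100


@dataclass(frozen=True)
class ExportRequest:
    user_id: int
    page_size: int


def parse_export_request(params: dict) -> ExportRequest:
    """params arrives over the network; every value is untrusted text."""
    raw_id = params.get("user_id", "")
    if not isinstance(raw_id, str) or not USER_ID_RE.fullmatch(raw_id):
        raise ValueError("user_id must be 1-12 ASCII digits")
    raw_size = params.get("page_size", "20")
    if not isinstance(raw_size, str) or not PAGE_SIZE_RE.fullmatch(raw_size):
        raise ValueError("page_size must be a small positive integer")
    page_size = int(raw_size)
    if not 1 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError(f"page_size must be between 1 and {MAX_PAGE_SIZE}")
    return ExportRequest(user_id=int(raw_id), page_size=page_size)


# --- Data minimisation --------------------------------------------------------
# Only what the export feature needs leaves this function; password hashes,
# session tokens and the like never reach the export store or the client.
EXPORT_FIELDS = frozenset({"user_id", "display_name", "email"})


def minimise_profile(profile: dict) -> dict:
    return {k: v for k, v in profile.items() if k in EXPORT_FIELDS}


def handle_export(role: str, params: dict, profile: dict) -> dict:
    """Authorise first (deny by default), then validate, then minimise."""
    if not is_allowed(role, "export_profile"):
        raise PermissionError(f"export_profile denied for role {role!r}")
    req = parse_export_request(params)
    if profile.get("user_id") != req.user_id:
        raise ValueError("profile does not belong to the requested user_id")
    return minimise_profile(profile)


if __name__ == "__main__":
    # Constructed sample profile; the extra fields are what minimisation drops.
    profile = {"user_id": 42, "display_name": "Ada", "email": "ada@example.com",
               "password_hash": "<hash>", "session_token": "<token>"}
    print(handle_export("support", {"user_id": "42"}, profile))
```

The order in `handle_export` matters: authorisation runs before any parsing, so an unauthorised caller cannot probe the validator, and minimisation runs last so nothing outside `EXPORT_FIELDS` can leak through a later refactor of the handler.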
  6. Security is invisible
     - No direct business value.
     - You can't see if it's working, you can see when it fails.
  7. The longer we delay security, the more effort it takes to add it, and the more likely it is to be ignored.
  8. The longer it takes to fix an issue, the less chance it has of being fixed.
     Source: https://www.veracode.com/state-of-software-security-report
  9. Secure SDLC
     Phase         Security activity
     Requirements  Risk assessment
     Design        Threat modelling & design review
     Develop       Secure coding & static analysis
     Test          Code review & security testing
     Deploy        Security assessment & secure configuration
  10. Secure SDLC (same table), annotated: Software developers
  11. Secure SDLC (same table), annotated: Software developers; Architectural decision
  12. In a fast-paced environment…
     People make poor decisions under pressure. Secure architecture is about decision making.
     People mess up processes under pressure. Secure architecture is about following the process.
  13–15. Secure architecture is a combination of structural security decisions that efficiently addresses risks, considering business goals.
  16. Secure Architecture                          Secure Coding
      - is about the decision-making process       - is about writing code
      - is based on risks and business goals       - is based on industry guidelines
      - is an abstraction                          - is platform-specific
  17. Same comparison, with a caption under each column:
      Secure Architecture: you operate risks and business goals, abstracting from the tools.
      Secure Coding: you operate tools, you don't make business decisions.
  18. Same comparison, with one more caption each:
      Secure Architecture: creating structure.  Secure Coding: adding details.
  19. Building Secure Architecture (diagram): Business goals · Decisions & design · Risks & tradeoffs · Build the arch
  20. Same diagram, with participants added: Business owners, Dev team
  21–22. Same diagram, with one more participant: Security experts
  23. Shared Responsibility. No one can know everything.
     Who makes decisions? Who plans the work and sets priorities? Who will address security?
  24. Shared Responsibility. No one can know everything.
     Who makes decisions? Who plans the work and sets priorities? Who will address security?
     • Business owners
     • Product and project managers
     • Software developers
     • UI/UX Designers
     • DevOps team
     • QA engineers
     • …
  25. Shared Responsibility. No one can know everything. Each platform is different. Secure architecture requires security expertise in each of them.
     Example: Force upgrade. Unlike the web, you can't control when the user updates a desktop or mobile app, unless you have implemented an additional feature for that. It requires changes on both the client and the backend.
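The force-upgrade feature from slide 25 sketched end to end, as an added example that is not part of the deck. It shows both halves the slide says are needed: a backend gate that refuses clients below a minimum version, and the client-side handling of that refusal. The `X-App-Version` header, the response fields, the verdict names and the version numbers are all hypothetical; the 426 Upgrade Required status code is a standard HTTP status.

```python
"""Added example, not from the deck: a minimal 'force upgrade' feature with
both halves the slide says are needed, the backend gate and the client's
reaction. Header name, response fields and version numbers are hypothetical."""
from http import HTTPStatus
from typing import Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Strict MAJOR.MINOR.PATCH; anything else is rejected, not guessed."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() and p.isascii() for p in parts):
        raise ValueError(f"bad version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def format_version(v: Version) -> str:
    return ".".join(str(n) for n in v)


# --- Backend ------------------------------------------------------------------
class UpgradePolicy:
    """min_supported: below this the client is refused (forced upgrade).
    recommended: below this the client still works but is told to update."""

    def __init__(self, min_supported: str, recommended: str):
        self.min_supported = parse_version(min_supported)
        self.recommended = parse_version(recommended)
        if self.min_supported > self.recommended:
            raise ValueError("min_supported must not exceed recommended")

    def evaluate(self, client_version: Optional[str]) -> str:
        """'force', 'soft' or 'ok'. A missing or malformed header is treated as
        too old: a client that predates the check cannot be assumed to carry
        the fix being forced out."""
        if client_version is None:
            return "force"
        try:
            v = parse_version(client_version)
        except ValueError:
            return "force"
        if v < self.min_supported:          # tuple compare: 2.10.0 > 2.9.0
            return "force"
        if v < self.recommended:
            return "soft"
        return "ok"


def backend_handle(policy: UpgradePolicy, headers: dict, body: dict) -> Tuple[int, dict]:
    """Version gate in front of a request handler. Returns (status, json)."""
    verdict = policy.evaluate(headers.get("X-App-Version"))
    if verdict == "force":
        return HTTPStatus.UPGRADE_REQUIRED, {       # 426, standard status code
            "error": "upgrade_required",
            "min_supported": format_version(policy.min_supported),
        }
    response = {"data": body}                       # stand-in for the real handler
    if verdict == "soft":
        response["upgrade_recommended"] = format_version(policy.recommended)
    return HTTPStatus.OK, response


# --- Client -------------------------------------------------------------------
def client_next_action(status: int, payload: dict) -> str:
    """The client handles 426 before anything else: on a forced upgrade it
    shows a blocking screen and stops using the API instead of retrying."""
    if status == HTTPStatus.UPGRADE_REQUIRED:
        return "block_ui_and_open_store"
    if status == HTTPStatus.OK and "upgrade_recommended" in payload:
        return "show_dismissable_update_banner"
    return "continue"


if __name__ == "__main__":
    policy = UpgradePolicy(min_supported="2.3.0", recommended="2.5.1")
    for ver in ("2.2.9", "2.4.0", "2.10.0", None):   # constructed client versions
        hdrs = {"X-App-Version": ver} if ver else {}
        status, payload = backend_handle(policy, hdrs, {"q": 1})
        print(ver, int(status), client_next_action(status, payload))
```

Two caveats a practitioner would want here. The version header is asserted by the client, so this gate only moves honest-but-outdated users forward; a modified client can send any version, so the backend must never treat the header as evidence that the client is patched and must keep validating server-side whatever the old client got wrong. And the client half has to ship before it is needed: a client that does not yet understand 426 cannot be forced to upgrade, which is why the slide calls this a feature that has to be built deliberately, on both sides.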
  26. Shared Responsibility. No one can know everything. Each platform is different. Secure architecture requires security expertise in each of them.
     Example: Screenshot prevention. You can't prevent screenshots in web apps. Why would you want it in an Android app? Because users usually sync photos automatically with Google Photos, iCloud, etc.
  27. Ownership
     • Understand your role
     • Know what you are doing and what for
     • Communicate
     The goal: each team member knows whom to ask questions. If you own, you care.
  28. Ownership. Example: Owning the features
     • Understand its value
     • Closer look at related PRs
     • Keep an eye on updates
     • Be ready to speak up
     If you own, you care.
  29. Ownership. Example: Reading security docs
     "Have you read the security policy of your company?"
     "Have you read the risk assessment and threat modelling docs of your project?"
     If you own, you care.
  30. Want to learn more?
     "Designing stack agnostic, modern, secure architectures" by Eugene Pilyankevich
     https://www.infoq.com/presentations/design-secure-architectures/
     "Secure Development Lifecycle" by Jim Manico
     https://youtu.be/M7qMP3C5bkU
     https://owasp.org/www-pdf-archive/Jim_Manico_(Hamburg)_-_Securiing_the_SDLC.pdf
     Collections of security stats reports
     https://techbeacon.com/security/27-data-security-stats-matter
     https://techbeacon.com/security/30-app-sec-stats-matter