Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Secure by design
Search
Sponsored
·
Your Podcast. Everywhere. Effortlessly.
Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
→
Laura Bell
May 20, 2015
Technology
100
1
Share
Secure by design
Presented by Laura Bell (SafeStack) at ANZTB annual conference, Auckland (New Zealand)
Laura Bell
May 20, 2015
More Decks by Laura Bell
See All by Laura Bell
DIY security for the amateur superhero
ladynerd
0
300
Hackcon 11 - Protecting our people
ladynerd
0
250
Security in a container based world
ladynerd
0
160
Securing Microservice Architectures
ladynerd
2
370
Better Connected
ladynerd
0
83
Continuous Security
ladynerd
3
1.2k
Automated Human Vulnerability Scanning with AVA
ladynerd
3
2.7k
Blindsided by security
ladynerd
0
140
Practical tools for privacy audit
ladynerd
0
230
Other Decks in Technology
See All in Technology
JICUG あなたのAI駆動開発パートナー IBM Bob を使ったアプリ開発
1ftseabass
PRO
0
110
Oracle Cloud Infrastructure:2026年5月度サービス・アップデート
oracle4engineer
PRO
1
220
CloudFront VPCオリジンとVPC Latticeサービスの内部ALBをマルチアカウントで一元利用しよう
duelist2020jp
5
260
Spring AI × MCP 入門〜AIエージェントへのツール公開、境界設計から始める最小構成 〜
yuyamiyamoto
0
160
Cloud Run のアップデート 触ってみる&紹介
gre212
0
210
最低限これだけ押さえれ大丈夫_Claude Enterprise/Team企業展開ガバナンス入門
tkikuchi
1
430
Kaggle未経験社員をメダリストに育てる「AIドラゴン桜」
lycorptech_jp
PRO
0
640
Claude Code x Accounting
kawaguti
PRO
1
340
「使われるデータ基盤」を目指してデータアナリストとワークショップをやった話
jackojacko_
2
920
ポスター発表&デモと総括 / Poster Presentations & Demonstrations and Summary
ks91
PRO
0
150
Anthropic AIネイティブ・スタートアップ構築のプレイブック を理解する
nagatsu
0
200
Java正規表現エンジン(NFA)の仕組みと パフォーマンスを維持するための最適化手法
takeuchi_132917
0
140
Featured
See All Featured
Build The Right Thing And Hit Your Dates
maggiecrowley
39
3.1k
The State of eCommerce SEO: How to Win in Today's Products SERPs - #SEOweek
aleyda
2
11k
Building Flexible Design Systems
yeseniaperezcruz
330
40k
More Than Pixels: Becoming A User Experience Designer
marktimemedia
3
420
16th Malabo Montpellier Forum Presentation
akademiya2063
PRO
0
130
Making Projects Easy
brettharned
120
6.6k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
141
35k
Noah Learner - AI + Me: how we built a GSC Bulk Export data pipeline
techseoconnect
PRO
0
190
Breaking role norms: Why Content Design is so much more than writing copy - Taylor Woolridge
uxyall
0
300
Building the Perfect Custom Keyboard
takai
2
770
職位にかかわらず全員がリーダーシップを発揮するチーム作り / Building a team where everyone can demonstrate leadership regardless of position
madoxten
62
54k
Discover your Explorer Soul
emna__ayadi
2
1.1k
Transcript
Secure by Design Building secure and useable systems in a
connected world Laura Bell F O U N D E R & L E A D C O N S U LTA N T S A F E S TAC K @ l a d y _ n e rd l a u r a @ s a fe s t a c k . i o
the world is a terrible place
the internet is a festering pool of toxic waste
None
somebody probably wants to do bad things to your computer
the security situation is beyond hope
None
we can build amazing things
None
None
None
doing this securely is hard
developers and testers you can avoid common pitfalls. bring security
to any dev/test environment
Security for everyone
None
Security needs a hero
security is a team sport
Security is a tester superpower
security starts with education
Tools and Techniques
1. Requirements capture 2. Language 3. Design level security 4.
Automation 5. Consistency
Requirements Capture
security starts with requirements
Forgotten Password Example Functional/Story requirements: User enters username on forgotten
password page User receives link to reset password page Password is reset User can login to system
Forgotten Password Example Security requirements: Password reset link expires after
24 hours Password reset link is unique to password reset request Password reset link is complex and pseudo random Password reset link can only be used once Error messages on password reset form do not allow username or email enumeration
Language
Language creates barriers and divides
Get the language right Critical High Medium Low Informational False
Positive
Security vulnerabilities hide behind acronyms, jargon and assumptions.
Design level security
Vulnerabilities cluster between components
Our environments are complex
Bad things happen when low risk security issues cluster together…..
Automation
Human error threatens testing effectiveness
Test data creation and scrubbing Test case definition Load testing
Regression testing Integration testing Security testing Test environment deployment
Automated security testing gives a continuous assessment of risk.
Consistency
Don’t leave security to chance
All testers All stories All the time
1. Requirements capture 2. Language 3. Design level security 4.
Automation 5. Consistency
Common Challenges
1. Avoid security theatre 2. Stop ignoring legacy code 3.
Maintain momentum 4. Face your fear
Avoid security theatre
Dealing with a legacy
Aim for continuous steady improvement
It’s OK to be afraid
1. Avoid security theatre 2. Stop ignoring legacy code 3.
Maintain momentum 4. Face your fear
developers and testers you can avoid common pitfalls. bring security
to any dev/test environment
Questions? Laura Bell F O U N D E R
& L E A D C O N S U LTA N T S A F E S TAC K @ l a d y _ n e rd l a u r a @ s a fe s t a c k . i o
ladynerd
1ftseabass
oracle4engineer
duelist2020jp
yuyamiyamoto
gre212
tkikuchi
lycorptech_jp
kawaguti
jackojacko_
ks91
nagatsu
takeuchi_132917
maggiecrowley
aleyda
yeseniaperezcruz
marktimemedia
akademiya2063
brettharned
eileencodes
techseoconnect
uxyall
takai
madoxten
emna__ayadi
