Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Secure by design
Search
Sponsored
·
Ship Features Fearlessly
Turn features on and off without deploys. Used by thousands of Ruby developers.
→
Laura Bell
May 20, 2015
Technology
98
1
Share
Secure by design
Presented by Laura Bell (SafeStack) at ANZTB annual conference, Auckland (New Zealand)
Laura Bell
May 20, 2015
More Decks by Laura Bell
See All by Laura Bell
DIY security for the amateur superhero
ladynerd
0
290
Hackcon 11 - Protecting our people
ladynerd
0
250
Security in a container based world
ladynerd
0
160
Securing Microservice Architectures
ladynerd
2
370
Better Connected
ladynerd
0
82
Continuous Security
ladynerd
3
1.2k
Automated Human Vulnerability Scanning with AVA
ladynerd
3
2.7k
Blindsided by security
ladynerd
0
140
Practical tools for privacy audit
ladynerd
0
220
Other Decks in Technology
See All in Technology
Vision Banana: Image Generators are Generalist Vision Learners
kzykmyzw
0
230
アクセシビリティはすべての人のもの
tomokusaba
0
270
Digital Independence: Why, When and How
wannesrams
0
290
FessのAI検索モード:検索システムとLLMへの取り組み
marevol
0
280
需要創出(Chatwork)×供給(BPaaS) フライホイールとMoat 実行能力の最適配置とAI戦略
kubell_hr
0
2k
多角的な視点から見たAGI
terisuke
0
120
Agent の「自由」と「安全」〜未来に向けて今できること〜
katayan
0
340
Oracle Exadata Database Service on Cloud@Customer X11M (ExaDB-C@C) サービス概要
oracle4engineer
PRO
2
7.9k
自動テストだけで リリース判断できるチームへ - 鍵はテストの量ではなくリリース判断基準の再設計にあった / Redesigning Release Criteria for Lightweight Releases
ewa
7
3.4k
M5Stack CoreS3とZephyr(RTOS)で Edge AIっぽいことしてみた
iotengineer22
0
430
GKE Agent SandboxでAIが生成したコードを 安全に実行してみた
lamaglama39
0
200
Forget technical debt
ufried
0
170
Featured
See All Featured
Getting science done with accelerated Python computing platforms
jacobtomlinson
2
190
Designing Dashboards & Data Visualisations in Web Apps
destraynor
231
54k
Are puppies a ranking factor?
jonoalderson
1
3.4k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
49
3.4k
Avoiding the “Bad Training, Faster” Trap in the Age of AI
tmiket
0
140
B2B Lead Gen: Tactics, Traps & Triumph
marketingsoph
0
110
[SF Ruby Conf 2025] Rails X
palkan
2
1k
Lessons Learnt from Crawling 1000+ Websites
charlesmeaden
PRO
1
1.2k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
38
2.8k
Evolving SEO for Evolving Search Engines
ryanjones
0
190
Sam Torres - BigQuery for SEOs
techseoconnect
PRO
0
250
Believing is Seeing
oripsolob
1
120
Transcript
Secure by Design Building secure and useable systems in a
connected world Laura Bell F O U N D E R & L E A D C O N S U LTA N T S A F E S TAC K @ l a d y _ n e rd l a u r a @ s a fe s t a c k . i o
the world is a terrible place
the internet is a festering pool of toxic waste
None
somebody probably wants to do bad things to your computer
the security situation is beyond hope
None
we can build amazing things
None
None
None
doing this securely is hard
developers and testers you can avoid common pitfalls. bring security
to any dev/test environment
Security for everyone
None
Security needs a hero
security is a team sport
Security is a tester superpower
security starts with education
Tools and Techniques
1. Requirements capture 2. Language 3. Design level security 4.
Automation 5. Consistency
Requirements Capture
security starts with requirements
Forgotten Password Example Functional/Story requirements: User enters username on forgotten
password page User receives link to reset password page Password is reset User can login to system
Forgotten Password Example Security requirements: Password reset link expires after
24 hours Password reset link is unique to password reset request Password reset link is complex and pseudo random Password reset link can only be used once Error messages on password reset form do not allow username or email enumeration
Language
Language creates barriers and divides
Get the language right Critical High Medium Low Informational False
Positive
Security vulnerabilities hide behind acronyms, jargon and assumptions.
Design level security
Vulnerabilities cluster between components
Our environments are complex
Bad things happen when low risk security issues cluster together…..
Automation
Human error threatens testing effectiveness
Test data creation and scrubbing Test case definition Load testing
Regression testing Integration testing Security testing Test environment deployment
Automated security testing gives a continuous assessment of risk.
Consistency
Don’t leave security to chance
All testers All stories All the time
1. Requirements capture 2. Language 3. Design level security 4.
Automation 5. Consistency
Common Challenges
1. Avoid security theatre 2. Stop ignoring legacy code 3.
Maintain momentum 4. Face your fear
Avoid security theatre
Dealing with a legacy
Aim for continuous steady improvement
It’s OK to be afraid
1. Avoid security theatre 2. Stop ignoring legacy code 3.
Maintain momentum 4. Face your fear
developers and testers you can avoid common pitfalls. bring security
to any dev/test environment
Questions? Laura Bell F O U N D E R
& L E A D C O N S U LTA N T S A F E S TAC K @ l a d y _ n e rd l a u r a @ s a fe s t a c k . i o
ladynerd
kzykmyzw
tomokusaba
wannesrams
marevol
kubell_hr
terisuke
katayan
oracle4engineer
ewa
iotengineer22
.jpg){kind=avatar}
lamaglama39
ufried
jacobtomlinson
destraynor
jonoalderson
tammyeverts
tmiket
marketingsoph
palkan
charlesmeaden
eileencodes
ryanjones
techseoconnect
oripsolob
