Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Secure by design
Search
Laura Bell
May 20, 2015
Technology
1
89
Secure by design
Presented by Laura Bell (SafeStack) at ANZTB annual conference, Auckland (New Zealand)
Laura Bell
May 20, 2015
Tweet
Share
More Decks by Laura Bell
See All by Laura Bell
DIY security for the amateur superhero
ladynerd
0
270
Hackcon 11 - Protecting our people
ladynerd
0
240
Security in a container based world
ladynerd
0
150
Securing Microservice Architectures
ladynerd
2
360
Better Connected
ladynerd
0
71
Continuous Security
ladynerd
3
1.2k
Automated Human Vulnerability Scanning with AVA
ladynerd
3
2.7k
Blindsided by security
ladynerd
0
110
Practical tools for privacy audit
ladynerd
0
200
Other Decks in Technology
See All in Technology
ゼロコード計装導入後のカスタム計装でさらに可観測性を高めよう
sansantech
PRO
1
500
だいたい分かった気になる 『SREの知識地図』 / introduction-to-sre-knowledge-map-book
katsuhisa91
PRO
3
1.5k
Behind Postgres 18: The People, the Code, & the Invisible Work | Claire Giordano | PGConfEU 2025
clairegiordano
0
150
AI駆動で進める依存ライブラリ更新 ─ Vue プロジェクトの品質向上と開発スピード改善の実践録
sayn0
1
330
.NET 10のBlazorの期待の新機能
htkym
0
150
ヘンリー会社紹介資料(エンジニア向け) / company deck for engineer
henryofficial
0
400
AIエージェントによる業務効率化への飽くなき挑戦-AWS上の実開発事例から学んだ効果、現実そしてギャップ-
nasuvitz
5
1.4k
dbtとAIエージェントを組み合わせて見えたデータ調査の新しい形
10xinc
6
1.2k
会社を支える Pythonという言語戦略 ~なぜPythonを主要言語にしているのか?~
curekoshimizu
3
880
激動の時代を爆速リチーミングで乗り越えろ
sansantech
PRO
1
140
re:Invent 2025の見どころと便利アイテムをご紹介 / Highlights and Useful Items for re:Invent 2025
yuj1osm
0
220
From Natural Language to K8s Operations: The MCP Architecture and Practice of kubectl-ai
appleboy
0
290
Featured
See All Featured
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
658
61k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
31
9.7k
Building a Scalable Design System with Sketch
lauravandoore
463
33k
Why You Should Never Use an ORM
jnunemaker
PRO
59
9.6k
Balancing Empowerment & Direction
lara
5
700
Music & Morning Musume
bryan
46
6.9k
RailsConf 2023
tenderlove
30
1.3k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
231
53k
Building Adaptive Systems
keathley
44
2.8k
A designer walks into a library…
pauljervisheath
209
24k
Optimizing for Happiness
mojombo
379
70k
Being A Developer After 40
akosma
91
590k
Transcript
Secure by Design Building secure and useable systems in a
connected world Laura Bell F O U N D E R & L E A D C O N S U LTA N T S A F E S TAC K @ l a d y _ n e rd l a u r a @ s a fe s t a c k . i o
the world is a terrible place
the internet is a festering pool of toxic waste
None
somebody probably wants to do bad things to your computer
the security situation is beyond hope
None
we can build amazing things
None
None
None
doing this securely is hard
developers and testers you can avoid common pitfalls. bring security
to any dev/test environment
Security for everyone
None
Security needs a hero
security is a team sport
Security is a tester superpower
security starts with education
Tools and Techniques
1. Requirements capture 2. Language 3. Design level security 4.
Automation 5. Consistency
Requirements Capture
security starts with requirements
Forgotten Password Example Functional/Story requirements: User enters username on forgotten
password page User receives link to reset password page Password is reset User can login to system
Forgotten Password Example Security requirements: Password reset link expires after
24 hours Password reset link is unique to password reset request Password reset link is complex and pseudo random Password reset link can only be used once Error messages on password reset form do not allow username or email enumeration
Language
Language creates barriers and divides
Get the language right Critical High Medium Low Informational False
Positive
Security vulnerabilities hide behind acronyms, jargon and assumptions.
Design level security
Vulnerabilities cluster between components
Our environments are complex
Bad things happen when low risk security issues cluster together…..
Automation
Human error threatens testing effectiveness
Test data creation and scrubbing Test case definition Load testing
Regression testing Integration testing Security testing Test environment deployment
Automated security testing gives a continuous assessment of risk.
Consistency
Don’t leave security to chance
All testers All stories All the time
1. Requirements capture 2. Language 3. Design level security 4.
Automation 5. Consistency
Common Challenges
1. Avoid security theatre 2. Stop ignoring legacy code 3.
Maintain momentum 4. Face your fear
Avoid security theatre
Dealing with a legacy
Aim for continuous steady improvement
It’s OK to be afraid
1. Avoid security theatre 2. Stop ignoring legacy code 3.
Maintain momentum 4. Face your fear
developers and testers you can avoid common pitfalls. bring security
to any dev/test environment
Questions? Laura Bell F O U N D E R
& L E A D C O N S U LTA N T S A F E S TAC K @ l a d y _ n e rd l a u r a @ s a fe s t a c k . i o