Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Secure by design

Avatar for Laura Bell Laura Bell
May 20, 2015
Technology
1
86

Secure by design

Presented by Laura Bell (SafeStack) at ANZTB annual conference, Auckland (New Zealand)
Avatar for Laura Bell

Laura Bell

May 20, 2015
Tweet

More Decks by Laura Bell

See All by Laura Bell
DIY security for the amateur superhero
Avatar for Laura Bell ladynerd
0
250
Hackcon 11 - Protecting our people
Avatar for Laura Bell ladynerd
0
230
Security in a container based world
Avatar for Laura Bell ladynerd
0
150
Securing Microservice Architectures
Avatar for Laura Bell ladynerd
2
350
Better Connected
Avatar for Laura Bell ladynerd
0
64
Continuous Security
Avatar for Laura Bell ladynerd
3
1.1k
Automated Human Vulnerability Scanning with AVA
Avatar for Laura Bell ladynerd
3
2.7k
Blindsided by security
Avatar for Laura Bell ladynerd
0
93
Practical tools for privacy audit
Avatar for Laura Bell ladynerd
0
190

Other Decks in Technology

See All in Technology
「経験の点」の位置を意識したキャリア形成 / Career development with an awareness of the “point of experience” position
Avatar for Pauli pauli
4
130
LINE 購物幕後推手
Avatar for LINE Developers Taiwan line_developers_tw
PRO
0
260
Databricksで完全履修!オールインワンレイクハウスは実在した!
Avatar for Akihiro Kuwano akuwano
0
140
AIコーディングの最前線 〜活用のコツと課題〜
Avatar for PharmaX(旧YOJO Technologies)開発チーム pharma_x_tech
4
2.9k
グループ ポリシー再確認 (2)
Avatar for Murachi Akira murachiakira
0
200
OPENLOGI Company Profile
Avatar for OPENLOGI hr01
0
63k
もう難しくない!誰でもカンタンDocker入門 〜30分であなたのPCにアプリを立ち上げる〜
Avatar for とことんDevOps devops_vtj
0
170
Running JavaScript within Ruby
Avatar for Kengo Hamasaki hmsk
3
430
3D生成AIのための画像生成
Avatar for 伊藤光祐 kosukeito
2
580
エンジニアリングで組織のアウトカムを最速で最大化する!
Avatar for ham ham0215
1
270
C++26アップデート 2025-03
Avatar for Akira Takahashi faithandbrave
0
1.2k
2025-04-24 "Manga AI Understanding & Localization" Furukawa Arata (CyberAgent, Inc)
Avatar for Arata Furukawa ornew
2
320

Featured

See All Featured
CSS Pre-Processors: Stylus, Less & Sass
Avatar for Bermon Painter bermonpainter
357
30k
Raft: Consensus for Rubyists
Avatar for Patrick Van Stee vanstee
137
6.9k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
Avatar for Morgane Peng morganepeng
129
19k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
Avatar for Eileen M. Uchitelle eileencodes
136
33k
Principles of Awesome APIs and How to Build Them.
Avatar for Keavy McMinn keavy
126
17k
Building Applications with DynamoDB
Avatar for Matt Wood mza
94
6.4k
Embracing the Ebb and Flow
Avatar for Simon Collison colly
85
4.7k
Large-scale JavaScript Application Architecture
Avatar for Addy Osmani addyosmani
512
110k
10 Git Anti Patterns You Should be Aware of
Avatar for Lemi Orhan Ergin lemiorhan
PRO
656
60k
How to Ace a Technical Interview
Avatar for Jacob Kaplan-Moss jacobian
276
23k
Side Projects
Avatar for Sacha Greif sachag
453
42k
Optimizing for Happiness
Avatar for Tom Preston-Werner mojombo
378
70k

Transcript

  1. Secure by Design Building secure and useable systems in a

    connected world Laura Bell F O U N D E R & L E A D C O N S U LTA N T S A F E S TAC K @ l a d y _ n e rd l a u r a @ s a fe s t a c k . i o

  2. the world is a terrible place

  3. the internet is a festering pool of toxic waste

  4. None

  5. somebody probably wants to do bad things to your computer

  6. the security situation is beyond hope

  7. None

  8. we can build amazing things

  9. None
  10. None
  11. None

  12. doing this securely is hard

  13. developers and testers you can avoid common pitfalls. bring security

    to any dev/test environment

  14. Security for everyone

  15. None

  16. Security needs a hero

  17. security is a team sport

  18. Security is a tester superpower

  19. security starts with education

  20. Tools and Techniques

  21. 1. Requirements capture 2. Language 3. Design level security 4.

    Automation 5. Consistency

  22. Requirements Capture

  23. security starts with requirements

  24. Forgotten Password Example Functional/Story requirements: User enters username on forgotten

    password page User receives link to reset password page Password is reset User can login to system

  25. Forgotten Password Example Security requirements: Password reset link expires after

    24 hours Password reset link is unique to password reset request Password reset link is complex and pseudo random Password reset link can only be used once Error messages on password reset form do not allow username or email enumeration

  26. Language

  27. Language creates barriers and divides

  28. Get the language right Critical High Medium Low Informational False

    Positive

  29. Security vulnerabilities hide behind acronyms, jargon and assumptions.

  30. Design level security

  31. Vulnerabilities cluster between components

  32. Our environments are complex

  33. Bad things happen when low risk security issues cluster together…..

  34. Automation

  35. Human error threatens testing effectiveness

  36. Test data creation and scrubbing Test case definition Load testing

    Regression testing Integration testing Security testing Test environment deployment

  37. Automated security testing gives a continuous assessment of risk.

  38. Consistency

  39. Don’t leave security to chance

  40. All testers All stories All the time

  41. 1. Requirements capture 2. Language 3. Design level security 4.

    Automation 5. Consistency

  42. Common Challenges

  43. 1. Avoid security theatre 2. Stop ignoring legacy code 3.

    Maintain momentum 4. Face your fear

  44. Avoid security theatre

  45. Dealing with a legacy

  46. Aim for continuous steady improvement

  47. It’s OK to be afraid

  48. 1. Avoid security theatre 2. Stop ignoring legacy code 3.

    Maintain momentum 4. Face your fear

  49. developers and testers you can avoid common pitfalls. bring security

    to any dev/test environment

  50. Questions? Laura Bell F O U N D E R

    & L E A D C O N S U LTA N T S A F E S TAC K @ l a d y _ n e rd l a u r a @ s a fe s t a c k . i o