Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Secure by design

Laura Bell
May 20, 2015
Technology
1
82

Secure by design

Presented by Laura Bell (SafeStack) at ANZTB annual conference, Auckland (New Zealand)

Laura Bell

May 20, 2015
Tweet

More Decks by Laura Bell

See All by Laura Bell
DIY security for the amateur superhero
ladynerd
0
220
Hackcon 11 - Protecting our people
ladynerd
0
220
Security in a container based world
ladynerd
0
130
Securing Microservice Architectures
ladynerd
2
340
Better Connected
ladynerd
0
52
Continuous Security
ladynerd
3
1.1k
Automated Human Vulnerability Scanning with AVA
ladynerd
3
2.6k
Blindsided by security
ladynerd
0
79
Practical tools for privacy audit
ladynerd
0
170

Other Decks in Technology

See All in Technology
「 SharePoint 難しい」ってよく聞くけど、そんなに言うなら8歳の息子に試してもらった
taichinakamura
1
630
プロダクトチームへのSystem Risk Records導入・運用事例の紹介/Introduction and Case Studies on Implementing and Operating System Risk Records for Product Teams
taddy_919
1
170
顧客が本当に必要だったもの - パフォーマンス改善編 / Make what is needed
soudai
24
6.8k
CyberAgent 生成AI Deep Dive with Amazon Web Services / genai-aws
cyberagentdevelopers
PRO
1
480
カメラを用いた店内計測におけるオプトインの仕組みの実現 / ai-optin-camera
cyberagentdevelopers
PRO
1
120
プロポーザルのつくり方
〜個人技編〜 / How to come up with proposals
ohbarye
1
110
新卒1年目が挑む!生成AI × マルチエージェントで実現する次世代オンボーディング / operation-ai-onboarding
cyberagentdevelopers
PRO
1
170
物価高なラスベガスでの過ごし方
zakky
0
390
2024-10-30-reInventStandby_StudyGroup_Intro
shinichirokawano
1
640
新R25、乃木坂46 Mobileなどのファンビジネスを支えるマルチテナンシーなプラットフォームの全体像 / cam-multi-cloud
cyberagentdevelopers
PRO
1
130
初心者に Vue.js を 教えるには
tsukuha
5
390
急成長中のWINTICKETにおける品質と開発スピードと向き合ったQA戦略と今後の展望 / winticket-autify
cyberagentdevelopers
PRO
1
160

Featured

See All Featured
Dealing with People You Can't Stand - Big Design 2015
cassininazir
364
22k
10 Git Anti Patterns You Should be Aware of
lemiorhan
654
59k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
107
49k
Building Applications with DynamoDB
mza
90
6.1k
We Have a Design System, Now What?
morganepeng
50
7.2k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
Build The Right Thing And Hit Your Dates
maggiecrowley
32
2.4k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
25
1.8k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
26
2.1k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
167
49k
Agile that works and the tools we love
rasmusluckow
327
21k

Transcript

  1. Secure by Design Building secure and useable systems in a

    connected world Laura Bell F O U N D E R & L E A D C O N S U LTA N T S A F E S TAC K @ l a d y _ n e rd l a u r a @ s a fe s t a c k . i o

  2. the world is a terrible place

  3. the internet is a festering pool of toxic waste

  4. None

  5. somebody probably wants to do bad things to your computer

  6. the security situation is beyond hope

  7. None

  8. we can build amazing things

  9. None
  10. None
  11. None

  12. doing this securely is hard

  13. developers and testers you can avoid common pitfalls. bring security

    to any dev/test environment

  14. Security for everyone

  15. None

  16. Security needs a hero

  17. security is a team sport

  18. Security is a tester superpower

  19. security starts with education

  20. Tools and Techniques

  21. 1. Requirements capture 2. Language 3. Design level security 4.

    Automation 5. Consistency

  22. Requirements Capture

  23. security starts with requirements

  24. Forgotten Password Example Functional/Story requirements: User enters username on forgotten

    password page User receives link to reset password page Password is reset User can login to system

  25. Forgotten Password Example Security requirements: Password reset link expires after

    24 hours Password reset link is unique to password reset request Password reset link is complex and pseudo random Password reset link can only be used once Error messages on password reset form do not allow username or email enumeration

  26. Language

  27. Language creates barriers and divides

  28. Get the language right Critical High Medium Low Informational False

    Positive

  29. Security vulnerabilities hide behind acronyms, jargon and assumptions.

  30. Design level security

  31. Vulnerabilities cluster between components

  32. Our environments are complex

  33. Bad things happen when low risk security issues cluster together…..

  34. Automation

  35. Human error threatens testing effectiveness

  36. Test data creation and scrubbing Test case definition Load testing

    Regression testing Integration testing Security testing Test environment deployment

  37. Automated security testing gives a continuous assessment of risk.

  38. Consistency

  39. Don’t leave security to chance

  40. All testers All stories All the time

  41. 1. Requirements capture 2. Language 3. Design level security 4.

    Automation 5. Consistency

  42. Common Challenges

  43. 1. Avoid security theatre 2. Stop ignoring legacy code 3.

    Maintain momentum 4. Face your fear

  44. Avoid security theatre

  45. Dealing with a legacy

  46. Aim for continuous steady improvement

  47. It’s OK to be afraid

  48. 1. Avoid security theatre 2. Stop ignoring legacy code 3.

    Maintain momentum 4. Face your fear

  49. developers and testers you can avoid common pitfalls. bring security

    to any dev/test environment

  50. Questions? Laura Bell F O U N D E R

    & L E A D C O N S U LTA N T S A F E S TAC K @ l a d y _ n e rd l a u r a @ s a fe s t a c k . i o