Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Secure by design
Search
Laura Bell
May 20, 2015
Technology
1
88
Secure by design
Presented by Laura Bell (SafeStack) at ANZTB annual conference, Auckland (New Zealand)
Laura Bell
May 20, 2015
Tweet
Share
More Decks by Laura Bell
See All by Laura Bell
DIY security for the amateur superhero
ladynerd
0
260
Hackcon 11 - Protecting our people
ladynerd
0
230
Security in a container based world
ladynerd
0
150
Securing Microservice Architectures
ladynerd
2
350
Better Connected
ladynerd
0
70
Continuous Security
ladynerd
3
1.1k
Automated Human Vulnerability Scanning with AVA
ladynerd
3
2.7k
Blindsided by security
ladynerd
0
98
Practical tools for privacy audit
ladynerd
0
190
Other Decks in Technology
See All in Technology
VISITS_AIIoTビジネス共創ラボ登壇資料.pdf
iotcomjpadmin
0
150
Model Mondays S2E02: Model Context Protocol
nitya
0
200
AWS テクニカルサポートとエンドカスタマーの中間地点から見えるより良いサポートの活用方法
kazzpapa3
1
240
LinkX_GitHubを基点にした_AI時代のプロジェクトマネジメント.pdf
iotcomjpadmin
0
160
Microsoft Build 2025 技術/製品動向 for Microsoft Startup Tech Community
torumakabe
2
230
プロダクトエンジニアリング組織への歩み、その現在地 / Our journey to becoming a product engineering organization
hiro_torii
0
120
Create a Rails8 responsive app with Gemini and RubyLLM
palladius
0
140
Абьюзим random_bytes(). Фёдор Кулаков, разработчик Lamoda Tech
lamodatech
0
310
解析の定理証明実践@Lean 4
dec9ue
0
140
Clineを含めたAIエージェントを 大規模組織に導入し、投資対効果を考える / Introducing AI agents into your organization
i35_267
4
1.4k
AIのAIによるAIのための出力評価と改善
chocoyama
2
520
あなたの声を届けよう! 女性エンジニア登壇の意義とアウトプット実践ガイド #wttjp / Call for Your Voice
kondoyuko
2
270
Featured
See All Featured
Facilitating Awesome Meetings
lara
54
6.4k
A Tale of Four Properties
chriscoyier
160
23k
Why Our Code Smells
bkeepers
PRO
337
57k
Fireside Chat
paigeccino
37
3.5k
Adopting Sorbet at Scale
ufuk
77
9.4k
Testing 201, or: Great Expectations
jmmastey
42
7.5k
Reflections from 52 weeks, 52 projects
jeffersonlam
351
20k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
667
120k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
194
16k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
8
670
Into the Great Unknown - MozCon
thekraken
39
1.9k
Faster Mobile Websites
deanohume
307
31k
Transcript
Secure by Design Building secure and useable systems in a
connected world Laura Bell F O U N D E R & L E A D C O N S U LTA N T S A F E S TAC K @ l a d y _ n e rd l a u r a @ s a fe s t a c k . i o
the world is a terrible place
the internet is a festering pool of toxic waste
None
somebody probably wants to do bad things to your computer
the security situation is beyond hope
None
we can build amazing things
None
None
None
doing this securely is hard
developers and testers you can avoid common pitfalls. bring security
to any dev/test environment
Security for everyone
None
Security needs a hero
security is a team sport
Security is a tester superpower
security starts with education
Tools and Techniques
1. Requirements capture 2. Language 3. Design level security 4.
Automation 5. Consistency
Requirements Capture
security starts with requirements
Forgotten Password Example Functional/Story requirements: User enters username on forgotten
password page User receives link to reset password page Password is reset User can login to system
Forgotten Password Example Security requirements: Password reset link expires after
24 hours Password reset link is unique to password reset request Password reset link is complex and pseudo random Password reset link can only be used once Error messages on password reset form do not allow username or email enumeration
Language
Language creates barriers and divides
Get the language right Critical High Medium Low Informational False
Positive
Security vulnerabilities hide behind acronyms, jargon and assumptions.
Design level security
Vulnerabilities cluster between components
Our environments are complex
Bad things happen when low risk security issues cluster together…..
Automation
Human error threatens testing effectiveness
Test data creation and scrubbing Test case definition Load testing
Regression testing Integration testing Security testing Test environment deployment
Automated security testing gives a continuous assessment of risk.
Consistency
Don’t leave security to chance
All testers All stories All the time
1. Requirements capture 2. Language 3. Design level security 4.
Automation 5. Consistency
Common Challenges
1. Avoid security theatre 2. Stop ignoring legacy code 3.
Maintain momentum 4. Face your fear
Avoid security theatre
Dealing with a legacy
Aim for continuous steady improvement
It’s OK to be afraid
1. Avoid security theatre 2. Stop ignoring legacy code 3.
Maintain momentum 4. Face your fear
developers and testers you can avoid common pitfalls. bring security
to any dev/test environment
Questions? Laura Bell F O U N D E R
& L E A D C O N S U LTA N T S A F E S TAC K @ l a d y _ n e rd l a u r a @ s a fe s t a c k . i o