Defensive team – who are security engineers and how they help teams to develop secure applications

Transcript

1. Blue teams security engineering @vixentael

2. @vixentael Product Engineer github.com/vixentael/ my-talks cryptographic software, security consulting, developers

   training
3. None

4. Real risk Compliance demands 1999 @vixentael

5. Business Risk Compliance demands 2018 @vixentael

6. “Bad security” leads to reputation risks (Equifax) legal responsibility (GDPR,

   HIPAA, PCI DSS) operations (Google, Facebook) https://www.cossacklabs.com/blog/gdpr-for-engineers.html competitors advantage @vixentael

7. financial damage “Bad security” leads to @vixentael

8. twitter.com/c_pellegrino/status/981409466242486272 @vixentael @vixentael

9. @vixentael twitter.com/c_pellegrino/status/981409466242486272 @vixentael

10. @vixentael twitter.com/c_pellegrino/status/981409466242486272 @vixentael

11. mln records 0 200 400 600 800 1,000 February March

    April May June July August September https://www.itgovernance.co.uk/blog/category/cyber-security/ Million of records leaked per month @vixentael

12. mln records 0 200 400 600 800 1,000 February March

    April May June July August September https://www.itgovernance.co.uk/blog/category/cyber-security/ Million of records leaked per month @vixentael

13. financial damage “Bad security” leads to @vixentael

14. Blue team

15. Proactive vs reactive Secure Development Secure Architecture Secure Operations Processes

    Pentests / Audits Compliance Incident Response @vixentael

16. Blue team The Security Stakeholder (defining the what and what

    not) The Evangelist (raising the bar) The Security Expert (helping with the how) Security Automation (continuous security) Incident response, investigations and forensics https://xebia.com/blog/being-an-agile-security-officer/ @vixentael
17. None
18. None
19. None

20. prevent business risks against company assets Blue team @vixentael

21. Assets we protect 1. Sensitive data 2. Encryption keys 3.

    Credentials 4. Technical credentials 5. ACL 6. Systems and nodes @vixentael

22. @vixentael is any kind of data, that will break business

    objectives or prosperity of those who use data, if leaked. Sensitive data – @vixentael

23. Confidentiality Integrity Availability CIA triad @vixentael

24. Processes we protect Continuity Capacity Availability } Component security Technical

    assets security SRE practices @vixentael

25. Business risk is the possibility a company will have lower

    than anticipated profits or experience a loss rather than taking a profit. @vixentael

26. Risks - unauthorized access - use - disclosure - disruption

    - modification - inspection - recording - destruction - Strategic risks - Operational risks - Reputational risks - Compliance risks @vixentael

27. Risks Can’t we just fix all the bugs? - unauthorized

    access - use - disclosure - disruption - modification - inspection - recording - destruction @vixentael

28. Secret of pragmatic security 1. Focus on real risks 2.

    Prioritize: - impact - probability @vixentael

29. InfoSec processes - Planning: Risk assessment - Building: - Secure

    Software Development - Infrastructure security - Doing: - Compliance / certification - Security verification (audit, pentests, appsec) - Operations / processes @vixentael

30. InfoSec processes - Planning: Risk assessment - Building: - Secure

    Software Development - Infrastructure security - Doing: - Compliance / certification - Security verification (audit, pentests, appsec) - Operations / processes @vixentael

31. Secure development, secure architecture, secure coding

32. Secure software development lifecycle methodology MS SDL OWASP S-SDLC www.microsoft.com/en-us/sdl

    www.owasp.org/index.php/ OWASP_Secure_Software_Development_ Lifecycle_Project @vixentael

33. SSDLC -distills common sense from experience
 of building secure software.

    -prescribes methodologies which covers 
 most risks in most cases. -is a good start. @vixentael

34. Risk evaluation Risk assessment Threat model Security plan Secure coding

    Security verification Secure operations SSDLC Response @vixentael

35. Risk evaluation Risk assessment Threat model Security plan Secure coding

    Security verification Secure operations SSDLC Response Requirements Design/architecture Development Testing Operations @vixentael

36. Secure architecture prevents the infosec-related business risks in a consistent,

    pre-designed structure that corresponds to the business goals. @vixentael

37. Addressing security risks at architecture level 1. Designing systems that

    focus on preventing risks instead of focusing on preventing vulnerabilities. 2. Implement security in cost-efficient, maintainable and verifiable way. @vixentael

38. Trust 1. System’s trust is equal to trust to the

    weakest link. 2. Good architecture allocates trust appropriate to practical constraints. @vixentael

39. perimeter firewall access control internal network Trust authentication internal access

    control access/key management configuration management code encryption node security @vixentael

40. Threats Threats are technical opportunities to materialize business risk in

    chosen architectures. Combined with actual trust and position of weak components they create attack vectors. @vixentael

41. Attack surface – the combination of nodes, processes and applications

    that need to be compromised for damage to be done. Attack surface is created by components that open potential opportunity to inflict damage and materialize business risk, along with their risk level. @vixentael

42. Managing attack surface Goal of security architecture is appropriate management

    of attack surface: observability minimization control attack surface @vixentael

43. data Defense in depth encryption authorization authentication / access control

    @vixentael

44. Bottom-up vs top-down maintain analyze risks, security plan SSDLC iterate

    find weakest part fix @vixentael

45. @vixentael Secure Development – a process of choosing and implementing

    security controls appropriate to business risks. @vixentael

46. Security controls Proactive: 
 - prevent risk Reactive: 
 -

    detect incident
 - correct / limit damage Physical Procedural Technical Legal @vixentael

47. Proactive + Reactive Data security Application security Infrastructure security Monitoring

    Intrusion detection Vulnerability management @vixentael

48. Proactive controls Data security encryption Access security authentication, firewalls, OS

    Node security firewalls, compartmentalization, OS @vixentael

49. Data security integrity checks, authenticated crypto Access security honeypots, access

    logging Node security IDS, monitoring Reactive controls: detect @vixentael

50. Data security key management, backups Access security credential management, jailbans

    Node security infrastructural management Reactive controls: limit damage @vixentael

51. 1. Identify sensitive data, understand sensitive data lifecycle, classify data.

    2. Identify risks to data. 3. Build trust model, understand risk impact. 4. Prioritize risk vectors. 5. Select and implement proper security controls for exploitable high risk vectors (to prevent risks and to identify leaks). Data protection 101 @vixentael

52. Encryption libraries should ★ use strong & audited crypto ★

    work everywhere ★ hide cryptographic details ★ be hard to mis-use ★ have integration with key storage @vixentael

53. ciphers abstraction level complexity libraries suites @vixentael Encryption libraries

54. libsodium themis tink @vixentael 3DES AES-256-GCM Salsa20 ChaCha ZeroKit Hermes

    Vault Ciphers libraries Suites Acra

55. @vixentael

56. @vixentael Core principles Principle of least privilege. “Secure by default”.

    Compartmentalization. Access separation. Echelonization. Defense in depth, security measures escalate with sensitivity/risk. Independent defences. No single point of security failure. @vixentael

57. @vixentael Core principles Balance security with usability. Break usability too

    much - security control will be overridden or broken. Log everything. Or be like ¯\_(ツ)_/¯ when things go bad. Have a contingency plan. Nobody is perfect. Have incident reaction plan from day 0. @vixentael

58. Ensuring security Monitoring Automated security testing Automated security verification Security-conscious

    SLOs and metrics IDS SIEM Security-centric tests SAST / DAST Dependency monitoring Automated vulnerability scanning Automated OSINT @vixentael

59. Problems with implementing security practices control override, angry users performance

    penalty additional operations lost access Usability vs security: Performance vs security: Maintainability vs security: Reliability vs security: @vixentael

60. #owaspkyiv @vixentael

61. Home reading https://github.com/forter/security-101-for-saas-startups/blob/english/security.md Organization security for startups https://medium.com/@kshortridge/security-as-a-product-83a78c45ca27 Security as

    a Product https://www.cossacklabs.com/blog/hiring-external-security-team.html Hiring External Security Team: What You Need To Know https://www.cossacklabs.com/blog/what-we-need-to-encrypt-cheatsheet.html What Do We Really Need To Encrypt. Cheatsheet

62. Community https://github.com/sapran/Ukraine-infosec-conferences Ukrainian security events BSides, OWASP, UISGCon, NoNameCon, WIA,

    WWCode Kyiv – search in Facebook

63. @vixentael Product Engineer github.com/vixentael/ my-talks cryptographic software, security consulting, developers

    training