
Nuclear powered software security

carnage
July 01, 2017


Transcript

  1. Nuclear Powered Software Security
    Chris Riley
    Dutch PHP Conference 2017

  2. Introduction


  3. Beware of lists

  4. Nuclear safety
    By Avda (Own work) [CC BY-SA 3.0], via Wikimedia Commons

  5. Nuclear bomb
    By United States Department of Energy [Public domain], via Wikimedia
    Commons

  6. Nuclear power plant
    Emoscopes [GFDL, CC-BY-SA-3.0 or CC BY 2.5], via Wikimedia Commons

  7. Fault Tree Analysis


  8. Loss of cooling

  9. Loss of power

  10. Inhibit gate

  11. E-Commerce

  12. E-Commerce

  13. How to use your diagram
    • Consider risk from each item

  14. How to use your diagram
    • Consider risk from each item
    • Consider mitigations

  15. How to use your diagram
    • Consider risk from each item
    • Consider mitigations
    • Not all mitigations will be technical

  16. Defence in Depth


  17. A big firewall
    By Tukulti65 (Own work) [CC BY-SA 4.0], via Wikimedia Commons

  18. Everything is connected

  19. Defense in depth

  20. Database Access

  21. Adding encryption

  22. Zonal analysis


  23. United Airlines Flight 232
    By Steve Fitzgerald [GFDL 1.2], via Wikimedia Commons

  24. What can we learn from this?

  25. Zonal analysis for security
    • Administrator passwords

  26. Zonal analysis for security
    • Administrator passwords
    • Shared systems

  27. Zonal analysis for security
    • Administrator passwords
    • Shared systems
    • Operating system vulnerabilities

  28. Assume everything is open to the internet.

  29. Zonal analysis for data
    • Look for data hotspots

  30. Zonal analysis for data
    • Look for data hotspots
    • Focus on hotspots

  31. Zonal analysis for data
    • Look for data hotspots
    • Focus on hotspots
    • Reduce data in hotspots

  32. Failing safe


  33. Chernobyl accident
    By Jason Minshull [Public domain], via Wikimedia Commons

  34. Passive safety
    By Picoterawatt derivative work: OrbiterSpacethingy translation: Cryptex
    [CC0], via Wikimedia Commons

  35. Failing secure

  36. What happens when something goes wrong?

  37. Conclusion


  38. Identify undesirable outcomes

  39. Layer your defences

  40. Look out for single points of failure

  41. Handle failures securely

  42. Thanks
    • @giveupalready
    • https://github.com/carnage
    • https://carnage.github.io
    • https://joind.in/talk/92308