Nuclear Powered Software Security
Chris Riley
Dutch PHP Conference 2017
Introduction
Beware of lists
Nuclear safety
Image: By Avda (Own work) [CC BY-SA 3.0], via Wikimedia Commons
Nuclear bomb
Image: By United States Department of Energy [Public domain], via Wikimedia Commons
Nuclear power plant
Image: Emoscopes [GFDL, CC-BY-SA-3.0 or CC BY 2.5], via Wikimedia Commons
Fault Tree Analysis
Loss of cooling
Loss of power
Inhibit gate
E-Commerce
How to use your diagram
• Consider risk from each item
• Consider mitigations
• Not all mitigations will be technical
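As an added illustration of the fault-tree slides above (not code from the talk), the following builds a small e-commerce fault tree with OR, AND and inhibit gates, evaluates the probability of the top event, and lists the minimal cut sets so that single points of failure stand out. The event names and probabilities are constructed for the example, not taken from the slides.

```python
from dataclasses import dataclass, field
from itertools import product
from math import prod

@dataclass
class Event:
    name: str
    prob: float = 0.0          # basic event probability; ignored for gates
    gate: str = ""             # "", "AND", "OR" or "INHIBIT"
    inputs: list = field(default_factory=list)
    condition: "Event" = None  # enabling condition, used by INHIBIT gates only

def probability(e):
    """Probability of event e, treating basic events as independent."""
    if not e.gate:
        return e.prob
    ps = [probability(i) for i in e.inputs]
    if e.gate == "OR":             # at least one input occurs
        return 1 - prod(1 - p for p in ps)
    if e.gate == "INHIBIT":        # input occurs AND the enabling condition holds
        ps.append(probability(e.condition))
    return prod(ps)                # AND (and INHIBIT): every input occurs

def cut_sets(e):
    """Minimal cut sets: smallest groups of basic events that cause e."""
    if not e.gate:
        return {frozenset([e.name])}
    if e.gate == "OR":
        sets = {cs for i in e.inputs for cs in cut_sets(i)}
    else:
        parts = [cut_sets(i) for i in e.inputs]
        if e.gate == "INHIBIT":
            parts.append(cut_sets(e.condition))
        sets = {frozenset().union(*combo) for combo in product(*parts)}
    return {s for s in sets if not any(o < s for o in sets)}

def single_points_of_failure(e):
    """Basic events that alone cause e: the cut sets of size one."""
    return sorted(next(iter(cs)) for cs in cut_sets(e) if len(cs) == 1)

# Constructed e-commerce tree; the probabilities are illustrative guesses.
sqli = Event("SQL injection in checkout", 0.05)
no_waf = Event("WAF missing or bypassed", 0.5)
guessed = Event("Admin password guessed", 0.02)
no_mfa = Event("No MFA on admin panel", 0.8)
backup_leak = Event("Unencrypted backup copied off-site", 0.01)
db_dump = Event("Database dumped via web app", gate="INHIBIT", inputs=[sqli], condition=no_waf)
admin_takeover = Event("Admin panel takeover", gate="AND", inputs=[guessed, no_mfa])
top = Event("Customer card data exposed", gate="OR", inputs=[db_dump, admin_takeover, backup_leak])
```

Lowering a basic event's `prob` (for instance after encrypting backups) and re-running `probability(top)` shows what a given mitigation buys, and a cut set of size one is a single point of failure that no other layer protects.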
Defence in Depth
A big firewall
Image: By Tukulti65 (Own work) [CC BY-SA 4.0], via Wikimedia Commons
Everything is connected
Defense in depth
Database Access
Adding encryption
Zonal analysis
United Airlines Flight 232
Image: By Steve Fitzgerald [GFDL 1.2], via Wikimedia Commons
What can we learn from this?
Zonal analysis for security
• Administrator passwords
• Shared systems
• Operating system vulnerabilities
Assume everything is open to the internet.
Zonal analysis for data
• Look for data hotspots
• Focus on hotspots
• Reduce data in hotspots
Failing safe
Chernobyl accident
Image: By Jason Minshull [Public domain], via Wikimedia Commons
Passive safety
Image: By Picoterawatt, derivative work: OrbiterSpacethingy, translation: Cryptex [CC0], via Wikimedia Commons
Failing secure
What happens when something goes wrong?
Conclusion
Identify undesirable outcomes
Layer your defences
Look out for single points of failure
Handle failures securely
Thanks
• @giveupalready
• https://github.com/carnage
• https://carnage.github.io
• https://joind.in/talk/92308