Nuclear powered software securty

Nuclear Powered Software Security Chris Riley Dutch PHP Conference 2017
1

Introduction

Beware of lists 1

Nuclear safety 1By Avda (Own work) [CC BY-SA 3.0], via
Wikimedia Commons 2

Nuclear bomb 1By United States Department of Energy [Public domain],
via Wikimedia Commons 3

Nuclear power plant 1Emoscopes [GFDL, CC-BY-SA-3.0 or CC BY 2.5],

Fault Tree Analysis

Loss of cooling 5

Loss of power 6

Inhibit gate 7

E-Commerce 8

E-Commerce 9

How to use your diagram • Consider risk from each
item 10

item • Consider mitigations 10

item • Consider mitigations • Not all mitigations will be technical 10

Defence in Depth

A big firewall 1By Tukulti65 (Own work) [CC BY-SA 4.0],

Everything is connected 11

Defense in depth 12

Database Access 13

Adding encryption 14

Zonal analysis

United Airlines Flight 232 1By Steve Fitzgerald [GFDL 1.2], via
Wikimedia Commons 15

What can we learn from this? 15

Zonal analysis for security • Administrator passwords 16

Zonal analysis for security • Administrator passwords • Shared systems
16

Zonal analysis for security • Administrator passwords • Shared systems
• Operating system vulnerabilities 16

Assume everything is open to the internet. 16

Zonal analysis for data • Look for data hotspots 17

Zonal analysis for data • Look for data hotspots •
Focus on hotspots 17

Zonal analysis for data • Look for data hotspots •
Focus on hotspots • Reduce data in hotspots 17

Failing safe

Chernobyl accident 1By Jason Minshull [Public domain], via Wikimedia Commons
18

Passive safety 1By Picoterawatt derivative work: OrbiterSpacethingy translation: Cryptex [CC0],

Failing secure 19

What happens when something goes wrong? 19

Conclusion

Identify undesirable outcomes 19

Layer your defences 19

Look out for single points of failure 19

Handle failures securely 19

Thanks • @giveupalready • https://github.com/carnage • https://carnage.github.io • https://joind.in/talk/92308 20

More Decks by carnage