Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Nuclear powered software securty
Search
carnage
July 01, 2017
Technology
0
390
Nuclear powered software securty
carnage
July 01, 2017
Tweet
Share
More Decks by carnage
See All by carnage
Object re-orientation
carnage
2
470
Event Driven Development
carnage
0
520
More Secrets of Cryptography
carnage
0
370
Microservices vs The distributed monolith
carnage
1
2.2k
Passwords and how to handle them
carnage
0
340
A storm is brewing
carnage
0
89
The secrets of cryptography
carnage
0
140
The secrets of cryptography
carnage
0
140
You attended talk: An introduction to event sourcing (short)
carnage
0
600
Other Decks in Technology
See All in Technology
Godot Engineについて調べてみた
unsoluble_sugar
0
180
Copilotの力を実感! 3ヶ月間の生成AI研修の試行錯誤&成功事例をご紹介。果たして得たものとは・・?
ktc_shiori
0
280
完全自律型AIエージェントとAgentic Workflow〜ワークフロー構築という現実解
pharma_x_tech
0
240
Zero Data Loss Autonomous Recovery Service サービス概要
oracle4engineer
PRO
1
5k
信頼されるためにやったこと、 やらなかったこと。/What we did to be trusted, What we did not do.
bitkey
PRO
0
1.9k
東京Ruby会議12 Ruby と Rust と私 / Tokyo RubyKaigi 12 Ruby, Rust and me
eagletmt
1
270
rootful・rootless・privilegedコンテナの違い/rootful_rootless_privileged_container_difference
moz_sec_
0
130
FODにおけるホーム画面編成のレコメンド
watarukudo
PRO
2
100
Oracle Exadata Database Service(Dedicated Infrastructure):サービス概要のご紹介
oracle4engineer
PRO
0
12k
シフトライトなテスト活動を適切に行うことで、無理な開発をせず、過剰にテストせず、顧客をビックリさせないプロダクトを作り上げているお話 #RSGT2025 / Shift Right
nihonbuson
3
1.9k
効率的な技術組織が作れる!書籍『チームトポロジー』要点まとめ
iwamot
2
200
20240522 - 躍遷創作理念 @ PicCollage Workshop
dpys
0
310
Featured
See All Featured
Product Roadmaps are Hard
iamctodd
PRO
50
11k
Code Review Best Practice
trishagee
65
17k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
59k
Keith and Marios Guide to Fast Websites
keithpitt
410
22k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
248
1.3M
Building an army of robots
kneath
302
44k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
160
15k
Why Our Code Smells
bkeepers
PRO
335
57k
Learning to Love Humans: Emotional Interface Design
aarron
274
40k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
10
860
A better future with KSS
kneath
238
17k
Transcript
Nuclear Powered Software Security Chris Riley Dutch PHP Conference 2017
1
Introduction
Beware of lists 1
Nuclear safety 1By Avda (Own work) [CC BY-SA 3.0], via
Wikimedia Commons 2
Nuclear bomb 1By United States Department of Energy [Public domain],
via Wikimedia Commons 3
Nuclear power plant 1Emoscopes [GFDL, CC-BY-SA-3.0 or CC BY 2.5],
via Wikimedia Commons 4
Fault Tree Analysis
Loss of cooling 5
Loss of power 6
Inhibit gate 7
E-Commerce 8
E-Commerce 9
How to use your diagram • Consider risk from each
item 10
How to use your diagram • Consider risk from each
item • Consider mitigations 10
How to use your diagram • Consider risk from each
item • Consider mitigations • Not all mitigations will be technical 10
Defence in Depth
A big firewall 1By Tukulti65 (Own work) [CC BY-SA 4.0],
via Wikimedia Commons 11
Everything is connected 11
Defense in depth 12
Database Access 13
Adding encryption 14
Zonal analysis
United Airlines Flight 232 1By Steve Fitzgerald [GFDL 1.2], via
Wikimedia Commons 15
What can we learn from this? 15
Zonal analysis for security • Administrator passwords 16
Zonal analysis for security • Administrator passwords • Shared systems
16
Zonal analysis for security • Administrator passwords • Shared systems
• Operating system vulnerabilities 16
Assume everything is open to the internet. 16
Zonal analysis for data • Look for data hotspots 17
Zonal analysis for data • Look for data hotspots •
Focus on hotspots 17
Zonal analysis for data • Look for data hotspots •
Focus on hotspots • Reduce data in hotspots 17
Failing safe
Chernobyl accident 1By Jason Minshull [Public domain], via Wikimedia Commons
18
Passive safety 1By Picoterawatt derivative work: OrbiterSpacethingy translation: Cryptex [CC0],
via Wikimedia Commons 19
Failing secure 19
What happens when something goes wrong? 19
Conclusion
Identify undesirable outcomes 19
Layer your defences 19
Look out for single points of failure 19
Handle failures securely 19
Thanks • @giveupalready • https://github.com/carnage • https://carnage.github.io • https://joind.in/talk/92308 20
carnage
unsoluble_sugar
ktc_shiori
.png){kind=icon}
pharma_x_tech
oracle4engineer
bitkey
eagletmt
moz_sec_
watarukudo
nihonbuson
iwamot
dpys
iamctodd
trishagee
jlugia
lemiorhan
keithpitt
sugarenia
kneath
sstephenson
bkeepers
aarron
honnibal
![Nuclear safety 1By Avda (Own work) [CC BY-SA 3.0], via](https://files.speakerdeck.com/presentations/bf9101e4b37944b39e035a1b306f8261/slide_3.jpg){kind=link}
![Nuclear bomb 1By United States Department of Energy [Public domain],](https://files.speakerdeck.com/presentations/bf9101e4b37944b39e035a1b306f8261/slide_4.jpg){kind=link}
![Nuclear power plant 1Emoscopes [GFDL, CC-BY-SA-3.0 or CC BY 2.5],](https://files.speakerdeck.com/presentations/bf9101e4b37944b39e035a1b306f8261/slide_5.jpg){kind=link}
![A big firewall 1By Tukulti65 (Own work) [CC BY-SA 4.0],](https://files.speakerdeck.com/presentations/bf9101e4b37944b39e035a1b306f8261/slide_16.jpg){kind=link}
![United Airlines Flight 232 1By Steve Fitzgerald [GFDL 1.2], via](https://files.speakerdeck.com/presentations/bf9101e4b37944b39e035a1b306f8261/slide_22.jpg){kind=link}
![Chernobyl accident 1By Jason Minshull [Public domain], via Wikimedia Commons](https://files.speakerdeck.com/presentations/bf9101e4b37944b39e035a1b306f8261/slide_32.jpg){kind=link}
![Passive safety 1By Picoterawatt derivative work: OrbiterSpacethingy translation: Cryptex [CC0],](https://files.speakerdeck.com/presentations/bf9101e4b37944b39e035a1b306f8261/slide_33.jpg){kind=link}
