
Secure Applications, by Design Preroll Quotes

Interesting quotes shown before the start of my CodeMash 2018 talk, "Secure Applications, by Design"

Craig Stuntz

January 11, 2018

Transcript

1. SECURE APPLICATIONS, BY DESIGN will start at 1:00 – Jessica Payne: “Bugs and exploits are not the main issue in most breaches, operational issues and technical debt are.” "Your attacker thinks like my attacker: A common threat model to create better defense"
2. SECURE APPLICATIONS, BY DESIGN will start at 1:00 – Adam Shostack: “If you don’t have a clear answer to the question, ‘What’s your threat model?’ it can lead to inconsistency and wasted effort.” Threat Modeling: Designing for Security
3. SECURE APPLICATIONS, BY DESIGN will start at 1:00 – George Box: “Essentially, all models are wrong, but some are useful.” “Robustness in the strategy of scientific model building”
4. SECURE APPLICATIONS, BY DESIGN will start at 1:00 – Lesley Carhart: “Regularly rethink your threat model. Know your threat model and that of your family before making any security decision.” https://twitter.com/hacks4pancakes/status/917952052667604993
5. SECURE APPLICATIONS, BY DESIGN will start at 1:00 – Matthew Green: “The hard step in finding a catastrophic random number generator flaw is learning that something has its own RNG.” https://twitter.com/matthew_d_green/status/919559836194496512
6. SECURE APPLICATIONS, BY DESIGN will start at 1:00 – Matt Blaze: “Like almost all password rules, some twit made it up because it seemed like a good idea.” https://twitter.com/mattblaze/status/919920915181383681
7. SECURE APPLICATIONS, BY DESIGN will start at 1:00 – Quinn Norton: “Putting a sticker on your webcam doesn’t protect you if your keystrokes are being captured, mail plundered, pwd locker taken, etc. etc.… It's an internet rabbit’s foot and doesn't belong in an actual security narrative.” https://twitter.com/quinnnorton/status/921861070288969728
8. SECURE APPLICATIONS, BY DESIGN will start at 1:00 https://twitter.com/jturner_ibrs/status/922236395627757570
9. SECURE APPLICATIONS, BY DESIGN will start at 1:00 – Allison Miller: “I don't think humans are the problem, the problem is that humans are the target. We can rely on tech to protect the tech, but a lot of the attacks that we see are really bad human behavior that's attacking other human behavior…. So looking for more human solutions to those problems is the way to go.” https://www.scmagazineuk.com/news-feature-google-security-interview-human-solutions--the-way-to-go/article/701976/
10. SECURE APPLICATIONS, BY DESIGN will start at 1:00 https://twitter.com/bigu/status/921915900038610944
11. SECURE APPLICATIONS, BY DESIGN will start at 1:00 – Allison Miller: “…anywhere that humans are using your system or have choices to make impacts the security of the system. How can you design those choices, experiences, in a way that makes it really easy for them to be successful? And more difficult for them to make honest human mistakes?” https://www.scmagazineuk.com/news-feature-google-security-interview-human-solutions--the-way-to-go/article/701976/
12. SECURE APPLICATIONS, BY DESIGN will start at 1:00 https://twitter.com/scannell/status/923006563643572225
13. SECURE APPLICATIONS, BY DESIGN will start at 1:00 – Katie Moussouris: “Bug bounties can be effective if applied thoughtfully in a mature organization. The majority of organizations lack basic security hygiene & can't keep up, though.” https://twitter.com/k8em0/status/925587516991959040
14. SECURE APPLICATIONS, BY DESIGN will start at 1:00 https://twitter.com/MrAlanCooper/status/926123133399994369
15. SECURE APPLICATIONS, BY DESIGN will start at 1:00 – Tony Arcieri: “Programming in C means you are using an unsafe memory model 100% of the time. It is the programming equivalent of trying to walk a tightrope over a lake full of alligators while trying to avoid getting electrocuted by dangling power lines. The slightest mistake in your arithmetic at any one place in the code can be the difference between a perfectly safe program and remote code execution.” https://tonyarcieri.com/it-s-time-for-a-memory-safety-intervention
16. SECURE APPLICATIONS, BY DESIGN will start at 1:00 – Johnny Appleseed: “Type a quote here.” https://twitter.com/chrisrohlf/status/925846092184477698
17. SECURE APPLICATIONS, BY DESIGN will start at 1:00 – Zeynep Tufekci: “We’re building a dystopia just to make people click on ads.” https://www.ted.com/talks/zeynep_tufekci_we_re_building_a_dystopia_just_to_make_people_click_on_ads
18. SECURE APPLICATIONS, BY DESIGN will start at 1:00 https://twitter.com/mlowdi/status/930676113524785158
19. SECURE APPLICATIONS, BY DESIGN will start at 1:00 – Donald MacKenzie: “Over 90 percent of these [1100] deaths were caused by faulty human-computer interaction (often the result of poorly designed user interfaces or of organizational failings as much as of mistakes by individuals). …software ‘bugs’ caused no more than 3 percent, or thirty, deaths…” Mechanizing Proof: Computing, Risk, and Trust (2003), p. 300
20. SECURE APPLICATIONS, BY DESIGN will start at 1:00 http://www.commitstrip.com/en/2017/11/27/security-vs-business/
21. SECURE APPLICATIONS, BY DESIGN will start at 1:00 “It has been estimated that 70 to 90% of the safety-related decisions in an engineering project are made during the early concept development stage. When hazard analyses are not performed, are done only after the fact…, or are performed but the information is never integrated into the system design environment, they can have no effect on these decisions and the safety effort reduces to a cosmetic and perfunctory role.” – Nancy G. Leveson, The Role of Software in Spacecraft Accidents
22. SECURE APPLICATIONS, BY DESIGN will start at 1:00 https://twitter.com/joelrubin/status/938574971852304384