Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Prioritizing Trust while Creating Applications

Jennifer Davis
September 26, 2019
Technology
0
98

Prioritizing Trust while Creating Applications

Managing risk needs to scale as your product grows in popularity and complexity. In traditional software development, often security was treated as a last gating factor at best and post-incident concern at worst. How do we shift our security processes left - in other words, earlier in the development lifecycle? The cost of applying security practices too late can be catastrophic to a company, leading to the loss of customer trust and affecting the bottom line.

In this session learn how to leverage security tools and recommended practices to enable everyone to play a part in securing your application from discovery to operation of your application.

Jennifer Davis

September 26, 2019
Tweet

More Decks by Jennifer Davis

See All by Jennifer Davis
Heroism in the time of COVID-19
iennae
0
25
Using Terraform with Porter
iennae
0
140
Open Source in the time of COVID-19
iennae
1
130
The Ops in the Serverless: GOTO Chicago 2020
iennae
0
87
The ultimate guide to complicated systems - December 2019 Talk
iennae
0
39
The ultimate guide to complicated systems - devopsdays Chattanooga 2019 Keynote
iennae
0
58
Prioritizing Trust while Creating Applications - devopsdays Chattanooga 2019
iennae
1
81
The ultimate guide to complicated systems - Velocity 2019 Keynote
iennae
0
54
Prioritizing Trust while Creating Applications
iennae
0
520

Other Decks in Technology

See All in Technology
サイバーセキュリティと認知バイアス:対策の隙を埋める心理学的アプローチ
shumei_ito
0
380
AWS Lambda のトラブルシュートをしていて思うこと
kazzpapa3
2
170
ドメインの本質を掴む / Get the essence of the domain
sinsoku
2
150
初心者向けAWS Securityの勉強会mini Security-JAWSを9ヶ月ぐらい実施してきての近況
cmusudakeisuke
0
120
SREによる隣接領域への越境とその先の信頼性
shonansurvivors
2
520
10XにおけるData Contractの導入について: Data Contract事例共有会
10xinc
6
620
[FOSS4G 2024 Japan LT] LLMを使ってGISデータ解析を自動化したい!
nssv
1
210
インフラとバックエンドとフロントエンドをくまなく調べて遅いアプリを早くした件
tubone24
1
430
データプロダクトの定義からはじめる、データコントラクト駆動なデータ基盤
chanyou0311
2
310
強いチームと開発生産性
onk
PRO
34
11k
透過型SMTPプロキシによる送信メールの可観測性向上: Update Edition / Improved observability of outgoing emails with transparent smtp proxy: Update edition
linyows
2
210
Application Development WG Intro at AppDeveloperCon
salaboy
0
190

Featured

See All Featured
Code Review Best Practice
trishagee
64
17k
Making the Leap to Tech Lead
cromwellryan
133
8.9k
For a Future-Friendly Web
brad_frost
175
9.4k
Thoughts on Productivity
jonyablonski
67
4.3k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
Building a Scalable Design System with Sketch
lauravandoore
459
33k
BBQ
matthewcrist
85
9.3k
Put a Button on it: Removing Barriers to Going Fast.
kastner
59
3.5k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
26
2.1k
The Cost Of JavaScript in 2023
addyosmani
45
6.7k
Done Done
chrislema
181
16k
Raft: Consensus for Rubyists
vanstee
136
6.6k

Transcript

  1. Prioritizing Trust while Creating Applications Jennifer Davis, Cloud Advocate she/her

     @sigje 1/40

  2. 2/40

  3. Trust 3/40

  4. 4/40

  5. https://haveibeenpwned.com/ 5/40

  6. 6/40

  7. 7/40

  8. 8/40

  9. Agenda EstablishCommonContext BuildFoundations AdvancingPrinciples 9/40

  10. 10/40

  11. 11/40

  12. Bug versus Flaw 12/40

  13. Motivations FinancialGain Espionage/StrategicGain Fun/Ideology/Grudge 13/40

  14. Build Foundations 14/40

  15. Defense in Depth 15/40

  16. Snyk State of Open Source Security Report 2019 78%vulnerabilitiesinindirectdependencies 37%ofopensourcedevelopersnosecurity

    testinginCI 54%dockerimagenosecuritytesting Top10dockerimagescontain>30vulnerable systemlibraries Source:https://snyk.io/opensourcesecurity- 2019/ 16/40

  17. #WOCinTechChatAttribution2.0Generic(CCBY 2.0) 17/40

  18. Whatcanausersee?do? Whatinformationislogged? Approachforfailedlogins OWASP:ApplicationSecurityVerificationStandard Project 18/40

  19. Threat Modeling 19/40

  20. Architectural Trade-offs 20/40

  21. 21/40

  22. 22/40

  23. Testing Code 23/40

  24. Static Code Analysis 24/40

  25. Source: https://www.imperialviolet.org/2014/02/22/applebug.htm 25/40

  26. Coding Standards 26/40

  27. Secure Code Reviews 27/40

  28. Planning for Security Escalations Identify Assess Remediate 28/40

  29. Incident Response Resource BuildingaMinimumViableResponsePlan: jhand.co/CreateResponsePlan 29/40

  30. 30/40

  31. Leverage your platform's services Recognize your platform's limits 31/40

  32. 32/40

  33. 33/40

  34. Advancing Principles 34/40

  35. Bug Bounty Programs 35/40

  36. Capture the Flag (CTF) -CTFdistributedteamforNonbinary FolksandWomen CTFCircle 36/40

  37. Red Team Exercise  Fundamentally,ifsomebody wantstogetin,they’regetting in acceptthat.Whatwetell clientsis:Numberone,you’rein thefight,whetheryouthought

    youwereornot.Numbertwo,you almostcertainlyarepenetrated. -MichaelHayden,FormerDirectorofNSA&CIA 37/40

  38. What's Next? Identifyyoursecuritymaturity Assessvaluablepractices Encouragelearningsecurityskills Incorporatefeedback Updatethreatmodels 38/40

  39. 39/40

  40. Thank you Email: [email protected]  @sigje OpenSpaces CoffeeOpsSeptember27,8:30am Ongoing-AbbyBangser, :@a_bangser

    https://tinyurl.com/DODLON19OSF 40/40