Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Prioritizing Trust while Creating Applications

Jennifer Davis
September 26, 2019
Technology
0
95

Prioritizing Trust while Creating Applications

Managing risk needs to scale as your product grows in popularity and complexity. In traditional software development, often security was treated as a last gating factor at best and post-incident concern at worst. How do we shift our security processes left - in other words, earlier in the development lifecycle? The cost of applying security practices too late can be catastrophic to a company, leading to the loss of customer trust and affecting the bottom line.

In this session learn how to leverage security tools and recommended practices to enable everyone to play a part in securing your application from discovery to operation of your application.

Jennifer Davis

September 26, 2019
Tweet

More Decks by Jennifer Davis

See All by Jennifer Davis
Heroism in the time of COVID-19
iennae
0
23
Using Terraform with Porter
iennae
0
120
Open Source in the time of COVID-19
iennae
1
120
The Ops in the Serverless: GOTO Chicago 2020
iennae
0
75
The ultimate guide to complicated systems - December 2019 Talk
iennae
0
36
The ultimate guide to complicated systems - devopsdays Chattanooga 2019 Keynote
iennae
0
55
Prioritizing Trust while Creating Applications - devopsdays Chattanooga 2019
iennae
1
77
The ultimate guide to complicated systems - Velocity 2019 Keynote
iennae
0
49
Prioritizing Trust while Creating Applications
iennae
0
400

Other Decks in Technology

See All in Technology
長期運用プロジェクトでのMySQLからTiDB移行の検証
colopl
2
810
コンテナセキュリティの基本と脅威への対策
kyohmizu
3
740
[PlatformCon 24] Platform Orchestrators: The Missing Middle of Internal Developer Platforms?
danielbryantuk
1
820
プラットフォームってつくることより計測することが重要なんじゃないかという話 / Platform Engineering Meetup #8
taishin
0
320
開発生産性向上サービスを作るFindyが自分たちで開発生産性を爆上げした組織づくりの歩み / Findy's path to boosting its own development productivity 2024-04-17
ma3tk
3
470
プロデザ! BY リクルート vol.18_リクルートのリサーチ実践組織「リサーチブーストコミュニティ」
recruitengineers
PRO
3
260
Terraformあれやこれ/terraform-this-and-that
emiki
8
1.3k
ServiceNow Knowledge Learning Rise up
manarobot
0
190
SIEMを用いて、セキュリティログ分析の可視化と分析を実現し、PDCAサイクルを回してみた
coconala_engineer
0
270
VS CodeでAWSを操作しよう
smt7174
7
1.6k
MySQL の SQL クエリチューニングの要所を掴む勉強会
andpad
2
5.5k
データベース02: データベースの概念
trycycle
0
130

Featured

See All Featured
Into the Great Unknown - MozCon
thekraken
10
990
Bash Introduction
62gerente
604
210k
Large-scale JavaScript Application Architecture
addyosmani
504
110k
Ruby is Unlike a Banana
tanoku
96
10k
Building Better People: How to give real-time feedback that sticks.
wjessup
354
18k
A better future with KSS
kneath
231
16k
The Language of Interfaces
destraynor
151
23k
StorybookのUI Testing Handbookを読んだ
zakiyama
12
4.6k
Documentation Writing (for coders)
carmenintech
59
3.9k
Put a Button on it: Removing Barriers to Going Fast.
kastner
58
3k
Happy Clients
brianwarren
91
6.4k
Infographics Made Easy
chrislema
238
18k

Transcript

  1. Prioritizing Trust while Creating Applications Jennifer Davis, Cloud Advocate she/her

     @sigje 1/40

  2. 2/40

  3. Trust 3/40

  4. 4/40

  5. https://haveibeenpwned.com/ 5/40

  6. 6/40

  7. 7/40

  8. 8/40

  9. Agenda EstablishCommonContext BuildFoundations AdvancingPrinciples 9/40

  10. 10/40

  11. 11/40

  12. Bug versus Flaw 12/40

  13. Motivations FinancialGain Espionage/StrategicGain Fun/Ideology/Grudge 13/40

  14. Build Foundations 14/40

  15. Defense in Depth 15/40

  16. Snyk State of Open Source Security Report 2019 78%vulnerabilitiesinindirectdependencies 37%ofopensourcedevelopersnosecurity

    testinginCI 54%dockerimagenosecuritytesting Top10dockerimagescontain>30vulnerable systemlibraries Source:https://snyk.io/opensourcesecurity- 2019/ 16/40

  17. #WOCinTechChatAttribution2.0Generic(CCBY 2.0) 17/40

  18. Whatcanausersee?do? Whatinformationislogged? Approachforfailedlogins OWASP:ApplicationSecurityVerificationStandard Project 18/40

  19. Threat Modeling 19/40

  20. Architectural Trade-offs 20/40

  21. 21/40

  22. 22/40

  23. Testing Code 23/40

  24. Static Code Analysis 24/40

  25. Source: https://www.imperialviolet.org/2014/02/22/applebug.htm 25/40

  26. Coding Standards 26/40

  27. Secure Code Reviews 27/40

  28. Planning for Security Escalations Identify Assess Remediate 28/40

  29. Incident Response Resource BuildingaMinimumViableResponsePlan: jhand.co/CreateResponsePlan 29/40

  30. 30/40

  31. Leverage your platform's services Recognize your platform's limits 31/40

  32. 32/40

  33. 33/40

  34. Advancing Principles 34/40

  35. Bug Bounty Programs 35/40

  36. Capture the Flag (CTF) -CTFdistributedteamforNonbinary FolksandWomen CTFCircle 36/40

  37. Red Team Exercise  Fundamentally,ifsomebody wantstogetin,they’regetting in acceptthat.Whatwetell clientsis:Numberone,you’rein thefight,whetheryouthought

    youwereornot.Numbertwo,you almostcertainlyarepenetrated. -MichaelHayden,FormerDirectorofNSA&CIA 37/40

  38. What's Next? Identifyyoursecuritymaturity Assessvaluablepractices Encouragelearningsecurityskills Incorporatefeedback Updatethreatmodels 38/40

  39. 39/40

  40. Thank you Email: [email protected]  @sigje OpenSpaces CoffeeOpsSeptember27,8:30am Ongoing-AbbyBangser, :@a_bangser

    https://tinyurl.com/DODLON19OSF 40/40