Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Prioritizing Trust while Creating Applications

Jennifer Davis
September 26, 2019
Technology
0
98

Prioritizing Trust while Creating Applications

Managing risk needs to scale as your product grows in popularity and complexity. In traditional software development, often security was treated as a last gating factor at best and post-incident concern at worst. How do we shift our security processes left - in other words, earlier in the development lifecycle? The cost of applying security practices too late can be catastrophic to a company, leading to the loss of customer trust and affecting the bottom line.

In this session learn how to leverage security tools and recommended practices to enable everyone to play a part in securing your application from discovery to operation of your application.

Jennifer Davis

September 26, 2019
Tweet

More Decks by Jennifer Davis

See All by Jennifer Davis
Heroism in the time of COVID-19
iennae
0
25
Using Terraform with Porter
iennae
0
140
Open Source in the time of COVID-19
iennae
1
130
The Ops in the Serverless: GOTO Chicago 2020
iennae
0
86
The ultimate guide to complicated systems - December 2019 Talk
iennae
0
39
The ultimate guide to complicated systems - devopsdays Chattanooga 2019 Keynote
iennae
0
58
Prioritizing Trust while Creating Applications - devopsdays Chattanooga 2019
iennae
1
81
The ultimate guide to complicated systems - Velocity 2019 Keynote
iennae
0
54
Prioritizing Trust while Creating Applications
iennae
0
520

Other Decks in Technology

See All in Technology
Oracle Base Database Service 技術詳細
oracle4engineer
PRO
5
49k
よくわからんサービスについての問い合わせが来たときの強い味方 Amazon Q について
kazzpapa3
0
220
日経電子版におけるリアルタイムレコメンドシステム開発の事例紹介/nikkei-realtime-recommender-system
yng87
1
490
急成長中のWINTICKETにおける品質と開発スピードと向き合ったQA戦略と今後の展望 / winticket-autify
cyberagentdevelopers
PRO
1
160
クライアントサイドでよく使われる Debounce処理 をサーバサイドで3回実装した話
yoshiori
1
150
VPC間の接続方法を整理してみた #自治体クラウド勉強会
non97
1
800
[JAWS-UG金沢支部×コンテナ支部合同企画]コンテナとは何か
furuton
3
230
Nix入門パラダイム編
asa1984
2
200
生成AIと知識グラフの相互利用に基づく文書解析
koujikozaki
1
140
使えそうで使われないCloudHSM
maikamibayashi
0
170
マネジメント視点でのre:Invent参加 ~もしCEOがre:Inventに行ったら~
kojiasai
0
450
Emacs x Nostr
hakkadaikon
1
150

Featured

See All Featured
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
32
1.8k
The Invisible Side of Design
smashingmag
297
50k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
26
1.4k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
Thoughts on Productivity
jonyablonski
67
4.3k
Unsuck your backbone
ammeep
668
57k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
37
1.8k
Six Lessons from altMBA
skipperchong
26
3.5k
How GitHub (no longer) Works
holman
311
140k
A Tale of Four Properties
chriscoyier
156
23k
Optimising Largest Contentful Paint
csswizardry
33
2.9k
Docker and Python
trallard
40
3.1k

Transcript

  1. Prioritizing Trust while Creating Applications Jennifer Davis, Cloud Advocate she/her

     @sigje 1/40

  2. 2/40

  3. Trust 3/40

  4. 4/40

  5. https://haveibeenpwned.com/ 5/40

  6. 6/40

  7. 7/40

  8. 8/40

  9. Agenda EstablishCommonContext BuildFoundations AdvancingPrinciples 9/40

  10. 10/40

  11. 11/40

  12. Bug versus Flaw 12/40

  13. Motivations FinancialGain Espionage/StrategicGain Fun/Ideology/Grudge 13/40

  14. Build Foundations 14/40

  15. Defense in Depth 15/40

  16. Snyk State of Open Source Security Report 2019 78%vulnerabilitiesinindirectdependencies 37%ofopensourcedevelopersnosecurity

    testinginCI 54%dockerimagenosecuritytesting Top10dockerimagescontain>30vulnerable systemlibraries Source:https://snyk.io/opensourcesecurity- 2019/ 16/40

  17. #WOCinTechChatAttribution2.0Generic(CCBY 2.0) 17/40

  18. Whatcanausersee?do? Whatinformationislogged? Approachforfailedlogins OWASP:ApplicationSecurityVerificationStandard Project 18/40

  19. Threat Modeling 19/40

  20. Architectural Trade-offs 20/40

  21. 21/40

  22. 22/40

  23. Testing Code 23/40

  24. Static Code Analysis 24/40

  25. Source: https://www.imperialviolet.org/2014/02/22/applebug.htm 25/40

  26. Coding Standards 26/40

  27. Secure Code Reviews 27/40

  28. Planning for Security Escalations Identify Assess Remediate 28/40

  29. Incident Response Resource BuildingaMinimumViableResponsePlan: jhand.co/CreateResponsePlan 29/40

  30. 30/40

  31. Leverage your platform's services Recognize your platform's limits 31/40

  32. 32/40

  33. 33/40

  34. Advancing Principles 34/40

  35. Bug Bounty Programs 35/40

  36. Capture the Flag (CTF) -CTFdistributedteamforNonbinary FolksandWomen CTFCircle 36/40

  37. Red Team Exercise  Fundamentally,ifsomebody wantstogetin,they’regetting in acceptthat.Whatwetell clientsis:Numberone,you’rein thefight,whetheryouthought

    youwereornot.Numbertwo,you almostcertainlyarepenetrated. -MichaelHayden,FormerDirectorofNSA&CIA 37/40

  38. What's Next? Identifyyoursecuritymaturity Assessvaluablepractices Encouragelearningsecurityskills Incorporatefeedback Updatethreatmodels 38/40

  39. 39/40

  40. Thank you Email: [email protected]  @sigje OpenSpaces CoffeeOpsSeptember27,8:30am Ongoing-AbbyBangser, :@a_bangser

    https://tinyurl.com/DODLON19OSF 40/40