The Art of Secure Architecture

Julia Potapenko

June 02, 2021

Transcript

  1. The Art of Secure Architecture. Julia Potapenko
  2. Security Software Engineer, @julepka. We help companies protect their sensitive and valuable data.
  3. Secure architecture
  4. Secure architecture for small startup companies
  5. Secure architecture for small startup companies: fast-paced development, prioritized feature delivery, smaller team, no security team and no security decision making, tight deadlines and budget.
  6. … security decreases usability … and performance … a security feature is in conflict with another feature … We want it secure but…
  7. We want it secure but…
  8. We want it secure but… Why do we postpone security features?
  9. Security is invisible: no direct business value; you can’t see if it’s working, you can see when it fails.
  10. Secure architecture –
  11. Secure architecture – is a combination of structural security decisions…
  12. Secure architecture – is a combination of structural security decisions that efficiently addresses risks…
  13. Secure architecture – is a combination of structural security decisions that efficiently addresses risks considering business goals.
  14. People make poor decisions under pressure. Secure architecture is about decision making. People mess up processes under pressure. Secure architecture is about following the process.
  15. SSDLC: Requirements, Design, Develop, Test, Deploy
  16. SSDLC by phase. Requirements: security review, security features. Design: design review, threat model. Develop: secure coding, static analysis. Test: security code review, pentesting. Deploy: security monitoring, security assessment.
  18. Building Secure Architecture (see also: TOGAF): business goals; build the arch; arch decisions & design; risks & tradeoffs.
  19. Building Secure Architecture: business goals; build the arch; arch decisions & design; risks & tradeoffs. Document risks!
  20. … you assess risks and make security decisions every day…
  21. Imagine you are an artist. You want to gift your friend a painting: a portrait. You know your friend is somewhat picky.
  22. Watercolor. Pros: trendy, not expensive. Cons: mistakes not allowed. (Imagine you are an artist. You want to gift your friend a painting: a portrait. You know your friend is somewhat picky.)
  23. Watercolor. Pros: trendy, not expensive. Cons: mistakes not allowed. Oil paint. Pros: mistakes allowed. Cons: expensive, not trendy. (Imagine you are an artist. You want to gift your friend a painting: a portrait. You know your friend is somewhat picky.)
  24. Watercolor. Pros: trendy, not expensive. Cons: mistakes not allowed. Oil paint. Pros: mistakes allowed. Cons: expensive, not trendy. Gouache: water-based like watercolor but not that opaque, not expensive, allows minor mistakes. (Imagine you are an artist. You want to gift your friend a painting: a portrait. You know your friend is somewhat picky.)
  25. What could go wrong? Lack of time; not assessing risks and tradeoffs; picking tools before sticking to the core idea; lack of awareness.
  26. Risk assessment for beginners
  27. Risk assessment for beginners: What is important for your business? What don’t I want to share or lose as a user? What sensitive data or PII can be there? Do I need to be compliant with any regulations? Why may the company lose a lot of money? How much do I care about reputation damage?
  28. Food delivery service example. What is important for your business? Profit. What don’t I want to share or lose as a user? Credit card. What sensitive data or PII can be there? Name, address, phone. Do I need to be compliant with any regulations? GDPR, CCPA. Why may the company lose a lot of money? Availability issues. How much do I care about reputation damage? I care a lot.
  29. Measure and prioritize (see also: FAIR, NIST RMF). What is the possible damage from this or that attack? What is our attack surface? How often may this or that attack occur? How probable is it? How interesting (profitable) may it be for an attacker? What skill level is required for it? Do we have (or plan) other security controls covering it? What is the cost of implementing the security control? What is the cost of attack mitigation?
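The "measure and prioritize" questions above only become a decision once they are turned into numbers. The following is an added worked example, not code from the deck: it scores a small risk register for the food delivery service the way a FAIR-style analysis does (expected annual loss = event frequency × loss per event, reduced by controls already in place) and ranks candidate controls by net benefit, so "implement now" versus "document as accepted risk" falls out of the estimates rather than out of who argued loudest. Every figure in `SAMPLE_RISKS` is a constructed estimate, and the `Risk` fields are this example's own naming, not FAIR's official taxonomy.

```python
"""Risk prioritization worked example for the deck's food delivery service.
Added illustration, not from the deck: it turns the "measure and prioritize"
questions into numbers the way FAIR-style analysis does (expected loss =
event frequency x loss magnitude) and ranks candidate controls by net benefit.
All figures are constructed estimates."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Risk:
    name: str
    events_per_year: float          # how often may this attack occur (estimate)
    loss_per_event: float           # possible damage, including attack mitigation cost
    existing_coverage: float        # 0..1: share of events already blocked by controls we have or plan
    control_cost: float             # yearly cost of the candidate control
    control_effectiveness: float    # 0..1: share of the remaining events the control would block

    def expected_loss(self) -> float:
        """Residual annual loss before the candidate control is added."""
        residual_events = self.events_per_year * (1.0 - self.existing_coverage)
        return residual_events * self.loss_per_event

    def loss_avoided(self) -> float:
        """Annual loss the candidate control would remove."""
        return self.expected_loss() * self.control_effectiveness

    def net_benefit(self) -> float:
        """Positive: the control pays for itself; negative: defer or pick a cheaper control."""
        return self.loss_avoided() - self.control_cost


# Constructed sample risk register for the food delivery example (hypothetical numbers).
SAMPLE_RISKS: List[Risk] = [
    Risk("Card data leak from insecure storage", 0.2, 500_000, 0.0, 20_000, 0.9),
    Risk("Account takeover by credential stuffing", 12.0, 2_000, 0.5, 5_000, 0.8),
    Risk("Outage from DDoS on a peak evening", 2.0, 15_000, 0.0, 12_000, 0.7),
    Risk("Stolen office laptop", 0.5, 3_000, 0.8, 4_000, 0.5),
]


def prioritize(risks: List[Risk]) -> List[Tuple[str, float, float, str]]:
    """Rank by net benefit; rows are (name, expected_loss, net_benefit, recommendation)."""
    ranked = sorted(risks, key=lambda r: r.net_benefit(), reverse=True)
    return [
        (r.name, round(r.expected_loss(), 2), round(r.net_benefit(), 2),
         "implement" if r.net_benefit() > 0 else "defer / document as accepted risk")
        for r in ranked
    ]


if __name__ == "__main__":
    for name, loss, benefit, action in prioritize(SAMPLE_RISKS):
        print(f"{name:45s} expected loss {loss:>10.2f}  net benefit {benefit:>10.2f}  {action}")
```

Two things the table makes visible that the questions alone do not: a rare event with a large loss (the card data leak) still tops the list, and a control can be a bad buy even against a real risk (the laptop) once existing coverage is accounted for, which is exactly the "do we already have other controls covering it?" question. The rows that come out as "defer" are the ones to write into the risk document rather than silently drop.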
  30. Building Secure Architecture: business goals; build the arch; arch decisions & design; risks & tradeoffs. Document risks!
  31. Building Secure Architecture: business goals; build the arch; arch decisions & design; risks & tradeoffs. Document risks! Be creative!
  32. Building Secure Architecture: business goals; build the arch; arch decisions & design; risks & tradeoffs. Document risks! Be creative! Pick tools here!
  33. Creativity
  34. Creativity: industry guidelines, technology expertise, tools.
  35. Creativity: the ability to create; the use of imagination or original ideas to create something; inventiveness. Synonyms: imagination, vision, inventiveness. Industry guidelines, technology expertise, tools.
  36. Building Secure Architecture: business goals; build the arch; arch decisions & design; risks & tradeoffs. Document risks! Be creative! Pick tools here!
  37. Building Secure Architecture: business goals; build the arch; arch decisions & design; risks & tradeoffs. Document risks! Be creative! Communicate! Pick tools here!
  38. Building Secure Architecture. Communicate! (see also: SABSA) Business owner view, architect’s view, designer’s view, software engineer’s view, manager’s view.
  39. Building Secure Architecture. Communicate! (see also: COBIT 5) Business owner view, architect’s view, designer’s view, software engineer’s view, manager’s view, QC engineer’s view, marketing view, infrastructure engineer’s view, people management view, graphical designer’s view, legal view, support team view.
  40. Why can’t engineers make it secure?
  41. Why can’t engineers make it secure? Secure Architecture: is about the decision making process; is based on risks and business goals; is an abstraction. Secure Coding: is about writing code; is based on industry guidelines; is platform-specific.
  42. Why can’t engineers make it secure? Secure Architecture (you operate risks and business goals, abstracting from the tools): is about the decision making process; is based on risks and business goals; is an abstraction. Secure Coding (you operate tools, you don’t make business decisions): is about writing code; is based on industry guidelines; is platform-specific.
  43. Why can’t engineers make it secure? Secure Architecture (you operate risks and business goals, abstracting from the tools; creating structure): is about the decision making process; is based on risks and business goals; is an abstraction. Secure Coding (you operate tools, you don’t make business decisions; adding details): is about writing code; is based on industry guidelines; is platform-specific.
  44. Why can’t engineers make it secure? “We’ve created a mobile app for our store! Now you can pay with the app! No need to interact with people!”
  45. Why can’t engineers make it secure? “We’ve created a mobile app for our store! Now you can pay with the app! No need to interact with people!” “The fraud level is way too high. Let’s ask engineers to investigate and fix the issue.”
  46. Why can’t engineers make it secure? “We’ve created a mobile app for our store! Now you can pay with the app! No need to interact with people!” “The fraud level is way too high. Let’s ask engineers to investigate and fix the issue.” After a couple of months the engineering team arrived with nothing. One of them asked: “What is the actual percentage of fraudulent transactions?”
  47. Why can’t engineers make it secure? “We’ve created a mobile app for our store! Now you can pay with the app! No need to interact with people!” “The fraud level is way too high. Let’s ask engineers to investigate and fix the issue.” After a couple of months the engineering team arrived with nothing. One of them asked: “What is the actual percentage of fraudulent transactions?” The actual percentage was actually better than the industry statistics.
  48. SSDLC by phase. Requirements: security review, security features. Design: design review, threat model. Develop: secure coding, static analysis. Test: security code review, pentesting. Deploy: security monitoring, security assessment.
  49. SSDLC by phase. Requirements: security review, security features. Design: design review, threat model. Develop: secure coding, static analysis. Test: security code review, pentesting. Deploy: security monitoring, security assessment. Annotation: architectural decisions.
  50. SSDLC by phase. Requirements: security review, security features. Design: design review, threat model. Develop: secure coding, static analysis. Test: security code review, pentesting. Deploy: security monitoring, security assessment. Annotations: architectural decisions; software developers.
  51. Why can’t engineers make it secure? Force upgrade feature: essential for desktop and mobile apps (but not for backend, web), but its logic includes both the app and the backend side.
  52. Why can’t engineers make it secure? Force upgrade feature: essential for desktop and mobile apps (but not for backend, web), but its logic includes both the app and the backend side. If the app is already released, it takes more time to implement (the existing error handling logic created limitations).
  53. Why can’t engineers make it secure? When security was postponed: 1. Error handling implemented. 2. App devs discover the risk. 3. App devs communicate with architect and manager. 4. App devs communicate with backend. 5. Updating error handling. 6. Adding force upgrade.
  54. Why can’t engineers make it secure? When security was postponed: 1. Error handling implemented. 2. App devs discover the risk. 3. App devs communicate with architect and manager. 4. App devs communicate with backend. 5. Updating error handling. 6. Adding force upgrade. Security right from the start: 1. Architect communicates with devs. 2. Architect discovers the risk. 3. Error handling implemented. 4. Adding force upgrade.
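The force upgrade example above is concrete enough to show in code, and in particular why "existing error handling logic created limitations". Below is an added example, not code from the deck or from any product it describes: a minimal version of both halves of the feature. The backend compares the version the client reports against a minimum it still supports and answers an outdated client with a dedicated status and body; the app distinguishes that answer from a transient server error, which a generic error handler written before the feature existed would simply retry. The `X-App-Version` header name, the use of HTTP 426 (Upgrade Required), the MAJOR.MINOR.PATCH scheme and the policy values are this example's assumptions.

```python
"""Force-upgrade check spanning app and backend (added example, not from the deck).
Assumptions: versions are MAJOR.MINOR.PATCH, the client sends its version in an
X-App-Version header, and the backend answers HTTP 426 (Upgrade Required) to
clients below the minimum. The policy values are constructed."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]
_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")

# Constructed backend policy: the oldest build still served and the newest one offered.
UPGRADE_POLICY: Dict[str, str] = {"min_supported": "2.3.0", "latest": "2.5.1"}


def parse_version(text: object) -> Optional[Version]:
    """Parse 'MAJOR.MINOR.PATCH'. Returns None for anything malformed instead of raising,
    because each side treats the other side's value as untrusted input."""
    if not isinstance(text, str):
        return None
    match = _SEMVER.match(text.strip())
    if not match:
        return None
    major, minor, patch = (int(g) for g in match.groups())
    return (major, minor, patch)


def backend_check(headers: Dict[str, str]) -> Tuple[int, dict]:
    """Backend side. Clients below the minimum get a dedicated status and body so the app
    can tell 'you must upgrade' apart from a generic server error: a 500 gets retried by
    the usual error handling, a 426 must not be."""
    client = parse_version(headers.get("X-App-Version"))
    minimum = parse_version(UPGRADE_POLICY["min_supported"])
    if client is None or client < minimum:
        return 426, {"error": "upgrade_required", **UPGRADE_POLICY}
    return 200, {"ok": True, **UPGRADE_POLICY}


def app_decision(status: int, body: object, installed: str) -> str:
    """App side. Returns one of:
    'block'   show the force-upgrade screen, no other traffic until updated
    'nudge'   a newer version exists, offer an optional update
    'proceed' supported and current
    'retry'   transient or unknown failure, hand over to the normal error handling"""
    if status == 426 or (isinstance(body, dict) and body.get("error") == "upgrade_required"):
        return "block"
    if status != 200 or not isinstance(body, dict):
        return "retry"
    current = parse_version(installed)
    minimum = parse_version(body.get("min_supported"))
    latest = parse_version(body.get("latest"))
    if current is None:
        return "block"          # cannot prove we are a supported build: fail closed
    if minimum is None:
        return "retry"          # policy missing from a 200 reply: malformed, not "allowed"
    if current < minimum:
        return "block"
    if latest is not None and current < latest:
        return "nudge"
    return "proceed"


def check_startup(installed: str) -> str:
    """Round trip: the app reports its version, the backend answers, the app decides."""
    status, body = backend_check({"X-App-Version": installed})
    return app_decision(status, body, installed)


if __name__ == "__main__":
    for v in ("2.2.9", "2.3.0", "2.5.1", "not-a-version"):
        print(v, "->", check_startup(v))
```

The ordering of the checks in `app_decision` is the whole point: the upgrade verdict is recognised before the generic `status != 200` branch, so it cannot be swallowed by retry logic. That is the change the "security postponed" path has to retrofit in step 5, and the "security from the start" path gets for free by designing the error handling with the feature in mind. Whether a malformed policy should fail open or closed is a tradeoff to decide and document, not a default to inherit.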
  55. SSDLC by phase. Requirements: security review, security features. Design: design review, threat model. Develop: secure coding, static analysis. Test: security code review, pentesting. Deploy: security monitoring, security assessment.
  56. SSDLC … tips for small startups… Requirements: security review, security features. Design: design review, threat model. Develop: secure coding, static analysis. Test: security code review, pentesting. Deploy: security monitoring, security assessment.
  57. SSDLC … tips for small startups… (see also: OWASP RAF) Requirements: document risks and sensitive assets. Design: design and discuss with security in mind. Develop: secure coding, static analysis. Test: security code review, pentesting. Deploy: security monitoring, security assessment.
  58. SSDLC … tips for small startups… Requirements: document risks and sensitive assets. Design: design and discuss with security in mind. Develop: secure coding knowledge sharing, static analysis. Test: security code review, pentesting. Deploy: security monitoring, security assessment.
  59. SSDLC … tips for small startups… Requirements: document risks and sensitive assets. Design: design and discuss with security in mind. Develop: secure coding knowledge sharing, static analysis. Test: security checklists, dependency checkers, SAST, DAST. Deploy: security monitoring, security assessment.
  60. SSDLC … tips for small startups… Requirements: document risks and sensitive assets. Design: design and discuss with security in mind. Develop: secure coding knowledge sharing, static analysis. Test: security checklists, dependency checkers, SAST, DAST. Deploy: security events in analytics, responsible disclosure.
  62. Have you ever caught your development team in the situation when the very first app release is coming, but it lacks security completely? (Requirements, Design, Develop, Test, Deploy)
  63. Have you ever caught your development team in the situation when the very first app release is coming, but it lacks security completely? (Requirements, Design, Develop, Test, Deploy) What are the most critical events that may happen to your business? Prioritise!
  64. Have you ever caught your development team in the situation when the very first app release is coming, but it lacks security completely? (Requirements, Design, Develop, Test, Deploy) What are the most critical events that may happen to your business? Prioritise! Communicate. Assess what you already have. Book time.
  65. Have you ever caught your development team in the situation when the very first app release is coming, but it lacks security completely? (Requirements, Design, Develop, Test, Deploy) What are the most critical events that may happen to your business? Prioritise! Communicate. Assess what you already have. Book time. Build step by step. Make sure basic security functionality is working. Then, improve.
  66. Have you ever caught your development team in the situation when the very first app release is coming, but it lacks security completely? (Requirements, Design, Develop, Test, Deploy) What are the most critical events that may happen to your business? Prioritise! Communicate. Assess what you already have. Book time. Build step by step. Make sure basic security functionality is working. Then, improve. Create a checklist with all the security controls.
  67. Have you ever caught your development team in the situation when the very first app release is coming, but it lacks security completely? (Requirements, Design, Develop, Test, Deploy) What are the most critical events that may happen to your business? Prioritise! Communicate. Assess what you already have. Book time. Build step by step. Make sure basic security functionality is working. Then, improve. Create a checklist with all the security controls. Set up alerting.
  68. Have you ever caught your development team in the situation when the very first app release is coming, but it lacks security completely? (Requirements, Design, Develop, Test, Deploy) What are the most critical events that may happen to your business? Prioritise! Communicate. Assess what you already have. Book time. Build step by step. Make sure basic security functionality is working. Then, improve. Create a checklist with all the security controls. Set up alerting. Prepare Plan B.
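"Security events in analytics" in the startup-sized SSDLC above and "Set up alerting" in the pre-release steps are the same idea seen from two phases: the product already emits login and payment events, so the first alert can be a rule over that stream rather than a separate security stack. The following is an added example, not code from the deck: a sliding-window rule that raises one alert when an account accumulates five failed logins within ten minutes, run over a handful of constructed JSON-lines events. The event field names, thresholds and the sample lines (using documentation IP ranges) are this example's assumptions; a malformed line is skipped rather than allowed to stop the rule.

```python
"""Alerting on security events already present in product analytics
(added example, not from the deck). Assumption: events are JSON lines with
'ts', 'event', 'account' and 'ip' fields; the rule and thresholds are constructed."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Constructed sample events (documentation address ranges, not real users).
SAMPLE_EVENTS = """\
{"ts": "2021-06-02T19:00:00", "event": "login_failed", "account": "alice", "ip": "203.0.113.7"}
{"ts": "2021-06-02T19:00:20", "event": "login_failed", "account": "alice", "ip": "203.0.113.7"}
{"ts": "2021-06-02T19:00:45", "event": "login_failed", "account": "bob", "ip": "198.51.100.4"}
{"ts": "2021-06-02T19:01:05", "event": "login_failed", "account": "alice", "ip": "203.0.113.7"}
{"ts": "2021-06-02T19:01:30", "event": "login_ok", "account": "bob", "ip": "198.51.100.4"}
{"ts": "2021-06-02T19:01:50", "event": "login_failed", "account": "alice", "ip": "203.0.113.9"}
{"ts": "2021-06-02T19:02:10", "event": "login_failed", "account": "alice", "ip": "203.0.113.7"}
{"ts": "2021-06-02T19:02:40", "event": "login_failed", "account": "alice", "ip": "203.0.113.7"}
{"ts": "2021-06-02T19:03:00", "event": "payment_declined", "account": "alice", "ip": "203.0.113.7"}
not json at all
"""


def parse_events(text: str) -> List[dict]:
    """Parse JSON lines, skipping malformed ones: a broken line must not stop alerting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
        except (ValueError, KeyError, TypeError):
            continue
    return sorted(events, key=lambda e: e["ts"])


def detect_failed_login_bursts(events: List[dict], threshold: int = 5,
                               window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Sliding-window rule: raise one alert per account when it accumulates
    `threshold` failed logins inside `window`; later failures do not re-alert."""
    recent: Dict[str, Deque[dict]] = defaultdict(deque)
    alerted = set()
    alerts = []
    for ev in events:
        if ev.get("event") != "login_failed":
            continue
        account = ev.get("account", "<unknown>")
        q = recent[account]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and account not in alerted:
            alerted.add(account)
            alerts.append({
                "rule": "failed_login_burst",
                "account": account,
                "count": len(q),
                "first": q[0]["ts"].isoformat(),
                "last": ev["ts"].isoformat(),
                "ips": sorted({e.get("ip", "?") for e in q}),
            })
    return alerts


def run(text: str) -> List[dict]:
    """Parse the event stream and apply the rule; returns the alerts to route to whoever is on call."""
    return detect_failed_login_bursts(parse_events(text))


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

The alert carries the account, the window boundaries and every source address seen, which is what the person reading it at 2 a.m. needs to decide whether to lock the account or widen the search. Deduplicating per account keeps one burst from paging the team six times; that, together with the threshold, is the kind of tuning to write into the security checklist alongside the rule itself.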
  69. Summary: book time for security in advance; stick to SSDLC as early as possible; secure architecture is not a single person’s responsibility.
  70. Thank you! @julepka. Photo by Lukas Blazek https://unsplash.com/@goumbik