The Art of Secure Architecture

The Art of Secure Architecture
Julia Potapenko

View Slide

Security Software Engineer
@julepka
We help companies to protect their
sensitive and valuable data.

View Slide

Secure architecture

View Slide

Secure architecture
for small startup companies

View Slide

Secure architecture
for small startup companies
Fast-pacing development
Prioritized feature delivery
Smaller team
No security team
& decision making
Tight deadlines & budget

View Slide

… security decreases usability … and performance …
… security feature is in conﬂict with another feature …
We want it secure but…

View Slide


View Slide

Why do we postpone security features?

View Slide

Security is invisible
- No direct business value.
- You can’t see if it’s working, you can see when it fails.

View Slide

Secure architecture –

View Slide

Secure architecture – is a combination of structural
security decisions…

View Slide

security decisions that efﬁciently addresses risks…

View Slide

security decisions that efﬁciently addresses risks
considering business goals.

View Slide

People make poor decisions under pressure.
Secure architecture is about decision making.
People mess up the processes under the pressure.
Secure architecture is about following the process.

View Slide

SSDLC
Requirements Design Develop Test Deploy

View Slide

Security
review,
security
features
Design
review,
threat
model
Secure
coding,
static
analisys
Security
code
review,
pentesting
Security
monitoring,
security
assessment
SSDLC

View Slide

Building Secure Architecture
See also: TOGAF
BUSINESS
GOALS
BUILD
THE ARCH
ARCH
DECISIONS
& DESIGN
RISKS &
TRADEOFFS

View Slide

BUSINESS
GOALS
BUILD
THE ARCH
ARCH
DECISIONS
& DESIGN
RISKS &
TRADEOFFS
Document risks!

View Slide

… you assess risks every and do
security decisions every day…

View Slide

Imagine you are an artist.
You want to gift your friend a painting: a portrait.
You know your friend is somewhat picky.

View Slide

Watercolor
Pros: trendy, not expensive
Cons: mistakes not allowed

View Slide

Watercolor
Oil paint
Pros: mistakes allowed
Cons: expensive, not trendy

View Slide

Watercolor
Oil paint
Pros: mistakes allowed
Cons: expensive, not trendy
Gouache
water-based as watercolor
but not that opaque, not
expensive, allows minor
mistakes

View Slide

What could go wrong?
Lack of time
Not assessing risks and tradeoffs
Picking tools before sticking to the core idea
Lack of awareness

View Slide

Risk assessment for beginners

View Slide

What is important for your business?
What I don’t want to share or loose as a user?
What sensitive data or PII can be there?
Do I need to be compliant to any regulations?
Why may the company loose a lot of many?
How much do I care about reputation damage?
Risk assessment for beginners

View Slide

What is important for your business? - Proﬁt
What I don’t want to share or loose as a user? - Credit card
What sensitive data or PII can be there? - Name, address, phone
Do I need to be compliant to any regulations? - GDPR, CCPA
Why may the company loose a lot of many? - Availability issues
How much do I care about reputation damage? - I care a lot
Food delivery service example

View Slide

What is a possible damage from this or that attack?
What is our attack surface?
How often this or that attack may appear?
How probable it is?
How interesting (proﬁtable) it may be for an attacker?
What skill level is required for it?
Do we have (plan) other security controls covering it?
What is the cost of implementing the security control?
What is the cost of attack mitigation?
See also: FAIR, NIST RMF
Measure and prioritize

View Slide

BUSINESS
GOALS
BUILD
THE ARCH
ARCH
DECISIONS
& DESIGN
RISKS &
TRADEOFFS
Document risks!

View Slide

Be creative!
BUSINESS
GOALS
BUILD
THE ARCH
ARCH
DECISIONS
& DESIGN
RISKS &
TRADEOFFS
Document risks!

View Slide

Be creative!
Pick tools here!
BUSINESS
GOALS
BUILD
THE ARCH
ARCH
DECISIONS
& DESIGN
RISKS &
TRADEOFFS
Document risks!

View Slide

Creativity

View Slide

Creativity Industry Guidelines
Technology expertise
Tools

View Slide

Creativity
- the ability to create
- the use of imagination or original ideas to
create something; inventiveness
Synonyms:
imagination, vision, inventiveness
Industry Guidelines
Technology expertise
Tools

View Slide

Be creative!
Pick tools here!
BUSINESS
GOALS
BUILD
THE ARCH
ARCH
DECISIONS
& DESIGN
RISKS &
TRADEOFFS
Document risks!

View Slide

BUSINESS
GOALS
BUILD
THE ARCH
ARCH
DECISIONS
& DESIGN
RISKS &
TRADEOFFS
Document risks!
Be creative!
Communicate!
Pick tools here!

View Slide

Communicate!
Business owner view
Architect’s view
Designer’s view
Software engineer’s view
Manager’s view
See also: SABSA

View Slide

Communicate!
Business owner view
Architect’s view
Designer’s view
Software engineer’s view
Manager’s view
QC engineer’s view
Marketing view
Infrastructure engineer’s view
People management view
Graphical designer’s view
Legal view
Support team view
See also: COBIT 5

View Slide

Why engineers can’t make it secure?

View Slide

Secure Architecture
- is about decision making process
- is based on risks and business goals
- is an abstraction
Secure Coding
- is about writing code
- is based on industry guidelines
- is platform-speciﬁc

View Slide

You operate risks and business goals,
abstracting from the tools
You operate tools,
you don’t make business decisions
Secure Architecture
- is an abstraction
Secure Coding

View Slide

You operate risks and business goals,
abstracting from the tools
You operate tools,
you don’t make business decisions
Creating structure
Adding details
Secure Architecture
- is an abstraction
Secure Coding

View Slide

“We’ve created a mobile app for our store! Now, you can pay with
the app! No need to interact with people!”

View Slide

“The fraud level is way too high. Let’s ask engineers to investigate
and ﬁx the issue”

View Slide

After a couple of month engineering team arrived with nothing.
One of them asked:
“What is the actual percentage of fraudulent transactions?”

View Slide

After a couple of month engineering team arrived with nothing.
One of them asked:
“What is the actual percentage of fraudulent transactions?”
The actual percentage was actually better the industry statistics.

View Slide

Security
review,
security
features
Design
review,
threat
model
Secure
coding,
static
analisys
Security
code
review,
pentesting
Security
monitoring,
security
assessment
SSDLC

View Slide

Security
review,
security
features
Design
review,
threat
model
Secure
coding,
static
analisys
Security
code
review,
pentesting
Security
monitoring,
security
assessment
Architectural
decisions
SSDLC

View Slide

Security
review,
security
features
Design
review,
threat
model
Secure
coding,
static
analisys
Security
code
review,
pentesting
Security
monitoring,
security
assessment
Architectural
decisions
Software
developers
SSDLC

View Slide

Force upgrade feature
Essential for desktop and mobile apps (but not for backend, web)
But its logic includes both app and backend side.

View Slide

Force upgrade feature
Essential for desktop and mobile apps (but not for backend, web)
But its logic includes both app and backend side.
If the app is already released, it take more time to implement it
(existing error handling logic created limitations).

View Slide

When security was postponed:
1. Error handling implemented
2. App devs discover the risk
3. App devs communicate with
architect and manager
backend
5. Updating error handling
6. Adding force upgrade

View Slide

When security was postponed:
2. App devs discover the risk
architect and manager
backend
5. Updating error handling
Security right from the start:
1. Architect communicates with devs
2. Architect discovers the risk

View Slide

Security
review,
security
features
Design
review,
threat
model
Secure
coding,
static
analisys
Security
code
review,
pentesting
Security
monitoring,
security
assessment
SSDLC

View Slide

Security
review,
security
features
Design
review,
threat
model
Secure
coding,
static
analisys
Security
code
review,
pentesting
Security
monitoring,
security
assessment
… tips for small startups…
SSDLC

View Slide

document
risks and
sensitive
assets
design and
discuss with
security in
mind
Secure
coding,
static
analisys
Security
code
review,
pentesting
Security
monitoring,
security
assessment
See also: OWASP RAF
SSDLC

View Slide

document
risks and
sensitive
assets
design and
discuss with
security in
mind
secure coding
knowledge
sharing, static
analysis
Security
code
review,
pentesting
Security
monitoring,
security
assessment
SSDLC

View Slide

document
risks and
sensitive
assets
design and
discuss with
security in
mind
secure coding
knowledge
sharing, static
analysis
security
checklists,
dependency
checkers,
SAST, DAST.
Security
monitoring,
security
assessment
SSDLC

View Slide

document
risks and
sensitive
assets
design and
discuss with
security in
mind
secure coding
knowledge
sharing, static
analysis
security
checklists,
dependency
checkers,
SAST, DAST.
security
events in
analytics,
responsible
disclosure
SSDLC

View Slide

Have you ever caught your development team
in the situation when the very ﬁrst app release is
coming, but it lacks security completely?

View Slide

What are the
most critical
events that may
happen to your
business?
Prioritise!

View Slide

What are the
most critical
events that may
happen to your
business?
Prioritise!
Communicate.
Assess what you
already have.
Book time.

View Slide

Build step by
step. Make sure
basic security
functionality is
working. Then,
improve.
What are the
most critical
events that may
happen to your
business?
Prioritise!
Communicate.
Assess what you
already have.
Book time.

View Slide

Build step by
step. Make sure
basic security
functionality is
working. Then,
improve.
Create a checklist
with all the
security controls.
What are the
most critical
events that may
happen to your
business?
Prioritise!
Communicate.
Assess what you
already have.
Book time.

View Slide

Build step by
step. Make sure
basic security
functionality is
working. Then,
improve.
Create a checklist
with all the
security controls.
Set up alerting
What are the
most critical
events that may
happen to your
business?
Prioritise!
Communicate.
Assess what you
already have.
Book time.

View Slide

Build step by
step. Make sure
basic security
functionality is
working. Then,
improve.
Create a checklist
with all the
security controls.
Set up alerting
Prepare Plan B
What are the
most critical
events that may
happen to your
business?
Prioritise!
Communicate.
Assess what you
already have.
Book time.

View Slide

Summary
- Book time for security in advance
- Stick to SSDLC as early as possible
- Secure architecture is not a single person responsibility

View Slide

Thank you!
@julepka
Photo by Lukas Blazek
https://unsplash.com/@goumbik

View Slide

The Art of Secure Architecture

The Art of Secure Architecture

Julia Potapenko

More Decks by Julia Potapenko

Other Decks in Programming

Featured

Transcript