Secure by design

Transcript

1. Secure by Design Building secure and useable systems in a

   connected world Laura Bell F O U N D E R & L E A D C O N S U LTA N T S A F E S TAC K @ l a d y _ n e rd l a u r a @ s a fe s t a c k . i o

2. the world is a terrible place

3. the internet is a festering pool of toxic waste

4. None

5. somebody probably wants to do bad things to your computer

6. the security situation is beyond hope

7. None

8. we can build amazing things

9. None
10. None
11. None

12. doing this securely is hard

13. developers and testers you can avoid common pitfalls. bring security

    to any dev/test environment

14. Security for everyone

15. None

16. Security needs a hero

17. security is a team sport

18. Security is a tester superpower

19. security starts with education

20. Tools and Techniques

21. 1. Requirements capture 2. Language 3. Design level security 4.

    Automation 5. Consistency

22. Requirements Capture

23. security starts with requirements

24. Forgotten Password Example Functional/Story requirements: User enters username on forgotten

    password page User receives link to reset password page Password is reset User can login to system

25. Forgotten Password Example Security requirements: Password reset link expires after

    24 hours Password reset link is unique to password reset request Password reset link is complex and pseudo random Password reset link can only be used once Error messages on password reset form do not allow username or email enumeration

26. Language

27. Language creates barriers and divides

28. Get the language right Critical High Medium Low Informational False

    Positive

29. Security vulnerabilities hide behind acronyms, jargon and assumptions.

30. Design level security

31. Vulnerabilities cluster between components

32. Our environments are complex

33. Bad things happen when low risk security issues cluster together…..

34. Automation

35. Human error threatens testing effectiveness

36. Test data creation and scrubbing Test case definition Load testing

    Regression testing Integration testing Security testing Test environment deployment

37. Automated security testing gives a continuous assessment of risk.

38. Consistency

39. Don’t leave security to chance

40. All testers All stories All the time

41. 1. Requirements capture 2. Language 3. Design level security 4.

    Automation 5. Consistency

42. Common Challenges

43. 1. Avoid security theatre 2. Stop ignoring legacy code 3.

    Maintain momentum 4. Face your fear

44. Avoid security theatre

45. Dealing with a legacy

46. Aim for continuous steady improvement

47. It’s OK to be afraid

48. 1. Avoid security theatre 2. Stop ignoring legacy code 3.

    Maintain momentum 4. Face your fear

49. developers and testers you can avoid common pitfalls. bring security

    to any dev/test environment

50. Questions? Laura Bell F O U N D E R

    & L E A D C O N S U LTA N T S A F E S TAC K @ l a d y _ n e rd l a u r a @ s a fe s t a c k . i o