Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Secure by design
Search
Sponsored
·
Your Podcast. Everywhere. Effortlessly.
Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
→
Laura Bell
May 20, 2015
Technology
100
1
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Secure by design
Presented by Laura Bell (SafeStack) at ANZTB annual conference, Auckland (New Zealand)
Laura Bell
May 20, 2015
More Decks by Laura Bell
See All by Laura Bell
DIY security for the amateur superhero
ladynerd
0
300
Hackcon 11 - Protecting our people
ladynerd
0
250
Security in a container based world
ladynerd
0
170
Securing Microservice Architectures
ladynerd
2
370
Better Connected
ladynerd
0
84
Continuous Security
ladynerd
3
1.2k
Automated Human Vulnerability Scanning with AVA
ladynerd
3
2.7k
Blindsided by security
ladynerd
0
150
Practical tools for privacy audit
ladynerd
0
230
Other Decks in Technology
See All in Technology
Android の公式 Skill / Android skills
yanzm
0
140
白金鉱業Meetup_Vol.24_「AIエージェントは分けるほど良い」は本当か? / Is it true that “the more you divide AI agents, the better”?
brainpadpr
1
350
機械学習を「社会実装」するということ 2026年夏版 / Social Implementation of Machine Learning June 2026 Version
moepy_stats
5
1.8k
ACE-Step-1.5で見る 音楽生成AIのしくみと“破綻だけ直す”Retake機能の開発【zennfes spring 2026 登壇資料】
personabb
1
220
自律型AIエージェントは何を破壊するのか
kojira
0
160
連合学習と機密コンピューティング
lycorptech_jp
PRO
0
110
スキルと MCP ツール、責務をどう分けるか? AI が迷わないインターフェース設計の戦略
cdataj
1
1k
Snowflakeと仲良くなる第一歩
coco_se
4
440
SONiC Scale-Up Working Group から探る Scale-UpやUltraEthernet機能の実装方法
ebiken
PRO
2
220
なぜ Platform Engineering の土台に Kubernetes を選ぶのか
r4ynode
2
620
SIer20年! 培ったスキルがスタートアップで輝く時
shucho0103
0
850
AIネイティブな開発のサプライチェーンリスク対策 〜激動の開発現場でリスクに立ち向かう〜【ZennFes】
cscengineer
PRO
2
110
Featured
See All Featured
The SEO identity crisis: Don't let AI make you average
varn
0
490
Future Trends and Review - Lecture 12 - Web Technologies (1019888BNR)
signer
PRO
0
3.6k
Reflections from 52 weeks, 52 projects
jeffersonlam
356
21k
How People are Using Generative and Agentic AI to Supercharge Their Products, Projects, Services and Value Streams Today
helenjbeal
1
210
Why Our Code Smells
bkeepers
PRO
340
58k
Impact Scores and Hybrid Strategies: The future of link building
tamaranovitovic
0
310
Understanding Cognitive Biases in Performance Measurement
bluesmoon
32
2.9k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
254
22k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
12
1.7k
The Anti-SEO Checklist Checklist. Pubcon Cyber Week
ryanjones
0
160
HDC tutorial
michielstock
2
710
Tips & Tricks on How to Get Your First Job In Tech
honzajavorek
1
540
Transcript
Secure by Design Building secure and useable systems in a
connected world Laura Bell F O U N D E R & L E A D C O N S U LTA N T S A F E S TAC K @ l a d y _ n e rd l a u r a @ s a fe s t a c k . i o
the world is a terrible place
the internet is a festering pool of toxic waste
None
somebody probably wants to do bad things to your computer
the security situation is beyond hope
None
we can build amazing things
None
None
None
doing this securely is hard
developers and testers you can avoid common pitfalls. bring security
to any dev/test environment
Security for everyone
None
Security needs a hero
security is a team sport
Security is a tester superpower
security starts with education
Tools and Techniques
1. Requirements capture 2. Language 3. Design level security 4.
Automation 5. Consistency
Requirements Capture
security starts with requirements
Forgotten Password Example Functional/Story requirements: User enters username on forgotten
password page User receives link to reset password page Password is reset User can login to system
Forgotten Password Example Security requirements: Password reset link expires after
24 hours Password reset link is unique to password reset request Password reset link is complex and pseudo random Password reset link can only be used once Error messages on password reset form do not allow username or email enumeration
Language
Language creates barriers and divides
Get the language right Critical High Medium Low Informational False
Positive
Security vulnerabilities hide behind acronyms, jargon and assumptions.
Design level security
Vulnerabilities cluster between components
Our environments are complex
Bad things happen when low risk security issues cluster together…..
Automation
Human error threatens testing effectiveness
Test data creation and scrubbing Test case definition Load testing
Regression testing Integration testing Security testing Test environment deployment
Automated security testing gives a continuous assessment of risk.
Consistency
Don’t leave security to chance
All testers All stories All the time
1. Requirements capture 2. Language 3. Design level security 4.
Automation 5. Consistency
Common Challenges
1. Avoid security theatre 2. Stop ignoring legacy code 3.
Maintain momentum 4. Face your fear
Avoid security theatre
Dealing with a legacy
Aim for continuous steady improvement
It’s OK to be afraid
1. Avoid security theatre 2. Stop ignoring legacy code 3.
Maintain momentum 4. Face your fear
developers and testers you can avoid common pitfalls. bring security
to any dev/test environment
Questions? Laura Bell F O U N D E R
& L E A D C O N S U LTA N T S A F E S TAC K @ l a d y _ n e rd l a u r a @ s a fe s t a c k . i o
ladynerd
yanzm
brainpadpr
moepy_stats
personabb
kojira
lycorptech_jp
cdataj
coco_se
ebiken
r4ynode
shucho0103
cscengineer
varn
signer
jeffersonlam
.png){kind=avatar}
helenjbeal
bkeepers
tamaranovitovic
bluesmoon
smashingmag
tammyeverts
ryanjones
michielstock
honzajavorek
