Upgrade to PRO for Only $50/Year—Limited-Time Offer! 🔥

Secure by design

Avatar for Laura Bell Laura Bell
May 20, 2015
Technology
1
90

Secure by design

Presented by Laura Bell (SafeStack) at ANZTB annual conference, Auckland (New Zealand)

Avatar for Laura Bell

Laura Bell

May 20, 2015
Tweet

More Decks by Laura Bell

See All by Laura Bell
DIY security for the amateur superhero
Avatar for Laura Bell ladynerd
0
270
Hackcon 11 - Protecting our people
Avatar for Laura Bell ladynerd
0
240
Security in a container based world
Avatar for Laura Bell ladynerd
0
150
Securing Microservice Architectures
Avatar for Laura Bell ladynerd
2
360
Better Connected
Avatar for Laura Bell ladynerd
0
73
Continuous Security
Avatar for Laura Bell ladynerd
3
1.2k
Automated Human Vulnerability Scanning with AVA
Avatar for Laura Bell ladynerd
3
2.7k
Blindsided by security
Avatar for Laura Bell ladynerd
0
120
Practical tools for privacy audit
Avatar for Laura Bell ladynerd
0
210

Other Decks in Technology

See All in Technology
2025年のデザインシステムとAI 活用を振り返る
Avatar for Tech Leverages leveragestech
0
280
AI駆動開発ライフサイクル(AI-DLC)の始め方
Avatar for ryansbcho79 ryansbcho79
0
190
AWSの新機能をフル活用した「re:Inventエージェント」開発秘話
Avatar for みのるん minorun365
2
460
テストセンター受験、オンライン受験、どっちなんだい?
Avatar for Yuuki Yamashita yama3133
0
170
[Data & AI Summit '25 Fall] AIでデータ活用を進化させる!Google Cloudで作るデータ活用の未来
Avatar for kirimaru kirimaru
0
3.9k
100以上の新規コネクタ提供を可能にしたアーキテクチャ
Avatar for yu-kioo ooyukioo
0
260
[Neurogica] 採用ポジション/ Recruitment Position
Avatar for Neurogica neurogica
1
130
Identity Management for Agentic AI 解説
Avatar for Naohiro Fujie fujie
0
470
ソフトウェアエンジニアとAIエンジニアの役割分担についてのある事例
Avatar for KNOWLEDGE WORK / 株式会社ナレッジワーク kworkdev
PRO
0
270
"人"が頑張るAI駆動開発
Avatar for yoko yokomachi
1
590
Claude Codeを使った情報整理術
Avatar for 西岡 賢一郎 (Kenichiro Nishioka) knishioka
11
6.5k
AIBuildersDay_track_A_iidaxs
Avatar for iidaxs iidaxs
4
1.4k

Featured

See All Featured
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
Avatar for Joe Casabona jcasabona
34
2.6k
ラッコキーワード サービス紹介資料
Avatar for ラッコ株式会社 rakko
0
1.8M
Intergalactic Javascript Robots from Outer Space
Avatar for Vicent Martí tanoku
273
27k
Music & Morning Musume
Avatar for Bryan Veloso bryan
46
7k
From Legacy to Launchpad: Building Startup-Ready Communities
Avatar for Dug Song dugsong
0
110
From π to Pie charts
Avatar for Rasagy Sharma rasagy
0
91
Jess Joyce - The Pitfalls of Following Frameworks
Avatar for Tech SEO Connect techseoconnect
PRO
1
31
Skip the Path - Find Your Career Trail
Avatar for Mark Kilby mkilby
0
27
Reflections from 52 weeks, 52 projects
Avatar for Jefferson Lam jeffersonlam
355
21k
Evolving SEO for Evolving Search Engines
Avatar for Ryan Jones ryanjones
0
76
XXLCSS - How to scale CSS and keep your sanity
Avatar for Zaharenia Atzitzikaki sugarenia
249
1.3M
Why Your Marketing Sucks and What You Can Do About It - Sophie Logan
Avatar for Sophie Logan marketingsoph
0
45

Transcript

  1. Secure by Design Building secure and useable systems in a

    connected world Laura Bell F O U N D E R & L E A D C O N S U LTA N T S A F E S TAC K @ l a d y _ n e rd l a u r a @ s a fe s t a c k . i o

  2. the world is a terrible place

  3. the internet is a festering pool of toxic waste

  4. None

  5. somebody probably wants to do bad things to your computer

  6. the security situation is beyond hope

  7. None

  8. we can build amazing things

  9. None
  10. None
  11. None

  12. doing this securely is hard

  13. developers and testers you can avoid common pitfalls. bring security

    to any dev/test environment

  14. Security for everyone

  15. None

  16. Security needs a hero

  17. security is a team sport

  18. Security is a tester superpower

  19. security starts with education

  20. Tools and Techniques

  21. 1. Requirements capture 2. Language 3. Design level security 4.

    Automation 5. Consistency

  22. Requirements Capture

  23. security starts with requirements

  24. Forgotten Password Example Functional/Story requirements: User enters username on forgotten

    password page User receives link to reset password page Password is reset User can login to system

  25. Forgotten Password Example Security requirements: Password reset link expires after

    24 hours Password reset link is unique to password reset request Password reset link is complex and pseudo random Password reset link can only be used once Error messages on password reset form do not allow username or email enumeration

  26. Language

  27. Language creates barriers and divides

  28. Get the language right Critical High Medium Low Informational False

    Positive

  29. Security vulnerabilities hide behind acronyms, jargon and assumptions.

  30. Design level security

  31. Vulnerabilities cluster between components

  32. Our environments are complex

  33. Bad things happen when low risk security issues cluster together…..

  34. Automation

  35. Human error threatens testing effectiveness

  36. Test data creation and scrubbing Test case definition Load testing

    Regression testing Integration testing Security testing Test environment deployment

  37. Automated security testing gives a continuous assessment of risk.

  38. Consistency

  39. Don’t leave security to chance

  40. All testers All stories All the time

  41. 1. Requirements capture 2. Language 3. Design level security 4.

    Automation 5. Consistency

  42. Common Challenges

  43. 1. Avoid security theatre 2. Stop ignoring legacy code 3.

    Maintain momentum 4. Face your fear

  44. Avoid security theatre

  45. Dealing with a legacy

  46. Aim for continuous steady improvement

  47. It’s OK to be afraid

  48. 1. Avoid security theatre 2. Stop ignoring legacy code 3.

    Maintain momentum 4. Face your fear

  49. developers and testers you can avoid common pitfalls. bring security

    to any dev/test environment

  50. Questions? Laura Bell F O U N D E R

    & L E A D C O N S U LTA N T S A F E S TAC K @ l a d y _ n e rd l a u r a @ s a fe s t a c k . i o