Don’t Be That Guy! Developer Security Awareness
Markus Eisele
December 04, 2013
Transcript
Don’t Be That Guy! Developer Security Awareness
http://blog.eisele.net/ @myfear http://myfear.com/+
[email protected]
M.Eisele - @myfear - http://blog.eisele.net 2
© msg Applied Technology Research, December 2013
NOT HOW
BUT WHY
Programming Motherf****r! http://programming-motherfucker.com/
NOT EVERY PROGRAMMER IS A SECURITY ENGINEER.
http://datalossdb.org/statistics # of incidents worldwide >700%
AND EVEN WORSE
SECURITY IS NOT ONLY ABOUT PROGRAMMING
Approach: Security attacks (diagram) http://www.flickr.com/photos/trois-tetes/417709804/sizes/o/
EXCERPT: attacks … …
EXAMPLE (three diagram slides)
ENDLESS COMBINATIONS
THE LIMIT IS THE CREATIVITY OF THE BAD GUYS
WHERE To Start? www.defendparis.fr
WHAT Do WE HAVE?
ARCHITECTURE
ARCHITECTURE (diagram): Design, Theory, Standards, Documents, Processes, Frameworks, Examples, Software, Standards, processes
http://www.flickr.com/photos/zokuga/6838590065/sizes/l/
WAIT
application (diagram): Specification, CODE, Design, Software
WAIT
Burns Down TO THREE AREAS
PEOPLE PROCESS TECH
“If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.” — Bruce Schneier
A chain is only as strong as its weakest link
PEOPLE PROCESS TECH
How to secure PEOPLE?
Stakeholder
DEVELOPERS build awareness. Might offer trainings.
How to secure Processes?
Methodologies
Standards
DEVELOPERS Need time For security. Processes give it.
Example www.microsoft.com/security/sdl/
HOW to Secure Software?
(diagram) Infrastructure, Software, Application Landscape, Enterprise Services, Business, IT-Security-Architecture, Crosscutting … in other words:
Million ways to Do it wrong on any Level.
(diagram) Infrastructure, Software, Application Landscape, Enterprise Services, Business, IT-Security-Architecture. Right FOCUS: Developers, Requirements, Use Security Features, Secure Implementation
Examples
infrastructure
Software
And there is a lot More!
• Secure Coding Guidelines for the Java Programming Language, Version 4.0 http://www.oracle.com/technetwork/java/seccodeguide-139067.html
• The CERT Oracle Secure Coding Standard for Java https://www.securecoding.cert.org/confluence/display/java/The+CERT+Oracle+Secure+Coding+Standard+for+Java
• Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs http://www.informit.com/store/java-coding-guidelines-75-recommendations-for-reliable-9780133439519
• OWASP Developer Guide 2013 https://www.owasp.org/index.php/Category:OWASP_Guide_Project
• OWASP Appsec Tutorial Series https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series
• Apache Shiro http://www.infoq.com/articles/apache-shiro
• Java Cryptography Architecture (JCA) Reference Guide http://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/CryptoSpec.html
• Java Authentication and Authorization Service (JAAS) Reference Guide http://docs.oracle.com/javase/7/docs/technotes/guides/security/jaas/JAASRefGuide.html
• Java EE 6 Security in Practice with GlassFish http://www.slideshare.net/myfear/security-in-practice-with-java-ee-6-and-glassfish
SECURITY IS ABOUT Knowledge.
“It ain’t what you don’t know that gets you into trouble. It’s what you know for sure that just ain’t so.” — Mark Twain http://www.nativeintelligence.com/ni-free/itsec-quips-03.asp
SECURITY Motherf****r!
@myfear blog.eisele.net