Don’t Be That Guy! Developer Security Awareness
Markus Eisele
December 04, 2013
Technology
Transcript
Slide 1: Don’t Be That Guy! Developer Security Awareness
http://blog.eisele.net/ @myfear http://myfear.com/+
[email protected]
Slide 2: M.Eisele - @myfear - http://blog.eisele.net © msg Applied Technology Research, December 2013
Slide 3: NOT HOW
Slide 4: (no text)
Slide 5: BUT WHY
Slide 6: Programming Motherf****r! http://programming-motherfucker.com/
Slide 7: (no text)
Slide 8: NOT EVERY PROGRAMMER IS A SECURITY ENGINEER.
Slide 9: http://datalossdb.org/statistics # of incidents worldwide >700%
Slide 10: AND EVEN WORSE
Slide 11: SECURITY IS NOT ONLY ABOUT PROGRAMMING
Slide 12: Approach: Security attacks (diagram, numbered 1 to 3) http://www.flickr.com/photos/trois-tetes/417709804/sizes/o/
Slide 13: EXCERPT: attacks … …
Slide 14: EXAMPLE (diagram, numbered 1 to 3)
Slide 15: EXAMPLE (diagram, numbered 1 to 3)
Slide 16: EXAMPLE (diagram, numbered 1 to 3)
Slide 17: ENDLESS COMBINATIONS
Slide 18: THE LIMIT IS THE CREATIVITY OF THE BAD GUYS
Slide 19: WHERE To Start? www.defendparis.fr
Slide 20: WHAT Do WE HAVE?
Slide 21: ARCHITECTURE
Slide 22: ARCHITECTURE (diagram, numbered 1 to 3): Design, Theory, Standards, Documents, Processes, Frameworks, Examples, Software, Standards, processes
Slide 23: http://www.flickr.com/photos/zokuga/6838590065/sizes/l/
Slide 24: WAIT
Slide 25: application (diagram, numbered 1 to 3): Specification, CODE, Design, Software
Slide 26: (no text)
Slide 27: WAIT
Slide 28: (no text)
Slide 29: Boils Down TO THREE AREAS
Slide 30: PEOPLE PROCESS TECH
Slide 31: “If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.” — Bruce Schneier
Slide 32: A chain is only as strong as its weakest link
Slide 33: PEOPLE PROCESS TECH
Slide 34: How to secure PEOPLE?
Slide 35: Stakeholder
Slide 36: DEVELOPERS build awareness. Might offer training.
Slide 37: How to secure Processes?
Slide 38: Methodologies
Slide 39: Standards
Slide 40: DEVELOPERS Need time For security. Processes give it.
Slide 41: Example www.microsoft.com/security/sdl/
Slide 42: HOW to Secure Software?
Slide 43: Infrastructure, Software, Application Landscape, Enterprise Services, Business, IT Security Architecture, Crosscutting … in other words:
Slide 44: Million ways to Do it wrong on any Level.
Slide 45: Infrastructure, Software, Application Landscape, Enterprise Services, Business, IT Security Architecture. Right FOCUS for Developers: Requirements, Use Security Features, Secure Implementation
Slide 46: Examples
Slide 47: infrastructure
Slide 48: Software
Slide 49: And there is a lot More!
Slide 50: (no text)
Slide 51:
• Secure Coding Guidelines for the Java Programming Language, Version 4.0 http://www.oracle.com/technetwork/java/seccodeguide-139067.html
• The CERT Oracle Secure Coding Standard for Java https://www.securecoding.cert.org/confluence/display/java/The+CERT+Oracle+Secure+Coding+Standard+for+Java
• Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs http://www.informit.com/store/java-coding-guidelines-75-recommendations-for-reliable-9780133439519
• OWASP Developer Guide 2013 https://www.owasp.org/index.php/Category:OWASP_Guide_Project
Slide 52:
• OWASP Appsec Tutorial Series https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series
• Apache Shiro http://www.infoq.com/articles/apache-shiro
• Java Cryptography Architecture (JCA) Reference Guide http://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/CryptoSpec.html
• Java Authentication and Authorization Service (JAAS) Reference Guide http://docs.oracle.com/javase/7/docs/technotes/guides/security/jaas/JAASRefGuide.html
• Java EE 6 Security in Practice with GlassFish http://www.slideshare.net/myfear/security-in-practice-with-java-ee-6-and-glassfish
Slide 53: SECURITY IS ABOUT Knowledge.
Slide 54: “It ain’t what you don’t know that gets you into trouble. It’s what you know for sure that just ain’t so.” — Mark Twain http://www.nativeintelligence.com/ni-free/itsec-quips-03.asp
Slide 55: SECURITY Motherf****r!
Slide 56: @myfear blog.eisele.net