Don’t Be That Guy! Developer Security Awareness
Markus Eisele
December 04, 2013
Technology
Transcript
Slide 1: Don’t Be That Guy! Developer Security Awareness
http://blog.eisele.net/ @myfear http://myfear.com/+
[email protected]
Slide 2: M.Eisele - @myfear - http://blog.eisele.net © msg Applied Technology Research, December 2013
Slide 3: NOT HOW
Slide 4: (no text)
Slide 5: BUT WHY
Slide 6: Programming Motherf****r! http://programming-motherfucker.com/
Slide 7: (no text)
Slide 8: NOT EVERY PROGRAMMER IS A SECURITY ENGINEER.
Slide 9: http://datalossdb.org/statistics # of incidents worldwide >700%
Slide 10: AND EVEN WORSE
Slide 11: SECURITY IS NOT ONLY ABOUT PROGRAMMING
Slide 12: Approach Security attacks 1 2 3 http://www.flickr.com/photos/trois-tetes/417709804/sizes/o/
Slide 13: EXCERPT attacks … …
Slide 14: 1 2 3 EXAMPLE
Slide 15: 1 2 3 EXAMPLE 3 3
Slide 16: 1 2 3 EXAMPLE
Slide 17: ENDLESS COMBINATIONS
Slide 18: THE LIMIT IS THE CREATIVITY OF THE BAD GUYS
Slide 19: WHERE To Start? www.defendparis.fr
Slide 20: WHAT Do WE HAVE?
Slide 21: ARCHITECTURE
Slide 22: ARCHITECTURE 1 2 3 Design Theory Standards Documents Processes Frameworks Examples Software Standards processes
Slide 23: http://www.flickr.com/photos/zokuga/6838590065/sizes/l/
Slide 24: WAIT
Slide 25: application 1 2 3 Specification CODE Design Software
Slide 26: (no text)
Slide 27: WAIT
Slide 28: (no text)
Slide 29: Burns Down TO THREE AREAS
Slide 30: PEOPLE PROCESS TECH
Slide 31: “If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.” — Bruce Schneier
Slide 32: A chain is only as strong as its weakest link
Slide 33: PEOPLE PROCESS TECH
Slide 34: How to secure PEOPLE?
Slide 35: Stakeholder
Slide 36: DEVELOPERS build awareness. Might offer trainings.
Slide 37: How to secure Processes?
Slide 38: Methodologies
Slide 39: Standards
Slide 40: DEVELOPERS Need time For security. Processes give it.
Slide 41: Example www.microsoft.com/security/sdl/
Slide 42: HOW to Secure Software?
Slide 43: Infrastructure Software Application Landscape Enterprise-Services Business IT-Security-Architecture Crosscutting … in other words:
Slide 44: Million ways to Do it wrong on any Level.
Slide 45: Infrastructure Software Application Landscape Enterprise-Services Business IT-Security-Architecture Right FOCUS Developers Requirements Use Security Features Secure Implementation
Slide 46: Examples
Slide 47: infrastructure
Slide 48: Software
Slide 49: And there is a lot More!
Slide 50: (no text)
Slide 51:
• Secure Coding Guidelines for the Java Programming Language, Version 4.0 http://www.oracle.com/technetwork/java/seccodeguide-139067.html
• The CERT Oracle Secure Coding Standard for Java https://www.securecoding.cert.org/confluence/display/java/The+CERT+Oracle+Secure+Coding+Standard+for+Java
• Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs http://www.informit.com/store/java-coding-guidelines-75-recommendations-for-reliable-9780133439519
• OWASP Developer Guide 2013 https://www.owasp.org/index.php/Category:OWASP_Guide_Project
Slide 52:
• OWASP Appsec Tutorial Series https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series
• Apache Shiro http://www.infoq.com/articles/apache-shiro
• Java Cryptography Architecture (JCA) Reference Guide http://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/CryptoSpec.html
• Java Authentication and Authorization Service (JAAS) Reference Guide http://docs.oracle.com/javase/7/docs/technotes/guides/security/jaas/JAASRefGuide.html
• Java EE 6 Security in Practice with GlassFish http://www.slideshare.net/myfear/security-in-practice-with-java-ee-6-and-glassfish
Slide 53: SECURITY IS ABOUT Knowledge.
Slide 54: “It ain’t what you don’t know that gets you into trouble. It’s what you know for sure that just ain’t so.” — Mark Twain http://www.nativeintelligence.com/ni-free/itsec-quips-03.asp
Slide 55: SECURITY Motherf****r!
Slide 56: @myfear blog.eisele.net