Don’t Be That Guy! Developer Security Awareness
Markus Eisele
December 04, 2013
Technology
Transcript
Slide 1: Don’t Be That Guy! Developer Security Awareness
http://blog.eisele.net/ @myfear http://myfear.com/+
[email protected]
Slide footer (repeated on every slide): M.Eisele - @myfear - http://blog.eisele.net / © msg Applied Technology Research, December 2013
Slide 3: NOT HOW
Slide 5: BUT WHY
Slide 6: Programming Motherf****r! http://programming-motherfucker.com/
Slide 8: NOT EVERY PROGRAMMER IS A SECURITY ENGINEER.
Slide 9: http://datalossdb.org/statistics - # of incidents worldwide >700%
Slide 10: AND EVEN WORSE
Slide 11: SECURITY IS NOT ONLY ABOUT PROGRAMMING
Slide 12: Approach / Security / attacks (diagram with three numbered parts; image: http://www.flickr.com/photos/trois-tetes/417709804/sizes/o/)
Slide 13: EXCERPT attacks … …
Slide 14: EXAMPLE (diagram with three numbered parts)
Slide 15: EXAMPLE (diagram with three numbered parts)
Slide 16: EXAMPLE (diagram with three numbered parts)
Slide 17: ENDLESS COMBINATIONS
Slide 18: THE LIMIT IS THE CREATIVITY OF THE BAD GUYS
Slide 19: WHERE To Start? www.defendparis.fr
Slide 20: WHAT Do WE HAVE?
Slide 21: ARCHITECTURE
Slide 22: ARCHITECTURE (diagram with three numbered parts; labels: Design, Theory, Standards, Documents, Processes, Frameworks, Examples, Software, Standards, processes)
Slide 23: image: http://www.flickr.com/photos/zokuga/6838590065/sizes/l/
Slide 24: WAIT
Slide 25: application (diagram with three numbered parts; labels: Specification, CODE, Design, Software)
Slide 27: WAIT
Slide 29: BOILS DOWN TO THREE AREAS
Slide 30: PEOPLE PROCESS TECH
Slide 31: “If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.” - Bruce Schneier
Slide 32: A chain is only as strong as its weakest link
Slide 33: PEOPLE PROCESS TECH
Slide 34: How to secure PEOPLE?
Slide 35: Stakeholder
Slide 36: DEVELOPERS build awareness. Might offer trainings.
Slide 37: How to secure Processes?
Slide 38: Methodologies
Slide 39: Standards
Slide 40: DEVELOPERS need time for security. Processes give it.
Slide 41: Example: www.microsoft.com/security/sdl/
Slide 42: HOW to Secure Software?
Slide 43: Diagram of levels: Infrastructure, Software, Application Landscape, Enterprise Services, Business, IT-Security-Architecture, Crosscutting … in other words:
Slide 44: Million ways to do it wrong on any level.
Slide 45: Same diagram of levels (Infrastructure, Software, Application Landscape, Enterprise Services, Business, IT-Security-Architecture) with the right FOCUS for Developers: Requirements, Use Security Features, Secure Implementation
Slide 46: Examples
Slide 47: infrastructure
Slide 48: Software
Slide 49: And there is a lot More!
Slide 51:
• Secure Coding Guidelines for the Java Programming Language, Version 4.0 http://www.oracle.com/technetwork/java/seccodeguide-139067.html
• The CERT Oracle Secure Coding Standard for Java https://www.securecoding.cert.org/confluence/display/java/The+CERT+Oracle+Secure+Coding+Standard+for+Java
• Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs http://www.informit.com/store/java-coding-guidelines-75-recommendations-for-reliable-9780133439519
• OWASP Developer Guide 2013 https://www.owasp.org/index.php/Category:OWASP_Guide_Project
Slide 52:
• OWASP Appsec Tutorial Series https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series
• Apache Shiro http://www.infoq.com/articles/apache-shiro
• Java Cryptography Architecture (JCA) Reference Guide http://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/CryptoSpec.html
• Java Authentication and Authorization Service (JAAS) Reference Guide http://docs.oracle.com/javase/7/docs/technotes/guides/security/jaas/JAASRefGuide.html
• Java EE 6 Security in Practice with GlassFish http://www.slideshare.net/myfear/security-in-practice-with-java-ee-6-and-glassfish
Slide 53: SECURITY IS ABOUT Knowledge.
Slide 54: “It ain’t what you don’t know that gets you into trouble. It’s what you know for sure that just ain’t so.” - Mark Twain (http://www.nativeintelligence.com/ni-free/itsec-quips-03.asp)
Slide 55: SECURITY Motherf****r!
Slide 56: @myfear blog.eisele.net