Software Security: A Modern Overview

This talk walks you through understanding software security from the point of view of different roles, and why it is important to address this concern.

It also includes several starting points for this security journey.

Andres Pedes Morales

December 22, 2020
Transcript

  1. Software Security
    A MODERN OVERVIEW
    Andres Cespedes Morales
    @pedes
    @andrespedes12

  2. Do you deal with
    security-related concerns in
    your daily life or job?

  3. I bet you do!
    Documents: store them in a safe box
    Home: keys and locks
    Car: set alarms
    ATM: remember your PINs
    Web: keep passwords
    Phone: you set lock patterns

  4. Security in Software Engineering
    Best Practices, Coding Standards, Architecture, Design, Policies, Network, Tools & Processes

  5. 4,100,000,000
    Records breached in 2019 (RiskBased Security Report)

  6. Security is a concern, not a feature

  7. Andres Cespedes Morales
    Senior Instructor @ MuleSoft (a Salesforce company)
    @pedes
    @andrespedes12

  8. AGENDA
    01 WHAT & WHY SECURITY: an overview of software security and its importance
    02 PITFALLS AND THEIR IMPACT: which problems could you run into?
    03 BEST PRACTICES, TOOLS & METHODS: improve your awareness and your defense toolbelt
    04 WHAT’S NEXT?: tap into the superpowers of security

  9. 01
    WHAT & WHY SECURITY

  10. WHAT IS SOFTWARE SECURITY?
    AWARENESS: what was at risk, what is at risk, and what will be
    TRAINING: don’t forget the human factor
    TECHNOLOGY: you need tools to make the goal easier to reach
    ASSESSMENT: measure, rinse and repeat

  11. SECURITY AIMS AT CIA
    Confidentiality: only authorized parties can read the data (roughly, privacy)
    Integrity: data is not altered or destroyed without authorization (roughly, consistency)
    Availability: systems and data are ready when legitimate users need them

  12. BUT, AGAIN…. WHY?

  13. THE WINNER IS ….
    HUMANS

  14. HUMANS CAN SLIP UP
    MALICE: some humans act with ill intent
    ERROR: an unconscious mistake
    CHANCE: yes, bad luck still matters

  15. 02 PITFALLS AND THEIR IMPACT

  16. THREATS & ATTACKS
    A threat is the possibility that something bad happens to your assets; an attack is the concrete action that realizes that threat.

  17. ASSETS
    Whatever could be at risk

  18. A STORY ABOUT COMPUTER SECURITY
    The Bombe, the electromechanical machine designed by Alan Turing (with Gordon Welchman) at Bletchley Park, was responsible for breaking the German military’s Enigma cipher. (The "Turing machine" is the unrelated abstract model of computation from computability theory.)

  19. IMPACT
    FINANCIAL: damage related to cybercrime is projected to hit $6 trillion annually by 2021
    POLITICAL: a data breach could be used to influence elections

  20. IMPACT
    SOCIAL: you can already see this with marketing and media campaigns
    ENVIRONMENTAL: misuse of equipment or data can also influence environment-critical decisions

  21. “A chain is only as strong as its weakest link.”
    —SOMEONE FAMOUS

  22. 03 BEST PRACTICES, TOOLS & METHODS

  23. HOW TO PREVENT THIS TURMOIL?

  24. SOLUTION
    Let’s take a look from different perspectives: as software developer, as architect, as user, as manager, etc.

  25. DEVELOPER
    Start with the best practices. The OWASP project is the place to start.

  26. OWASP
    TOP 10 RISKS: the Top 10 web application security risks; there is also a Top 10 for APIs
    STANDARDS: OWASP Secure Coding Practices Quick Reference Guide
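    To make one entry of that Top 10 concrete, here is an added example that is not part of the talk: Injection (A1 in the 2017 OWASP Top 10) shown as a login query that concatenates user input into SQL, beside the same query with bound parameters. It uses Python's sqlite3 module with an in-memory table seeded with constructed users; the payload is the classic tautology, constructed for the example.

```python
import sqlite3

# Constructed sample users for the example (not from the talk).
USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "letmein")]


def make_db():
    """In-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Injection-prone: user input is spliced into the SQL text, so the
    attacker's quotes and keywords become part of the query.
    Returns the usernames the query matched."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_hardened(conn, username, password):
    """Same query with bound parameters: the driver sends the input as data,
    so quotes inside it can never change the query's structure."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    """Run both versions against the same tautology payload and a real login."""
    conn = make_db()
    payload = "' OR '1'='1"  # constructed attacker input; closes the string and adds OR '1'='1'
    return {
        # AND binds tighter than OR, so the WHERE clause becomes true for every row
        "vulnerable": login_vulnerable(conn, "alice", payload),
        # the payload is compared literally against the password column: no rows
        "hardened": login_hardened(conn, "alice", payload),
        # a correct credential still works through the parameterized path
        "legit": login_hardened(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

    The vulnerable version authenticates every user in the table with a single crafted password; the parameterized one returns nothing for the same input. Parameter binding is the fix OWASP recommends for injection; escaping by hand is not.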

  27. DEVELOPER
    NIST SP 800-95, Guide to Secure Web Services

  28. DEVELOPER
    SEI CERT Coding Standards, from the Software Engineering Institute at Carnegie Mellon University

  29. ARCHITECT
    • Read
    • Read
    • Read
    • And …. R... Code!

  30. ARCHITECT
    Evaluate tools and make everyone else’s life easier

  31. DEVOPS
    Includes sysadmin or Ops roles (a.k.a. DevSecOps). Automate it!

  32. MANAGER
    NIST Cybersecurity Framework, and NIST SP 800-64, Security Considerations in the System Development Life Cycle

  33. SOFTWARE PROFESSIONAL

  34. AS HUMAN
    Check if your credentials have been compromised: https://haveibeenpwned.com/
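    The password side of that check can be automated without ever sending the password, or even its full hash, to the service. The following is an added example, not code from the talk: a client for the Have I Been Pwned "Pwned Passwords" range API, which uses k-anonymity. The client hashes the password with SHA-1, sends only the first five hex characters of the digest to the real endpoint https://api.pwnedpasswords.com/range/{prefix}, and compares the remaining 35 characters locally against the returned "SUFFIX:COUNT" lines. The range response embedded in the block and its counts are constructed so the example runs offline; the network fetcher is provided for real use.

```python
import hashlib
import urllib.request

# Real endpoint of the Have I Been Pwned "Pwned Passwords" range API.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password):
    """Hash the password with SHA-1 (the scheme HIBP uses) and split the
    uppercase hex digest into the 5-character prefix that is sent to the
    service and the 35-character suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range_http(prefix, timeout=10):
    """Download the real range file for a prefix. Needs network access; the
    service asks clients to identify themselves with a User-Agent header."""
    req = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "hibp-range-example"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def count_in_range(range_text, suffix):
    """Parse the 'SUFFIX:COUNT' lines of a range response and return how many
    times our suffix was seen in breaches (0 when it is absent)."""
    for line in range_text.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def pwned_count(password, fetch_range=fetch_range_http):
    """Breach count for a password via k-anonymity: the service only ever
    learns the 5-character hash prefix, shared by many unrelated passwords."""
    prefix, suffix = split_sha1(password)
    return count_in_range(fetch_range(prefix), suffix)


# Constructed range response for prefix 5BAA6, the prefix of SHA-1("password").
# The counts and the other two suffixes are made up for this example.
CONSTRUCTED_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
1E5AD7D7E0E3B0DE1D5BB5B0E5F6A1C7B4A:1
"""


def fetch_range_offline(prefix):
    """Stand-in for fetch_range_http that serves the constructed data above."""
    return CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    import sys
    # Offline check against the constructed data by default; pass a password
    # on the command line to query the real service instead.
    if len(sys.argv) > 1:
        n = pwned_count(sys.argv[1])
    else:
        n = pwned_count("password", fetch_range=fetch_range_offline)
    print("seen in breaches" if n else "not found", n, "time(s)")
```

    A non-zero count means the password appears in known breach corpora and should be rotated regardless of which account it is used for; a zero count is not proof of strength, only of absence from the data set.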

  35. Wait… There’s more!

  36. STEP FURTHER
    Hacking mindset, bug bounty programs, certifications.

  37. OFFENSIVE MODE
    Bug bounty hacking: hunt for issues and get money!
    Think like your enemy

  38. 04
    IT’S A WRAP!

  39. 82% of employers report a shortage of cybersecurity skills
    0% cybersecurity unemployment rate for 2021

  40. WORLD WITHOUT SECURITY BREACHES

  41. SUMMARY
    WE own security at our working place and in daily life
    START by taking a simple step
    PROTECTING your assets, data and resources
    OFFENSIVE is the ultimate defense technique

  42. THANKS! Java2Days
    Do you have any questions?
    @pedes
    andrespedes12
    CREDITS: This presentation template was created by Slidesgo, including icons by Flaticon, infographics & images by Freepik and illustrations by Stories. Thanks Dave Gandy & Freepik for the icons.
