Slide 1

Making Security Usable: Tales of Product Engineering …in a Security Company @vixentael

Slide 2

#data_security #cryptography #product_thinking #product_design

Slide 3

@vixentael, Product Engineer. Feel free to reach me with security questions. I do check my inbox :)

Slide 4

I. The story

Slide 5

A long time ago in a galaxy far, far away…

Slide 6

No content

Slide 7

No content

Slide 8

No content

Slide 9

No content

Slide 10

No content

Slide 11

No content

Slide 12

No content

Slide 13

Encrypt all the data!

Slide 14

No content

Slide 15

[email protected]

Slide 16

No content

Slide 17

$encrypted = mcrypt_encrypt(
    MCRYPT_RIJNDAEL_128,
    '54ca04988748501e93a3061763b0b6a',
    $data,
    MCRYPT_MODE_CBC,
    $iv
);

Slide 18

$encrypted = mcrypt_encrypt(
    MCRYPT_RIJNDAEL_128,
    '54ca04988748501e93a3061763b0b6a',
    $data,
    MCRYPT_MODE_CBC,
    $iv
);

PHP. AES-CBC: a key hardcoded in source (31 characters, which mcrypt silently zero-padded to a valid key size before PHP 5.6), CBC with no authentication tag, and an extension that was deprecated in PHP 7.1 and removed in PHP 7.2.

Slide 19

Same code as slide 18.
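
Added example, not from the talk: the slide's construction reproduced in Go with the standard library, next to the minimal fix. TamperUnauthenticatedCBC flips one byte of the IV and the decrypted record silently changes from amount=100 to amount=900 with no error, which is why an unauthenticated CBC ciphertext can never be trusted as stored. TamperAuthenticatedCBC applies the same flip to an encrypt-then-MAC variant (random IV, separate HMAC key, constant-time tag check) and is rejected before decryption. The key bytes, the sample record and all function names are constructed for this demo; the slide's 31-character key is not reused.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Key hardcoded in source, as on the slide (constructed value; mcrypt would
// have zero-padded the slide's 31-character key to 32 bytes).
var hardcodedKey = []byte("0123456789abcdef0123456789abcdef")
const sampleRecord = "amount=100;user=alice" // constructed sample record

// cbcEncrypt/cbcDecrypt reproduce mcrypt's MCRYPT_RIJNDAEL_128 + MCRYPT_MODE_CBC:
// zero padding (lossy for data ending in \x00; use PKCS#7) and no integrity check.
func cbcEncrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pad := (aes.BlockSize - len(plaintext)%aes.BlockSize) % aes.BlockSize
	padded := append(append([]byte{}, plaintext...), make([]byte, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

func cbcDecrypt(key, iv, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
	return bytes.TrimRight(out, "\x00"), nil
}

// TamperUnauthenticatedCBC flips one IV byte. CBC XORs the IV into the first
// plaintext block, so "amount=100" comes back as "amount=900" and err is nil.
func TamperUnauthenticatedCBC() (string, error) {
	iv := make([]byte, aes.BlockSize) // fixed IV only to keep the demo deterministic
	ct, err := cbcEncrypt(hardcodedKey, iv, []byte(sampleRecord))
	if err != nil {
		return "", err
	}
	iv[7] ^= '1' ^ '9' // byte 7 of block 0 is the '1' in "100"; the ciphertext is untouched
	pt, err := cbcDecrypt(hardcodedKey, iv, ct)
	return string(pt), err
}

// tag is HMAC-SHA256 over iv || ct, keyed separately from the encryption key.
func tag(macKey, ivct []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(ivct)
	return m.Sum(nil)
}

// Hardened form: random IV, encrypt-then-MAC, constant-time tag check before
// anything is decrypted. Output layout: iv || ct || tag.
func sealCBCHMAC(encKey, macKey, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct, err := cbcEncrypt(encKey, iv, plaintext)
	if err != nil {
		return nil, err
	}
	ivct := append(iv, ct...)
	return append(ivct, tag(macKey, ivct)...), nil
}

func openCBCHMAC(encKey, macKey, blob []byte) ([]byte, error) {
	if len(blob) < aes.BlockSize+sha256.Size {
		return nil, errors.New("blob too short")
	}
	ivct, t := blob[:len(blob)-sha256.Size], blob[len(blob)-sha256.Size:]
	if !hmac.Equal(tag(macKey, ivct), t) {
		return nil, errors.New("authentication failed: IV or ciphertext was modified")
	}
	return cbcDecrypt(encKey, ivct[:aes.BlockSize], ivct[aes.BlockSize:])
}

// TamperAuthenticatedCBC repeats the same IV flip against the hardened form;
// the attacker-controlled bytes are rejected before they ever reach AES.
func TamperAuthenticatedCBC() (string, error) {
	keys := make([]byte, 64) // demo only; real keys come from a secret store, never from source
	if _, err := rand.Read(keys); err != nil {
		return "", err
	}
	encKey, macKey := keys[:32], keys[32:]
	blob, err := sealCBCHMAC(encKey, macKey, []byte(sampleRecord))
	if err != nil {
		return "", err
	}
	blob[7] ^= '1' ^ '9'
	pt, err := openCBCHMAC(encKey, macKey, blob)
	return string(pt), err
}
```

The hardened variant keeps CBC only to show the smallest change that fixes the slide's code; in practice an AEAD mode or a library that hides these choices (the seal-style API later in the talk) is the better default.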

Slide 20

Invite pen-testers!

Slide 21

No content

Slide 22

Use pre-built tools!

Slide 23

PostgreSQL encryption options: cybertec-postgresql.com/en/postgresql-instance-level-encryption/

export PGENCRYPTIONKEY=db-enc-key
initdb -k -K pgcrypto /data/dbencrypt/

(Instance-level encryption covers the data files at rest; anyone who can query the running instance still receives plaintext.)

Slide 24

No content

Slide 25

Hire someone?

Slide 26

No data security expertise? – Find one.

Slide 27

II. The challenge

Slide 28

– ...but how should it work?
– ...and will it really be secure now?
– we want one tool that solves all problems...

Slide 29

– key lifecycle
– trusted code execution environment
– side channel resistance
– risk echelonization

Slide 30

?

Slide 31

?

Slide 32

No content

Slide 33

Database encryption proxy

Slide 34

Database encryption proxy: client app → writer → proxy → database

Slide 35

client app → writer → proxy → server → database; keygen, zones, IDS

Slide 36

No content

Slide 37

Hard to build

Slide 38

Pain to manage

Slide 39

No content

Slide 40

No content

Slide 41

No content

Slide 42

denial → anger → bargaining → depression → acceptance

Slide 43

Listen to customers. It improves everything... even security!

Slide 44

III. The adventure

Slide 45

– security model
– key/trust scheme
– encryption scheme
– cipher suites

Slide 46

Same as slide 45.

Slide 47

– real time analytics (user actions)
– server load
– error logs
– user testing / user research
– open tickets / issues

Slide 48

– real time analytics (user actions)
– user testing / user research
– server load
– open tickets / issues
– error logs

Slide 49

?

Slide 50

?

Slide 51

Bad Usability → Bad Security

Slide 52

No content

Slide 53

Data Security Assistance Program:
– business model / regulations
– risks to data
– threat model / attack vectors
– data security scheme

Slide 54

Analyze use-cases

Slide 55

Analyze use-cases:
– Hard to deploy
– Hard to support
– Easy to misuse
– Hard to verify

Slide 56

No content

Slide 57

Deployment

Slide 58

Deployment. Multiple channels of distribution: code

Slide 59

Same as slide 58.

Slide 60

Deployment. Multiple channels of distribution: code, built packages (.pkg)

Slide 61

Deployment. Multiple channels of distribution: code, built packages (.pkg), docker images, VM images, chef configuration, docker compose

Slide 62

Deployment

Slide 63

Deployment:
1. Download, build, install every component
2. Generate keys / tokens for each component
3. Put keys into right folders (PK exchange)
4. Configure each component (port, keys)
5. Run components using correct config

Slide 64

Deployment:
1. Download, build, install every component
2. Generate keys / tokens for each component → script
3. Put keys into right folders (PK exchange)
4. Configure each component (port, keys)
5. Run components using correct config

Slide 65

Same as slide 64.

Slide 66

Deployment:
1. Download, build, install every component
2. Generate keys / tokens for each component → script
3. Put keys into right folders (PK exchange)
4. Configure each component (port, keys) → defaults
5. Run components using correct config

Slide 67

Deployment:
1. Download, build, install every component
2. Generate keys / tokens for each component
3. Put keys into right folders (PK exchange)
4. Configure each component (port, keys)
5. Run components using correct config
→ one command!

Slide 68

Deployment. Pre-baked configurations: docker-compose -f .yml up

Slide 69

Deployment. Pre-baked configurations:
mysql-ssl-server-ssl.yml: MySQL <-SSL-> AServer <-SSL-> client

Slide 70

Deployment. Pre-baked configurations:
mysql-ssl-server-ssl.yml: MySQL <-SSL-> AServer <-SSL-> client
pgsql-nossl-server-ssession-connector.yml: PostgreSQL <-> AServer <-SecureSession-> AConnector <---> client, '-> AWebconfig

Slide 71

Deployment. Pre-baked configurations

Slide 72

Deployment. Integration tests everywhere:
– run on 12 OSs
– run on empty environments
– provide testing scripts for users

Slide 73

Integration. Good products do not exist in a vacuum:
– logging formats (plaintext, JSON, CEF)
– infrastructure as code (configs everywhere)
– event formats (unique event codes)
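
Added example, not the product's own code: one event type rendered in the three log formats named on the slide, with a single numeric event code that stays the same whichever format the operator's SIEM ingests. The CEF line follows the ArcSight layout CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension, with the two escaping rules that trip up home-grown emitters (backslash and pipe in header fields; backslash, equals sign and newlines in extension values). Vendor, product and version strings, the event codes and the field names are constructed for the demo.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one security-relevant occurrence emitted by a hypothetical proxy.
// Code is the stable identifier a SIEM rule keys on; names, wording and
// formats may change over releases, codes never do.
type Event struct {
	Code     int               `json:"code"`
	Name     string            `json:"name"`
	Severity int               `json:"severity"` // 0..10 as in CEF
	Time     time.Time         `json:"time"`
	Fields   map[string]string `json:"fields,omitempty"`
}

// Constructed event codes; a real product publishes the full table in its docs.
const (
	EvDecryptionFailed = 1001
	EvKeyRotated       = 1002
)

// Constructed header strings for the CEF prefix.
const cefVendor, cefProduct, cefVersion = "ExampleVendor", "db-proxy", "1.0"

// sortedKeys gives a deterministic field order, which matters for diffing logs
// and for tests.
func (e Event) sortedKeys() []string {
	keys := make([]string, 0, len(e.Fields))
	for k := range e.Fields {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// Plaintext: one line, code in brackets, values quoted so spaces stay parseable.
func (e Event) Plaintext() string {
	var b strings.Builder
	fmt.Fprintf(&b, "%s sev=%d [%d] %s", e.Time.UTC().Format(time.RFC3339), e.Severity, e.Code, e.Name)
	for _, k := range e.sortedKeys() {
		fmt.Fprintf(&b, " %s=%q", k, e.Fields[k])
	}
	return b.String()
}

// JSON: the same event as a single-line JSON object.
func (e Event) JSON() (string, error) {
	out, err := json.Marshal(e)
	return string(out), err
}

// CEF escaping: '|' and '\' in header fields; '=' and '\' (and newlines) in
// extension values. A single-pass Replacer avoids double-escaping the backslash.
func cefHeaderEscape(s string) string {
	return strings.NewReplacer(`\`, `\\`, `|`, `\|`).Replace(s)
}

func cefExtEscape(s string) string {
	return strings.NewReplacer(`\`, `\\`, `=`, `\=`, "\n", `\n`, "\r", `\r`).Replace(s)
}

// CEF renders CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension.
// The event code becomes the SignatureID, so one SIEM rule matches this line
// and the JSON/plaintext forms once they are normalised.
func (e Event) CEF() string {
	ext := []string{fmt.Sprintf("rt=%d", e.Time.UnixMilli())}
	for _, k := range e.sortedKeys() {
		ext = append(ext, cefExtEscape(k)+"="+cefExtEscape(e.Fields[k]))
	}
	return fmt.Sprintf("CEF:0|%s|%s|%s|%d|%s|%d|%s",
		cefHeaderEscape(cefVendor), cefHeaderEscape(cefProduct), cefHeaderEscape(cefVersion),
		e.Code, cefHeaderEscape(e.Name), e.Severity, strings.Join(ext, " "))
}

// SampleEvent is a constructed decryption-failure event; the "reason" value
// contains '=' on purpose to exercise extension escaping.
func SampleEvent() Event {
	return Event{
		Code: EvDecryptionFailed, Name: "decryption failed", Severity: 7,
		Time:   time.Date(2019, 5, 1, 12, 0, 0, 0, time.UTC),
		Fields: map[string]string{"client": "10.0.0.5", "reason": "tag=mismatch"},
	}
}

func main() {
	e := SampleEvent()
	fmt.Println(e.Plaintext())
	j, _ := e.JSON()
	fmt.Println(j)
	fmt.Println(e.CEF())
}
```

Whichever format is switched on, a detection rule written as "signature 1001 from db-proxy" keeps working; that is what "unique event codes" buys you on the SIEM side.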

Slide 74

No content

Slide 75

Secure by default

Slide 76

Secure by default:
– default strict parameters
– pre-defined configuration files
– make accidental changes unlikely
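
Added example of the three rules above in Go, using a hypothetical component name ("aserver") and hypothetical flag names; it is not the configuration code of the product in the talk. The strict values are the defaults, so a fresh install is safe without reading anything; relaxing them requires a flag whose name states what is being given up; and a mistyped flag (-tsl=false) is an error instead of being silently ignored, which is the usual way an "accidental change" turns TLS off in production.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"io"
	"net"
)

// Config for a hypothetical proxy component. Parse always fills in the strict
// defaults; nothing reads a zero-value Config directly.
type Config struct {
	ListenAddr              string
	TLS                     bool
	TLSClientAuth           string
	AllowPlaintextOnNetwork bool
}

// Accepted tls_client_auth modes (constructed names). The default is the
// strictest one, so relaxing it is always an explicit act.
var clientAuthModes = map[string]bool{
	"none": true, "request": true, "require": true, "verify_if_given": true, "require_and_verify": true,
}

// Parse reads command-line style arguments and returns a validated Config.
func Parse(args []string) (Config, error) {
	var c Config
	fs := flag.NewFlagSet("aserver", flag.ContinueOnError)
	fs.SetOutput(io.Discard)
	fs.StringVar(&c.ListenAddr, "listen", "127.0.0.1:9393", "address to accept client connections on")
	fs.BoolVar(&c.TLS, "tls", true, "require TLS on client connections (-tls=false to disable)")
	fs.StringVar(&c.TLSClientAuth, "tls_client_auth", "require_and_verify", "client certificate policy")
	fs.BoolVar(&c.AllowPlaintextOnNetwork, "allow_plaintext_on_network", false,
		"acknowledge that unencrypted traffic will cross the network")
	// Unknown flags (typos such as -tsl=false) and malformed values are errors;
	// an operator cannot "disable" TLS by misspelling it and get a running proxy.
	if err := fs.Parse(args); err != nil {
		return Config{}, err
	}
	if err := c.Validate(); err != nil {
		return Config{}, err
	}
	return c, nil
}

func isLoopback(addr string) bool {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return false
	}
	if host == "localhost" {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// Validate rejects combinations that are insecure unless the operator opted in
// with the flag that names the risk.
func (c Config) Validate() error {
	if !clientAuthModes[c.TLSClientAuth] {
		return fmt.Errorf("tls_client_auth: unknown mode %q", c.TLSClientAuth)
	}
	if !c.TLS && !isLoopback(c.ListenAddr) && !c.AllowPlaintextOnNetwork {
		return errors.New("refusing to listen on " + c.ListenAddr +
			" without TLS; pass -allow_plaintext_on_network if that is really intended")
	}
	return nil
}

func main() {
	for _, args := range [][]string{
		nil,
		{"-tls=false"},
		{"-tls=false", "-listen=0.0.0.0:9393"},
		{"-tls=false", "-listen=0.0.0.0:9393", "-allow_plaintext_on_network"},
		{"-tsl=false"},
	} {
		c, err := Parse(args)
		fmt.Printf("%v -> %+v err=%v\n", args, c, err)
	}
}
```

The same shape carries over to a pre-defined configuration file: ship it with the strict values written out, and have the loader reject unknown keys rather than skip them.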

Slide 77

API design

Slide 78

API design

from pythemis.scell import SCellSeal

# key, message and context are bytes; the same context must be passed to decrypt
scell = SCellSeal(key)
encrypted_message = scell.encrypt(message, context)
message = scell.decrypt(encrypted_message, context)

github.com/cossacklabs

Slide 79

API design: easy to use && unambiguous to use
2017.hack.lu/archive/2017/hacklu-crypto-api.pdf
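
Added example, not Themis' implementation or wire format: a seal-style API in Go with the same shape as the SCellSeal snippet on slide 78, to make the "unambiguous" point concrete. Against the five-parameter mcrypt call from the story, the caller here chooses only a key, a message and a context; the cipher, mode, nonce, padding and tag handling are fixed inside and cannot be combined wrongly. The context is authenticated as associated data, so a sealed value moved to a different row fails to open, and a wrong key size is an error rather than a silent pad. Type, function names, the sample card value and the context strings are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// SecureCell is a seal-style API in the shape of the slide's
// SCellSeal(key).encrypt(message, context). Illustrative code only, not
// Themis' implementation: the caller supplies a key, a message and a context;
// cipher, mode, nonce, padding and tag handling are not parameters, so there
// is no wrong way to combine them.
type SecureCell struct{ aead cipher.AEAD }

// NewSecureCell accepts exactly a 32-byte key. Wrong sizes are rejected, never
// padded or truncated (compare mcrypt's silent zero-padding on the earlier slide).
func NewSecureCell(key []byte) (*SecureCell, error) {
	if len(key) != 32 {
		return nil, errors.New("secure cell: key must be exactly 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SecureCell{aead: aead}, nil
}

// Seal returns nonce || ciphertext || tag (AES-256-GCM, fresh random nonce).
// The context is bound as associated data: it is not encrypted, but a cell
// sealed under one context will not open under another, which blocks "move
// the encrypted card number from row 42 into row 43" without knowing the key.
func (c *SecureCell) Seal(message, context []byte) ([]byte, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return c.aead.Seal(nonce, nonce, message, context), nil
}

// Open verifies the tag before returning any plaintext. One error path: a
// caller cannot accidentally keep using unverified output.
func (c *SecureCell) Open(sealed, context []byte) ([]byte, error) {
	ns := c.aead.NonceSize()
	if len(sealed) < ns+c.aead.Overhead() {
		return nil, errors.New("secure cell: sealed data too short")
	}
	pt, err := c.aead.Open(nil, sealed[:ns], sealed[ns:], context)
	if err != nil {
		return nil, errors.New("secure cell: wrong key, wrong context, or modified data")
	}
	return pt, nil
}

// DemoResult collects what ContextBindingDemo observed.
type DemoResult struct {
	Opened          string // plaintext recovered under the right context
	WrongContextErr error  // non-nil: the same bytes refused under another context
	NoncesDiffer    bool   // sealing the same message twice gives different bytes
}

// ContextBindingDemo seals a constructed field value under a row-scoped
// context and tries to open it under the right and the wrong one.
func ContextBindingDemo() (DemoResult, error) {
	key := make([]byte, 32) // demo only; load from a secret store in production
	if _, err := rand.Read(key); err != nil {
		return DemoResult{}, err
	}
	cell, err := NewSecureCell(key)
	if err != nil {
		return DemoResult{}, err
	}
	message := []byte("card=4111-XXXX-XXXX-1111")      // constructed
	context := []byte("table=cards;row=42;field=card") // constructed
	sealed, err := cell.Seal(message, context)
	if err != nil {
		return DemoResult{}, err
	}
	sealedAgain, err := cell.Seal(message, context)
	if err != nil {
		return DemoResult{}, err
	}
	opened, err := cell.Open(sealed, context)
	if err != nil {
		return DemoResult{}, err
	}
	_, wrongErr := cell.Open(sealed, []byte("table=cards;row=43;field=card"))
	return DemoResult{Opened: string(opened), WrongContextErr: wrongErr,
		NoncesDiffer: !bytes.Equal(sealed, sealedAgain)}, nil
}
```

Two things are deliberately not exposed: there is no way to ask for an unauthenticated mode, and there is no way to supply the nonce, so the two classic misuse paths (skipping the tag check, reusing a nonce) are closed at the API level instead of in documentation.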

Slide 80

Naming

Slide 81

Naming: writer, proxy, server, database

Slide 82

Naming: writer (client app), proxy (db proxy), server, database

Slide 83

Naming: writer (client app), connector (db proxy), server, database

Slide 84

Naming: https://circleci.com/blog/why-did-builds-become-jobs-in-the-ui/

Slide 85

Client side: client app → writer. Node.js, Go, Python, Ruby, PHP

Slide 86

No content

Slide 87

Docs: no docs … tons of docs

Slide 88

Docs:
– for developers: integration scenarios, security recommendations, simple explanations, benchmarks
– for security people: security model, threat vectors, schemes & formulas

Slide 89

Playgrounds: who reads docs if you can play with a simulator?

Slide 90

Interactive simulator: check that your encryption works

Slide 91

Examples, examples, examples

Slide 92

Dogfooding: use → update → feedback → share

Slide 93

There is no absolute security: develop → test → deploy → repeat

Slide 94

A short feedback cycle is the key

Slide 95

IV. Where did it get us?

Slide 96

– Secure defaults
– Unambiguous APIs
– Easy deployment
– Shipped scripts / libs
– Playgrounds

Slide 97

Same as slide 96.

Slide 98

– adopt faster
– become less frustrated
– make fewer mistakes

Slide 99

– make user-facing decisions
– iterate faster
– plan better
– become less frustrated

Slide 100

usable ≠ over-simplified

Slide 101

No content

Slide 102

Home reading?
– Security as a Product: https://medium.com/@kshortridge/security-as-a-product-83a78c45ca27
– Organization security for startups: https://github.com/forter/security-101-for-saas-startups/blob/english/security.md
– API design for cryptography: https://2017.hack.lu/archive/2017/hacklu-crypto-api.pdf
– Boring crypto, Daniel J. Bernstein: https://cr.yp.to/talks/2015.10.05/slides-djb-20151005-a4.pdf

Slide 103

My other security slides: github.com/vixentael/my-talks

Slide 104

@vixentael, Product Engineer. Feel free to reach me with security questions. I do check my inbox :)

Slide 105

Image credits: www.flaticon.com. Authors: freepik, linector, switficons, pixelperfect, smashicons, icon pond, dinosoftlabs