Slide 1

Prioritizing Trust while Creating Applications
Jennifer Davis, Cloud Advocate (she/her), @sigje
1/40

Slide 2


Slide 3

Trust

Slide 4


Slide 5

https://haveibeenpwned.com/

Slide 6


Slide 7


Slide 8


Slide 9

Agenda
Establish Common Context
Build Foundations
Advancing Principles

Slide 10


Slide 11


Slide 12

Bug versus Flaw

Slide 13

Motivations
Financial Gain
Espionage / Strategic Gain
Fun / Ideology / Grudge

Slide 14

Build Foundations

Slide 15

Defense in Depth

Slide 16

Snyk State of Open Source Security Report 2019
78% of vulnerabilities are in indirect dependencies
37% of open source developers do no security testing in CI
54% do no Docker image security testing
Top 10 Docker images each contain more than 30 vulnerable system libraries
Source: https://snyk.io/opensourcesecurity-2019/

Slide 17

Photo: #WOCinTechChat, Attribution 2.0 Generic (CC BY 2.0)

Slide 18

What can a user see? What can a user do?
What information is logged?
Approach for failed logins
OWASP: Application Security Verification Standard Project
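A worked example of the three questions on this slide, added here and not taken from the talk (the AuthService class, its thresholds, the decoy-account trick and the audit-record shape are illustrative assumptions): a login path that compares credentials in constant time, returns the same answer for an unknown user and a wrong password, locks an account after repeated failures, and logs who tried from where with what outcome, never the password itself.

```python
"""Failed-login handling sketch (added example; names and thresholds are
assumptions, not from the talk): constant-time credential checks, a
per-account lockout after repeated failures, identical responses for unknown
users and wrong passwords, and audit records that capture who / from where /
what happened without ever containing the submitted password."""
from __future__ import annotations

import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

MAX_FAILURES = 5        # consecutive failures before the account locks (assumed policy)
LOCKOUT_SECONDS = 300   # lock duration (assumed policy)
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class AuthService:
    accounts: dict[str, Account] = field(default_factory=dict)
    audit_log: list[dict] = field(default_factory=list)
    # Decoy credentials: unknown usernames are checked against these so the
    # work done (and so the response time) does not reveal whether a user exists.
    decoy: Account = field(
        default_factory=lambda: Account(*hash_password(os.urandom(16).hex()))
    )

    def register(self, username: str, password: str) -> None:
        self.accounts[username] = Account(*hash_password(password))

    def login(self, username: str, password: str, source_ip: str,
              now: float | None = None) -> str:
        """Returns 'success', 'failure' or 'locked'. 'now' is injectable for tests."""
        now = time.time() if now is None else now
        known = username in self.accounts
        account = self.accounts[username] if known else self.decoy
        if account.locked_until > now:
            return self._record(username, source_ip, "locked", now)
        _, presented = hash_password(password, account.salt)
        matches = hmac.compare_digest(presented, account.digest)  # constant-time compare
        if known and matches:
            account.failures = 0
            return self._record(username, source_ip, "success", now)
        if known:
            account.failures += 1
            if account.failures >= MAX_FAILURES:
                account.locked_until = now + LOCKOUT_SECONDS
                account.failures = 0
        # Wrong password and unknown user get the same answer.
        return self._record(username, source_ip, "failure", now)

    def _record(self, username: str, source_ip: str, outcome: str, now: float) -> str:
        # What gets logged: who, from where, when, and the outcome. Never the
        # submitted password, which would turn the audit log into a credential store.
        self.audit_log.append(
            {"ts": now, "user": username, "ip": source_ip, "outcome": outcome}
        )
        return outcome


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice", "correct horse battery")
    for attempt in ("wrong", "wrong", "correct horse battery"):
        print(svc.login("alice", attempt, "10.0.0.1"))
    print(svc.audit_log)
```

Whether the user-facing message distinguishes "locked" from "failure" is a product decision; the audit record always stores the real outcome, and the same "failure" answer for an unknown user and a bad password keeps the login form from acting as a username oracle.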

Slide 19

Threat Modeling

Slide 20

Architectural Trade-offs

Slide 21


Slide 22


Slide 23

Testing Code

Slide 24

Static Code Analysis

Slide 25

Source: https://www.imperialviolet.org/2014/02/22/applebug.html
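The linked post describes Apple's "goto fail" bug: a duplicated `goto fail;` made the rest of the signature check unreachable. The block below, added here and not taken from the talk or the post, shows the kind of check a static analyzer performs on that shape of code. The C text is a condensed reconstruction of the buggy control flow (the function name and the exact lines are constructed for the example; the identifiers echo the real code but this is not its full text), and the analyzer itself is a deliberately small line-based check, where a real tool or clang's `-Wunreachable-code` would work on the parsed syntax tree.

```python
"""Toy static check for the 'goto fail' pattern (added example, not from the
talk or the linked post): flag a statement that directly follows an
unconditional jump at the same block level, which is exactly the shape of
the duplicated goto in Apple's SSLVerifySignedServerKeyExchange."""
import re

# Condensed reconstruction of the buggy control flow, constructed for this
# example; identifiers echo the real function but this is not its full text.
VULNERABLE_C = """\
static OSStatus verify_signed_params(SSLContext *ctx)
{
    OSStatus err;
    if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
        goto fail;
        goto fail;
    if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
        goto fail;
    err = sslRawVerify(ctx, hashOut);
fail:
    SSLFreeBuffer(&hashCtx);
    return err;
}
"""

# Same function with the duplicated line removed.
FIXED_C = VULNERABLE_C.replace(
    "        goto fail;\n        goto fail;\n", "        goto fail;\n", 1
)

JUMP_RE = re.compile(r"^(goto\s+\w+|return\b[^;]*|break|continue)\s*;$")
GUARD_RE = re.compile(r"^(if|else|for|while)\b")


def is_statement(text: str) -> bool:
    """True for lines that would execute; labels, braces, case labels and
    preprocessor/comment lines are not statements for this check."""
    if not text or text.startswith(("#", "//")):
        return False
    if text.endswith(":") or text in ("{", "}") or text.startswith("case "):
        return False
    return True


def find_unreachable(source: str) -> list:
    """Return (line_number, text) for each statement that follows an
    unconditional goto/return/break/continue without an intervening label.
    Only the first dead statement after each jump is reported, which is
    enough to fail the build."""
    findings = []
    prev = prev2 = None  # indexes of the previous two non-blank lines
    lines = source.splitlines()
    for i, raw in enumerate(lines):
        text = raw.strip()
        if not text:
            continue
        if prev is not None:
            jump = JUMP_RE.match(lines[prev].strip())
            # A jump is conditional when it is the unbraced body of an
            # if/else/loop, i.e. the line before it is a control header that
            # did not itself end a statement or open a brace.
            before = lines[prev2].strip() if prev2 is not None else ""
            guarded = bool(GUARD_RE.match(before)) and not before.endswith((";", "{"))
            if jump and not guarded and is_statement(text):
                findings.append((i + 1, text))
        prev2, prev = prev, i
    return findings


if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_C), ("fixed", FIXED_C)):
        print(name, find_unreachable(src) or "clean")
```

Run on the vulnerable text the check reports line 9, the `SSLHashSHA1.final` call that the second `goto fail;` skips; on the corrected text it reports nothing. The indentation of the duplicated line is exactly what a human reviewer's eye glosses over and a machine does not, which is the argument for running this class of check in CI rather than relying on review alone.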

Slide 26

Coding Standards

Slide 27

Secure Code Reviews

Slide 28

Planning for Security Escalations
Identify
Assess
Remediate

Slide 29

Incident Response Resource
Building a Minimum Viable Response Plan: jhand.co/CreateResponsePlan

Slide 30


Slide 31

Leverage your platform's services
Recognize your platform's limits

Slide 32


Slide 33


Slide 34

Advancing Principles

Slide 35

Bug Bounty Programs

Slide 36

Capture the Flag (CTF)
CTF Circle - a distributed CTF team for Nonbinary Folks and Women

Slide 37

Red Team Exercise
"Fundamentally, if somebody wants to get in, they're getting in... accept that. What we tell clients is: Number one, you're in the fight, whether you thought you were or not. Number two, you almost certainly are penetrated."
- Michael Hayden, Former Director of NSA & CIA

Slide 38

What's Next?
Identify your security maturity
Assess valuable practices
Encourage learning security skills
Incorporate feedback
Update threat models

Slide 39


Slide 40

Thank you
Email: [email protected]
@sigje
Open Spaces
CoffeeOps: September 27, 8:30am
Ongoing - Abby Bangser, @a_bangser
https://tinyurl.com/DODLON19OSF