Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Shane Curran - Building Security Into The Begin...

Turing Fest
PRO
August 15, 2022
Technology
0
210

Shane Curran - Building Security Into The Beginning Of The Development Cycle (Turing Fest 2022)

When it comes to creating, releasing, and maintaining software, startups are usually well-oiled machines. But this is not the case when it comes to securing software. Startups need to move fast but many developers still perceive security as a hindrance and a tax on progress, despite the meaningful increase in cyber risk that is created by neglecting to build secure software. Cool new features are useless if they are vulnerable to malicious exploits.

Head to www.turingfest.com to learn more about Europe's best cross-functional tech conference.

Turing Fest
PRO

August 15, 2022
Tweet

More Decks by Turing Fest

See All by Turing Fest
Andy Budd: The Growth Equation: 7 Essential Steps to Finding Product Market Fit
turingfest
PRO
0
57
Andrey Vinitsky: Babe Are You OK? You've Barely Touched The Dashboard You Claimed Was Mission Critical
turingfest
PRO
0
56
Finbarr Taylor:From Scotland to Silicon Valley: Lessons Learned Raising $100m & Building a Global SaaS Business
turingfest
PRO
0
18
Megan Caywood: A Product Playbook to Building a Unicorn
turingfest
PRO
0
32
Jason Miller: Branding in the Age of AI
turingfest
PRO
0
22
Petra Wille: Lessons on Storytelling for Product Builders
turingfest
PRO
0
37
Meri Williams: Career Vectors: Navigating Modern Careers
turingfest
PRO
0
33
Todd Olson: How AI Supercharges Product-led Growth
turingfest
PRO
0
22
Rand Fishkin: Zero-Click Marketing
turingfest
PRO
0
61

Other Decks in Technology

See All in Technology
開発生産性を上げながらビジネスも30倍成長させてきたチームの姿
kamina_zzz
2
1.7k
Lambda10周年!Lambdaは何をもたらしたか
smt7174
2
110
マルチモーダル / AI Agent / LLMOps 3つの技術トレンドで理解するLLMの今後の展望
hirosatogamo
37
12k
AWS Media Services 最新サービスアップデート 2024
eijikominami
0
200
Amazon CloudWatch Network Monitor のススメ
yuki_ink
1
210
Taming you application's environments
salaboy
0
190
データプロダクトの定義からはじめる、データコントラクト駆動なデータ基盤
chanyou0311
2
310
EventHub Startup CTO of the year 2024 ピッチ資料
eventhub
0
120
ISUCONに強くなるかもしれない日々の過ごしかた/Findy ISUCON 2024-11-14
fujiwara3
8
870
TypeScript、上達の瞬間
sadnessojisan
46
13k
マルチプロダクトな開発組織で 「開発生産性」に向き合うために試みたこと / Improving Multi-Product Dev Productivity
sugamasao
1
310
Why does continuous profiling matter to developers? #appdevelopercon
salaboy
0
190

Featured

See All Featured
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
How to Think Like a Performance Engineer
csswizardry
20
1.1k
Visualization
eitanlees
145
15k
Typedesign – Prime Four
hannesfritz
40
2.4k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
16
2.1k
Designing the Hi-DPI Web
ddemaree
280
34k
Building a Scalable Design System with Sketch
lauravandoore
459
33k
Bash Introduction
62gerente
608
210k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
131
33k
GitHub's CSS Performance
jonrohan
1030
460k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
33
1.9k
Thoughts on Productivity
jonyablonski
67
4.3k

Transcript

  1. Building security into the beginning of the development cycle Shane

    Curran @arcurn

  2. Data breaches happen all the time.

  3. Security is always a priority, but it’s never priority #1

    🔢

  4. “Improving our security is on the roadmap, we just need

    to ship some new features first”

  5. But another feature always ends up appearing…

  6. Everybody knows startups are great at shipping new features

  7. None
  8. None
  9. None

  10. Companies this early on are just focused on survival

  11. But survival suddenly turns to growth…

  12. Overnight, they go from selling to customers who are using

    their product because they got a free hoodie…
  13. None

  14. And they start selling to customers who ask you to

    fill out a security questionnaire before they even look at a demo
  15. None
  16. None

  17. Founders rush to get SOC 2 ISO 27001 PCI DSS

    GDPR ASDDFGJASDDSF compliant in a hurry
  18. None

  19. Those six-figure deals hang in the balance when security is

    an afterthought

  20. But then startups buy compliance automation software, find an auditor

    and get compliant quick… all is well, right?

  21. “We’re secure now, our SOC 2 auditor said so!”

  22. Compliance ≠ Security

  23. Some time passes, and then you meet a Head of

    Security who looks a little bit less like…
  24. None

  25. And a little more like…

  26. None

  27. Hackerman doesn’t care about your standard operating controls and compliance

    frameworks

  28. Hackerman just SSH’ed into your production database!

  29. Hackerman sees no compliance frameworks

  30. Hackerman just sees an open port or badly implemented authentication

  31. If you’re lucky, Hackerman will be a friendly Head of

    Security working for a potential customer

  32. But what if he’s not? What if he’s actively malicious

    and posts your data on the web?

  33. Now, not only is Hackerman unhappy with your product —

    compliance teams and lawyers are too! What a mess!

  34. Startups are designing security for compliance teams, not for the

    real enemy: hackers!

  35. Q: “Maybe we should hire a security team?”

  36. A: “Probably not just yet”

  37. Your product team is your security team, they just don’t

    know it yet ⚖

  38. Security in 2022: Build the wall

  39. Keeping on top of security tech all day is potentially

    a full time job 👨💼

  40. Modern security doesn’t focus on the root problem 🎯

  41. Stop building walls, and start protecting your crown jewels: sensitive

    data

  42. Normal databases: data everywhere

  43. Securing data itself 💿

  44. What is encryption? 🔐

  45. None

  46. Encryption lets you take a piece of data and “lock”

    it using a secret key 🔑

  47. Anybody who has the encrypted data without the key can’t

    access the data 🙅

  48. But… anybody who steals the key and encrypted data now

    has the original sensitive data 🥷

  49. The key is just as sensitive as the data 🤫

  50. Implementing encryption properly is hard You have to… 1. Pick

    which open source library to use 2. Store the keys yourself 3. Still handle data in plaintext before encrypting it 4. Decrypt the data every time you want to use it

  51. Encryption is almost always implemented wrong 🙅

  52. Data should always be encrypted ✅

  53. None

  54. Normal databases: data everywhere

  55. Encrypted databases: the future

  56. Why keys are so important… 🗝 (keys are everywhere)

  57. You keep your money at the bank, why not your

    keys? 🏦

  58. Encryption for developers

  59. Collect sensitive data from the client

  60. Process encrypted data securely

  61. Share encrypted data with third-parties

  62. Never touch sensitive data in plaintext.

  63. You never store keys. Evervault never stores your data.

  64. Use Case 1 PII

  65. Use Case 2 PCI DSS

  66. Use Case 3 Crypto

  67. Encryption is a super-tool

  68. Developers should be empowered to use it, and to own

    the security for their own software end-to-end

  69. They have the tools now… just about

  70. Now we need to wield them!

  71. So we can go from a world where…

  72. Data breaches happen all the time.

  73. What’s a data breach?

  74. Thank you! @arcurn [email protected]