Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Shane Curran - Building Security Into The Beginning Of The Development Cycle (Turing Fest 2022)

Turing Fest
PRO
August 15, 2022
Technology
0
180

Shane Curran - Building Security Into The Beginning Of The Development Cycle (Turing Fest 2022)

When it comes to creating, releasing, and maintaining software, startups are usually well-oiled machines. But this is not the case when it comes to securing software. Startups need to move fast but many developers still perceive security as a hindrance and a tax on progress, despite the meaningful increase in cyber risk that is created by neglecting to build secure software. Cool new features are useless if they are vulnerable to malicious exploits.

Head to www.turingfest.com to learn more about Europe's best cross-functional tech conference.

Turing Fest
PRO

August 15, 2022
Tweet

More Decks by Turing Fest

See All by Turing Fest
Anika Zubair - Customer Success for Revenue Growth: People, Process, Tools, and Repeatability
turingfest
PRO
0
59
Anna Shipman - Analysing, Deciding, Doing
turingfest
PRO
0
76
Annjana Ramesh - Inclusion as a Product
turingfest
PRO
0
74
April Dunford - Using Strategic Positioning to Unlock Growth in Noisy Markets
turingfest
PRO
0
230
Bastian Grimm - The Rise of AI
turingfest
PRO
0
180
Bob Moesta - Should I Stay or Should I Go?
turingfest
PRO
0
140
Chris Savage - Buying Out Your Own Company
turingfest
PRO
0
69
Christine Itwaru - Embracing Product Operations
turingfest
PRO
0
110
Emily Grossman - How to Grow
turingfest
PRO
0
190

Other Decks in Technology

See All in Technology
2024春 注目のWeb系 OSS & SaaS 3選
makies
0
180
Babylon.js JAPAN活動紹介 (2024/4)
limes2018
1
120
よく聞くけど使ったことないソフトウェアNo.1 KafkaとSnowflake
foursue
4
510
GrafanaMeetup_AmazonManagedGrafanaのアクセス制御機能とマルチテナント環境下でのアクセス制御について
daitak
0
400
.NET Profiler in 2024.
kkamegawa
2
1.5k
本当のAWS基礎
toru_kubota
1
640
今さら聞けないDocker入門 〜 Dockerfileのベストプラクティス編
devops_vtj
7
1k
モーダル間の変換後の一致性とジャンル表を用いた解釈可能性の考察 ~Text-to-MusicとText-To-ImageかつImage-to-Musicを例に~
otanet
0
310
web-application-security
matsuihidetoshi
1
190
MixIT 2024 - Pulumi : Gérer son infra avec son langage de programmation préféré
ju_hnny5
1
120
Tellus の衛星データを見てみよう #mf_fukuoka
kongmingstrap
0
270
Microsoft for Startups Founders Hub_20240429 update
daikikanemitsu
1
2.4k

Featured

See All Featured
Bash Introduction
62gerente
605
210k
The Mythical Team-Month
searls
216
42k
Facilitating Awesome Meetings
lara
43
5.6k
The Art of Programming - Codeland 2020
erikaheidi
43
12k
Intergalactic Javascript Robots from Outer Space
tanoku
266
26k
Build The Right Thing And Hit Your Dates
maggiecrowley
25
2k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
21
6.4k
Building a Scalable Design System with Sketch
lauravandoore
457
32k
For a Future-Friendly Web
brad_frost
172
9k
How GitHub (no longer) Works
holman
305
140k
Practical Orchestrator
shlominoach
183
9.7k
The World Runs on Bad Software
bkeepers
PRO
61
6.7k

Transcript

  1. Building security into the beginning of the development cycle Shane

    Curran @arcurn

  2. Data breaches happen all the time.

  3. Security is always a priority, but it’s never priority #1

    🔢

  4. “Improving our security is on the roadmap, we just need

    to ship some new features first”

  5. But another feature always ends up appearing…

  6. Everybody knows startups are great at shipping new features

  7. None
  8. None
  9. None

  10. Companies this early on are just focused on survival

  11. But survival suddenly turns to growth…

  12. Overnight, they go from selling to customers who are using

    their product because they got a free hoodie…
  13. None

  14. And they start selling to customers who ask you to

    fill out a security questionnaire before they even look at a demo
  15. None
  16. None

  17. Founders rush to get SOC 2 ISO 27001 PCI DSS

    GDPR ASDDFGJASDDSF compliant in a hurry
  18. None

  19. Those six-figure deals hang in the balance when security is

    an afterthought

  20. But then startups buy compliance automation software, find an auditor

    and get compliant quick… all is well, right?

  21. “We’re secure now, our SOC 2 auditor said so!”

  22. Compliance ≠ Security

  23. Some time passes, and then you meet a Head of

    Security who looks a little bit less like…
  24. None

  25. And a little more like…

  26. None

  27. Hackerman doesn’t care about your standard operating controls and compliance

    frameworks

  28. Hackerman just SSH’ed into your production database!

  29. Hackerman sees no compliance frameworks

  30. Hackerman just sees an open port or badly implemented authentication

  31. If you’re lucky, Hackerman will be a friendly Head of

    Security working for a potential customer

  32. But what if he’s not? What if he’s actively malicious

    and posts your data on the web?

  33. Now, not only is Hackerman unhappy with your product —

    compliance teams and lawyers are too! What a mess!

  34. Startups are designing security for compliance teams, not for the

    real enemy: hackers!

  35. Q: “Maybe we should hire a security team?”

  36. A: “Probably not just yet”

  37. Your product team is your security team, they just don’t

    know it yet ⚖

  38. Security in 2022: Build the wall

  39. Keeping on top of security tech all day is potentially

    a full time job 👨💼

  40. Modern security doesn’t focus on the root problem 🎯

  41. Stop building walls, and start protecting your crown jewels: sensitive

    data

  42. Normal databases: data everywhere

  43. Securing data itself 💿

  44. What is encryption? 🔐

  45. None

  46. Encryption lets you take a piece of data and “lock”

    it using a secret key 🔑

  47. Anybody who has the encrypted data without the key can’t

    access the data 🙅

  48. But… anybody who steals the key and encrypted data now

    has the original sensitive data 🥷

  49. The key is just as sensitive as the data 🤫

  50. Implementing encryption properly is hard You have to… 1. Pick

    which open source library to use 2. Store the keys yourself 3. Still handle data in plaintext before encrypting it 4. Decrypt the data every time you want to use it

  51. Encryption is almost always implemented wrong 🙅

  52. Data should always be encrypted ✅

  53. None

  54. Normal databases: data everywhere

  55. Encrypted databases: the future

  56. Why keys are so important… 🗝 (keys are everywhere)

  57. You keep your money at the bank, why not your

    keys? 🏦

  58. Encryption for developers

  59. Collect sensitive data from the client

  60. Process encrypted data securely

  61. Share encrypted data with third-parties

  62. Never touch sensitive data in plaintext.

  63. You never store keys. Evervault never stores your data.

  64. Use Case 1 PII

  65. Use Case 2 PCI DSS

  66. Use Case 3 Crypto

  67. Encryption is a super-tool

  68. Developers should be empowered to use it, and to own

    the security for their own software end-to-end

  69. They have the tools now… just about

  70. Now we need to wield them!

  71. So we can go from a world where…

  72. Data breaches happen all the time.

  73. What’s a data breach?

  74. Thank you! @arcurn [email protected]