
Defensive team – who are security engineers and how they help teams to develop secure applications

vixentael
December 13, 2018


Who is a blue team and how they prevent business risks against company assets? What is secure development, secure architecture, secure coding? A lecture for Women in Appsec community and infosec students.



Transcript

  1. Blue teams
    security engineering
    @vixentael

  2. @vixentael
    Product Engineer
    github.com/vixentael/my-talks
    cryptographic software,
    security consulting,
    developers training

  4. Real risk vs compliance demands, 1999

  5. Business risk vs compliance demands, 2018

  6. “Bad security” leads to
    - reputation risks (Equifax)
    - legal responsibility (GDPR, HIPAA, PCI DSS)
    - operations (Google, Facebook)
    - competitors’ advantage
    https://www.cossacklabs.com/blog/gdpr-for-engineers.html

  7. “Bad security” leads to financial damage

  8. twitter.com/c_pellegrino/status/981409466242486272


  11. Chart: millions of records leaked per month, February to September
    https://www.itgovernance.co.uk/blog/category/cyber-security/



  14. Blue team

  15. Proactive vs reactive
    - Secure Development
    - Secure Architecture
    - Secure Operations
    - Processes
    - Pentests / Audits
    - Compliance
    - Incident Response

  16. Blue team
    - The Security Stakeholder (defining the what and what not)
    - The Evangelist (raising the bar)
    - The Security Expert (helping with the how)
    - Security Automation (continuous security)
    - Incident response, investigations and forensics
    https://xebia.com/blog/being-an-agile-security-officer/


  20. Blue team: prevent business risks against company assets

  21. Assets we protect
    1. Sensitive data
    2. Encryption keys
    3. Credentials
    4. Technical credentials
    5. ACL
    6. Systems and nodes

  22. Sensitive data – is any kind of data that, if leaked, will break the
    business objectives or prosperity of those who use it.

  23. CIA triad: Confidentiality, Integrity, Availability

  24. Processes we protect
    Continuity, Capacity, Availability } Component security
    Technical assets security
    SRE practices

  25. Business risk is the possibility a company will have lower than
    anticipated profits or experience a loss rather than taking a profit.

  26. Risks
    - unauthorized access
    - use
    - disclosure
    - disruption
    - modification
    - inspection
    - recording
    - destruction
    - Strategic risks
    - Operational risks
    - Reputational risks
    - Compliance risks

  27. Risks: Can’t we just fix all the bugs?
    - unauthorized access
    - use
    - disclosure
    - disruption
    - modification
    - inspection
    - recording
    - destruction

  28. Secret of pragmatic security
    1. Focus on real risks
    2. Prioritize:
    - impact
    - probability

  29. InfoSec processes
    - Planning: Risk assessment
    - Building:
    - Secure Software Development
    - Infrastructure security
    - Doing:
    - Compliance / certification
    - Security verification (audit, pentests, appsec)
    - Operations / processes


  31. Secure development, secure architecture, secure coding

  32. Secure software development lifecycle methodology
    MS SDL: www.microsoft.com/en-us/sdl
    OWASP S-SDLC: www.owasp.org/index.php/OWASP_Secure_Software_Development_Lifecycle_Project

  33. SSDLC
    - distills common sense from experience of building secure software.
    - prescribes methodologies which cover most risks in most cases.
    - is a good start.

  34. SSDLC
    Risk evaluation
    Risk assessment
    Threat model
    Security plan
    Secure coding
    Security verification
    Secure operations
    Response

  35. SSDLC
    Risk evaluation, Risk assessment, Threat model, Security plan, Secure coding,
    Security verification, Secure operations, Response
    Lifecycle phases: Requirements, Design/architecture, Development, Testing,
    Operations

  36. Secure architecture prevents the infosec-related business risks in a
    consistent, pre-designed structure that corresponds to the business goals.

  37. Addressing security risks at architecture level
    1. Design systems that focus on preventing risks instead of focusing on
    preventing vulnerabilities.
    2. Implement security in a cost-efficient, maintainable and verifiable way.

  38. Trust
    1. A system’s trust is equal to the trust in its weakest link.
    2. Good architecture allocates trust appropriate to practical constraints.

  39. Trust
    perimeter firewall, access control, internal network, authentication,
    internal access control, access/key management, configuration management,
    code, encryption, node security

  40. Threats
    Threats are technical opportunities to materialize business risk in chosen
    architectures.
    Combined with the actual trust and position of weak components, they create
    attack vectors.

  41. Attack surface – the combination of nodes, processes and applications
    that need to be compromised for damage to be done.
    Attack surface is created by components that open a potential opportunity
    to inflict damage and materialize business risk, along with their risk level.

  42. Managing attack surface
    Goal of security architecture is appropriate management of attack surface:
    observability, minimization, control

  43. Defense in depth
    layers around the data, from the outside in: authentication / access
    control, authorization, encryption, data

  44. Bottom-up vs top-down
    Bottom-up: find weakest part, fix, iterate, maintain
    Top-down: analyze risks, security plan, SSDLC

  45. Secure Development – a process of choosing and implementing security
    controls appropriate to business risks.

  46. Security controls
    Proactive: prevent risk
    Reactive: detect incident; correct / limit damage
    Physical, Procedural, Technical, Legal

  47. Proactive + Reactive
    Data security
    Application security
    Infrastructure security
    Monitoring
    Intrusion detection
    Vulnerability management

  48. Proactive controls
    Data security: encryption
    Access security: authentication, firewalls, OS
    Node security: firewalls, compartmentalization, OS

  49. Reactive controls: detect
    Data security: integrity checks, authenticated crypto
    Access security: honeypots, access logging
    Node security: IDS, monitoring

  50. Reactive controls: limit damage
    Data security: key management, backups
    Access security: credential management, jailbans
    Node security: infrastructural management

  51. Data protection 101
    1. Identify sensitive data, understand sensitive data lifecycle, classify data.
    2. Identify risks to data.
    3. Build trust model, understand risk impact.
    4. Prioritize risk vectors.
    5. Select and implement proper security controls for exploitable high risk
    vectors (to prevent risks and to identify leaks).

  52. Encryption libraries should
    ★ use strong & audited crypto
    ★ work everywhere
    ★ hide cryptographic details
    ★ be hard to mis-use
    ★ have integration with key storage

  53. Encryption libraries
    abstraction level / complexity: ciphers → libraries → suites

  54. Ciphers: 3DES, AES-256-GCM, Salsa20, ChaCha
    libraries: libsodium, themis, tink
    Suites: ZeroKit, Hermes, Vault, Acra
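An added example, not from the deck or any of the libraries it names: a small Go wrapper of the kind slide 52 asks for, built on AES-256-GCM (one of the ciphers on slide 54) from Go's standard library. It shows the "hard to mis-use" shape (fixed key size, random nonce packed into the blob, a context string bound as associated data) and why slide 49 counts authenticated crypto as a detect control: a tampered or relocated blob fails to open instead of decrypting to garbage. The Seal/Open names and the nonce || ciphertext || tag layout are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newAEAD builds AES-256-GCM; the length check stops a short key from silently selecting AES-128.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("key must be 32 bytes, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext and binds it to a context string (record id, column name) as
// associated data. Output is nonce || ciphertext || tag, so callers never handle nonces.
func Seal(key []byte, context string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(context)), nil
}

// Open verifies the GCM tag first: a flipped bit, a blob copied to another record, or a
// wrong context all return an error instead of garbage plaintext (the "detect" control).
func Open(key []byte, context string, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(sealed) < n+aead.Overhead() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], []byte(context))
}
```

Random 96-bit GCM nonces are fine at modest volumes, but a key that seals billions of records needs rotation, which is where slide 50's key management comes in.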


  56. Core principles
    Principle of least privilege.
    “Secure by default”.
    Compartmentalization.
    Access separation.
    Echelonization.
    Defense in depth, security measures escalate with sensitivity/risk.
    Independent defences.
    No single point of security failure.

  57. Core principles
    Balance security with usability.
    Break usability too much - security control will be overridden or broken.
    Log everything.
    Or be like ¯\_(ツ)_/¯ when things go bad.
    Have a contingency plan.
    Nobody is perfect. Have an incident reaction plan from day 0.

  58. Ensuring security
    Monitoring: security-conscious SLOs and metrics, IDS, SIEM
    Automated security testing: security-centric tests, SAST / DAST, dependency monitoring
    Automated security verification: automated vulnerability scanning, automated OSINT

  59. Problems with implementing security practices
    Usability vs security: control override, angry users
    Performance vs security: performance penalty
    Maintainability vs security: additional operations
    Reliability vs security: lost access

  60. #owaspkyiv

  61. Home reading
    Organization security for startups: https://github.com/forter/security-101-for-saas-startups/blob/english/security.md
    Security as a Product: https://medium.com/@kshortridge/security-as-a-product-83a78c45ca27
    Hiring External Security Team: What You Need To Know: https://www.cossacklabs.com/blog/hiring-external-security-team.html
    What Do We Really Need To Encrypt. Cheatsheet: https://www.cossacklabs.com/blog/what-we-need-to-encrypt-cheatsheet.html

  62. Community
    Ukrainian security events: https://github.com/sapran/Ukraine-infosec-conferences
    BSides, OWASP, UISGCon, NoNameCon, WIA, WWCode Kyiv – search on Facebook
