Making Security Usable: Product Engineer Perspective

This is a story of going through typical security challenges: how to build products that reliably deliver security guarantees, avoid typical pitfalls, and are usable in a predictable fashion by real users. It's a tale of balancing religious adherence to security practices with keeping customers' needs in mind at all times inside the development team; listening to the customers and observing actual behavior out in the wild; and trying to make the best decisions to empower customers with easy tools for encrypting data in their apps securely and without pain.

We'll take a look at the process through the eyes of one of our customers, who did everything wrong before doing things right, and through the eyes of a product engineer responsible for learning the lessons that make security products even more usable and reliable for engineers who are not security specialists.

Key takeaways:

Attendees will go through several stages of inception and implementation of database encryption/intrusion detection tools. They will see the "behind the scenes" work inside a cryptographic engineering company, see how customers are among the most useful people to learn from, and see how getting over the "we tell you what to do" mentality makes security tools better.

vixentael

June 29, 2018

Transcript

  1. Making Security Usable: Tales of Product Engineering …in a Security Company @vixentael

  2. #data_security #cryptography #product_thinking #product_design

  3. @vixentael Product Engineer Feel free to reach me with security questions. I do check my inbox :)

  4. I. The story @vixentael

  5. A long time ago in a galaxy far, far away… @vixentael

  6. @vixentael

  7. @vixentael @vixentael

  8. @vixentael

  9. @vixentael

  10. @vixentael

  11. @vixentael

  12. @vixentael

  13. @vixentael Encrypt all the data!

  14. @vixentael

  15. @vixentael ceo@startup.com

  16. @vixentael

  17. @vixentael $encrypted = mcrypt_encrypt( MCRYPT_RIJNDAEL_128, '54ca04988748501e93a3061763b0b6a', $data, MCRYPT_MODE_CBC, $iv );

  18. $encrypted = mcrypt_encrypt( MCRYPT_RIJNDAEL_128, '54ca04988748501e93a3061763b0b6a', $data, MCRYPT_MODE_CBC, $iv ); @vixentael PHP. AES-CBC

  19. $encrypted = mcrypt_encrypt( MCRYPT_RIJNDAEL_128, '54ca04988748501e93a3061763b0b6a', $data, MCRYPT_MODE_CBC, $iv ); @vixentael PHP. AES-CBC

  20. @vixentael Invite pen-testers!

  21. @vixentael

  22. @vixentael Use pre-built tools!

  23. @vixentael postgresql encryption options cybertec-postgresql.com/en/postgresql-instance-level-encryption/ export PGENCRYPTIONKEY=db-enc-key initdb -k -K pgcrypto /data/dbencrypt/

  24. @vixentael "

  25. @vixentael Hire someone?

  26. No data security expertise? – Find one. @vixentael

  27. II. The challenge @vixentael

  28. @vixentael ? ..but how it should work ..and will it really be secure now? we want one tool that solves all problems..

  29. @vixentael key lifecycle trusted code execution environment side channel resistance risk echelonization

  30. @vixentael ?

  31. @vixentael ?

  32. @vixentael

  33. database encryption proxy @vixentael

  34. @vixentael client app writer proxy database database encryption proxy

  35. @vixentael client app writer proxy server database keygen zones IDS

  36. @vixentael

  37. @vixentael Hard to build

  38. @vixentael Pain to manage

  39. @vixentael

  42. @vixentael acceptance denial anger bargaining depression

  43. Listen to customers. It improves everything... even security! @vixentael

  44. III. The adventure @vixentael

  45. @vixentael security model key/trust scheme encryption scheme cipher suites

  46. @vixentael security model key/trust scheme encryption scheme cipher suites

  47. @vixentael – real time analytics (user actions) – servers load – error logs – user testing / user research – open tickets / issues

  48. @vixentael – real time analytics (user actions) – user testing / user research – servers load – open tickets / issues – error logs

  49. @vixentael ?

  50. @vixentael ?

  51. Bad Usability → Bad Security @vixentael

  52. @vixentael

  53. Data Security Assistance Program @vixentael business model / regulations risks to data threat model / attack vectors data security scheme

  54. @vixentael Analyze use-cases

  55. Analyze use-cases @vixentael Hard to deploy Hard to support Easy to misuse Hard to verify

  56. @vixentael

  57. @vixentael Deployment

  58. @vixentael Deployment code Multiple channels of distribution

  59. @vixentael Deployment code Multiple channels of distribution

  60. @vixentael Deployment code built packages (.pkg) Multiple channels of distribution

  61. @vixentael Deployment Multiple channels of distribution code built packages (.pkg) docker images VM images chef configuration docker compose

  62. @vixentael Deployment

  63. @vixentael Deployment 1. Download, build, install every component 2. Generate keys / tokens for each component 3. Put keys into right folders (PK exchange) 4. Configure each component (port, keys) 5. Run components using correct config

  64. @vixentael Deployment 1. Download, build, install every component 2. Generate keys / tokens for each component 3. Put keys into right folders (PK exchange) 4. Configure each component (port, keys) 5. Run components using correct config script

  65. @vixentael Deployment 1. Download, build, install every component 2. Generate keys / tokens for each component 3. Put keys into right folders (PK exchange) 4. Configure each component (port, keys) 5. Run components using correct config script

  66. @vixentael Deployment 1. Download, build, install every component 2. Generate keys / tokens for each component 3. Put keys into right folders (PK exchange) 4. Configure each component (port, keys) 5. Run components using correct config script defaults

  67. @vixentael Deployment 1. Download, build, install every component 2. Generate keys / tokens for each component 3. Put keys into right folders (PK exchange) 4. Configure each component (port, keys) 5. Run components using correct config one command!

  68. @vixentael Deployment Pre-baked configurations docker-compose -f <compose_file>.yml up

  69. @vixentael Deployment Pre-baked configurations mysql-ssl-server-ssl.yml MySQL <-SSL-> AServer <-SSL-> client

  70. @vixentael Deployment Pre-baked configurations mysql-ssl-server-ssl.yml MySQL <-SSL-> AServer <-SSL-> client pgsql-nossl-server-ssession-connector.yml PostgreSQL <-> AServer <-SecureSession-> AConnector <---> client '-> AWebconfig

  71. @vixentael Deployment Pre-baked configurations

  72. @vixentael Deployment Integration tests everywhere – run on 12 OSs – run on empty environments – provide testing scripts for users

  73. @vixentael Integration – logging formats (plaintext, json, CEF) – infrastructure as code (configs everywhere) – event formats (unique event codes) Good products do not exist in a vacuum

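
An added example (not from the original slides or any product) of the integration point on slide 73: one intrusion-detection event with a unique event code rendered as plaintext, JSON and CEF, with the escaping CEF requires in header and extension fields. The event code, field names and vendor/product strings are constructed placeholders.

```python
import json
from datetime import datetime, timezone

# CEF header fields: only '|' and '\' need escaping there.
def _cef_header(value: str) -> str:
    return value.replace("\\", "\\\\").replace("|", "\\|")

# CEF extension values: '\', '=' and newlines are escaped.
def _cef_ext(value: str) -> str:
    return value.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")

class SecurityEvent:
    """One IDS-style event with a unique numeric code, rendered in three formats."""

    def __init__(self, code: int, name: str, severity: int, fields: dict, when: datetime):
        self.code, self.name, self.severity = code, name, severity
        self.fields, self.when = fields, when

    def to_plaintext(self) -> str:
        kv = " ".join(f"{k}={v}" for k, v in self.fields.items())
        return f"{self.when.isoformat()} [{self.code}] {self.name}: {kv}"

    def to_json(self) -> str:
        doc = {"time": self.when.isoformat(), "code": self.code,
               "name": self.name, "severity": self.severity, **self.fields}
        return json.dumps(doc, sort_keys=True)

    def to_cef(self, vendor: str, product: str, version: str) -> str:
        # CEF:Version|Vendor|Product|DeviceVersion|EventClassID|Name|Severity|Extension
        header = "|".join(_cef_header(x) for x in
                          (vendor, product, version, str(self.code), self.name, str(self.severity)))
        ext = " ".join(f"{k}={_cef_ext(str(v))}" for k, v in self.fields.items())
        return f"CEF:0|{header}|{ext}"

# Constructed sample event (hypothetical event code 1101 and field names);
# the query value contains '=' on purpose to exercise extension escaping.
SAMPLE = SecurityEvent(
    code=1101, name="Query blocked by proxy rule", severity=8,
    fields={"src": "10.0.0.5", "query": "SELECT * FROM users WHERE id=1"},
    when=datetime(2018, 6, 29, 12, 0, 0, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    print(SAMPLE.to_plaintext())
    print(SAMPLE.to_json())
    print(SAMPLE.to_cef("ExampleVendor", "db-proxy", "0.1"))
```

A SIEM keyed on the numeric code sees the same event whichever format the deployment chose, which is what makes the code, not the free-text name, the stable identifier.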
  74. @vixentael

  75. @vixentael Secure by default

  76. @vixentael default strict parameters pre-defined configuration files make accidental changes unlikely Secure by default

  77. API design

  78. API design from pythemis.scell import SCellSeal; scell = SCellSeal(key); encrypted_message = scell.encrypt(message, context); message = scell.decrypt(encrypted_message, context) github.com/cossacklabs @vixentael

  79. @vixentael API design easy to use && unambiguous to use 2017.hack.lu/archive/2017/hacklu-crypto-api.pdf
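
An added illustration (not Themis code and not from the original slides) of what the seal-style API on slide 78 buys over the earlier mcrypt call: a toy SealCell in Python built on standard-library HMAC-SHA256, where the caller supplies only a key and a context, never a mode or IV, and decryption with the wrong context or a modified blob fails with an error instead of returning garbage. The cipher construction here is a teaching toy and is not the Themis Secure Cell construction.

```python
import hashlib, hmac, secrets

class SealCell:
    """Toy seal-style API on stdlib HMAC-SHA256 (illustration only, not the Themis
    construction): one key, one call, nonce and tag handled internally."""
    NONCE_LEN, TAG_LEN = 16, 32

    def __init__(self, key: bytes):
        if len(key) < 16:                             # strict default: refuse weak keys
            raise ValueError("key must be at least 16 bytes")
        self._enc_key = hashlib.sha256(b"enc|" + key).digest()
        self._mac_key = hashlib.sha256(b"mac|" + key).digest()

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out, ctr = b"", 0
        while len(out) < length:                      # PRF in counter mode
            out += hmac.new(self._enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return out[:length]

    def _tag(self, nonce: bytes, context: bytes, ct: bytes) -> bytes:
        # Length-prefix the context so (context, ciphertext) splits are unambiguous.
        data = nonce + len(context).to_bytes(4, "big") + context + ct
        return hmac.new(self._mac_key, data, hashlib.sha256).digest()

    def encrypt(self, message: bytes, context: bytes = b"") -> bytes:
        nonce = secrets.token_bytes(self.NONCE_LEN)   # caller never chooses an IV
        ct = bytes(m ^ k for m, k in zip(message, self._keystream(nonce, len(message))))
        return nonce + ct + self._tag(nonce, context, ct)

    def decrypt(self, sealed: bytes, context: bytes = b"") -> bytes:
        if len(sealed) < self.NONCE_LEN + self.TAG_LEN:
            raise ValueError("sealed blob too short")
        nonce, ct, tag = sealed[:16], sealed[16:-32], sealed[-32:]
        if not hmac.compare_digest(tag, self._tag(nonce, context, ct)):
            raise ValueError("authentication failed")  # wrong key/context or tampering
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))

def misuse_checks() -> dict:
    """Constructed check of what the seal shape buys over a raw mode+IV cipher call."""
    cell, msg, ctx = SealCell(secrets.token_bytes(32)), b"card=4111111111111111", b"user:42"
    sealed = cell.encrypt(msg, ctx)
    tampered = bytearray(sealed); tampered[16] ^= 0x01   # flip one ciphertext bit
    results = {"roundtrip": cell.decrypt(sealed, ctx) == msg,
               "fresh_nonce": cell.encrypt(msg, ctx) != sealed}  # no accidental IV reuse
    for name, blob, c in (("wrong_context", sealed, b"user:43"), ("tampered", bytes(tampered), ctx)):
        try: cell.decrypt(blob, c); results[name] = "accepted"
        except ValueError: results[name] = "rejected"     # hard error, not silent garbage
    return results
```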
  80. @vixentael Naming

  81. @vixentael Naming writer proxy server database

  82. db proxy client app @vixentael Naming writer proxy server database

  83. db proxy client app @vixentael Naming writer connector server database

  84. @vixentael Naming https://circleci.com/blog/why-did-builds-become-jobs-in-the-ui/

  85. @vixentael Client side client app writer Nodejs Go Python Ruby PHP

  86. @vixentael

  87. @vixentael Docs no docs tons of docs

  88. @vixentael Docs for developers integration scenarios security recommendations simple explanations benchmarks security model threat vectors schemes & formulas for security ppl

  89. @vixentael Playgrounds who reads docs if you can play with simulator?

  90. @vixentael Interactive simulator check your encryption works

  91. Examples-examples- examples @vixentael

  92. Dogfooding @vixentael use update feedback share

  93. There is no absolute security @vixentael develop test deploy repeat

  94. Short feedback cycle is a key @vixentael

  95. IV. Where it got us? @vixentael

  96. @vixentael Secure defaults Unambiguous APIs Easy deployment Shipped scripts / libs Playgrounds

  97. @vixentael Secure defaults Unambiguous APIs Easy deployment Shipped scripts / libs Playgrounds

  98. @vixentael adopt faster become less frustrated make less mistakes

  99. @vixentael make user-facing decisions iterate faster plan better become less frustrated

  100. usable ≠ over-simplified @vixentael

  101. @vixentael

  102. Home reading?
    Security as a Product https://medium.com/@kshortridge/security-as-a-product-83a78c45ca27
    Organization security for startups https://github.com/forter/security-101-for-saas-startups/blob/english/security.md
    API design for cryptography https://2017.hack.lu/archive/2017/hacklu-crypto-api.pdf
    Boring crypto, Daniel J. Bernstein https://cr.yp.to/talks/2015.10.05/slides-djb-20151005-a4.pdf

  103. My other security slides github.com/vixentael/my-talks

  104. @vixentael Product Engineer Feel free to reach me with security questions. I do check my inbox :)

  105. Image credits www.flaticon.com freepik, linector, switficons, pixelperfect, smashicons, icon pond, dinosoftlabs Authors: