Making Security Usable: Product Engineer Perspective

This is a story of working through typical security challenges: how to build products that reliably deliver security guarantees, avoid the usual pitfalls, and behave predictably for real users. It is a tale of balancing strict adherence to security practices with keeping customers' needs in mind at all times inside the development team; listening to customers and observing actual behavior out in the wild; and trying to make the best decisions to give customers easy tools for encrypting data in their apps securely and without pain.

We'll look at the process through the eyes of one of our customers, who did everything wrong before doing things right, and through the eyes of a product engineer responsible for learning the lessons that make security products more usable and reliable for engineers who are not security specialists.

Key takeaways:

Attendees will go through several stages of the inception and implementation of database encryption and intrusion detection tools. They will see the "behind the scenes" work inside a cryptographic engineering company, see how customers are among the most useful people to learn from, and how getting over the "we tell you what to do" mentality makes security tools better.

vixentael

June 29, 2018

Transcript

  1. Making Security Usable:
    Tales of Product Engineering
    …in a Security Company
    @vixentael

  2. #data_security
    #cryptography
    #product_thinking
    #product_design

  3. @vixentael Product Engineer
    Feel free to reach me with
    security questions.
    I do check my inbox :)

  4. I. The story

  5. A long time ago in a galaxy far,
    far away…

  13. Encrypt
    all the data!

  15. [email protected]

  17. PHP. AES-CBC
    // The customer's first "encrypt all the data" attempt, as shown in the talk.
    // mcrypt was deprecated in PHP 7.1 and removed in 7.2; CBC mode gives no
    // integrity protection; the key is a string literal committed with the code.
    $encrypted = mcrypt_encrypt(
        MCRYPT_RIJNDAEL_128,
        '54ca04988748501e93a3061763b0b6a', // 31-character ASCII literal used as the raw key
        $data,
        MCRYPT_MODE_CBC,
        $iv
    );

  20. Invite
    pen-testers!

  22. Use pre-built
    tools!

  23. postgresql encryption options
    cybertec-postgresql.com/en/postgresql-instance-level-encryption/
    export PGENCRYPTIONKEY=db-enc-key
    initdb -k -K pgcrypto /data/dbencrypt/

  25. Hire
    someone?

  26. No data security expertise?
    – Find one.

  27. II. The challenge

  28. we want one tool that
    solves all problems..
    ..but how should it work?
    ..and will it really be
    secure now?

  29. key lifecycle
    trusted code execution
    environment
    side channel resistance
    risk echelonization

  33. database encryption proxy

  34. database encryption proxy:
    client app, writer, proxy, database

  35. client app, writer, proxy server, database
    + keygen, zones, IDS

  37. Hard to build

  38. Pain to manage

  42. denial, anger, bargaining,
    depression, acceptance

  43. Listen to customers.
    It improves everything...
    even security!

  44. III. The adventure

  45. security model
    key/trust scheme
    encryption scheme
    cipher suites

  47. – real time analytics (user actions)
    – servers load
    – error logs
    – user testing / user research
    – open tickets / issues

  51. Bad Usability
    Bad Security

  53. Data Security
    Assistance Program
    business model / regulations
    → risks to data
    → threat model / attack vectors
    → data security scheme

  55. Analyze use-cases
    Hard to deploy
    Hard to support
    Easy to misuse
    Hard to verify

  57. Deployment

  61. Deployment
    Multiple channels of distribution:
    code, built packages (.pkg), docker images,
    VM images, chef configuration, docker compose

  63. Deployment
    1. Download, build, install every component
    2. Generate keys / tokens for each component   → script
    3. Put keys into right folders (PK exchange)
    4. Configure each component (port, keys)       → defaults
    5. Run components using correct config
    …one command!

  68. Deployment
    Pre-baked configurations
    docker-compose -f .yml up

  69. Deployment
    Pre-baked configurations
    mysql-ssl-server-ssl.yml
    MySQL <-SSL-> AServer <-SSL-> client

  70. pgsql-nossl-server-ssession-connector.yml
    PostgreSQL <-> AServer <-SecureSession-> AConnector <---> client
    '-> AWebconfig

  72. Deployment
    Integration tests everywhere
    – run on 12 OSs
    – run on empty environments
    – provide testing scripts for users

  73. Integration
    Good products do not exist in a vacuum
    – logging formats (plaintext, json, CEF)
    – infrastructure as code (configs everywhere)
    – event formats (unique event codes)
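
What "unique event codes" and the three logging formats from slide 73 look like in practice, as an added example in Go (this is not the project's own logging code): one event struct with a stable numeric code, rendered as a plaintext line, as one JSON object per line, and as an ArcSight CEF record with the header and extension escaping that format requires, plus the consumer-side parse a detection rule would do. The event codes, the vendor/product strings and the field names are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Event codes are hypothetical; a real product ships its own numbered table so
// that SIEM rules and runbooks key off the number, not off message text that
// changes between releases.
const (
	CodeDecryptFailed = 530 // decryption failed: wrong key, wrong context or tampering
	CodeIDSTriggered  = 540 // intrusion detection (e.g. a poison record) was hit
)

// Event is one security-relevant occurrence in a stable, machine-matchable shape.
type Event struct {
	Code     int               `json:"code"`
	Name     string            `json:"name"`
	Severity int               `json:"severity"` // 0..10, the scale CEF uses
	Fields   map[string]string `json:"fields,omitempty"`
}

// sortedKeys makes every output format deterministic, which matters for tests
// and for diffing logs between deployments.
func (e Event) sortedKeys() []string {
	keys := make([]string, 0, len(e.Fields))
	for k := range e.Fields {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// Plaintext is the human-oriented line; the code still leads so grep works.
func (e Event) Plaintext() string {
	var b strings.Builder
	fmt.Fprintf(&b, "code=%d severity=%d name=%q", e.Code, e.Severity, e.Name)
	for _, k := range e.sortedKeys() {
		fmt.Fprintf(&b, " %s=%q", k, e.Fields[k])
	}
	return b.String()
}

// JSON is one object per line, for log shippers that parse structured input.
func (e Event) JSON() (string, error) {
	out, err := json.Marshal(e)
	return string(out), err
}

// CEF renders the Common Event Format:
//   CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ...
// Header fields escape '|' and '\'; extension values escape '=' and '\' and
// turn newlines into the two characters "\n".
func (e Event) CEF(vendor, product, version string) string {
	hdr := func(s string) string {
		s = strings.ReplaceAll(s, `\`, `\\`)
		return strings.ReplaceAll(s, "|", `\|`)
	}
	ext := func(s string) string {
		s = strings.ReplaceAll(s, `\`, `\\`)
		s = strings.ReplaceAll(s, "=", `\=`)
		return strings.ReplaceAll(s, "\n", `\n`)
	}
	parts := make([]string, 0, len(e.Fields))
	for _, k := range e.sortedKeys() {
		parts = append(parts, k+"="+ext(e.Fields[k]))
	}
	return fmt.Sprintf("CEF:0|%s|%s|%s|%d|%s|%d|%s",
		hdr(vendor), hdr(product), hdr(version), e.Code, hdr(e.Name), e.Severity,
		strings.Join(parts, " "))
}

// CodeOf is the consumer side: a detection rule that only needs the code
// parses the JSON line and ignores everything else.
func CodeOf(jsonLine string) (int, error) {
	var e struct {
		Code int `json:"code"`
	}
	if err := json.Unmarshal([]byte(jsonLine), &e); err != nil {
		return 0, err
	}
	return e.Code, nil
}

func main() {
	// Constructed sample event; the field values are made up.
	ev := Event{Code: CodeDecryptFailed, Name: "decryption failed", Severity: 7,
		Fields: map[string]string{"client": "10.0.0.5", "table": "users"}}
	fmt.Println(ev.Plaintext())
	if j, err := ev.JSON(); err == nil {
		fmt.Println(j)
	}
	fmt.Println(ev.CEF("ExampleCo", "db-proxy", "0.1"))
}
```

The practical point is the code column: a rule such as "alert on code 530 more than N times per minute from one client" keeps working across releases even when the human-readable name is reworded, and the CEF escaping is what stops a field value containing `|` or `=` from shifting columns in the collector.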

  75. Secure by default

  76. Secure by default
    default strict parameters
    pre-defined configuration files
    make accidental changes unlikely
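
Steps 2 to 4 of the deployment list on slide 63 (generate keys, put them in the right place, configure with defaults) reduced to one call, plus the check a shipped testing script would run, as an added example in Go; it is not the project's own key generation tool. Component names, the config keys and the output directory are assumptions. The behaviours worth copying are the 0600 key files created with O_EXCL, so a re-run cannot overwrite a live key, and a generated config whose defaults are already the strict setting from slide 76.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Component names are assumptions for this example; they stand in for the
// talk's server / connector / keygen split.
var components = []string{"server", "connector"}

// Strict defaults baked into the generated config (hypothetical keys). An
// operator has to edit the file deliberately to weaken them, so "forgot to
// turn TLS on" cannot happen by accident.
const defaultConfig = "tls: required\nlisten: 127.0.0.1:9393\nlog_format: json\n"

// ProvisionComponent generates a 32-byte random key, writes it to
// keys/<name>.key with mode 0600, and writes <name>.yaml with the strict
// defaults. It refuses to overwrite an existing key: a second run must not
// silently rotate keys under a live deployment.
func ProvisionComponent(root, name string) error {
	keyDir := filepath.Join(root, "keys")
	if err := os.MkdirAll(keyDir, 0o700); err != nil {
		return err
	}
	keyPath := filepath.Join(keyDir, name+".key")
	f, err := os.OpenFile(keyPath, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		if errors.Is(err, os.ErrExist) {
			return fmt.Errorf("%s already exists; delete it explicitly to rotate", keyPath)
		}
		return err
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		f.Close()
		return err
	}
	if _, err := f.Write(key); err != nil {
		f.Close()
		return err
	}
	if err := f.Close(); err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(root, name+".yaml"), []byte(defaultConfig), 0o600)
}

// ProvisionAll is the "one command" from the talk: every component in one call.
func ProvisionAll(root string) error {
	for _, c := range components {
		if err := ProvisionComponent(root, c); err != nil {
			return err
		}
	}
	return nil
}

// Verify is what a shipped testing script would check on a fresh environment:
// the key exists, has the right length, is not readable by group or others,
// and the config was written next to it.
func Verify(root, name string) error {
	st, err := os.Stat(filepath.Join(root, "keys", name+".key"))
	if err != nil {
		return err
	}
	if st.Size() != 32 {
		return fmt.Errorf("%s: key is %d bytes, want 32", name, st.Size())
	}
	if st.Mode().Perm()&0o077 != 0 {
		return fmt.Errorf("%s: key is readable by other users (%v)", name, st.Mode().Perm())
	}
	if _, err := os.Stat(filepath.Join(root, name+".yaml")); err != nil {
		return err
	}
	return nil
}

func main() {
	root := "./deploy" // assumed output directory
	if err := ProvisionAll(root); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, c := range components {
		if err := Verify(root, c); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		fmt.Println("provisioned", c)
	}
}
```

Running it twice is the interesting case: the second run fails on the existing key instead of quietly replacing it, which is the difference between a script that is safe to put in a deploy pipeline and one that is not.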

  77. API design

  78. API design
    from pythemis.scell import SCellSeal
    scell = SCellSeal(key)
    encrypted_message = scell.encrypt(message, context)
    message = scell.decrypt(encrypted_message, context)
    github.com/cossacklabs

  79. API design:
    easy to use
    && unambiguous to use
    2017.hack.lu/archive/2017/hacklu-crypto-api.pdf
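
The hardened counterpart to the mcrypt snippet on slide 17, in the key-plus-context API shape of slide 78, as an added example in Go (this is not code from the talk, nor from Themis or Acra): the key is loaded from the environment instead of a string literal, AES-256-GCM replaces unauthenticated CBC, a fresh nonce is generated per call and packed into the output, and the caller's context is authenticated as associated data, so a value encrypted for one user cannot be decrypted under another user's context. The environment variable name APP_DATA_KEY_HEX, the output layout and the sample values are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"os"
)

// Assumed name of the environment variable holding the key (illustration only).
// The point is that the key is loaded at run time, never written into source.
const keyEnv = "APP_DATA_KEY_HEX"

var errKey = errors.New("key must be exactly 32 hex-encoded bytes (AES-256)")

// LoadKey reads the key from the environment and rejects anything that is not
// a 32-byte key, instead of silently padding or truncating a string literal.
func LoadKey() ([]byte, error) {
	key, err := hex.DecodeString(os.Getenv(keyEnv))
	if err != nil || len(key) != 32 {
		return nil, errKey
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errKey
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM and binds it to context, which is
// authenticated but not encrypted (a row id, a user id, a table name). A fresh
// random nonce is generated per call; the result is nonce || ciphertext || tag,
// so the caller has nothing to get wrong apart from the key and the context.
func Seal(key, plaintext, context []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, context), nil
}

// Open reverses Seal. Any change to the ciphertext, the tag or the context
// (decrypting a value that was sealed for another user) fails closed.
func Open(key, sealed, context []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, errors.New("sealed data too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], context)
}

func main() {
	key, err := LoadKey()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Constructed sample: a card number sealed for user 42.
	sealed, err := Seal(key, []byte("4111 1111 1111 1111"), []byte("user:42"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed: %x\n", sealed)
	if _, err := Open(key, sealed, []byte("user:43")); err != nil {
		fmt.Println("wrong context rejected:", err)
	}
}
```

Run it with APP_DATA_KEY_HEX set to 64 hex characters (for example the output of `openssl rand -hex 32`). Random 96-bit GCM nonces are fine for the message volumes one database key usually sees, but this is exactly the key-lifecycle item from slide 29: rotate keys before the per-key message count grows large, and never derive the nonce from anything that can repeat.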

  80. Naming

  82. Naming
    client app / writer / proxy server / database
    (db proxy)

  83. Naming
    client app / writer / connector / server / database
    (db proxy)

  84. Naming
    https://circleci.com/blog/why-did-builds-become-jobs-in-the-ui/

  85. Client side
    client app / writer
    Nodejs, Go, Python, Ruby, PHP

  87. Docs
    no docs ... tons of docs

  88. Docs
    for developers:
    integration scenarios
    security recommendations
    simple explanations
    benchmarks
    for security people:
    security model
    threat vectors
    schemes & formulas

  89. Playgrounds
    who reads docs if you
    can play with a simulator?

  90. Interactive simulator
    check that your
    encryption works

  91. Examples-examples-examples

  92. Dogfooding
    use → update → feedback → share

  93. There is no absolute
    security
    develop → test → deploy → repeat

  94. Short feedback cycle
    is key

  95. IV. Where did it get us?

  96. Secure defaults
    Unambiguous APIs
    Easy deployment
    Shipped scripts / libs
    Playgrounds

  98. adopt faster
    become less frustrated
    make fewer mistakes

  99. make user-facing decisions
    iterate faster
    plan better
    become less frustrated

  100. usable ≠ over-simplified

  102. Home reading?
    Security as a Product
    https://medium.com/@kshortridge/security-as-a-product-83a78c45ca27
    Organization security for startups
    https://github.com/forter/security-101-for-saas-startups/blob/english/security.md
    API design for cryptography
    https://2017.hack.lu/archive/2017/hacklu-crypto-api.pdf
    Boring crypto, Daniel J. Bernstein
    https://cr.yp.to/talks/2015.10.05/slides-djb-20151005-a4.pdf

  103. My other security slides
    github.com/vixentael/my-talks

  105. Image credits
    www.flaticon.com
    Authors: freepik, linector, switficons, pixelperfect, smashicons, icon pond, dinosoftlabs