Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Making Security Usable: Product Engineer Perspective

vixentael
June 29, 2018
Programming
2
670

Making Security Usable: Product Engineer Perspective

This is a story of going through typical security challenges: how to build products that reliably deliver security guarantees, avoid typical pitfalls, and are usable in a predictable fashion by real users. It's a tale of balancing religious adherence to security practices with keeping customer's needs in mind at all time inside the development team; listening to the customers and observing actual behavior outside in the wild; and trying to make the best decisions to empower customers with easy tools for encrypting data in their apps securely and without pain.

We'll take a look at the process through the eyes of one of our customers, who made all the things wrong before doing things right, and through the eyes of product engineer, responsible for learning the lessons to make security products even more usable and reliable for non-security-focused engineers.

Key takeaways:

Attendees will go through several stages of inception and implementation of database encryption/intrusion detection tools. They will see the "behind the scenes" work inside a cryptographic engineering company, will see how customers are one of the most useful people to learn from, and how getting over "we tell you what to do" mentality makes security tools better.

vixentael

June 29, 2018
Tweet

More Decks by vixentael

See All by vixentael
Using YubiKey and FIDO U2F for secure authentication
vixentael
0
1.1k
Data is a new security boundary
vixentael
0
4.1k
Cryptographic protection of ML models
vixentael
0
2.5k
e2ee != security != privacy
vixentael
0
2.1k
Maintaining cryptographic library for 12 languages
vixentael
1
3.4k
10 lines of encryption, 1500 lines of key management
vixentael
2
1.5k
Security, privacy and cryptography at WWDC19
vixentael
1
620
Data encryption: CyberKids edition
vixentael
0
550
"Defense in depth": trench warfare principles for building secure distributed applications
vixentael
3
840

Other Decks in Programming

See All in Programming
Code Reviews
bkuhlmann
4
880
二郎系ラーメンのコールで学ぶ AST 解析
memory1994
PRO
7
1.7k
HUIT新歓2024「競技プログラミング、やってみませんか?」
slephy2784
1
250
try!Swift Tokyo 2024 参加報告 LT
akidon0000
1
190
スクラムチームと認知負荷 - ニフティのスクラムトーク Vol2. / NIFTY Tech Talk #18
niftycorp
PRO
1
120
puregoの活用例
aethiopicuschan
0
220
SpringBoot+MyBatisで例外が出たときどこを見るか
syukai
0
110
Semantic search with Django and pgvector
pauloxnet
0
240
Netty Chicago Java User Group 2024-04-17
sullis
0
140
Site Reliability Engineering for GMO
pyama86
6
970
코틀린으로 멀티플랫폼 만들기
pangmoo
0
120
Ruby Pattern Matching
bkuhlmann
0
920

Featured

See All Featured
What the flash - Photography Introduction
edds
64
11k
What’s in a name? Adding method to the madness
productmarketing
PRO
15
2.6k
Into the Great Unknown - MozCon
thekraken
10
980
Embracing the Ebb and Flow
colly
79
4.1k
The Pragmatic Product Professional
lauravandoore
24
5.8k
Large-scale JavaScript Application Architecture
addyosmani
503
110k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
243
20k
Optimizing for Happiness
mojombo
370
69k
It's Worth the Effort
3n
180
27k
The MySQL Ecosystem @ GitHub 2015
samlambert
242
12k
Building Flexible Design Systems
yeseniaperezcruz
318
37k
Git: the NoSQL Database
bkeepers
PRO
422
63k

Transcript

  1. Making Security Usable: Tales of Product Engineering …in a Security

    Company @vixentael

  2. #data_security #cryptography #product_thinking #product_design

  3. @vixentael Product Engineer Feel free to reach me with security

    questions. I do check my inbox :)

  4. I. The story @vixentael

  5. A long time ago in a galaxy far, far away…

    @vixentael

  6. @vixentael

  7. @vixentael @vixentael

  8. @vixentael

  9. @vixentael

  10. @vixentael

  11. @vixentael

  12. @vixentael

  13. @vixentael Encrypt all the data!

  14. @vixentael

  15. @vixentael [email protected]

  16. @vixentael

  17. @vixentael $encrypted= mcrypt_encrypt( MCRYPT_RIJNDAEL_128, ‘54ca04988748501e93a3061763b0b6a’, $data, MCRYPT_MODE_CBC, $iv );

  18. $encrypted= mcrypt_encrypt( MCRYPT_RIJNDAEL_128, ‘54ca04988748501e93a3061763b0b6a’, $data, MCRYPT_MODE_CBC, $iv ); @vixentael PHP.

    AES-CBC

  19. $encrypted= mcrypt_encrypt( MCRYPT_RIJNDAEL_128, ‘54ca04988748501e93a3061763b0b6a’, $data, MCRYPT_MODE_CBC, $iv ); @vixentael PHP.

    AES-CBC

  20. @vixentael Invite pen-testers!

  21. @vixentael

  22. @vixentael Use pre-built tools!

  23. @vixentael postgresql encryption options cybertec-postgresql.com/en/postgresql-instance-level-encryption/ export PGENCRYPTIONKEY=db-enc-key initdb -k -K

    pgcrypto /data/dbencrypt/

  24. @vixentael "

  25. @vixentael Hire someone?

  26. No data security expertise? – Find one. @vixentael

  27. II. The challenge @vixentael

  28. @vixentael ? ..but how it should work ..and will it

    really be secure now? we want one tool that solves all problems..

  29. @vixentael key lifecycle trusted code execution environment side channel resistance

    risk echelonization

  30. @vixentael ?

  31. @vixentael ?

  32. @vixentael

  33. database encryption proxy @vixentael

  34. @vixentael client app writer proxy database database encryption proxy

  35. @vixentael client app writer proxy server database keygen zones IDS

  36. @vixentael

  37. @vixentael Hard to build

  38. @vixentael Pain to manage

  39. @vixentael

  40. None
  41. None

  42. @vixentael accep- tance denial anger barga- ining depre- ssion

  43. Listen to customers. It improves everything... even security! @vixentael

  44. III. The adventure @vixentael

  45. @vixentael security model key/trust scheme encryption scheme cipher suits

  46. @vixentael security model key/trust scheme encryption scheme cipher suits

  47. @vixentael – real time analytics (user actions) – servers load

    – error logs – user testing / user research – open tickets / issues

  48. @vixentael – real time analytics (user actions) – user testing

    / user research – servers load – open tickets / issues – error logs

  49. @vixentael ?

  50. @vixentael ?

  51. Bad Usability → Bad Security @vixentael

  52. @vixentael

  53. Data Security Assistance Program @vixentael business model / regulations risks

    to data threat model / attack vectors data security scheme

  54. @vixentael Analyze use-cases

  55. Analyze use-cases @vixentael Hard to deploy Hard to support Easy

    to misuse Hard to verify

  56. @vixentael

  57. @vixentael Deployment

  58. @vixentael Deployment code Multiple channels of distribution

  59. @vixentael Deployment code Multiple channels of distribution

  60. @vixentael Deployment code built packages (.pkg) Multiple channels of distribution

  61. @vixentael Deployment Multiple channels of distribution code built packages (.pkg)

    docker images VM images chef configuration docker compose

  62. @vixentael Deployment

  63. @vixentael Deployment 1. Download, build, install every component 2. Generate

    keys / tokens for each component 3. Put keys into right folders (PK exchange) 5. Run components using correct config 4. Configure each component (port, keys)

  64. 2. Generate keys / tokens for each component @vixentael Deployment

    1. Download, build, install every component 3. Put keys into right folders (PK exchange) 5. Run components using correct config 4. Configure each component (port, keys) script

  65. @vixentael Deployment 1. Download, build, install every component 3. Put

    keys into right folders (PK exchange) 5. Run components using correct config 4. Configure each component (port, keys) 2. Generate keys / tokens for each component script

  66. @vixentael Deployment 1. Download, build, install every component 3. Put

    keys into right folders (PK exchange) 5. Run components using correct config 4. Configure each component (port, keys) defaults 2. Generate keys / tokens for each component script

  67. @vixentael Deployment 1. Download, build, install every component 3. Put

    keys into right folders (PK exchange) 5. Run components using correct config 4. Configure each component (port, keys) one command! 2. Generate keys / tokens for each component

  68. @vixentael Deployment Pre-baked configurations docker-compose -f <compose_file>.yml up

  69. @vixentael Deployment Pre-baked configurations mysql-ssl-server-ssl.yml MySQL <-SSL-> AServer <-SSL-> client

  70. @vixentael Deployment Pre-baked configurations mysql-ssl-server-ssl.yml MySQL <-SSL-> AServer <-SSL-> client

    pgsql-nossl-server-ssession-connector.yml PostgreSQL <-> AServer <-SecureSession-> AConnector <---> client ‘-> AWebconfig

  71. @vixentael Deployment Pre-baked configurations

  72. @vixentael Deployment Integration tests everywhere – run on 12 OSs

    – run on empty environments – provide testing scripts for users

  73. @vixentael Integration – logging formats (plaintext, json, CEF) – infrastructure

    as a code (configs everywhere) – event formats (unique event codes) Good products do not exist in a vacuum

  74. @vixentael

  75. @vixentael Secure by default

  76. @vixentael default strict parameters pre-defined configuration files make accidental changes

    unlikely Secure by default

  77. API design

  78. API design from pythemis.scell import SCellSeal scell = SCellSeal(key) encrypted_message

    = scell.encrypt(message, context) message = scell.decrypt(encrypted_message, context) github.com/cossacklabs @vixentael

  79. easy to use @vixentael API design unambiguous to use 2017.hack.lu/archive/2017/hacklu-crypto-api.pdf

    &&

  80. @vixentael Naming

  81. @vixentael Naming writer proxy server database

  82. db proxy client app @vixentael Naming writer proxy server database

  83. db proxy client app @vixentael Naming writer connector server database

  84. @vixentael Naming https://circleci.com/blog/why-did-builds-become-jobs-in-the-ui/

  85. @vixentael Client side client app writer Nodejs Go Python Ruby

    PHP

  86. @vixentael

  87. @vixentael Docs no docs tons of docs

  88. @vixentael Docs for developers integration scenarios security recommendations simple explanations

    benchmarks security model threat vectors schemes & formulas for security ppl

  89. @vixentael Playgrounds who reads docs if you can play with

    simulator?

  90. @vixentael Interactive simulator check your encryption works

  91. Examples-examples- examples @vixentael

  92. Dogfooding @vixentael use update feedback share

  93. There is no absolute security @vixentael develop test deploy repeat

  94. Short feedback cycle is a key @vixentael

  95. IV. Where it got us? @vixentael

  96. @vixentael Secure defaults Unambiguous APIs Easy deployment Shipped scripts /

    libs Playgrounds

  97. @vixentael Secure defaults Unambiguous APIs Easy deployment Shipped scripts /

    libs Playgrounds

  98. @vixentael adopt faster become less frustrated make less mistakes

  99. @vixentael make user-facing decisions iterate faster plan better become less

    frustrated

  100. usable ≠ over-simplified @vixentael

  101. @vixentael

  102. Home reading? https://medium.com/@kshortridge/security-as-a-product-83a78c45ca27 Security as a Product https://github.com/forter/security-101-for-saas-startups/blob/english/security.md Organization security

    for startups https://2017.hack.lu/archive/2017/hacklu-crypto-api.pdf API design for cryptography https://cr.yp.to/talks/2015.10.05/slides-djb-20151005-a4.pdf Boring crypto, Daniel J. Bernstein

  103. My other security slides github.com/vixentael/ my-talks

  104. @vixentael Product Engineer Feel free to reach me with security

    questions. I do check my inbox :)

  105. Image credits www.flaticon.com freepik, linector, switficons, pixelperfect, smashicons, icon pond,

    dinosoftlabs Authors: