© 2021 SEC Consult | All rights reserved
A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public
WELCOME!
Building a secure architecture
A deep-dive into security design principles
January 21, 2021 | with Thomas Kerbl

Thomas Kerbl
Principal Security Consultant
t.kerbl@sec-consult.com
https://twitter.com/dementophobia
• 20+ years of experience in information security
• 50+ speeches
• Service Owner for "Secure Software Development Consulting"
• Team leader
• Security Analyst, Security Architect
Education
• MSc @ Technikum Vienna, Specialization in Multimedia & Software Development
• Dipl. Ing @ Hagenberg, Specialization in Computer- and Media Security
Certificates
• Accredited ÖNORM A 7700 Auditor
• ISTQB Certified Tester
• ISAQB Certified Professional for Software Architecture
• ISSECO Certified Professional for Secure Software Engineering
• PCiIAA Practitioner Certificate in Information Assurance Architecture

What are Security Design Principles?
➢ Principle: A rule or belief governing one's behavior.
➢ High-level concepts that guide security design
➢ Agnostic concerning
• Technology
• Mechanism
• Development Methodology
• Industry / Type of Organization
AVAILABILITY
CONFIDENTIALITY
INTEGRITY
Choose your principles carefully for each protection profile!

Security Design Principles – Defense in Depth
➢ Multiple security controls on multiple layers
➢ If one control breaks, others mitigate the impact
➢ Mechanisms must not rely on each other
➢ No single point of failure from a defense perspective
Build as many walls as required around your crown jewels!

Security Design Principles – Open Design
➢ Also known as: No Security by Obscurity
➢ Security does not depend on concealment of algorithms and architecture
➢ The application shall remain secure even when the architecture is made public
➢ Does not cover credentials for authentication and cryptographic secrets; these still have to be kept secret
This does not imply that the source code must be open source, but you should be comfortable even if your source code leaks!

Security Design Principles – Principle of general mistrust
➢ External data should be viewed as not trustworthy
➢ Many vulnerability classes can be eliminated through proper input validation
➢ All validation mechanisms must be implemented at least on the server side
➢ Rules must be strict, but still allow all valid use cases
Regardless of whether data originates from a user or a backend system, input data must always be subjected to strict validation.

Security Design Principles – Least Privilege
➢ Actors are given the minimum level of access rights
➢ Privileges are only granted as long as required
➢ Potential damage caused by actors (real or compromised) is limited
➢ Example: Never browse the web with administrative privileges
Assigning rights to actors beyond the necessary scope can allow actors to obtain or modify information in unwanted ways.

Security Design Principles – Separation of Privilege
➢ Critical operations require two or more authenticated actors
➢ If only one secret gets compromised, no damage can be done
➢ Examples for implementation:
• Two or more key cards to access a Hardware Security Module (HSM)
• Two or more cryptographic keys are required to decrypt a message
• Two or more people split a passphrase for a system
Ensure that no single actor can perform critical operations on their own!
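
The passphrase-splitting case from the list above, as an added example that is not part of the original slides: a passphrase is split into n XOR shares so that all n holders must cooperate to recover it. The function names and the two-byte share header are assumptions made for this sketch.

```python
import secrets
from functools import reduce

# Share layout (constructed for this example):
#   byte 0 = index of the share, byte 1 = total number of shares,
#   remaining bytes = payload of the same length as the secret.


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_secret(secret: bytes, holders: int) -> list:
    """Split `secret` into `holders` shares; ALL of them are needed to recover it."""
    if not 2 <= holders <= 255:
        raise ValueError("need between 2 and 255 holders")
    if not secret:
        raise ValueError("secret must not be empty")
    # holders-1 shares are pure randomness ...
    pads = [secrets.token_bytes(len(secret)) for _ in range(holders - 1)]
    # ... and the last share is the secret XORed with every pad, so any
    # subset that misses one share is statistically independent of the secret.
    last = reduce(_xor, pads, secret)
    return [bytes([i, holders]) + body for i, body in enumerate(pads + [last])]


def combine_shares(shares: list) -> bytes:
    """Recover the secret; refuse unless every holder contributed exactly once."""
    if not shares or any(len(s) < 3 for s in shares):
        raise PermissionError("no usable shares presented")
    total = shares[0][1]
    if any(len(s) != len(shares[0]) or s[1] != total for s in shares):
        raise ValueError("shares do not belong to the same split")
    if sorted(s[0] for s in shares) != list(range(total)):
        raise PermissionError("critical operation needs every holder's share")
    return reduce(_xor, (s[2:] for s in shares))


if __name__ == "__main__":
    passphrase = b"correct horse battery staple"   # constructed sample value
    parts = split_secret(passphrase, 3)
    print("all three holders:", combine_shares(parts))
    try:
        combine_shares(parts[:2])
    except PermissionError as exc:
        print("two holders only:", exc)
```

The shares carry no integrity protection: a modified or foreign share of the right length yields a wrong passphrase without an error, so the recovered value should be verified by the system that consumes it.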

Security Design Principles – Economy of Mechanism
➢ Also known as: KISS – Keep it small and simple
➢ Also known as: Minimize the attack surface
➢ Only functionality defined by use cases is implemented
➢ Small systems are less prone to error and easier to audit
➢ Only include libraries and frameworks that you really need
The more functionality that is built in, the more potential points of entry attackers have.

Security Design Principles – Least Common Mechanism aka. Isolation
➢ Limit shared resources and information paths
➢ Compromise of one component does not affect other components
➢ Examples for implementation:
• Multitenancy
• Sandbox environments
• Separate endpoints for authentication of administrators and users
Choosing the right level of isolation is the result of a sensible trade-off between cost and security.

Security Design Principles – Complete Mediation
➢ Every access to an object must be checked for authority
➢ Permissions must be checked with every request
➢ Examples:
• Changed permissions will be applied immediately
• Force logout of user to refresh permissions during login
Don’t cache your permissions, or else force cache updates! Otherwise changes will only be applied after the cache is updated.
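
An added example (not from the original slides) of the caching pitfall described above: one check trusts a snapshot taken at login, one consults the permission store on every request, and one forces a logout as soon as the permissions changed. All class, function and permission names are hypothetical.

```python
class SessionExpired(Exception):
    """Raised when a session must be re-established to pick up new permissions."""


class PermissionStore:
    """Authoritative source of permissions (in-memory stand-in for this example)."""

    def __init__(self):
        self._grants = {}    # user -> set of permission strings
        self._version = {}   # user -> counter bumped on every change

    def _bump(self, user):
        self._version[user] = self._version.get(user, 0) + 1

    def grant(self, user, perm):
        self._grants.setdefault(user, set()).add(perm)
        self._bump(user)

    def revoke(self, user, perm):
        self._grants.get(user, set()).discard(perm)
        self._bump(user)

    def has(self, user, perm):
        return perm in self._grants.get(user, set())

    def version(self, user):
        return self._version.get(user, 0)

    def snapshot(self, user):
        return frozenset(self._grants.get(user, set()))


class Session:
    """Created at login; remembers the permissions and store version seen then."""

    def __init__(self, store, user):
        self.user = user
        self.cached = store.snapshot(user)
        self.version = store.version(user)


def cached_check(session, perm):
    """Anti-pattern: only the login-time snapshot is consulted, so a
    revocation stays invisible until the user logs in again."""
    return perm in session.cached


def mediated_check(store, session, perm):
    """Complete mediation: the authoritative store decides on every request."""
    return store.has(session.user, perm)


def check_or_force_logout(store, session, perm):
    """Cached rights are used only while the store version is unchanged;
    any change ends the session so permissions are refreshed during login."""
    if store.version(session.user) != session.version:
        raise SessionExpired("permissions changed, please log in again")
    return perm in session.cached


if __name__ == "__main__":
    store = PermissionStore()
    store.grant("alice", "invoice:approve")        # constructed sample data
    session = Session(store, "alice")
    store.revoke("alice", "invoice:approve")
    print("cached  :", cached_check(session, "invoice:approve"))
    print("mediated:", mediated_check(store, session, "invoice:approve"))
```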

Security Design Principles – Secure the weakest link first
➢ Invest your resources where they matter most
➢ Attackers are more likely to attack weak spots
➢ A single high-risk vulnerability can put the whole system in jeopardy
➢ Consider the weakest link first in all your security decisions
Put yourself into the perspective of the attacker. Where would YOU break into the system?

Security Design Principles – Fail Safe
➢ If the application fails, it shall do so securely
➢ Failing safe involves restoring to a secure state
➢ Attackers cannot gain access and obtain information during a failure
➢ Confidentiality and integrity shall be preserved even when availability is lost
Anticipate failures and handle them in your application. Use last resort error handlers for unexpected failures!
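
An added example (not from the original slides) of failing closed: an access decision that denies when it cannot decide, and a last-resort handler that keeps failure details in the internal log and returns only a generic answer. The handler shape, the request dictionary and all names are assumptions made for this sketch.

```python
import logging
import uuid

log = logging.getLogger("app")


class PolicyBackendDown(Exception):
    """Hypothetical error raised when the permission backend is unreachable."""


def is_allowed(lookup, user, resource):
    """Fail closed: only an explicit True grants access; an error while
    deciding, or any other return value, results in 'deny'."""
    try:
        return lookup(user, resource) is True
    except Exception:
        log.exception("policy lookup failed, denying %s -> %s", user, resource)
        return False


def last_resort(handler):
    """Wrap a request handler so that unexpected failures end in a secure state."""
    def wrapped(request):
        try:
            return handler(request)
        except Exception:
            incident = uuid.uuid4().hex
            # Stack trace and context stay in the internal log ...
            log.exception("unhandled failure, incident=%s", incident)
            # ... the caller gets no data and no internals, only a reference.
            return {"status": 500, "body": "Internal error", "incident": incident}
    return wrapped


def make_handler(lookup, documents):
    """Build a document endpoint on top of the two safeguards above."""
    @last_resort
    def get_document(request):
        if not is_allowed(lookup, request["user"], request["doc"]):
            return {"status": 403, "body": "Forbidden"}
        # A missing document raises KeyError here: an unanticipated failure
        # that the last-resort handler turns into a generic response.
        return {"status": 200, "body": documents[request["doc"]]}
    return get_document


if __name__ == "__main__":
    docs = {"report": "Q4 figures"}                # constructed sample data

    def backend_down(user, doc):
        raise PolicyBackendDown("timeout")

    handler = make_handler(backend_down, docs)
    print(handler({"user": "alice", "doc": "report"}))   # denied, not served
```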

Security Design Principles – Psychological acceptability
➢ Make your systems easy to use in a secure fashion
➢ Security mechanisms should be as unintrusive as possible
➢ Examples:
• Allow copy/paste from password stores
• Provide guidance for the creation of strong passwords
• Provide secure defaults
If you make the life of users too complicated, they will find ways to circumvent important security mechanisms.

Security Design Principles – Eliminate root causes
➢ Don’t apply localized patches to systemic problems
➢ Identified vulnerabilities must be eliminated at their root
➢ Perform root cause analysis for all new types of vulnerabilities
➢ This should be part of a well-defined security defect life-cycle
Patching a vulnerability locally fixes one issue. Eliminating the root cause improves the whole architecture.

Security Design Principles – Leverage existing components
➢ Shared services should be properly validated and considered secure
➢ Invest in security once, benefit often
➢ Using those components does not introduce new vulnerabilities
➢ Provide guidance on how to use them in a secure fashion
Components can be many things: Infrastructure, Services, Frameworks, Libraries, Functions, etc.

Recommended Reading
A deep dive into Secure Software Development based on OWASP SAMM
https://r.sec-consult.com/SSDLC
https://www.heise.de/hintergrund/Sichere-Software-entwickeln-mit-OWASP-SAMM-4918292.html
@Dementophobia
Follow me for Updates!

Q&A
ASK ME ANYTHING!
Thomas Kerbl
t.kerbl@sec-consult.com
https://twitter.com/dementophobia
https://at.linkedin.com/in/thomas-kerbl-2ab81648
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks
 
SBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
SBA Live Academy, Rechtliche Risiken mit externen MitarbeiternSBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
SBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
 
SBA Live Academy, What the heck is secure computing
SBA Live Academy, What the heck is secure computingSBA Live Academy, What the heck is secure computing
SBA Live Academy, What the heck is secure computing
 
Tools & techniques, building a dev secops culture at mozilla sba live a...
Tools & techniques, building a dev secops culture at mozilla   sba live a...Tools & techniques, building a dev secops culture at mozilla   sba live a...
Tools & techniques, building a dev secops culture at mozilla sba live a...
 
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
 
SBA Live Academy - Secure Containers for Developer by Mathias Tausig
SBA Live Academy - Secure Containers for Developer by Mathias TausigSBA Live Academy - Secure Containers for Developer by Mathias Tausig
SBA Live Academy - Secure Containers for Developer by Mathias Tausig
 
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
 
SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...
SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...
SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...
 
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
 
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
 
SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...
SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...
SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...
 
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon TjoaSBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
 
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald SenderaSBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
 
SBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
SBA Live Academy: A Primer in Single Page Application Security by Thomas KonradSBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
SBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
 

Kürzlich hochgeladen

Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 

Kürzlich hochgeladen (20)

Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 

Building Security Design Principles

  • 1. WELCOME! Building a secure architecture
    A deep-dive into security design principles
    January 21, 2021 | with Thomas Kerbl
    © 2021 SEC Consult | All rights reserved
    Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 | Confidentiality Class: Public
  • 2. Thomas Kerbl, Principal Security Consultant
    t.kerbl@sec-consult.com
    https://twitter.com/dementophobia
    • 20+ years experience in information security
    • 50+ speeches
    • Service Owner for "Secure Software Development Consulting"
    • Team leader
    • Security Analyst, Security Architect
    Education
    • MSc @ Technikum Vienna, Specialization in Multimedia & Software Development
    • Dipl. Ing @ Hagenberg, Specialization in Computer- and Media Security
    Certificates
    • Accredited ÖNORM A 7700 Auditor
    • ISTQB Certified Tester
    • ISAQB Certified Professional for Software Architecture
    • ISSECO Certified Professional for Secure Software Engineering
    • PCiIAA Practitioner Certificate in Information Assurance Architecture
  • 3. What are Security Design Principles?
    ➢ Principle: A rule or belief governing one's behavior.
    ➢ High level concepts that guide security design
    ➢ Agnostic concerning
      • Technology
      • Mechanism
      • Development Methodology
      • Industry / Type of Organization
    AVAILABILITY / CONFIDENTIALITY / INTEGRITY
    Choose your principles carefully for each protection profile!
  • 4. Security Design Principles – Defense in Depth
    ➢ Multiple security controls on multiple layers
    ➢ If one control breaks, others mitigate the impact
    ➢ Mechanisms must not rely on each other
    ➢ No single point of failure from a defense perspective
    Build as many walls as required around your crown jewels!
  • 5. Security Design Principles – Open Design
    ➢ Also known as: No Security by Obscurity
    ➢ Security does not depend on concealment of algorithms and architecture
    ➢ The application shall remain secure even when the architecture is made public
    ➢ Does not include credentials for authentication and cryptographic secrets
    This does not imply that the source code must be open source, but you should be comfortable even if your source code leaks!
  • 6. Security Design Principles – Principle of general mistrust
    ➢ External data should be viewed as not trustworthy
    ➢ Many vulnerability classes can be eliminated through proper input validation
    ➢ All validation mechanisms must be at least implemented on server side
    ➢ Rules must be strict, but still allow all valid use cases
    Regardless of whether data originates from a user or a backend system, input data must always be subjected to strict validation.
  • 7. Security Design Principles – Least Privilege
    ➢ Actors are given the minimum level of access rights
    ➢ Privileges are only granted as long as required
    ➢ Potential damage caused by actors (real or compromised) is limited
    ➢ Example: Never browse the web with administrative privileges
    Assigning rights to actors beyond the necessary scope can allow actors to obtain or modify information in unwanted ways.
  • 8. Security Design Principles – Separation of Privilege
    ➢ Critical operations require two or more authenticated actors
    ➢ If only one secret gets compromised, no damage can be done
    ➢ Examples for implementation:
      • Two or more key cards to access Hardware Security Module (HSM)
      • Two or more cryptographic keys are required to decrypt a message
      • Two or more people split a passphrase for a system
    Ensure that no single actor can perform critical operations on their own!
  • 9. Security Design Principles – Economy of Mechanism
    ➢ Also known as: KISS – Keep it small and simple
    ➢ Also known as: Minimize the attack surface
    ➢ Only functionality defined by use cases is implemented
    ➢ Small systems are less prone to error and easier to audit
    ➢ Only include libraries and frameworks that you really need
    The more functionality that is built in, the more potential points of entry attackers have.
  • 10. Security Design Principles – Least Common Mechanism aka. Isolation
    ➢ Limit shared resources and information paths
    ➢ Compromise of one component does not affect other components
    ➢ Examples for implementation
      • Multitenancy
      • Sandbox environments
      • Separate endpoints for authentication of administrators and users
    Choosing the right level of isolation is the result of a sensible trade-off between cost and security.
  • 11. Security Design Principles – Complete Mediation
    ➢ Every access to an object must be checked for authority
    ➢ Permissions must be checked with every request
    ➢ Examples:
      • Changed permissions will be applied immediately
      • Force logout of user to refresh permissions during login
    Don’t use caches for your permissions or force updates! Changes will only be applied after cache is updated.
  • 12. Security Design Principles – Secure the weakest link first
    ➢ Invest your resources where they matter most
    ➢ Attackers are more likely to attack weak spots
    ➢ A single high-risk vulnerability can put the whole system in jeopardy
    ➢ Consider the weakest link first in all your security decisions
    Put yourself into the perspective of the attacker. Where would YOU break into the system?
  • 13. Security Design Principles – Fail Safe
    ➢ If the application fails it shall do so securely
    ➢ Failing safe involves restoring to a secure state
    ➢ Attackers cannot gain access and obtain information during a failure
    ➢ Confidentiality and integrity shall remain although availability was lost
    Anticipate failures and handle them in your application. Use last resort error handlers for unexpected failures!
  • 14. Security Design Principles – Psychological acceptability
    ➢ Make your systems easy to use in a secure fashion
    ➢ Security mechanisms should be as unintrusive as possible
    ➢ Examples:
      • Allow copy/paste from password stores
      • Provide guidance for the creation of strong passwords
      • Provide secure defaults
    If you make the life of users too complicated, they will find ways to circumvent important security mechanisms.
  • 15. Security Design Principles – Eliminate root causes
    ➢ Don’t apply localized patches to systemic problems
    ➢ Identified vulnerabilities must be eliminated at their root
    ➢ Perform root cause analysis for all new types of vulnerabilities
    ➢ This should be part of a well-defined security defect life-cycle
    Patching a vulnerability locally fixes one issue. Eliminating the root cause improves the whole architecture.
  • 16. Security Design Principles – Leverage existing components
    ➢ Shared services should be properly validated and considered secure
    ➢ Invest in security once, benefit often
    ➢ Using those components does not introduce new vulnerabilities
    ➢ Provide guidance on how to use them in a secure fashion
    Components can be many things: Infrastructure, Services, Frameworks, Libraries, Functions, etc.
  • 17. Recommended Reading
    A deep dive into Secure Software Development based on OWASP SAMM
    https://r.sec-consult.com/SSDLC
    https://www.heise.de/hintergrund/Sichere-Software-entwickeln-mit-OWASP-SAMM-4918292.html
    Follow me for Updates! @Dementophobia
  • 19. Q&A – ASK ME ANYTHING!
    Thomas Kerbl
    t.kerbl@sec-consult.com
    https://twitter.com/dementophobia
    https://at.linkedin.com/in/thomas-kerbl-2ab81648
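
An added example, not part of the slides, for Complete Mediation (slide 11) and Fail Safe (slide 13): a session that copies permissions at login keeps serving a revoked right, while a session that checks the authoritative store on every request applies the change immediately and denies access when the store fails. All class and function names and the sample data are hypothetical.

```python
"""Complete Mediation and Fail Safe on one request path (constructed example)."""


class StoreUnavailable(Exception):
    """The authoritative permission store could not be reached."""


class PermissionStore:
    """Hypothetical authoritative store mapping user -> {(action, object)}."""

    def __init__(self):
        self._grants = {}
        self.available = True  # flipped to False to simulate an outage

    def grant(self, user, action, obj):
        self._grants.setdefault(user, set()).add((action, obj))

    def revoke(self, user, action, obj):
        self._grants.get(user, set()).discard((action, obj))

    def snapshot(self, user):
        return set(self._grants.get(user, set()))

    def is_allowed(self, user, action, obj):
        if not self.available:
            raise StoreUnavailable("permission store unreachable")
        return (action, obj) in self._grants.get(user, set())


class CachedSession:
    """Weak: permissions are copied once at login and never refreshed."""

    def __init__(self, store, user):
        self._perms = store.snapshot(user)

    def handle(self, action, obj):
        return "200 OK" if (action, obj) in self._perms else "403 Forbidden"


class MediatedSession:
    """Hardened: every request is checked against the live store."""

    def __init__(self, store, user):
        self._store, self._user = store, user

    def handle(self, action, obj):
        try:
            allowed = self._store.is_allowed(self._user, action, obj)
        except Exception:
            # Last-resort handler: an unexpected failure denies access
            # (availability is lost, confidentiality and integrity are kept).
            return "503 Service Unavailable"
        return "200 OK" if allowed else "403 Forbidden"


def demo():
    """Run the same request through both sessions in three situations."""
    store = PermissionStore()
    store.grant("alice", "read", "report-7")  # constructed sample data
    cached = CachedSession(store, "alice")
    mediated = MediatedSession(store, "alice")
    request = ("read", "report-7")

    results = {"granted": (cached.handle(*request), mediated.handle(*request))}
    store.revoke("alice", *request)
    results["revoked"] = (cached.handle(*request), mediated.handle(*request))
    store.available = False
    results["store_down"] = (cached.handle(*request), mediated.handle(*request))
    return results


if __name__ == "__main__":
    for situation, (weak, hardened) in demo().items():
        print(f"{situation:10}  cached={weak:15}  mediated={hardened}")
```

If a permission cache cannot be avoided, the revoke path has to invalidate it, which is the "force updates" option the slide mentions.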