defense in depth in depth
play

Defense in Depth: In Depth Presented by: Chelsea H. Komlo About me - PowerPoint PPT Presentation

Jan 04, 2023 •229 likes •564 views

Defense in Depth: In Depth Presented by: Chelsea H. Komlo About me - Software engineer, privacy and security engineer - HashiCorp, ThoughtWorks, Tor - Worked in 5 countries and two languages About this talk - NOT how to do security -

  1. Defense in Depth: In Depth Presented by: Chelsea H. Komlo

  2. About me - Software engineer, privacy and security engineer - HashiCorp, ThoughtWorks, Tor - Worked in 5 countries and two languages

  3. About this talk - NOT how to do security - The purpose of this talk to discuss how to think defensively about your system at every level.

  4. What I often come across when talking about security

  5. You could have the most awesome encryption standard, but pressing the enter key could sidestep all authentication.

  6. One vulnerable third-party library leads to hundreds of millions of sensitive PII being stolen

  7. Security is holistic.

  8. Defense in depth is necessary for a secure system Goal: One vulnerability won’t result in compromising the entire system.

  9. We’ll look at defense in depth from a variety of viewpoints - Low level (code) - Mid level (teams) - High level (architecture) - Highest level (product strategy)

  10. Defense in depth: Code - Maintain code quality - Leverage automated tooling - Meaningful automated tests

  11. Defense in Depth: Maintain code quality - Antipattern: Making assumptions when writing code. - Pattern: Code should written defensively - Takeaway: Security vulnerabilities are bugs!

  12. Example: Brittle code // Should never be called with nil func sayName(p *Person) { fmt.Printf(“%s”, p.Name) }

  13. Defense in Depth: Leverage automated tooling - Antipattern: Minimal compile-time validation - Pattern: Enable language-specific compile-time checks - Takeaway: Humans fail! Leverage automated tooling where possible

  14. Example: Automated code analysis - Go Race Detector - ASAN - GCC: -Wall -Wextra

  15. Defense in Depth: Meaningful automated test cases - Antipattern: Adding a single test case for a function - Pattern: Having test cases that exercise your code with varying granularity. - Takeaway: Don’t be single-dimensional in your tests!

  16. Testing at multiple levels: - Unit - Integration - E2E - Soak - Time-based - Fuzzing

  17. Defense in depth: Teams - No more “rock stars” - No “throw over the wall” security requirements

  18. Defense in Depth: No more rock stars - Antipattern: Someone on the team pushing lots of code to master without a review. - Pattern: All code goes through thorough code review (from anyone on the team) - Takeaway: Security is a team sport!

  19. Defense in Depth: No “throw over the wall” security requirements - Antipattern: Long list of requirements from your security team. - Pattern: Development teams and security teams closely collaborating. - Takeaway: Collaborate.

  20. Defense in depth: Architecture - Managing evolution cleanly - Automate infrastructure

  21. Defense in Depth: Manage evolution cleanly - Anitipattern: Layers of “cruft” and deprecated features. - Pattern: Remove deprecated code paths, strive for minimal branching. - Takeaway: Your attacker will know your system better than you will!

  22. Example: OpenSSL versus OpenBSD’s LibreSSL Over 90,000 lines of code removed.

  23. Defense in depth: Automate infrastructure - Anitipattern: Bespoke, artisanal server management. - Pattern: Use automated tooling to manage your cluster. - Takeaway: The less manual effort, the fewer “forgotten holes.”

  24. Example: Cluster schedulers for Secops

  25. Defense in depth: Product Strategy - Privacy and security serve the same ends - Consider your users’ threat model

  26. Defense in Depth: Privacy and security serve the same ends - Antipattern: Collecting all possible data - Pattern: Collect only what is strictly necessary - Takeaway: Strive for privacy by design, as opposed to retroactive privacy.

  27. Example: Encrypted messaging applications

  28. Defense in Depth: Consider your users’ threat model - Antipattern: Planning for only your organization’s security needs - Pattern: Consider every user’s needs, including at-risk users in your threat model - Takeaway: Be aware of decisions that place users at greater risk

  29. Example: Sensitive data and third parties

  30. Example: Consider vulnerable users

  31. Security must be holistic! This means all roles, all people, working together thoughtfully. There is no partial credit in security!

  32. Thank you!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

GANT: A Defense in Depth Approach TF-MSP Wayne Routly Trondheim.no Security Manager

GANT: A Defense in Depth Approach TF-MSP Wayne Routly Trondheim.no Security Manager

GANT: A Defense in Depth Approach TF-MSP Wayne Routly Trondheim.no Security Manager September 2013 DANTE connect communicate collaborate Before . connect communicate collaborate Agenda Defence in Depth - A Layered

323 views • 9 slides
Tsinghua University Monocular Depth-Pose Prediction [R, t] Depth and Pose RGB PoseNet

Tsinghua University Monocular Depth-Pose Prediction [R, t] Depth and Pose RGB PoseNet

Wang Zhao, Shaohui Liu, Yezhi Shu, Yong-Jin Liu Tsinghua University Monocular Depth-Pose Prediction [R, t] Depth and Pose RGB PoseNet Fails to Generalize! All Drift ! Depth estimation in Indoor environments with Visual Odometry with

610 views • 15 slides
RGBD Tutorial 14210240041 Gu Pan Image RGB YUV Lab Depth Image RGB image Depth image Each pixel in

RGBD Tutorial 14210240041 Gu Pan Image RGB YUV Lab Depth Image RGB image Depth image Each pixel in

RGBD Tutorial 14210240041 Gu Pan Image RGB YUV Lab Depth Image RGB image Depth image Each pixel in depth image shows the distance to camera Device Kinect Kinect2 (we use) SoftKinetic Leapmotion Kinect Depth camera developed by

480 views • 29 slides
Depth from HDR: Depth Induction or Increased Realism? P. Vangorp 1 R. K. Mantiuk 2 B. Bazyluk 3

Depth from HDR: Depth Induction or Increased Realism? P. Vangorp 1 R. K. Mantiuk 2 B. Bazyluk 3

Depth from HDR: Depth Induction or Increased Realism? P. Vangorp 1 R. K. Mantiuk 2 B. Bazyluk 3 K. Myszkowski 1 R. Mantiuk 3 S. J. Watt 2 H.-P. Seidel 1 1 MPI Informatik 2 Bangor University 3 West Pomeranian 3 University of Technology Depth from

466 views • 34 slides
Depth & Complexity Framework - Understanding the pieces ELP Depth and Complexity Resource

Depth & Complexity Framework - Understanding the pieces ELP Depth and Complexity Resource

Depth & Complexity Framework - Understanding the pieces ELP Depth and Complexity Resource Page: https://www.jtayloreducation.com/tagtelp/ J Taylor Education, 2016 Depth & Complexity Framework Understanding the parts Think Like A

254 views • 22 slides
Learnings from Fukushima Dai-ichi Accident: - Defense-in-Depth, Human and Organizational aspects,

Learnings from Fukushima Dai-ichi Accident: - Defense-in-Depth, Human and Organizational aspects,

2016/3/30 Learnings from Fukushima Dai-ichi Accident: - Defense-in-Depth, Human and Organizational aspects, Safety approaches- Akira OMOTO, Professor, Tokyo Institute of Technology (omoto@nr.titech.ac.jp) Ou Outline Weakness in the application

650 views • 38 slides
How to use Encryption for Defense in Depth In Native and Browser Apps Isaac Potoczny-Jones

How to use Encryption for Defense in Depth In Native and Browser Apps Isaac Potoczny-Jones

How to use Encryption for Defense in Depth In Native and Browser Apps Isaac Potoczny-Jones ijones@tozny.com November 13, 2019 @SyntaxPolice https://tozny.com When we think of driving safety We address both the road and the car.

446 views • 42 slides
Tillage Depth Control (TDC) Benefits of Tillage Depth Control Is the definition of precision

Tillage Depth Control (TDC) Benefits of Tillage Depth Control Is the definition of precision

Tillage Depth Control (TDC) Benefits of Tillage Depth Control Is the definition of precision agriculture! Increased efficiency Automating time consuming tasks Enables less skilled workers to perform the task better Accurate

353 views • 11 slides
WHAT DEPTH ? Drillers Depth Determination Harald Bolt 1 45 th General Meeting March 17 th ,

WHAT DEPTH ? Drillers Depth Determination Harald Bolt 1 45 th General Meeting March 17 th ,

WHAT DEPTH ? Drillers Depth Determination Harald Bolt 1 45 th General Meeting March 17 th , 2017 The Hague, The Netherlands Wellbore Positioning Technical Section Speaker Information Harald Bolt What Depth ? March 17, 2017

266 views • 24 slides
Unsupervised Monocular Depth Estimation CNN Robust to Training Data Diversity Valery

Unsupervised Monocular Depth Estimation CNN Robust to Training Data Diversity Valery

Unsupervised Monocular Depth Estimation CNN Robust to Training Data Diversity Valery Anisimovskiy, Andrey Shcherbinin, 15 May, 2020 Sergey Turko and Ilya Kurilin Problem Statement: Depth Sensors limitations IR depth sensor Stereo camera

670 views • 21 slides
A Near-Optimal Depth-Hierarchy Theorem for Small-Depth Multilinear Circuits Nutan Limaye Compuer

A Near-Optimal Depth-Hierarchy Theorem for Small-Depth Multilinear Circuits Nutan Limaye Compuer

A Near-Optimal Depth-Hierarchy Theorem for Small-Depth Multilinear Circuits Nutan Limaye Compuer Science and Engineering Department, Indian Institute of Technology, Bombay, (IITB) India. Joint work with Suryajith Chillara, Christian Engels,

2.53k views • 191 slides
Depth Sensing and Deep Learning: Grasping and Segmenting 3D Objects from Real Depth Images using

Depth Sensing and Deep Learning: Grasping and Segmenting 3D Objects from Real Depth Images using

Depth Sensing and Deep Learning: Grasping and Segmenting 3D Objects from Real Depth Images using Synthetic Data Mike D e Dan aniel elczuk uk, Jeffrey Mahler, Matthew Matl, Saurabh Gupta, Andrew Lee, Andrew Li, Vishal Satish, Bill DeRose,

774 views • 73 slides
MineSweeper: An In-depth Look into Drive-by Mining and its Defense Veelasha Moonsamy Utrecht

MineSweeper: An In-depth Look into Drive-by Mining and its Defense Veelasha Moonsamy Utrecht

MineSweeper: An In-depth Look into Drive-by Mining and its Defense Veelasha Moonsamy Utrecht University, The Netherlands 28 August 2018 University of Adelaide, Australia Utrecht University, The Netherlands 2 Acknowledgment Joint

874 views • 61 slides
Information Security Offense and Defense HIMSS Heart of America Chapter February 2015 Depth

Information Security Offense and Defense HIMSS Heart of America Chapter February 2015 Depth

Information Security Offense and Defense HIMSS Heart of America Chapter February 2015 Depth Security Who we are Boutique Information Security Firm Founded in 2006 Based in Kansas City, Missouri Your organizations best

253 views • 12 slides
3D Modeling with Depth Sensors Andreas Geiger, Torsten Sattler Spring 2017

3D Modeling with Depth Sensors Andreas Geiger, Torsten Sattler Spring 2017

3D Modeling with Depth Sensors Andreas Geiger, Torsten Sattler Spring 2017 http://www.cvg.ethz.ch/teaching/3dvision/ 3D Modeling with Depth Sensors Todays class Obtaining depth maps / range images unstructured light

617 views • 47 slides
Week 5 Kullmann Analysing BFS Depth-first search Depth-first search Analysing DFS

Week 5 Kullmann Analysing BFS Depth-first search Depth-first search Analysing DFS

CS 270 Algorithms Oliver Week 5 Kullmann Analysing BFS Depth-first search Depth-first search Analysing DFS Analysing BFS Dags and 1 topological sorting Detecting Depth-first search 2 cycles Analysing DFS 3 Dags and topological

482 views • 23 slides
Enabling Cloud-Native Applications with Application Credentials in Keystone Colleen Murphy Cloud

Enabling Cloud-Native Applications with Application Credentials in Keystone Colleen Murphy Cloud

Enabling Cloud-Native Applications with Application Credentials in Keystone Colleen Murphy Cloud Developer at SUSE cmurphy @_colleenm Overview Why we needed application credentials What are application credentials? (with demo!)

637 views • 25 slides
secmon Basic Oracle Security Monitoring Basic Oracle Security Monitoring motivation & start

secmon Basic Oracle Security Monitoring Basic Oracle Security Monitoring motivation & start

secmon Basic Oracle Security Monitoring Basic Oracle Security Monitoring motivation & start motivation & start internet security evaluate password cracker to check security of passwords passwords problems problems default

703 views • 27 slides
Hands on Virtualization with Ganeti Part 2: Ganeti Web Manager OSCON 2011 Ganeti Web Manager has

Hands on Virtualization with Ganeti Part 2: Ganeti Web Manager OSCON 2011 Ganeti Web Manager has

Hands on Virtualization with Ganeti Part 2: Ganeti Web Manager OSCON 2011 Ganeti Web Manager has been pre-installed on the master node. This tutorial assumes you have a working Ganeti cluster with at least a single node. Full install docs and

401 views • 18 slides
Payment Card Industry (PCI) Challenges and Issues for RACF Systems Jim Yurek Vanguard Integrity

Payment Card Industry (PCI) Challenges and Issues for RACF Systems Jim Yurek Vanguard Integrity

Payment Card Industry (PCI) Challenges and Issues for RACF Systems Jim Yurek Vanguard Integrity Professionals February 28, 2011 Session Number 8507 The Problem: Credit Card Breaches As long as we have the Internet and a Black Market for

643 views • 39 slides
CYBER ATTACK ON YOUR UMBILICALS SUT YES CYBER SECURITY EVENT Andrea Kesterson | Change Manager

CYBER ATTACK ON YOUR UMBILICALS SUT YES CYBER SECURITY EVENT Andrea Kesterson | Change Manager

CYBER ATTACK ON YOUR UMBILICALS SUT YES CYBER SECURITY EVENT Andrea Kesterson | Change Manager Loai Khalayli | Operational Technology Engineer 25 May 2017 Disclaimer and important notice Outline Current, real and ever increasing threat

152 views • 11 slides
Enhancement of the Safety of the Jordan Research and Training Reactor (JRTR) Dr. Khalifeh

Enhancement of the Safety of the Jordan Research and Training Reactor (JRTR) Dr. Khalifeh

Enhancement of the Safety of the Jordan Research and Training Reactor (JRTR) Dr. Khalifeh AbuSaleem Commissioner for Nuclear Research JRTR Manager During Construction & Commissioning Phase Jordan Atomic Energy Commission 0 Jordan Atomic

372 views • 34 slides
Welcome! Getting to Defensible: Your Roadmap to Maturing Defensible Security in your Organization

Welcome! Getting to Defensible: Your Roadmap to Maturing Defensible Security in your Organization

Conference 2018 Conference 2018 Welcome! Getting to Defensible: Your Roadmap to Maturing Defensible Security in your Organization Global Context global annual cybercrime will cost the world in excess of $6 trillion annually by 2021 - this

366 views • 34 slides
Security Vulnerabilities Decomposition Katy Anton OWASP Top 10 @KatyAnton When the report is

Security Vulnerabilities Decomposition Katy Anton OWASP Top 10 @KatyAnton When the report is

Security Vulnerabilities Decomposition Katy Anton OWASP Top 10 @KatyAnton When the report is published @KatyAnton Katy Anton Software development background Project co-leader for OWASP Top 10 Proactive Controls (@OWASPControls)

1.21k views • 45 slides

More recommend