Conference:March 6-8, 2017
Workshops:March 9-10, 2017
Presentation: Making the Most out of a Bad Day as a Developer
Location:
- St James, 4th flr.
Duration
Day of week:
- Wednesday
Level:
- Intermediate
Persona:
- Developer
Key Takeaways
- Learn why threat modeling is important and how you can do it
- Analyze examples and good practices for dealing with things like secure communication and secure data storage
- Gain ideas for breaking down barriers between development and security
Abstract
You know how it goes. There is always someone that finds out how to break all the hard work you and your team have put in developing a kick-ass application. Nobody likes to receive security bug reports but they are a reality we have to deal with. Penetration testers, bug bounty programs, independent researchers, and security incidents all provide us with invaluable information to develop better code. The question then becomes what we do with what we learned and how we prevent similar vulnerabilities to appear again. This presentation is a tale of war stories from my experience as a penetration tester and the numerous years of work with development teams building secure development practices. I hope to help you in understanding the value of security bugs for you, your organisations and your clients.
Interview
Nowadays everything has to have a threat model, otherwise it’s not even considered for development. My talk will be a lessons learned overview of what I’ve done in the past. There will be practical examples at a technical level of things that I always see in threat modeling exercises. Examples about things like secure communication, secure data storage, etc.
One example that I will talk about is on third party libraries. Many people want to use them for cryptography, for example from .NET or OpenSSL but often they don’t know how to use them properly. When validating code I’ve seen things like hardcoded encryption keys in the code that is the same for every client that they deploy the application to. If one of those keys gets compromised, all your clients get compromised. This is something that shouldn’t be done like this. In my talk I will show good practices how to incorporate third party libraries and use them.
Looking at threat modeling, architects can get a lot of input from developers and product owners who know how the product should work. They can also get very useful input from QA people who know how it actually fails and how it doesn’t work. It’s important to have interaction between these stakeholders in one room to get sufficient insight into the vulnerabilities.
My talk aims at developers and architects, but there are things in there for anybody involved in the development process.
Intermediate to advanced level.
I’m confident that developers don’t come into work to create vulnerable software. Problem is that we’re not able to express security requirements very well. Security people often want to own the security process. I tell them that they are not the owner of the process, and suggest them to provide developers with tools and practices, teach them, and then step back. Of course developers also need to move closer to the security people.
I would say it’s the Internet of Things, very small devices providing a lot of data that is consumed by web services all around the world. The protection of that data and the security of those devices, and the visibility of those devices and the capabilities that are offered to attackers are immense. We need to pay much more attention to that, both from a developer and security perspective.
Similar Talks
Tracks
-
Architecting for Failure
Building fault tolerate systems that are truly resilient
-
Architectures You've Always Wondered about
QCon classic track. You know the names. Hear their lessons and challenges.
-
Modern Distributed Architectures
Migrating, deploying, and realizing modern cloud architecture.
-
Fast & Furious: Ad Serving, Finance, & Performance
Learn some of the tips and technicals of high speed, low latency systems in Ad Serving and Finance
-
Java - Performance, Patterns and Predictions
Skills embracing the evolution of Java (multi-core, cloud, modularity) and reenforcing core platform fundamentals (performance, concurrency, ubiquity).
-
Performance Mythbusting
Performance myths that need busting and the tools & techniques to get there
-
Dark Code: The Legacy/Tech Debt Dilemma
How do you evolve your code and modernize your architecture when you're stuck with part legacy code and technical debt? Lessons from the trenches.
-
Modern Learning Systems
Real world use of the latest machine learning technologies in production environments
-
Practical Cryptography & Blockchains: Beyond the Hype
Looking past the hype of blockchain technologies, alternate title: Weaselfree Cryptography & Blockchain
-
Applied JavaScript - Atomic Applications and APIs
Angular, React, Electron, Node: The hottest trends and techniques in the JavaScript space
-
Containers - State Of The Art
What is the state of the art, what's next, & other interesting questions on containers.
-
Observability Done Right: Automating Insight & Software Telemetry
Tools, practices, and methods to know what your system is doing
-
Data Engineering : Where the Rubber meets the Road in Data Science
Science does not imply engineering. Engineering tools and techniques for Data Scientists
-
Modern CS in the Real World
Applied, practical, & real-world dive into industry adoption of modern CS ideas
-
Workhorse Languages, Not Called Java
Workhorse languages not called Java.
-
Security: Lessons Learned From Being Pwned
How Attackers Think. Penetration testing techniques, exploits, toolsets, and skills of software hackers
-
Engineering Culture @{{cool_company}}
Culture, Organization Structure, Modern Agile War Stories
-
Softskills: Essential Skills for Developers
Skills for the developer in the workplace
Conference for Professional Software Developers
