Presentation: Security Vulnerabilities Decomposition

Track: Scaling Security, from Device to Cloud

Location: St James, 4th flr.

Duration: 2:55pm - 3:45pm

Day of week: Wednesday

Share this on:

What You’ll Learn

  1. Find out how to prevent security vulnerabilities from onset.
  2. Learn to decompose security vulnerabilities into the security controls preventing them.

Abstract

In most companies security is driven by compliance regulations. The policies are designed to contain the CWEs each company is interested to comply with. The result of this approach is a high number of insecure applications are still produced and injection is still King. Is there another way to secure the software in a more developer friendly manner? 

This presentation will look at security vulnerabilities from a different angle.  We will decompose the vulnerabilities into the security controls that prevent them and developers are familiar with. We will flip the security from focusing on vulnerabilities (measured at the end) to focus on the security controls which can be used by developers from beginning in software development cycle. 

Recommended to all developers looking to integrate security in their software applications.

Question: 

What is the work you're doing today?

Answer: 

Today I work as an application security consultant at Veracode. As part of my job, I help developers and software architects to secure their software. I work with development teams and help them fix correctly the security flaws identified by automated tools, to ensure that they have been remediated in a secure manner.

Question: 

What are the goals for your talk?

Answer: 

This talk is based on my experience from the work I do. What I see a lot of, is when companies are implementing application security, they are primarily checking the software for most common vulnerabilities, like the OWASP Top 10, for example. The problem with this approach is that you can check for these vulnerabilities only at the end, after the software has been developed. After all, you cannot test for SQL injection before you have written the software which connects to the database. My primary goal for this talk is to empower developers to look at application security from another point of view. If we go back to some basics, security vulnerabilities are just software flaws which have been introduced at various stages of the software development: either at architecture, at design or at the code level. The concept I will explore as part of this talk is to analyze these software vulnerabilities, to decompose them to identify the security controls which prevent them,  are familiar to developers, and can be used on a regular basis when writing the software. The final goal is to give the audience, the developers, another view where we flip the security, and instead of focusing on the vulnerabilities (which can be measured only at the end) to focus instead on the security controls which prevent these vulnerabilities and can be used in the software from the beginning.

Question: 

What key takeaways do you want people to leave the talk with?

Answer: 

What I like the attendees to take away is that in order to build more secure software, we should focus on one category of vulnerabilities at a time. And for each category of vulnerabilities, we should first identify the security controls which prevent the vulnerability. Then, identify the best place to apply those security controls in the software to effectively prevent that vulnerability. For example, in the latest OWASP Top 10, there have been few new entries. One of them is A4-XML External Entities where by default, older XML processors allow specification of an external entity. If developers want to prevent their software having this vulnerability, the first thing is to identify the security control. For XXE,  the control is hardening the software by disabling parsing XML external entities. Next, is to identify the best place to apply this control when writing the software. It depends on the framework/language. For example, in Java, the best place is before parsing the XML document. There we need to harden the configuration by writing few extra lines of code. And by doing this every time an XML document is parsed, we ensure that the software will proactively prevent this particular vulnerability. This angle of securing the software, by identifying the security controls which must be used, is what I would like the attendees of this conference ( senior developers, tech leads, and the software architects) to take back to their teams and start applying in their software development cycle.

Speaker: Katy Anton

Principal Application Security Consultant @Veracode

Katy Anton is a security professional with a background in software development. An international public speaker, she enjoys speaking about software security and how to secure software applications.

In her previous roles she led software development teams and implemented security best practices in software development life cycle. As part of her work she got involved in OWASP Top Ten Proactive Controls project where she joined as project leader.

In her current role as Application Security Consultant, Katy works with security teams and software developers around the world and helps them secure their software.

Find Katy Anton at

Similar Talks

Tracks

  • Architectures You've Always Wondered About

    Hard-earned lessons from the names you know on scalability, reliability, security, and performance.

  • Machine Learning: The Latest Innovations

    AI and machine learning is more approachable than ever. Discover how ML, deep learning, and other modern approaches are being used in practice.

  • Kubernetes and Cloud Architectures

    Learn about cloud native architectural approaches from the leading industry experts who have operated Kubernetes and FaaS at scale, and explore the associated modern DevOps practices.

  • Evolving Java

    JVM futures, JIT directions and improvements to the runtimes stack is the theme of this year’s JVM track.

  • Next Generation Microservices: Building Distributed Systems the Right Way

    Microservice-based applications are everywhere, but well-built distributed systems are not so common. Early adopters of microservices share their insights on how to design systems the right way.

  • Chaos and Resilience: Architecting for Success

    Making systems resilient involves people and tech. Learn about strategies being used, from cognitive systems engineering to chaos engineering.

  • The Future of the API: REST, gRPC, GraphQL and More

    The humble web-based API is evolving. This track provides the what, how, and why of future APIs.

  • Streaming Data Architectures

    Today's systems move huge volumes of data. Hear how the innovators in this space are designing systems and leveraging modern data stream processing platforms.

  • Modern Compilation Targets

    Learn about the innovation happening in the compilation target space. WebAssembly is only the tip of the iceberg.

  • Modern CS in the Real World

    Head back to academia to solve today's problems in software engineering.

  • Bare Knuckle Performance

    Crushing latency and getting the most out of your hardware.

  • Leading Distributed Teams

    Remote and distributed working are increasing in popularity, but many organisations underestimate the leadership challenges. Learn from those who are doing this effectively.

  • Driving Full Cycle Engineering Teams at Every Level

    "Full cycle developers" is not just another catch phrase; it's about engineers taking ownership and delivering value, and doing so with the support of their entire organisation. Learn more from the pioneers.

  • JavaScript: Pushing the Client Beyond the Browser

    JavaScript is not just the language of the web. Join this track to learn how the innovators are pushing the boundaries of this classic language and ecosystem

  • When Things Go Wrong: GDPR, Ethics, & Politics

    Privacy, confidentiality, safety and security: learning from the frontlines, from both good and bad experiences

  • Growing Unicorns in the EU: Building, Leading and Scaling Financial Tech Start Ups

    Learn how EU FinTech innovators have designed, built, and led both their technologies and organisations.

  • Building High Performing Teams

    There are many discussions outlining the secret sauce of high-performing teams. Learn how to balance the essential ingredients of high performing teams such as trust and delegation, as well as recognising the pitfalls and problems that will ruin any recipe.

  • Scaling Security, from Device to Cloud

    Implementing effective security is vitally important, regardless of where you are deploying software applications