Developing Software with Security in Mind

1. Developing Software with Security in Mind
   Scott Blomquist, CTO, Vidoop

2. Format
<ul>
<li>This session is:
<ul>
<li>10 useful rules for developing with security in mind</li>
<li>Not just mine: feel free to interrupt at any time</li>
</ul>
</li>
<li>This session isn't:
<ul>
<li>A talk about specific security pitfalls, development techniques, etc.</li>
</ul>
</li>
</ul>

3. Rule #1
<ul>
<li>Learn about security or it will teach you.</li>
</ul>

4. How my security education began
<ul>
<li>July 2001: Code Red slows corporate networks to a crawl</li>
<li>September 2001: Nimda does it again</li>
<li>February/March 2002: Windows Security Push</li>
<li>January 2003: This time it's Slammer</li>
<li>Summer 2003: Work begins on "Springboard"</li>
<li>August 2003: Blaster terrorizes the world</li>
</ul>

5. Rule #2
<ul>
<li>Learn about security or it will teach you.</li>
<li>Security knowledge goes obsolete quickly.</li>
</ul>

6. Security trends
<ul>
<li>Tools, languages, and development practices get better:
<ul>
<li>Static analysis tools</li>
<li>Safer versions of C run-time functions</li>
<li>Input fuzzing tools</li>
<li>Stack attack detection</li>
</ul>
</li>
<li>So do the bad guys:
<ul>
<li>Tool advances may help them, too</li>
<li>New techniques are discovered all the time</li>
</ul>
</li>
<li>ALL: favorite examples of either of these?</li>
</ul>

7. Rule #3
<ul>
<li>Learn about security or it will teach you.</li>
<li>Security knowledge goes obsolete quickly.</li>
<li>Your team should have a security geek (or more).</li>
</ul>

8. Passions get the best attention
<ul>
<li>Security geek doesn't have to be a full-time job.</li>
<li>You might already work with one (or might be one).</li>
<li>To get started, you just have to make it a point to read about and talk about security.</li>
<li>With luck, it will just "fit" for someone.</li>
</ul>

9. Rule #4
<ul>
<li>Learn about security or it will teach you.</li>
<li>Security knowledge goes obsolete quickly.</li>
<li>Your team should have a security geek (or more).</li>
<li>Befriend the security researchers in your field.</li>
</ul>

10. Security researchers: symbiotic parasites
<ul>
<li>We have great local resources here in Tulsa.</li>
<li>Spend time poking holes in your project over coffee or beer.</li>
<li>Suggest exciting research projects.</li>
<li>Make sure they know how to reach you if they have an interesting thought.</li>
<li>Despite how bad it feels when a flaw in your project gets published, you want them to find the flaw.</li>
</ul>

11. Rule #5
<ul>
<li>Learn about security or it will teach you.</li>
<li>Security knowledge goes obsolete quickly.</li>
<li>Your team should have a security geek (or more).</li>
<li>Befriend the security researchers in your field.</li>
<li>Despite knowledge, you will ship security bugs.</li>
</ul>

12. Software is never defect-free
<ul>
<li>No one would claim to be unbreakable (okay, except Oracle).</li>
<li>But many projects sure act like they are.</li>
</ul>

13. Rule #6
<ul>
<li>Learn about security or it will teach you.</li>
<li>Security knowledge goes obsolete quickly.</li>
<li>Your team should have a security geek (or more).</li>
<li>Befriend the security researchers in your field.</li>
<li>Despite knowledge, you will ship security bugs.</li>
<li>Have security response plans in place.</li>
</ul>

14. Emergency response plans
<ul>
<li>How to know when to respond
<ul>
<li>Web products and boxed products are different.</li>
</ul>
</li>
<li>How to disseminate the response
<ul>
<li>Everyone needs an update process.</li>
<li>Sometimes you need damage control levers, too.</li>
</ul>
</li>
</ul>

15. Rule #7
<ul>
<li>Learn about security or it will teach you.</li>
<li>Security knowledge goes obsolete quickly.</li>
<li>Your team should have a security geek (or more).</li>
<li>Befriend the security researchers in your field.</li>
<li>Despite knowledge, you will ship security bugs.</li>
<li>Have security response plans in place.</li>
<li>Security and usability will always be in tension.</li>
</ul>

16. Security vs. Usability
<ul>
<li>"The most secure computer in the world is in a concrete and steel vault, protected by armed guards, and not plugged into the network or even power. But it's not very useful, either."</li>
<li>--Various</li>
</ul>

17. Rule #8
<ul>
<li>Learn about security or it will teach you.</li>
<li>Security knowledge goes obsolete quickly.</li>
<li>Your team should have a security geek (or more).</li>
<li>Befriend the security researchers in your field.</li>
<li>Despite knowledge, you will ship security bugs.</li>
<li>Have security response plans in place.</li>
<li>Security and usability will always be in tension.</li>
<li>The perfect is the enemy of the good.</li>
</ul>

18. A case study: OpenID
<ul>
<li>First, what is OpenID: OpenID According to Dave</li>
<li>Many OpenID objections center around how it doesn't solve as many problems as pick-your-favorite-heavy-crypto-based-auth-protocol.</li>
<li>Despite those strong objections, OpenID is poised to be an Internet phenomenon.</li>
</ul>

19. Rule #9
<ul>
<li>Learn about security or it will teach you.</li>
<li>Security knowledge goes obsolete quickly.</li>
<li>Your team should have a security geek (or more).</li>
<li>Befriend the security researchers in your field.</li>
<li>Despite knowledge, you will ship security bugs.</li>
<li>Have security response plans in place.</li>
<li>Security and usability will always be in tension.</li>
<li>The perfect is the enemy of the good.</li>
<li>Have open conversations about security.</li>
</ul>

20. Open conversation
<ul>
<li>You want to know at least as much about your security as everyone else.</li>
<li>Sometimes conversations will be uncomfortable, but you have to learn, and your users have to be reassured about their future with your software.</li>
<li>Who to talk to:
<ul>
<li>Users</li>
<li>Researchers</li>
</ul>
</li>
</ul>

21. Rule #10
<ul>
<li>Learn about security or it will teach you.</li>
<li>Security knowledge goes obsolete quickly.</li>
<li>Your team should have a security geek (or more).</li>
<li>Befriend the security researchers in your field.</li>
<li>Despite knowledge, you will ship security bugs.</li>
<li>Have security response plans in place.</li>
<li>Security and usability will always be in tension.</li>
<li>The perfect is the enemy of the good.</li>
<li>Have open conversations about security.</li>
<li>Sometimes there is no rule #10.</li>
</ul>

22. No rule #10
<ul>
<li>Security is unpredictable.</li>
<li>Be ready for anything.</li>
</ul>

23. Additional Resources
<ul>
<li>More information about Microsoft's security turning point:
<ul>
<li>Inside Windows XP SP2</li>
<li>Inside the Windows Security Push</li>
</ul>
</li>
</ul>

24. Questions?
<ul>
<li>Slides available at http://Scott.Blomqui.st</li>
</ul>