Don't be a trojan - Codemotion Amsterdam 2019

slides from my talk at Codemotion Amsterdam 2019


  1. DON’T BE A TROJAN. Brian Vermeer (@BrianVerm)
  2. Data is the new gold
  3. (image only)
  4. (image only)
  5. Brian Vermeer, Developer Advocate
  6. “But I got nothing to hide…” Don’t be a trojan
  7. https://nltimes.nl/2018/03/08/nude-videos-dutch-handball-team-leak-online-sauna-camera-hack
  8. http://www.alphr.com/health/1005587/the-number-of-people-asking-google-for-medical-advice-has-skyrocketed-in-a-decade
  9. Social ranking, China
  10. But now we have GDPR… right?!
  11. https://fusion.tv/story/281543/real-future-episode-8-hack-attack/?curator=techredef (Kevin Roose, 24 Feb 2016)
  12. (image only; same source as slide 11)
  13. (image only)
  14. (image only)
  15. (image only)
  16. Laptop
  17. Passwords
  18. DevOps
  19. Test data
  20. Security by design: development
  21. Data storage
     ▸ What data do we store?
     ▸ What data do we need?
     ▸ How long do we need to keep this data?
     ▸ How does this data trace back to an individual?
     ▸ Who has access to this data?
  22. Software development over time
  23. Stage 1: build a nice clean system
  24. Stage 2: a little addition
  25. Stage 3: a complete new feature on top
  26. Stage 4: expanding with a new scope
  27. Stage 5: and now we want to rule the world
  28. Example. Profile service (create profile, update preferences, get profile by UUID). Profile: UUID, list of preferences.
  29. Example. Profile service (create profile, update preferences, get profile by UUID). Profile: UUID, email, list of preferences. MyHome service (claim a house, update your house, find all houses). MyHouse: UUID, house address, house pictures. Secured login.
  30. Example. Profile service (get profile by UUID). Profile: UUID, email, list of preferences. MyHome service (find all houses). MyHouse: UUID (exposed: this is the owner’s profile UUID, so an unauthenticated “find all houses” call links each address to a profile, and through the profile service to an email address), house address, house pictures.
  31. What data is exposed to the outside world?
  32. Data leak?
  33. Who was exposed? How long was it there? What was the impact? What kind of data is leaked? Am I a victim?
  34. Log everything
  35. But what about CI/CD?
  36. Automated security tests
  37. Shift security left ←
  38. What’s in it: dependencies
  39. Your app
  40. Your code / your app
  41. Spring serverless example
  42. Spring serverless example: 222 lines of code
  43. (image only; same as slide 42)
  44. Spring serverless example: 222 lines of code, 5 direct dependencies
  45. Spring serverless example: 222 lines of code, 5 direct dependencies, 54 dependencies (incl. indirect)
  46. Spring serverless example: 222 lines of code, 5 direct dependencies, 54 dependencies (incl. indirect), 460,046 lines of code
  47. Your code / your app
  48. (image only)
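The 5 and 54 on the previous slides are the kind of numbers `mvn dependency:tree` gives you for any Maven project. As an added example (not code from the talk or from any Snyk tooling), the following Java program reads that tree output and counts distinct direct and transitive group:artifact coordinates, so "what's in it" is answered by the build tool rather than by reading pom.xml. The sample tree is constructed for this example: the coordinates and versions are illustrative and are not the talk's actual project. It assumes Java 17 (records and Stream.toList) and the default, non-verbose tree format, in which each nesting level adds a three-character prefix.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public class DependencyCount {

    // Constructed sample of `mvn dependency:tree` output (illustrative coordinates only).
    // Maven prints one node per line; every nesting level adds a three-character
    // prefix ("+- ", "|  ", "\- " or "   ") after the "[INFO] " tag.
    static final List<String> SAMPLE_TREE = List.of(
        "[INFO] com.example:spring-serverless-example:jar:1.0.0",
        "[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.1.4.RELEASE:compile",
        "[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:2.1.4.RELEASE:compile",
        "[INFO] |  |  \\- org.springframework.boot:spring-boot-starter-logging:jar:2.1.4.RELEASE:compile",
        "[INFO] |  +- org.springframework.boot:spring-boot-starter-json:jar:2.1.4.RELEASE:compile",
        "[INFO] |  |  \\- com.fasterxml.jackson.core:jackson-databind:jar:2.9.8:compile",
        "[INFO] |  \\- org.springframework:spring-webmvc:jar:5.1.6.RELEASE:compile",
        "[INFO] +- org.springframework.cloud:spring-cloud-function-adapter-aws:jar:2.0.1.RELEASE:compile",
        "[INFO] |  \\- com.fasterxml.jackson.core:jackson-databind:jar:2.9.8:compile",
        "[INFO] \\- com.amazonaws:aws-lambda-java-core:jar:1.2.0:compile");

    /** Distinct group:artifact names seen in the tree, split by depth. */
    public record Summary(Set<String> direct, Set<String> transitive) {
        public int total() {
            Set<String> all = new LinkedHashSet<>(direct);
            all.addAll(transitive);
            return all.size();
        }
    }

    /** Position of the node marker ("+- " or "\- ") on a tree line, or -1 if the line has none. */
    static int markerIndex(String line) {
        int plus = line.indexOf("+- ");
        int last = line.indexOf("\\- ");
        if (plus < 0) return last;
        if (last < 0) return plus;
        return Math.min(plus, last);
    }

    public static Summary summarize(List<String> treeLines) {
        Set<String> direct = new LinkedHashSet<>();
        Set<String> transitive = new LinkedHashSet<>();
        for (String raw : treeLines) {
            String line = raw.startsWith("[INFO] ") ? raw.substring("[INFO] ".length()) : raw;
            int marker = markerIndex(line);
            if (marker < 0) continue;                  // root project or unrelated log line
            int depth = marker / 3 + 1;                // three characters per nesting level
            String[] coords = line.substring(marker + 3).split(":");
            if (coords.length < 2) continue;           // not a Maven coordinate
            String name = coords[0] + ":" + coords[1]; // group:artifact; version ignored
            if (depth == 1) direct.add(name); else transitive.add(name);
        }
        transitive.removeAll(direct);                  // a direct dep seen again deeper counts once
        return new Summary(direct, transitive);
    }

    // Usage: `mvn dependency:tree > tree.txt && java DependencyCount.java tree.txt`;
    // with no argument the constructed sample above is used.
    public static void main(String[] args) throws IOException {
        List<String> lines = args.length > 0 ? Files.readAllLines(Path.of(args[0])) : SAMPLE_TREE;
        Summary s = summarize(lines);
        System.out.println("direct:     " + s.direct().size() + " " + s.direct());
        System.out.println("transitive: " + s.transitive().size() + " " + s.transitive());
        System.out.println("total:      " + s.total());
    }
}
```

The transitive set is the part of the app nobody on the team wrote or reviewed, which is why the slides pair these counts with automated dependency scanning in CI/CD rather than with manual code review.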
  49. Code review
  50. Code review: the “find all houses” endpoint returns the persisted entity as-is, so every field of MyHouse, including userId (the owner’s profile UUID), is serialized into the JSON for every caller:

    import java.util.Date;
    import java.util.List;
    import javax.persistence.Id;
    import org.springframework.web.bind.annotation.GetMapping;

    @GetMapping(path = "/all")
    public List<MyHouse> getAllHouses() {
        return myHouseRepository.findAll();   // injected Spring Data repository
    }

    public class MyHouse {
        @Id
        private String id;
        private Date creationDate;
        private Date modificationDate;
        private String userId;       // owner's profile UUID: goes out with every house
        private String street;
        private Integer number;
        private String zip;
        private String city;
    }

  51. Code review: the fix on the slide keeps the field but hides it from the JSON serializer; the endpoint and the rest of the class are unchanged:

    import com.fasterxml.jackson.annotation.JsonIgnore;

    public class MyHouse {
        @Id
        private String id;
        private Date creationDate;
        private Date modificationDate;
        @JsonIgnore                  // Jackson skips this field when rendering the response
        private String userId;
        private String street;
        private Integer number;
        private String zip;
        private String city;
    }

    Caveat: @JsonIgnore only affects Jackson. The entity still carries the owner id, so a different serializer, a log statement that prints the object, or a later endpoint that maps the entity to another format exposes it again, and the full address of every house still goes to every caller. Returning a dedicated response type that contains only what the listing needs is the more robust fix.
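As an added example, not code from the talk, here is the MyHome listing from slides 29 and 30 and the code-review slides rewritten so that a dedicated response type, rather than the persisted entity, decides what leaves the service, and the owner’s full view is returned only to the authenticated owner. It assumes a Spring Boot 3 application on Java 17 with spring-boot-starter-web, and Spring Security configured so that /mine requires an authenticated user (otherwise the Principal argument is null). MyHouse, HouseSummary, HouseDetail, HouseRepository, the two sample rows and the two paths are hypothetical names chosen for this example.

```java
import java.security.Principal;
import java.util.Date;
import java.util.List;

import org.springframework.stereotype.Repository;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Added example (hypothetical names). Everything lives in one class so it drops into a
// Spring Boot 3 / Java 17 project as a single file.
@RestController
public class HouseController {

    // Internal model: keeps everything the service needs, including the owner's profile UUID.
    // Instances of this class are never returned from a handler method.
    public static class MyHouse {
        final String id;
        final Date creationDate;
        final Date modificationDate;
        final String userId;   // links to the profile service, so it must stay inside
        final String street;
        final Integer number;
        final String zip;
        final String city;

        MyHouse(String id, String userId, String street, Integer number, String zip, String city) {
            this.id = id;
            this.userId = userId;
            this.street = street;
            this.number = number;
            this.zip = zip;
            this.city = city;
            this.creationDate = new Date();
            this.modificationDate = this.creationDate;
        }
    }

    // Public view: only what a house listing needs. No owner id and no timestamps;
    // a serializer cannot leak a field the type does not contain.
    public record HouseSummary(String id, String street, Integer number, String zip, String city) {
        static HouseSummary of(MyHouse h) {
            return new HouseSummary(h.id, h.street, h.number, h.zip, h.city);
        }
    }

    // Owner's view of their own house: fuller detail, returned only to the authenticated owner.
    public record HouseDetail(String id, String street, Integer number, String zip, String city,
                              Date modificationDate) {
        static HouseDetail of(MyHouse h) {
            return new HouseDetail(h.id, h.street, h.number, h.zip, h.city, h.modificationDate);
        }
    }

    // In-memory stand-in for the repository, with two constructed rows.
    @Repository
    public static class HouseRepository {
        private final List<MyHouse> rows = List.of(
            new MyHouse("h-1", "user-a", "Keizersgracht", 1, "1015CC", "Amsterdam"),
            new MyHouse("h-2", "user-b", "Coolsingel", 2, "3012AA", "Rotterdam"));

        public List<MyHouse> findAll() { return rows; }

        public List<MyHouse> findByUserId(String userId) {
            return rows.stream().filter(h -> h.userId.equals(userId)).toList();
        }
    }

    private final HouseRepository repo;

    public HouseController(HouseRepository repo) { this.repo = repo; }

    // Public listing: mapped to the summary type before anything is serialized.
    @GetMapping(path = "/all")
    public List<HouseSummary> getAllHouses() {
        return repo.findAll().stream().map(HouseSummary::of).toList();
    }

    // Owner's houses: scoped by the authenticated principal, never by a client-supplied id.
    // Assumes Spring Security authenticates this route; Principal is null otherwise.
    @GetMapping(path = "/mine")
    public List<HouseDetail> getMyHouses(Principal principal) {
        return repo.findByUserId(principal.getName()).stream().map(HouseDetail::of).toList();
    }
}
```

The design choice is the one the data-storage slide asks for: decide per endpoint what data is needed, and make the response type enforce it. Adding a field to MyHouse later (the “little addition” of stage 2) no longer changes what /all returns, because the summary record has to be edited deliberately to expose it.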
  52. Design to be compromised
  53. Centralized logging, and alert on it
  54. Keep scanning in production
  55. Shift security left ←
  56. Brian Vermeer, @BrianVerm, brianvermeer@snyk.io
