The document discusses the growing threats of cybercrime and importance of security by design in software development. It notes that data has become the new gold and cybercrime damages reached $3 trillion worldwide in 2016. The document advocates storing only necessary data and limiting access. It provides examples of how software systems can expose private data if not designed securely from the start. Throughout, it emphasizes close collaboration between developers and security experts to implement controls like centralized logging, strong passwords, and automated security testing in development practices.

1. DON’T BE A TROJAN
BRIAN VERMEER (@BRIANVERM)

2. DATA IS THE NEW
GOLD

5. BRIAN VERMEER
SOFTWARE ENGINEER

6. BUT I GOT NOTHING TO HIDE …
DON’T BE A TROJAN

7. HTTPS://NLTIMES.NL/
2018/03/08/NUDE-VIDEOS-
DUTCH-HANDBALL-TEAM-
LEAK-ONLINE-SAUNA-
CAMERA-HACK

8. HTTP://WWW.ALPHR.COM/
HEALTH/1005587/THE-NUMBER-
OF-PEOPLE-ASKING-GOOGLE-
FOR-MEDICAL-ADVICE-HAS-
SKYROCKETED-IN-A-DECADE

9. SOCIAL RANKING CHINA

10. CYBERCRIME
REAL THREAT
AND IT IS GROWING
ORGANISED AND PROFESSIONAL
IT’S A BUSINESS
RISKS ARE LOW
WE ARE NOT READY
LOT OF MONEY INVOLVED

11. HOW PROFITABLE IS CYBERCRIME?
US Military and Defence Expanses
(2015)
600 Billion dollars
Cyber crime damage world wide
(2016)
3 Trillion dollars
Bank of Iraq Heist (2003)
1 Billion dollars

13. BUT NOW WE HAVE
GDPR…RIGHT?!

14. HTTPS://FUSION.TV/STORY/281543/REAL-FUTURE-EPISODE-8-HACK-
ATTACK/?CURATOR=TECHREDEF KEVIN ROOSE - 24 FEB 2016

16. LAPTOP

17. PASSWORDS

18. DEVOPS

19. TEST DATA

20. SCENARIO
THE “NEW GUY”

21. SECURITY BY DESIGN
DEVELOPMENT

22. DON’T BE A TROJAN
DATA STORAGE
▸ WHAT DATA DO WE STORE?
▸ WHAT DATA DO WE NEED?
▸ HOW LONG DO WE NEED TO KEEP THIS
DATA?
▸ HOW DOES THIS DATA TRACE BACK TO AN
INDIVIDUAL?
▸ WHO HAS ACCESS TO THIS DATA

23. SOFTWARE DEVELOPMENT
OVER TIME

24. DON’T BE A TROJAN
STAGE 1 - BUILD A NICE CLEAN SYSTEM

25. DON’T BE A TROJAN
STAGE 2 - A LITTLE ADDITION

26. DON’T BE A TROJAN
STAGE 3 - A COMPLETE NEW FEATURE ON TOP

27. DON’T BE A TROJAN
STAGE 4 - EXPANDING WITH A NEW SCOPE

28. DON’T BE A TROJAN
STAGE 5 - AND NOW WE WANT TO RULE THE WORLD

29. EXAMPLE
PROFILE
SERVICE
CREATE PROFILE
UPDATE PREFERENCES
GET PROFILE BY UUID
PROFILE
- UUID
- LIST OF PREFERENCES

30. EXAMPLE
PROFILE
SERVICE
CREATE PROFILE
UPDATE PREFERENCES
GET PROFILE BY UUID
PROFILE
- UUID
- EMAIL
- LIST OF PREFERENCES
MYHOME
SERVICE
CLAIM A HOUSE
UPDATE YOUR HOUSE
FIND ALL HOUSES
MyHOUSE
- UUID
- HOUSE ADDRESS
- HOUSE PICTURES
SECURED LOGIN

31. EXAMPLE
PROFILE
SERVICE
GET PROFILE BY UUID
PROFILE
- UUID
- EMAIL
- LIST OF PREFERENCES
MYHOME
SERVICE
FIND ALL HOUSES
MyHOUSE
- UUID (EXPOSED)
- HOUSE ADDRESS
- HOUSE PICTURES

32. WHAT DATA IS EXPOSED
TO THE OUTSIDE WORLD

33. DATA LEAK?

34. WHO WAS EXPOSED?
HOW LONG WAS IT THERE?
WHAT WAS THE IMPACT?
WHAT KIND OF DATA IS LEAKED?
AM I A VICTIM?

35. LOG EVERYTHING

36. BUT WHAT ABOUT
CI/CD ?

37. AUTOMATED SECURITY
TESTS

38. WHATS IN IT
DEPENDENCIES

39. CODE REVIEW

40. DON’T BE A TROJAN
CODE REVIEW
@GetMapping(path="/all")
public List<MyHouse> getAllHouses() {
return MyHouseRepository.findAll();
}
public class MyHouse {
@Id private String id;
private Date creationDate;
private Date modificationDate;
private String userId;
private String street;
private Integer number;
private String zip;
private String city;
}

41. DON’T BE A TROJAN
CODE REVIEW
@GetMapping(path="/all")
public List<MyHouse> getAllHouses() {
return MyHouseRepository.findAll();
}
public class MyHouse {
@Id private String id;
private Date creationDate;
private Date modificationDate;
@JsonIgnore private String userId;
private String street;
private Integer number;
private String zip;
private String city;
}

42. DESIGN TO BE
COMPROMISED

43. TEXT
PASSWORD PROTECTION
▸ Use a password policy
▸ Use a cryptographically strong credential-specific salt
▸ Use a cryptographic hash algorithm (e.g. PBKDF2 / bCrypt)
▸ Use a HMAC (keyed-hash message authentication code), HMAC-SHA256
▸ Review algorithms

44. CENTRALIZED LOGGING
AND ALERT ON IT

45. WORK TOGETHER WITH
SECURITY DEPARTMENT

46. BRIAN VERMEER
@BRIANVERM
BRIAN@BRIANVERMEER.NL