Patricia Aas, profile picture
Uploaded byPatricia Aas
PDF, PPTX408 views

Make It Fixable (Sikkert NOK 2017)

The document discusses the challenges of security in software development, emphasizing issues like the inability to roll out fixes, lack of control over dependencies, and the risks associated with the absence of an in-house team. It also highlights the importance of user experience in security practices and suggests various strategies for addressing these challenges, such as maintaining good coding practices, ensuring proper documentation, and creating a trustworthy environment for users. Ultimately, it calls for collective responsibility in protecting users and improving security across the industry.

Embed presentation

Download as PDF, PPTX
@pati_gallardo
Make it Fixable Living with Risk Patricia Aas Sikkert NOK 2017 @pati_gallardo
Who am I? @pati_gallardo
Patricia Aas Programmer - mainly in C++ and Java Currently : Vivaldi Technologies Previously : Cisco Systems, Knowit, Opera Software Master in Computer Science Twitter : @pati_gallardo
Security is Hard @pati_gallardo
Just Remember : - You live in the real world - Take one step at a time - Make a Plan @pati_gallardo
You Need A Security “Hotline” security@example.com Symbiotic relationship Be polite Be grateful Be professional Be efficient and transparent @pati_gallardo
Everybody's An Expert @pati_gallardo
- They Are. Really. - @pati_gallardo
1. Unable to Roll Out Fixes 2. No Control over Dependencies 3. The Team is Gone 4. It’s in Our Code 5. My Boss Made Me Do It 6. User Experience of Security Outline @pati_gallardo
Unable to Roll Out Fixes @pati_gallardo 1
Unable to Roll out Fixes - Relying on User Updates - Unable to Build - Unable to Deploy - Regression Fear - No Issue Tracking - No Release Tags - No Source - Issue in infrastructure @pati_gallardo
Internet of Things Toys: My Friend Cayla, i-Que Intelligent Robots, Hello Barbie Mirai: Botnets created with IOT devices, users don’t update “Shelfware” No Maintenance contract Abandonware Closed source - no way to fix/fork @pati_gallardo Unable to Roll Out Fixes.
Fix : Ship It! Holy Grail : Auto Update Code - Get the Code - Use Version Control - Keep Build Environment - Write Integration Tests Configuration Management - Have Security Contact - Track issues - Make a Deployment Plan - Control Infrastructure @pati_gallardo Unable to Roll Out Fixes.
Internet of Things - Auto-update - Different default passwords - Unboxing security “Shelfware” - Get maintenance contract - Change supplier - Do in-house - Use only Open Source Software Fix : Ship It! @pati_gallardoUnable to Roll Out Fixes.
No Control over Dependencies @pati_gallardo 2
No Control over Dependencies - Too Many Dependencies - Frameworks are Abandoned - Libraries Disappear - Insecure Platform APIs - Insecure Tooling - End-of-Life OS (Windows) - Licenses expire/change - Known Issues not Fixed - OS Not Updated (Android) @pati_gallardo
Stagefright Bugs in the multimedia library on Android Heartbleed Bug in openssl Left-Pad Developer unpublished a mini-Js library @pati_gallardo No Control over Dependencies
Fix: Control It! Goal : Dependency Control Be conservative - Is it needed? - Do you understand it? Be cautious - Audit your upstream - Avoid forking - Have an upgrade plan - Have someone responsible @pati_gallardo No Control over Dependencies
Stagefright Workaround in apps calling into stagefright Heartbleed Control over production environment Left-Pad Removing unnecessary dependency Fix: Control It! @pati_gallardoNo Control over Dependencies
The Team is Gone @pati_gallardo 3
The Team Is Gone - Team were consultants - They were downsized - The job was outsourced - “Bus factor” - “Binary blob” - Abandonware @pati_gallardo
“Public Sector” - Leaves the code with subcontractor - No build environment - Third-party access to production environment Abandoned frameworks - Framework interdependency - Unable to upgrade - Known bugs The Team is Gone @pati_gallardo
Fix : Own It! Goal : Regain Control Take it on yourselves - Build competence in-house - Fork, take control - “Barely Sufficient” Docs - Ship It and Control It Outsource - Maintenance Contract - Add Security Clause - Own deployment channel @pati_gallardo The Team Is Gone.
Fix : Own It! “Public Sector” - Backsourcing - Bring back work previously outsourced Abandoned frameworks - Replace with equivalent (OSS) - Remove dependency - Fork if you don’t have a choice @pati_gallardoThe Team Is Gone.
Use It! @pati_gallardo
It’s in Our Code @pati_gallardo 4
It’s in Our Code - Injection - Exploited crash etc - Debug code in production - Server compromised - Outdated platform - Intercepted traffic - Mined local data - Good old fashioned BUG @pati_gallardo
REMA 1000 Æ App - Reporter: Hallvard Nygård (@hallny) - All user data could be retrieved - Badly handled report - “Bug” (Lack of security) in App BEST CASE SCENARIO @pati_gallardo It’s In Our Code
Fix : Live It! Goal : Prevent & Cure Prevent - Sanitize your input - Send crash reports - Code review + tests - Review server security - Encrypt all traffic - Review local storage - Sign and check Cure - Ship it! @pati_gallardo It’s In Our Code
Browsers are very experienced - And therefore boring ;) gitlab.com - “rm -rf” - Sysadmin maintenance - Cascading errors as backups fail - All logged Publicly in real time Transparency Fix : Live It! @pati_gallardo It’s In Our Code
My Boss Made Me Do It @pati_gallardo 5
My Boss Made Me Do It The Feature is the Bug How? - Security Problem - Privacy Problem - Unethical - Illegal @pati_gallardo
Capcom's Street Fighter V - Installed a driver - “anti-crack solution” “...disables supervisor-mode execution protection and then runs the arbitrary code passed in through the ioctl buffer with kernel permissions..” - Reddit user extrwi My Boss Made Me Do It @pati_gallardo
Fix : Protect It! Goal : Protect your user Prevent : Protect your team - Workers rights - Build trust Cure : Protect your company - Find a Powerful Ally - Do Risk Analysis : Brand Reputation, Trust - Use the Law LAST RESORT : Whistleblowing & Quitting @pati_gallardo My Boss Made Me Do It
Statoil - Internal reports of security incidents after outsourcing - Only public after serious IRL incidents Nødnett - Transitive outsourcing - National Security These are often the Unsung Heros (Last Resort : Edward Snowden) Fix : Protect It! @pati_gallardo My Boss Made Me Do It
Ship It, Control It, Own It, Live It Protect It @pati_gallardo
- You need a Security Hotline - You Have to Ship - You Can’t do This Alone Recap @pati_gallardo
Designing the User Experience of Security @pati_gallardo 6
The Users Won’t Read Error blindness - Most users will mentally erase permanent error notifiers - they won’t read “Just click next” - Most users will accept the defaults - they won’t read “Make it go away” - The user will try to make the error dialog go away - they won’t read @pati_gallardo
Fix : Less is More Don’t leave it to the user - Just do the right thing, you don’t have to ask Have good defaults - Make sure that clicking next will leave the user in a good place Be very explicit when needed - If the user is in a “dangerous” situation - design carefully and if you have to explain : use language the user can understand @pati_gallardo
They Trust You With Personal information - They trust you to protect them from both hackers and governments With Data - They trust you to protect their pictures, documents, email … With Money - They trust you to protect their payment information and passwords @pati_gallardo
Fix : Be Trustworthy Only store what you have to - Try to use end-to-end encryption, so that even you don’t have access. Encrypt as much as you can Back up everything - Your users can’t afford to lose their baby pictures Use third party payment - Avoid having responsibility for their money @pati_gallardo
Everyone Is An Expert @pati_gallardo
1. Unable to Roll Out Fixes 2. No Control over Dependencies 3. The Team is Gone 4. It’s in Our Code 5. My Boss Made Me Do It 6. User Experience of Security Challenges @pati_gallardo
Protect Your User - Be a Force For Good @pati_gallardo
The Spaces We Create Online Are REAL @pati_gallardo
Make Everyone Feel Safe To Be Themselves @pati_gallardo
Make it Fixable Living with Risk Patricia Aas, Vivaldi Technologies @pati_gallardo Photos from pixabay.com - CC0 Creative Commons License
Some Vivaldi Swag! @pati_gallardo

More Related Content

PDF
Make It Fixable, Living with Risk (NDC London 2018)
byPatricia Aas
 
PDF
Make it Fixable, Living with Risk (Paranoia 2017)
byPatricia Aas
 
PDF
Make it Fixable (NDC Copenhagen 2018)
byPatricia Aas
 
PDF
Make it Fixable (CppCon 2018)
byPatricia Aas
 
PDF
Make it Fixable (Security Divas 2017)
byPatricia Aas
 
PDF
It's Okay To Touch Yourself - DerbyCon 2013
byBen Ten (0xA)
 
PDF
A Journey Into Pen-tester land: Myths or Facts!
byAmmar WK
 
PDF
A Research Study into DevOps Bottlenecks as presented at Codemash 2018
byBaruch Sadogursky
 
Make It Fixable, Living with Risk (NDC London 2018)
byPatricia Aas
 
Make it Fixable, Living with Risk (Paranoia 2017)
byPatricia Aas
 
Make it Fixable (NDC Copenhagen 2018)
byPatricia Aas
 
Make it Fixable (CppCon 2018)
byPatricia Aas
 
Make it Fixable (Security Divas 2017)
byPatricia Aas
 
It's Okay To Touch Yourself - DerbyCon 2013
byBen Ten (0xA)
 
A Journey Into Pen-tester land: Myths or Facts!
byAmmar WK
 
A Research Study into DevOps Bottlenecks as presented at Codemash 2018
byBaruch Sadogursky
 

Similar to Make It Fixable (Sikkert NOK 2017)

PDF
Secure Coding principles by example: Build Security In from the start - Carlo...
byCodemotion
 
PDF
Hard Truths your CISO won’t tell you.pdf
byTravisMcPeak1
 
PPTX
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
byEC-Council
 
PPTX
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
bySecurity Innovation
 
PPTX
Application Security: What do we need to know?
byJose L. Quiñones-Borrero
 
PDF
Security Checkpoints in Agile SDLC
byRahul Raghavan
 
PDF
DevSecOps for Developers, How To Start (ETC 2020)
byPatricia Aas
 
PDF
6 DevSecOps Hacks (femtech 2019)
byPatricia Aas
 
PDF
Faster Secure Software Development with Continuous Deployment - PH Days 2013
byNick Galbreath
 
PDF
Wfh security risks - Ed Adams, President, Security Innovation
byPriyanka Aash
 
PDF
JacksonvilleJUG_CVE101.pdf
byTheresa Mammarella
 
ODP
Break it while you make it: writing (more) secure software
byLeigh Honeywell
 
PDF
Tech Talent Meetup Hacking Security Event Recap
byDominic Vogel
 
PDF
Service now vulnerability patching_move
bySubrat Kumar Dash
 
PDF
What Every Developer And Tester Should Know About Software Security
byAnne Oikarinen
 
PDF
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
bySonatype
 
PPTX
Don't blink creating secure software
bylogsentinel
 
PPTX
information system security --internet cyber security
byVivekSinghShekhawat2
 
PDF
SecurityBSides London - Agnitio: it's static analysis but not as we know it
bySecurity Ninja
 
PDF
Injecting simplicity not SQL RSA Europe 2010
bySecurity Ninja
 
Secure Coding principles by example: Build Security In from the start - Carlo...
byCodemotion
 
Hard Truths your CISO won’t tell you.pdf
byTravisMcPeak1
 
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
byEC-Council
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
bySecurity Innovation
 
Application Security: What do we need to know?
byJose L. Quiñones-Borrero
 
Security Checkpoints in Agile SDLC
byRahul Raghavan
 
DevSecOps for Developers, How To Start (ETC 2020)
byPatricia Aas
 
6 DevSecOps Hacks (femtech 2019)
byPatricia Aas
 
Faster Secure Software Development with Continuous Deployment - PH Days 2013
byNick Galbreath
 
Wfh security risks - Ed Adams, President, Security Innovation
byPriyanka Aash
 
JacksonvilleJUG_CVE101.pdf
byTheresa Mammarella
 
Break it while you make it: writing (more) secure software
byLeigh Honeywell
 
Tech Talent Meetup Hacking Security Event Recap
byDominic Vogel
 
Service now vulnerability patching_move
bySubrat Kumar Dash
 
What Every Developer And Tester Should Know About Software Security
byAnne Oikarinen
 
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
bySonatype
 
Don't blink creating secure software
bylogsentinel
 
information system security --internet cyber security
byVivekSinghShekhawat2
 
SecurityBSides London - Agnitio: it's static analysis but not as we know it
bySecurity Ninja
 
Injecting simplicity not SQL RSA Europe 2010
bySecurity Ninja
 

More from Patricia Aas

PDF
The fundamental misunderstanding in Team Topologies
byPatricia Aas
 
PDF
Trying to build an Open Source browser in 2020
byPatricia Aas
 
PDF
Classic Vulnerabilities (MUCplusplus2022).pdf
byPatricia Aas
 
PDF
Dependency Management in C++ (NDC TechTown 2021)
byPatricia Aas
 
PDF
Introduction to Memory Exploitation (Meeting C++ 2021)
byPatricia Aas
 
PDF
The Anatomy of an Exploit (NDC TechTown 2019)
byPatricia Aas
 
PDF
Telling a story
byPatricia Aas
 
PDF
Return Oriented Programming, an introduction
byPatricia Aas
 
PDF
Introduction to Memory Exploitation (CppEurope 2021)
byPatricia Aas
 
PDF
Trying to build an Open Source browser in 2020
byPatricia Aas
 
PDF
Embedded Ethics (EuroBSDcon 2019)
byPatricia Aas
 
PDF
Chromium Sandbox on Linux (NDC Security 2019)
byPatricia Aas
 
PDF
Classic Vulnerabilities (ACCU Keynote 2022)
byPatricia Aas
 
PDF
Thoughts On Learning A New Programming Language
byPatricia Aas
 
PDF
The Anatomy of an Exploit (NDC TechTown 2019))
byPatricia Aas
 
PDF
Survival Tips for Women in Tech (JavaZone 2019)
byPatricia Aas
 
PDF
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
byPatricia Aas
 
PDF
Elections, Trust and Critical Infrastructure (NDC TechTown)
byPatricia Aas
 
PDF
NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
byPatricia Aas
 
PDF
I can't work like this (KDE Academy Keynote 2021)
byPatricia Aas
 
The fundamental misunderstanding in Team Topologies
byPatricia Aas
 
Trying to build an Open Source browser in 2020
byPatricia Aas
 
Classic Vulnerabilities (MUCplusplus2022).pdf
byPatricia Aas
 
Dependency Management in C++ (NDC TechTown 2021)
byPatricia Aas
 
Introduction to Memory Exploitation (Meeting C++ 2021)
byPatricia Aas
 
The Anatomy of an Exploit (NDC TechTown 2019)
byPatricia Aas
 
Telling a story
byPatricia Aas
 
Return Oriented Programming, an introduction
byPatricia Aas
 
Introduction to Memory Exploitation (CppEurope 2021)
byPatricia Aas
 
Trying to build an Open Source browser in 2020
byPatricia Aas
 
Embedded Ethics (EuroBSDcon 2019)
byPatricia Aas
 
Chromium Sandbox on Linux (NDC Security 2019)
byPatricia Aas
 
Classic Vulnerabilities (ACCU Keynote 2022)
byPatricia Aas
 
Thoughts On Learning A New Programming Language
byPatricia Aas
 
The Anatomy of an Exploit (NDC TechTown 2019))
byPatricia Aas
 
Survival Tips for Women in Tech (JavaZone 2019)
byPatricia Aas
 
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
byPatricia Aas
 
Elections, Trust and Critical Infrastructure (NDC TechTown)
byPatricia Aas
 
NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
byPatricia Aas
 
I can't work like this (KDE Academy Keynote 2021)
byPatricia Aas
 

Recently uploaded

PPTX
Build Smarter with Google: A Workshop on MediaPipe, Firebase, Gemini and Anti...
byvanshikaprakash05
 
PDF
CodeFulcrum Company Profile - Engineering Scalable Software for High-Growth E...
byCodeFulcrum
 
PPTX
Best Way to Convert PST File to MBOX Format
bykyla142000
 
PPTX
UAE-Based Insurer Transforms Operations with InsureEdge
byInsurance Tech Services
 
PPTX
Inside An AI Powered ERP System for Process Manufacturers
byBatchMaster Software Pvt. Ltd.
 
PPTX
How MathCo Solved Enterprise AI Validation Challenges
byIT IDOL Technologies
 
PPTX
The Triple Bottom Line of Software: Uses, Misuses, and Strategic Risks
byrawaisah124
 
PDF
DSD-INT 2025 Modelling cold water infiltration with the Groundwater Energy (G...
byDeltares
 
PDF
Job Interview for Global Federal Government MD Panel Presentation
byafnupe09
 
PPTX
EMR Software for Pulmonology Clinics Why EasyClinic Supports Accuracy, Contin...
byEasy Clinic
 
PPTX
Aviation Fleet Management Software for Airlines & Operators
bySISGAIN
 
PPTX
Testing Strategies for Agile Teams in 2026
byMatt Calder
 
PPTX
How to Extract Google Maps Business Leads Efficiently
bywakasoftteam
 
PDF
AI Concepts - MCP Neurons - part of a series
byPhilip Schwarz
 
PDF
Salesforce Agentforce Service Agent​.pdf
byRobert Mark
 
PDF
REST in Peace (Laravel Senegal Meetup 2025)
byWendell Adriel
 
PDF
Cloud Engineering Services | Infysion Technologies
bysolutioninginfysion
 
PDF
Prasenjit Bhaumik Plano - Specializing In Web Applications
byPrasenjit Bhaumik Plano
 
PDF
DSD-INT 2025 Flexible quadtree submodelling with MODFLOW 6 - Case Hegewarren ...
byDeltares
 
PPT
Data Structure & Algorithm Lec- HeapSort.ppt
bypanhra1
 
Build Smarter with Google: A Workshop on MediaPipe, Firebase, Gemini and Anti...
byvanshikaprakash05
 
CodeFulcrum Company Profile - Engineering Scalable Software for High-Growth E...
byCodeFulcrum
 
Best Way to Convert PST File to MBOX Format
bykyla142000
 
UAE-Based Insurer Transforms Operations with InsureEdge
byInsurance Tech Services
 
Inside An AI Powered ERP System for Process Manufacturers
byBatchMaster Software Pvt. Ltd.
 
How MathCo Solved Enterprise AI Validation Challenges
byIT IDOL Technologies
 
The Triple Bottom Line of Software: Uses, Misuses, and Strategic Risks
byrawaisah124
 
DSD-INT 2025 Modelling cold water infiltration with the Groundwater Energy (G...
byDeltares
 
Job Interview for Global Federal Government MD Panel Presentation
byafnupe09
 
EMR Software for Pulmonology Clinics Why EasyClinic Supports Accuracy, Contin...
byEasy Clinic
 
Aviation Fleet Management Software for Airlines & Operators
bySISGAIN
 
Testing Strategies for Agile Teams in 2026
byMatt Calder
 
How to Extract Google Maps Business Leads Efficiently
bywakasoftteam
 
AI Concepts - MCP Neurons - part of a series
byPhilip Schwarz
 
Salesforce Agentforce Service Agent​.pdf
byRobert Mark
 
REST in Peace (Laravel Senegal Meetup 2025)
byWendell Adriel
 
Cloud Engineering Services | Infysion Technologies
bysolutioninginfysion
 
Prasenjit Bhaumik Plano - Specializing In Web Applications
byPrasenjit Bhaumik Plano
 
DSD-INT 2025 Flexible quadtree submodelling with MODFLOW 6 - Case Hegewarren ...
byDeltares
 
Data Structure & Algorithm Lec- HeapSort.ppt
bypanhra1
 

Make It Fixable (Sikkert NOK 2017)

  • 1.
  • 2.
    Make it Fixable Livingwith Risk Patricia Aas Sikkert NOK 2017 @pati_gallardo
  • 3.
    Who am I?@pati_gallardo
  • 4.
    Patricia Aas Programmer -mainly in C++ and Java Currently : Vivaldi Technologies Previously : Cisco Systems, Knowit, Opera Software Master in Computer Science Twitter : @pati_gallardo
  • 5.
    Security is Hard@pati_gallardo
  • 6.
    Just Remember : -You live in the real world - Take one step at a time - Make a Plan @pati_gallardo
  • 7.
    You Need ASecurity “Hotline” security@example.com Symbiotic relationship Be polite Be grateful Be professional Be efficient and transparent @pati_gallardo
  • 8.
  • 9.
    - They Are.Really. - @pati_gallardo
  • 10.
    1. Unable toRoll Out Fixes 2. No Control over Dependencies 3. The Team is Gone 4. It’s in Our Code 5. My Boss Made Me Do It 6. User Experience of Security Outline @pati_gallardo
  • 11.
    Unable to RollOut Fixes @pati_gallardo 1
  • 12.
    Unable to Roll outFixes - Relying on User Updates - Unable to Build - Unable to Deploy - Regression Fear - No Issue Tracking - No Release Tags - No Source - Issue in infrastructure @pati_gallardo
  • 13.
    Internet of Things Toys:My Friend Cayla, i-Que Intelligent Robots, Hello Barbie Mirai: Botnets created with IOT devices, users don’t update “Shelfware” No Maintenance contract Abandonware Closed source - no way to fix/fork @pati_gallardo Unable to Roll Out Fixes.
  • 14.
    Fix : ShipIt! Holy Grail : Auto Update Code - Get the Code - Use Version Control - Keep Build Environment - Write Integration Tests Configuration Management - Have Security Contact - Track issues - Make a Deployment Plan - Control Infrastructure @pati_gallardo Unable to Roll Out Fixes.
  • 15.
    Internet of Things -Auto-update - Different default passwords - Unboxing security “Shelfware” - Get maintenance contract - Change supplier - Do in-house - Use only Open Source Software Fix : Ship It! @pati_gallardoUnable to Roll Out Fixes.
  • 16.
    No Control overDependencies @pati_gallardo 2
  • 17.
    No Control over Dependencies -Too Many Dependencies - Frameworks are Abandoned - Libraries Disappear - Insecure Platform APIs - Insecure Tooling - End-of-Life OS (Windows) - Licenses expire/change - Known Issues not Fixed - OS Not Updated (Android) @pati_gallardo
  • 18.
    Stagefright Bugs in themultimedia library on Android Heartbleed Bug in openssl Left-Pad Developer unpublished a mini-Js library @pati_gallardo No Control over Dependencies
  • 19.
    Fix: Control It! Goal: Dependency Control Be conservative - Is it needed? - Do you understand it? Be cautious - Audit your upstream - Avoid forking - Have an upgrade plan - Have someone responsible @pati_gallardo No Control over Dependencies
  • 20.
    Stagefright Workaround in appscalling into stagefright Heartbleed Control over production environment Left-Pad Removing unnecessary dependency Fix: Control It! @pati_gallardoNo Control over Dependencies
  • 21.
    The Team isGone @pati_gallardo 3
  • 22.
    The Team IsGone - Team were consultants - They were downsized - The job was outsourced - “Bus factor” - “Binary blob” - Abandonware @pati_gallardo
  • 23.
    “Public Sector” - Leavesthe code with subcontractor - No build environment - Third-party access to production environment Abandoned frameworks - Framework interdependency - Unable to upgrade - Known bugs The Team is Gone @pati_gallardo
  • 24.
    Fix : OwnIt! Goal : Regain Control Take it on yourselves - Build competence in-house - Fork, take control - “Barely Sufficient” Docs - Ship It and Control It Outsource - Maintenance Contract - Add Security Clause - Own deployment channel @pati_gallardo The Team Is Gone.
  • 25.
    Fix : OwnIt! “Public Sector” - Backsourcing - Bring back work previously outsourced Abandoned frameworks - Replace with equivalent (OSS) - Remove dependency - Fork if you don’t have a choice @pati_gallardoThe Team Is Gone.
  • 26.
  • 27.
    It’s in OurCode @pati_gallardo 4
  • 28.
    It’s in OurCode - Injection - Exploited crash etc - Debug code in production - Server compromised - Outdated platform - Intercepted traffic - Mined local data - Good old fashioned BUG @pati_gallardo
  • 29.
    REMA 1000 ÆApp - Reporter: Hallvard Nygård (@hallny) - All user data could be retrieved - Badly handled report - “Bug” (Lack of security) in App BEST CASE SCENARIO @pati_gallardo It’s In Our Code
  • 30.
    Fix : LiveIt! Goal : Prevent & Cure Prevent - Sanitize your input - Send crash reports - Code review + tests - Review server security - Encrypt all traffic - Review local storage - Sign and check Cure - Ship it! @pati_gallardo It’s In Our Code
  • 31.
    Browsers are veryexperienced - And therefore boring ;) gitlab.com - “rm -rf” - Sysadmin maintenance - Cascading errors as backups fail - All logged Publicly in real time Transparency Fix : Live It! @pati_gallardo It’s In Our Code
  • 32.
    My Boss MadeMe Do It @pati_gallardo 5
  • 33.
    My Boss MadeMe Do It The Feature is the Bug How? - Security Problem - Privacy Problem - Unethical - Illegal @pati_gallardo
  • 34.
    Capcom's Street FighterV - Installed a driver - “anti-crack solution” “...disables supervisor-mode execution protection and then runs the arbitrary code passed in through the ioctl buffer with kernel permissions..” - Reddit user extrwi My Boss Made Me Do It @pati_gallardo
  • 35.
    Fix : ProtectIt! Goal : Protect your user Prevent : Protect your team - Workers rights - Build trust Cure : Protect your company - Find a Powerful Ally - Do Risk Analysis : Brand Reputation, Trust - Use the Law LAST RESORT : Whistleblowing & Quitting @pati_gallardo My Boss Made Me Do It
  • 36.
    Statoil - Internal reportsof security incidents after outsourcing - Only public after serious IRL incidents Nødnett - Transitive outsourcing - National Security These are often the Unsung Heros (Last Resort : Edward Snowden) Fix : Protect It! @pati_gallardo My Boss Made Me Do It
  • 37.
    Ship It, ControlIt, Own It, Live It Protect It @pati_gallardo
  • 38.
    - You needa Security Hotline - You Have to Ship - You Can’t do This Alone Recap @pati_gallardo
  • 39.
    Designing the UserExperience of Security @pati_gallardo 6
  • 40.
    The Users Won’tRead Error blindness - Most users will mentally erase permanent error notifiers - they won’t read “Just click next” - Most users will accept the defaults - they won’t read “Make it go away” - The user will try to make the error dialog go away - they won’t read @pati_gallardo
  • 41.
    Fix : Lessis More Don’t leave it to the user - Just do the right thing, you don’t have to ask Have good defaults - Make sure that clicking next will leave the user in a good place Be very explicit when needed - If the user is in a “dangerous” situation - design carefully and if you have to explain : use language the user can understand @pati_gallardo
  • 42.
    They Trust You WithPersonal information - They trust you to protect them from both hackers and governments With Data - They trust you to protect their pictures, documents, email … With Money - They trust you to protect their payment information and passwords @pati_gallardo
  • 43.
    Fix : BeTrustworthy Only store what you have to - Try to use end-to-end encryption, so that even you don’t have access. Encrypt as much as you can Back up everything - Your users can’t afford to lose their baby pictures Use third party payment - Avoid having responsibility for their money @pati_gallardo
  • 44.
    Everyone Is AnExpert @pati_gallardo
  • 45.
    1. Unable toRoll Out Fixes 2. No Control over Dependencies 3. The Team is Gone 4. It’s in Our Code 5. My Boss Made Me Do It 6. User Experience of Security Challenges @pati_gallardo
  • 46.
    Protect Your User- Be a Force For Good @pati_gallardo
  • 47.
    The Spaces WeCreate Online Are REAL @pati_gallardo
  • 48.
    Make Everyone FeelSafe To Be Themselves @pati_gallardo
  • 49.
    Make it Fixable Livingwith Risk Patricia Aas, Vivaldi Technologies @pati_gallardo Photos from pixabay.com - CC0 Creative Commons License
  • 50.