Uploaded bysblom
PPT, PDF307 views

Developing Software with Security in Mind

The document outlines 10 rules for developing software with security in mind. The rules are: 1. Learn about security or it will teach you the hard way through vulnerabilities. 2. Security knowledge becomes obsolete quickly, so keep learning. Have a security expert on your team. 3. Befriend security researchers and let them test your software for vulnerabilities. 4. Expect to ship software with security bugs despite your best efforts. 5. Have security response plans to quickly address issues that arise. 6. Security and usability will always be in tension so aim for good, not perfect. 7. Have open conversations about security with users and researchers to build trust. 8. There may

Embed presentation

Download to read offline
Developing Software with Security in Mind Scott Blomquist CTO, Vidoop
Format This session is: 10 useful rules for developing with security in mind Not just mine: feel free to interrupt at any time This session isn't: A talk about specific security pitfalls, development techniques, etc.
Rule #1 Learn about security or it will teach you.
How my security education began July 2001: Code Red slows corporate networks to a crawl   September 2001: Nimda does it again   February/March 2002: Windows Security Push   January 2003: This time it's Slammer   Summer 2003: Work begins on "Springboard"   August 2003: Blaster terrorizes the world
Rule #2 Learn about security or it will teach you. Security knowledge goes obsolete quickly.
Security trends Tools, languages, development practices get better Static analysis tools Safer versions of C run-time functions Input fuzzing tools Stack attack detection   So do the badguys Tools advances may help them, too New techniques are discovered all the time   ALL: favorite examples of either of these?
Rule #3 Learn about security or it will teach you. Security knowledge goes obsolete quickly. Your team should have a security geek (or more).
Passions get the best attention Security geek doesn't have to be a full-time job. You might already work with one (or might be one). To get started, you just have to make it a point to read about and talk about security. With luck, it will just "fit" for someone.
Rule #4 Learn about security or it will teach you. Security knowledge goes obsolete quickly. Your team should have a security geek (or more). Befriend the security researchers in your field.
Security researchers: symbiotic parasites We have great local resources here in Tulsa. Spend time poking holes in your project over coffee or beer. Suggest exciting research projects. Make sure they know how to reach you if they have an interesting thought.  Despite how bad it feels when a flaw in your project gets published, you want them to find the flaw.
Rule #5 Learn about security or it will teach you. Security knowledge goes obsolete quickly. Your team should have a security geek (or more). Befriend the security researchers in your field. Despite knowledge, you  will ship security bugs.
Software is never defect-free No one would claim to be unbreakable (okay, except Oracle) But many projects sure act like they are.
Rule #6 Learn about security or it will teach you. Security knowledge goes obsolete quickly. Your team should have a security geek (or more). Befriend the security researchers in your field. Despite knowledge, you  will ship security bugs. Have security response plans in place.
Emergency response plans How to know when to respond Web products and boxed products are different. How to disseminate the response Everyone needs an update process. Sometimes you need damage control levers, too.
Rue #7 Learn about security or it will teach you. Security knowledge goes obsolete quickly. Your team should have a security geek (or more). Befriend the security researchers in your field. Despite knowledge, you  will ship security bugs. Have security response plans in place. Security and usability will always be in tension.
Secrity vs. Usability "The most secure computer in the world is in a concrete and steel vault, protected by armed guards, and not plugged in to the network or even power. But it's not very useful, either." --Various
Rule #8 Learn about security or it will teach you. Security knowledge goes obsolete quickly. Your team should have a security geek (or more). Befriend the security researchers in your field. Despite knowledge, you  will ship security bugs. Have security response plans in place. Security and usability will always be in tension. The perfect is the enemy of the good.
A case study: OpenID First, what is OpenID: OpenID According to Dave   Many OpenID objections center around how it doesn't solve as many problems as pick-your-favorite-heavy-crypto-based-auth-protocol. Despite those strong objections, OpenID is poised to be an Internet phenomenon.
Rule #9 Learn about security or it will teach you. Security knowledge goes obsolete quickly. Your team should have a security geek (or more). Befriend the security researchers in your field. Despite knowledge, you  will ship security bugs. Have security response plans in place. Security and usability will always be in tension. The perfect is the enemy of the good. Have open conversations about security.
Open conversation You want to know at least as much about your security as everyone else.  Sometimes conversations will be uncomfortable, but you have to learn and your users have to be reassured about their future with your software. Who to talk to: Users Researchers
Rule #10 Learn about security or it will teach you. Security knowledge goes obsolete quickly. Your team should have a security geek (or more). Befriend the security researchers in your field. Despite knowledge, you  will ship security bugs. Have security response plans in place. Security and usability will always be in tension. The perfect is the enemy of the good. Have open conversations about security. Sometimes there is no rule #10.
No rule #10 Security is unpredictable. Be ready for anything.
Additional Resources More information about Microsoft's security turning point Inside Windows XP SP2 Inside the Windows Security Push
Questions? Slides available at http://Scott.Blomqui.st

More Related Content

PPTX
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
byAdrian Sanabria
 
PPT
Anton Chuvakin on What is NOT Working in Security 2004
byAnton Chuvakin
 
PDF
Sigma Open Tech Week: Bitter Truth About Software Security
byVlad Styran
 
PPTX
Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...
byCODE BLUE
 
PPTX
Database Security Risks You Might Not Have Considered, but Need To
byIDERA Software
 
PPTX
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
byAdrian Sanabria
 
PDF
A Journey Into Pen-tester land: Myths or Facts!
byAmmar WK
 
PDF
Enabling effective hunt teaming and incident response
byjeffmcjunkin
 
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
byAdrian Sanabria
 
Anton Chuvakin on What is NOT Working in Security 2004
byAnton Chuvakin
 
Sigma Open Tech Week: Bitter Truth About Software Security
byVlad Styran
 
Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...
byCODE BLUE
 
Database Security Risks You Might Not Have Considered, but Need To
byIDERA Software
 
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
byAdrian Sanabria
 
A Journey Into Pen-tester land: Myths or Facts!
byAmmar WK
 
Enabling effective hunt teaming and incident response
byjeffmcjunkin
 

What's hot

PDF
Pen-testing is Dead?
byAmmar WK
 
PPTX
KISSPatent open source presentation
byKISSPatent
 
PPTX
The Cyber Threat Intelligence Matrix: Taking the attacker eviction red pill
byFrode Hommedal
 
PDF
Human is an amateur; the monkey is an expert. How to stop trying to secure yo...
byVlad Styran
 
PDF
2020 FRSecure CISSP Mentor Program - Class 9
byFRSecure
 
PDF
2018 CISSP Mentor Program Session 3
byFRSecure
 
PPTX
Ed McCabe - Putting the Intelligence back in Threat Intelligence
bycentralohioissa
 
PPT
PHP-IDS
bysilenceIT Inc.
 
PPTX
Jim Wojno: Incident Response - No Pain, No Gain!
bycentralohioissa
 
PDF
2019 FRSecure CISSP Mentor Program: Class Three
byFRSecure
 
PDF
2020 FRSecure CISSP Mentor Program - Class 10
byFRSecure
 
PDF
DEF CON 23 - Wesley McGrew - i hunt penetration testers
byFelipe Prado
 
PPTX
Open stack security emea launch
byJoshua McKenty
 
PPT
Cf.Objective.2009
byBill Shelton
 
PDF
10 Reasons Why You Fix Bugs As Soon As You Find Them
byRosie Sherry
 
PPTX
Security and privacy for journalists
byJillian York
 
PDF
Physical Penetration Testing (RootedCON 2015)
byEduardo Arriols Nuñez
 
PDF
How to be come a hacker slide for 2600 laos
byOuthai SAIOUDOM
 
PDF
2020 FRSecure CISSP Mentor Program - Class 11
byFRSecure
 
PPT
Module5 desktop-laptop-security-b
byBbAOC
 
Pen-testing is Dead?
byAmmar WK
 
KISSPatent open source presentation
byKISSPatent
 
The Cyber Threat Intelligence Matrix: Taking the attacker eviction red pill
byFrode Hommedal
 
Human is an amateur; the monkey is an expert. How to stop trying to secure yo...
byVlad Styran
 
2020 FRSecure CISSP Mentor Program - Class 9
byFRSecure
 
2018 CISSP Mentor Program Session 3
byFRSecure
 
Ed McCabe - Putting the Intelligence back in Threat Intelligence
bycentralohioissa
 
PHP-IDS
bysilenceIT Inc.
 
Jim Wojno: Incident Response - No Pain, No Gain!
bycentralohioissa
 
2019 FRSecure CISSP Mentor Program: Class Three
byFRSecure
 
2020 FRSecure CISSP Mentor Program - Class 10
byFRSecure
 
DEF CON 23 - Wesley McGrew - i hunt penetration testers
byFelipe Prado
 
Open stack security emea launch
byJoshua McKenty
 
Cf.Objective.2009
byBill Shelton
 
10 Reasons Why You Fix Bugs As Soon As You Find Them
byRosie Sherry
 
Security and privacy for journalists
byJillian York
 
Physical Penetration Testing (RootedCON 2015)
byEduardo Arriols Nuñez
 
How to be come a hacker slide for 2600 laos
byOuthai SAIOUDOM
 
2020 FRSecure CISSP Mentor Program - Class 11
byFRSecure
 
Module5 desktop-laptop-security-b
byBbAOC
 

Similar to Developing Software with Security in Mind

ODP
Break it while you make it: writing (more) secure software
byLeigh Honeywell
 
PPTX
Security engineering 101 when good design & security work together
byWendy Knox Everette
 
PPT
Software Security in the Real World
byMark Curphey
 
PPT
Survey Presentation About Application Security
byNicholas Davis
 
PPTX
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
byRyan Elkins
 
PDF
Tech Talent Meetup Hacking Security Event Recap
byDominic Vogel
 
PDF
12 Simple Cybersecurity Rules For Your Small Business
byNSUGSCIS
 
PPT
Intro to-ssdl--lone-star-php-2013
bynanderoo
 
PPTX
How to-become-secure-and-stay-secure
byIIMBNSRCEL
 
PDF
Biggest info security mistakes security innovation inc.
byuNIX Jim
 
KEY
Application Security Done Right
bypvanwoud
 
PPT
3.Secure Design Principles And Process
byphanleson
 
PDF
Wfh security risks - Ed Adams, President, Security Innovation
byPriyanka Aash
 
PDF
Secured Development
byBurhan Khalid
 
PDF
Mr. Burhan Khalid - secure dev.
bynooralmousa
 
PDF
Application Security Testing for Software Engineers: An approach to build sof...
byMichael Hidalgo
 
PDF
Designing Secure APIs
bySteven Chen
 
PPTX
Week 4.1 Building security into the software development lifecycle copy.pptx
byazida3
 
PDF
The Most Important Thing: How Mozilla Does Security and What You Can Steal
bymozilla.presentations
 
PDF
The Permanent Campaign
byDenim Group
 
Break it while you make it: writing (more) secure software
byLeigh Honeywell
 
Security engineering 101 when good design & security work together
byWendy Knox Everette
 
Software Security in the Real World
byMark Curphey
 
Survey Presentation About Application Security
byNicholas Davis
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
byRyan Elkins
 
Tech Talent Meetup Hacking Security Event Recap
byDominic Vogel
 
12 Simple Cybersecurity Rules For Your Small Business
byNSUGSCIS
 
Intro to-ssdl--lone-star-php-2013
bynanderoo
 
How to-become-secure-and-stay-secure
byIIMBNSRCEL
 
Biggest info security mistakes security innovation inc.
byuNIX Jim
 
Application Security Done Right
bypvanwoud
 
3.Secure Design Principles And Process
byphanleson
 
Wfh security risks - Ed Adams, President, Security Innovation
byPriyanka Aash
 
Secured Development
byBurhan Khalid
 
Mr. Burhan Khalid - secure dev.
bynooralmousa
 
Application Security Testing for Software Engineers: An approach to build sof...
byMichael Hidalgo
 
Designing Secure APIs
bySteven Chen
 
Week 4.1 Building security into the software development lifecycle copy.pptx
byazida3
 
The Most Important Thing: How Mozilla Does Security and What You Can Steal
bymozilla.presentations
 
The Permanent Campaign
byDenim Group
 

Recently uploaded

PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PDF
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PDF
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PPTX
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PDF
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
PDF
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PDF
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PPTX
apidays Paris 2025 | Building Agentic Workflows
byapidays
 
PDF
apidays Paris 2025 | Zero Trust By Design
byapidays
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PDF
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
apidays Paris 2025 | Building Agentic Workflows
byapidays
 
apidays Paris 2025 | Zero Trust By Design
byapidays
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 

Developing Software with Security in Mind

  • 1.
    Developing Software withSecurity in Mind Scott Blomquist CTO, Vidoop
  • 2.
    Format This sessionis: 10 useful rules for developing with security in mind Not just mine: feel free to interrupt at any time This session isn't: A talk about specific security pitfalls, development techniques, etc.
  • 3.
    Rule #1 Learnabout security or it will teach you.
  • 4.
    How my securityeducation began July 2001: Code Red slows corporate networks to a crawl   September 2001: Nimda does it again   February/March 2002: Windows Security Push   January 2003: This time it's Slammer   Summer 2003: Work begins on "Springboard"   August 2003: Blaster terrorizes the world
  • 5.
    Rule #2 Learnabout security or it will teach you. Security knowledge goes obsolete quickly.
  • 6.
    Security trends Tools,languages, development practices get better Static analysis tools Safer versions of C run-time functions Input fuzzing tools Stack attack detection   So do the badguys Tools advances may help them, too New techniques are discovered all the time   ALL: favorite examples of either of these?
  • 7.
    Rule #3 Learnabout security or it will teach you. Security knowledge goes obsolete quickly. Your team should have a security geek (or more).
  • 8.
    Passions get thebest attention Security geek doesn't have to be a full-time job. You might already work with one (or might be one). To get started, you just have to make it a point to read about and talk about security. With luck, it will just "fit" for someone.
  • 9.
    Rule #4 Learnabout security or it will teach you. Security knowledge goes obsolete quickly. Your team should have a security geek (or more). Befriend the security researchers in your field.
  • 10.
    Security researchers: symbioticparasites We have great local resources here in Tulsa. Spend time poking holes in your project over coffee or beer. Suggest exciting research projects. Make sure they know how to reach you if they have an interesting thought.  Despite how bad it feels when a flaw in your project gets published, you want them to find the flaw.
  • 11.
    Rule #5 Learnabout security or it will teach you. Security knowledge goes obsolete quickly. Your team should have a security geek (or more). Befriend the security researchers in your field. Despite knowledge, you  will ship security bugs.
  • 12.
    Software is neverdefect-free No one would claim to be unbreakable (okay, except Oracle) But many projects sure act like they are.
  • 13.
    Rule #6 Learnabout security or it will teach you. Security knowledge goes obsolete quickly. Your team should have a security geek (or more). Befriend the security researchers in your field. Despite knowledge, you  will ship security bugs. Have security response plans in place.
  • 14.
    Emergency response plansHow to know when to respond Web products and boxed products are different. How to disseminate the response Everyone needs an update process. Sometimes you need damage control levers, too.
  • 15.
    Rue #7 Learnabout security or it will teach you. Security knowledge goes obsolete quickly. Your team should have a security geek (or more). Befriend the security researchers in your field. Despite knowledge, you  will ship security bugs. Have security response plans in place. Security and usability will always be in tension.
  • 16.
    Secrity vs. Usability"The most secure computer in the world is in a concrete and steel vault, protected by armed guards, and not plugged in to the network or even power. But it's not very useful, either." --Various
  • 17.
    Rule #8 Learnabout security or it will teach you. Security knowledge goes obsolete quickly. Your team should have a security geek (or more). Befriend the security researchers in your field. Despite knowledge, you  will ship security bugs. Have security response plans in place. Security and usability will always be in tension. The perfect is the enemy of the good.
  • 18.
    A case study:OpenID First, what is OpenID: OpenID According to Dave   Many OpenID objections center around how it doesn't solve as many problems as pick-your-favorite-heavy-crypto-based-auth-protocol. Despite those strong objections, OpenID is poised to be an Internet phenomenon.
  • 19.
    Rule #9 Learnabout security or it will teach you. Security knowledge goes obsolete quickly. Your team should have a security geek (or more). Befriend the security researchers in your field. Despite knowledge, you  will ship security bugs. Have security response plans in place. Security and usability will always be in tension. The perfect is the enemy of the good. Have open conversations about security.
  • 20.
    Open conversation Youwant to know at least as much about your security as everyone else.  Sometimes conversations will be uncomfortable, but you have to learn and your users have to be reassured about their future with your software. Who to talk to: Users Researchers
  • 21.
    Rule #10 Learnabout security or it will teach you. Security knowledge goes obsolete quickly. Your team should have a security geek (or more). Befriend the security researchers in your field. Despite knowledge, you  will ship security bugs. Have security response plans in place. Security and usability will always be in tension. The perfect is the enemy of the good. Have open conversations about security. Sometimes there is no rule #10.
  • 22.
    No rule #10Security is unpredictable. Be ready for anything.
  • 23.
    Additional Resources Moreinformation about Microsoft's security turning point Inside Windows XP SP2 Inside the Windows Security Push
  • 24.
    Questions? Slides availableat http://Scott.Blomqui.st