Download to read offline
Uploaded byBrian Vermeer
Don't be a Trojan
This document discusses cybersecurity threats and best practices for software development. It notes that cybercrime is a large and growing business, with damages estimated at $3 trillion worldwide in 2016. The document advocates designing systems with security in mind from the start, avoiding exposing unnecessary data, logging all activity, reviewing code for vulnerabilities, using secure password practices, and working with security teams. Developers are warned that without care, software can be "trojanized" over time to expose more data or capabilities than intended.
More Related Content
![CYBER SECURITY AWARENESS.pptx [Read-Only].pptx](https://cdn.slidesharecdn.com/ss_thumbnails/operatingsysteam1new-230723061644-ffddfa30-thumbnail.jpg?width=640&height=640&fit=bounds)
Don't be a Trojan
- 1. DON’T BE ATROJAN BRIAN VERMEER @BrianVerm#DevoxxPL
- 2.
- 3. DATA IS THENEW GOLD
- 6.
- 7. BUT I GOTNOTHING TO HIDE … DON’T BE A TROJAN
- 8.
- 9.
- 10.
- 11. CYBERCRIME REAL THREAT AND ITIS GROWING ORGANISED AND PROFESSIONAL IT’S A BUSINESS RISKS ARE LOW WE ARE NOT READY LOT OF MONEY INVOLVED
- 12. HOW PROFITABLE ISCYBERCRIME? US Military and Defence Expanses (2015) 600 Billion dollars Cyber crime damage world wide (2016) 3 Trillion dollars Bank of Iraq Heist (2003) 1 Billion dollars
- 14. BUT NOW WEHAVE GDPR…RIGHT?!
- 15.
- 17.
- 18.
- 19.
- 20.
- 21.
- 22.
- 23. DON’T BE ATROJAN DATA STORAGE ▸ WHAT DATA DO WE STORE? ▸ WHAT DATA DO WE NEED? ▸ HOW LONG DO WE NEED TO KEEP THIS DATA? ▸ HOW DOES THIS DATA TRACE BACK TO AN INDIVIDUAL? ▸ WHO HAS ACCESS TO THIS DATA
- 24.
- 25. DON’T BE ATROJAN STAGE 1 - BUILD A NICE CLEAN SYSTEM
- 26. DON’T BE ATROJAN STAGE 2 - A LITTLE ADDITION
- 27. DON’T BE ATROJAN STAGE 3 - A COMPLETE NEW FEATURE ON TOP
- 28. DON’T BE ATROJAN STAGE 4 - EXPANDING WITH A NEW SCOPE
- 29. DON’T BE ATROJAN STAGE 5 - AND NOW WE WANT TO RULE THE WORLD
- 30. EXAMPLE PROFILE SERVICE CREATE PROFILE UPDATE PREFERENCES GETPROFILE BY UUID PROFILE - UUID - LIST OF PREFERENCES
- 31. EXAMPLE PROFILE SERVICE CREATE PROFILE UPDATE PREFERENCES GETPROFILE BY UUID PROFILE - UUID - EMAIL - LIST OF PREFERENCES MYHOME SERVICE CLAIM A HOUSE UPDATE YOUR HOUSE FIND ALL HOUSES MyHOUSE - UUID - HOUSE ADDRESS - HOUSE PICTURES SECURED LOGIN
- 32. EXAMPLE PROFILE SERVICE GET PROFILE BYUUID PROFILE - UUID - EMAIL - LIST OF PREFERENCES MYHOME SERVICE FIND ALL HOUSES MyHOUSE - UUID (EXPOSED) - HOUSE ADDRESS - HOUSE PICTURES
- 33. WHAT DATA ISEXPOSED TO THE OUTSIDE WORLD
- 34.
- 35. WHO WAS EXPOSED? HOWLONG WAS IT THERE? WHAT WAS THE IMPACT? WHAT KIND OF DATA IS LEAKED? AM I A VICTIM?
- 36.
- 37.
- 38.
- 39.
- 40.
- 41. DON’T BE ATROJAN CODE REVIEW @GetMapping(path="/all") public List<MyHouse> getAllHouses() { return MyHouseRepository.findAll(); } public class MyHouse { @Id private String id; private Date creationDate; private Date modificationDate; private String userId; private String street; private Integer number; private String zip; private String city; }
- 42. DON’T BE ATROJAN CODE REVIEW @GetMapping(path="/all") public List<Woning> getAllHouses() { return MyHouseRepository.findAll(); } public class MyHouse { @Id private String id; private Date creationDate; private Date modificationDate; @JsonIgnore private String userId; private String street; private Integer number; private String zip; private String city; }
- 43.
- 44. TEXT PASSWORD PROTECTION ▸ Usea password policy ▸ Use a cryptographically strong credential-specific salt ▸ Use a cryptographic hash algorithm (e.g. PBKDF2 / bCrypt) ▸ Use a HMAC (keyed-hash message authentication code), HMAC-SHA256 ▸ Review algorithms
- 45.
- 46. WORK TOGETHER WITH SECURITYDEPARTMENT
- 47.