SlideShare a Scribd company logo

CppCon 2018 - Make it Fixable: Living with Risk

Patricia Aas
Patricia Aas

From experience we have learned that almost any surface we expose could have weaknesses. We have to have a plan on how to deal with issues as they arise, and an architecture that allows us to correct and protect in products that are already in use. When security is lifted up to the discretion of the user, however, we often fail to inform their decision properly. The usability of security and the architecture of fixability are closely connected, and both need continued refinement and focus. This talk will describe architectural and organizational features that make it easier to make corrective measures. They are down-to-earth everyday scenarios, illustrated by real world software projects and security incidents. Some of the stories are well known, some are anonymized to protect the innocent. Finally we will show examples of how difficult it is to design the user experience of security.

Technology
1 of 46
Download to read offline
@pati_gallardo T S
Make it Fixable Living with Risk Patricia Aas CppCon 2018 T S @pati_gallardo
Patricia Aas - Consultant Programmer, Application Security Currently : T S Previously : Vivaldi, Cisco Systems, Knowit, Opera Software Master in Computer Science - main language Java Pronouns: she/her T S @pati_gallardo
Security is Hard @pati_gallardo 5
Just Remember : - You live in the real world - Take one step at a time - Make a Plan @pati_gallardo 6
You Need A Security “Hotline” security@example.com Symbiotic relationship Be polite Be grateful Be professional Be efficient and transparent @pati_gallardo 7
- What is a System? - What is a vulnerability? - @pati_gallardo 8
1. Unable to Roll Out Fixes 2. No Control over Dependencies 3. The Team is Gone 4. It’s in Our Code 5. My Boss Made Me Do It 6. User Experience of Security Outline @pati_gallardo 9
Unable to Roll Out Fixes 1 @pati_gallardo 10
Unable to Roll out Fixes Unable to Update Unable to Build @pati_gallardo 11
Internet of Things Toys: My Friend Cayla, i-Que Intelligent Robots, Hello Barbie Mirai: Botnets created with IOT devices, users don’t update “Shelfware” No Maintenance contract Abandonware Closed source - no way to fix/fork Unable to Roll Out Fixes. 12 @pati_gallardo
Internet of Things - Auto-update - Different default passwords - Unboxing security (make the user change the password) “Shelfware” - Get maintenance contract - Change supplier - Do in-house - Use only Open Source Software Fix : Ship It! Unable to Roll Out Fixes. 13 @pati_gallardo
Fix : Ship It! Holy Grail : Continuous Deployment and Auto Update - A Build Environment - Update Mechanism Unable to Roll Out Fixes. 14 @pati_gallardo
Some systems should not be “fixed” A major election software maker allowed remote access on its systems for years Exceptions? 15 @pati_gallardo
No Control over Dependencies 2 @pati_gallardo
No Control over Dependencies No inventory No update routines No auditing @pati_gallardo 17
Equifax Breach Known vulunerability in Apache Struts 2 Heartbleed Bug in openssl Left-Pad Developer unpublished a mini-Js library No Control over Dependencies 18 @pati_gallardo
Equifax Breach Continuous Dependency Auditing Heartbleed Control over production environment Left-Pad Remove unnecessary dependencies Fix: Control It! No Control over Dependencies 19 @pati_gallardo
Fix: Control It! Goal : Largely Automated Dependency Monitoring Remember transitive dependencies Monitor and Update No Control over Dependencies @pati_gallardo 20
The Team is Gone 3 @pati_gallardo 21
The Team Is Gone - Team were consultants - They were downsized - The job was outsourced - “Bus factor” - “Binary blob” - Abandonware @pati_gallardo 22
Fix : Own It! Goal : Complete Build Environment Fork it, own it The Team Is Gone. @pati_gallardo 23
Use It! @pati_gallardo 24
It’s in Our Code 4 @pati_gallardo 25
It’s in Our Code Congratulations! This is Actually the BEST CASE SCENARIO @pati_gallardo 26
Keeper Password Manager - Reporter: Tavis Ormandy (@taviso) - “allowing any website to steal any password” - Browser plugin preinstalled on Windows - Badly handled report: Sues news reporter Dan Goodin It’s In Our Code 27 @pati_gallardo
gitlab.com - “rm -rf” - Sysadmin maintenance - Cascading errors as backups fail - All logged Publicly in real time Transparency Breeds Trust That is how you recover Fix : Live It! It’s In Our Code 28 @pati_gallardo
Fix : Live It! Goal : Prevent & Cure Prevention is great, but the Cure is to Ship It’s In Our Code 29 @pati_gallardo
My Boss Made Me Do It 5 @pati_gallardo 30
My Boss Made Me Do It The Feature is the Bug How? - Security Problem - Privacy Problem - Unethical - Illegal @pati_gallardo 31
Capcom's Street Fighter V - Installed a driver - “anti-crack solution” “...disables supervisor-mode execution protection and then runs the arbitrary code passed in through the ioctl buffer with kernel permissions..” - Reddit user extrwi My Boss Made Me Do It 32 @pati_gallardo
KrebsOnSecurity: "For 2nd Time in 3 Years, Mobile Spyware Maker mSpy Leaks Millions of Sensitive Records" @pati_gallardo 33
Fix : Protect It! Goal : Protect your user Prevent : Protect your team - Workers rights - Team can diffuse blame Cure : Protect your company - Find a Powerful Ally - Do Risk Analysis : Brand Reputation, Trust - Use the Law LAST RESORT : Whistleblowing & Quitting My Boss Made Me Do It 34 @pati_gallardo
Google: DragonFly - "A plan to launch a censored search engine in China" - Employee authors a memo - Internal protests Maersk: NotPetya - Ransomware spreads globally, insufficient network segmentation - “IT executives had pushed for a preemptive security redesign” These are often the Unsung Heroes (Last Resort : Edward Snowden) Fix : Protect It! My Boss Made Me Do It 35 @pati_gallardo
Ship It, Control It, Own It, Live It & Protect It @pati_gallardo 36
- You need a Security Hotline - You Have to Ship Recap @pati_gallardo 37
Designing the User Experience of Security 6 @pati_gallardo 38
@pati_gallardo 39
The Users Won’t Read Error blindness “Just click next” “Make it go away” 40 @pati_gallardo
Fix : Less is More Don’t leave it to the user Have good defaults Be very explicit when needed 41 @pati_gallardo
They Trust You With Personal Information With Data With Money 42 @pati_gallardo
Fix : Be Trustworthy Only store what you have to Back up everything Use third party payment Be loyal to your end user 43 @pati_gallardo
Ship It, Control It, Own It, Live It & Protect It Design For It @pati_gallardo 44
T S P f . Patricia Aas, T S @pati_gallardo
@pati_gallardo T S

Recommended

Make It Fixable, Living with Risk (NDC London 2018)
Make It Fixable, Living with Risk (NDC London 2018)Make It Fixable, Living with Risk (NDC London 2018)
Make It Fixable, Living with Risk (NDC London 2018)Patricia Aas
 
Continuous Security
Continuous SecurityContinuous Security
Continuous SecurityEqual Experts
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review ProcessSherif Koussa
 
Segurança além do Pentest
Segurança além do PentestSegurança além do Pentest
Segurança além do PentestAnchises Moraes
 
Só o Pentest não resolve!
Só o Pentest não resolve!Só o Pentest não resolve!
Só o Pentest não resolve!Anchises Moraes
 
Fighting malware - keeping your Intellectual Property safe
Fighting malware - keeping your Intellectual Property safeFighting malware - keeping your Intellectual Property safe
Fighting malware - keeping your Intellectual Property safePrayukth K V
 
Dutch PHP 2018 - Cryptography for Beginners
Dutch PHP 2018 - Cryptography for BeginnersDutch PHP 2018 - Cryptography for Beginners
Dutch PHP 2018 - Cryptography for BeginnersAdam Englander
 
2019 dsec stego_ppt
2019 dsec stego_ppt2019 dsec stego_ppt
2019 dsec stego_ppt승형 이
 

Recommended

Make It Fixable, Living with Risk (NDC London 2018)
Make It Fixable, Living with Risk (NDC London 2018)Make It Fixable, Living with Risk (NDC London 2018)
Make It Fixable, Living with Risk (NDC London 2018)Patricia Aas
 
Continuous Security
Continuous SecurityContinuous Security
Continuous SecurityEqual Experts
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review ProcessSherif Koussa
 
Segurança além do Pentest
Segurança além do PentestSegurança além do Pentest
Segurança além do PentestAnchises Moraes
 
Só o Pentest não resolve!
Só o Pentest não resolve!Só o Pentest não resolve!
Só o Pentest não resolve!Anchises Moraes
 
Fighting malware - keeping your Intellectual Property safe
Fighting malware - keeping your Intellectual Property safeFighting malware - keeping your Intellectual Property safe
Fighting malware - keeping your Intellectual Property safePrayukth K V
 
Dutch PHP 2018 - Cryptography for Beginners
Dutch PHP 2018 - Cryptography for BeginnersDutch PHP 2018 - Cryptography for Beginners
Dutch PHP 2018 - Cryptography for BeginnersAdam Englander
 
2019 dsec stego_ppt
2019 dsec stego_ppt2019 dsec stego_ppt
2019 dsec stego_ppt승형 이
 
It's Okay To Touch Yourself - DerbyCon 2013
It's Okay To Touch Yourself - DerbyCon 2013It's Okay To Touch Yourself - DerbyCon 2013
It's Okay To Touch Yourself - DerbyCon 2013Ben Ten (0xA)
 
Revealing Resilience Vulnerabilities in Spring Boot Architectures
Revealing Resilience Vulnerabilities in Spring Boot ArchitecturesRevealing Resilience Vulnerabilities in Spring Boot Architectures
Revealing Resilience Vulnerabilities in Spring Boot ArchitecturesVMware Tanzu
 
2019 04-04-dev secops-software supply chain_fst-2
2019 04-04-dev secops-software supply chain_fst-22019 04-04-dev secops-software supply chain_fst-2
2019 04-04-dev secops-software supply chain_fst-2Cameron Townshend
 
Charan Resume
Charan ResumeCharan Resume
Charan ResumeCharan Mukkamala
 
Reading Other Peoples Code (NDC Sydney 2018)
Reading Other Peoples Code (NDC Sydney 2018)Reading Other Peoples Code (NDC Sydney 2018)
Reading Other Peoples Code (NDC Sydney 2018)Patricia Aas
 
API Security: Assume Possible Interference
API Security: Assume Possible InterferenceAPI Security: Assume Possible Interference
API Security: Assume Possible InterferenceJulie Tsai
 
Why Is Election Security So Hard? (Paranoia 2019)
Why Is Election Security So Hard? (Paranoia 2019) Why Is Election Security So Hard? (Paranoia 2019)
Why Is Election Security So Hard? (Paranoia 2019) Patricia Aas
 
Make it Fixable (NDC Copenhagen 2018)
Make it Fixable (NDC Copenhagen 2018)Make it Fixable (NDC Copenhagen 2018)
Make it Fixable (NDC Copenhagen 2018)Patricia Aas
 
Make It Fixable (Sikkert NOK 2017)
Make It Fixable (Sikkert NOK 2017)Make It Fixable (Sikkert NOK 2017)
Make It Fixable (Sikkert NOK 2017)Patricia Aas
 
Make it Fixable, Living with Risk (Paranoia 2017)
Make it Fixable, Living with Risk (Paranoia 2017)Make it Fixable, Living with Risk (Paranoia 2017)
Make it Fixable, Living with Risk (Paranoia 2017)Patricia Aas
 
DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)Patricia Aas
 
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To StartDevSecOps for Developers: How To Start
DevSecOps for Developers: How To StartPatricia Aas
 
Reading Other Peoples Code (Web Rebels 2018)
Reading Other Peoples Code (Web Rebels 2018)Reading Other Peoples Code (Web Rebels 2018)
Reading Other Peoples Code (Web Rebels 2018)Patricia Aas
 
Security Opportunities A Silicon Valley VC Perspective
Security Opportunities A Silicon Valley VC PerspectiveSecurity Opportunities A Silicon Valley VC Perspective
Security Opportunities A Silicon Valley VC PerspectivePositive Hack Days
 
I can be apple and so can you
I can be apple and so can youI can be apple and so can you
I can be apple and so can youShakacon
 
Reading Other Peoples Code (NDC Copenhagen 2019)
Reading Other Peoples Code (NDC Copenhagen 2019)Reading Other Peoples Code (NDC Copenhagen 2019)
Reading Other Peoples Code (NDC Copenhagen 2019)Patricia Aas
 
NCET Tech Bite - Cloud Storage and Data Backup - June 2015
NCET Tech Bite - Cloud Storage and Data Backup - June 2015NCET Tech Bite - Cloud Storage and Data Backup - June 2015
NCET Tech Bite - Cloud Storage and Data Backup - June 2015Archersan
 
NCET Tech
NCET Tech NCET Tech
NCET Tech Archersan
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...lior mazor
 
Reading Other Peoples Code (NDC London 2019)
Reading Other Peoples Code (NDC London 2019)Reading Other Peoples Code (NDC London 2019)
Reading Other Peoples Code (NDC London 2019)Patricia Aas
 
Make it Fixable (Security Divas 2017)
Make it Fixable (Security Divas 2017)Make it Fixable (Security Divas 2017)
Make it Fixable (Security Divas 2017)Patricia Aas
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...RootedCON
 

More Related Content

What's hot

It's Okay To Touch Yourself - DerbyCon 2013
It's Okay To Touch Yourself - DerbyCon 2013It's Okay To Touch Yourself - DerbyCon 2013
It's Okay To Touch Yourself - DerbyCon 2013Ben Ten (0xA)
 
Revealing Resilience Vulnerabilities in Spring Boot Architectures
Revealing Resilience Vulnerabilities in Spring Boot ArchitecturesRevealing Resilience Vulnerabilities in Spring Boot Architectures
Revealing Resilience Vulnerabilities in Spring Boot ArchitecturesVMware Tanzu
 
2019 04-04-dev secops-software supply chain_fst-2
2019 04-04-dev secops-software supply chain_fst-22019 04-04-dev secops-software supply chain_fst-2
2019 04-04-dev secops-software supply chain_fst-2Cameron Townshend
 
Reading Other Peoples Code (NDC Sydney 2018)
Reading Other Peoples Code (NDC Sydney 2018)Reading Other Peoples Code (NDC Sydney 2018)
Reading Other Peoples Code (NDC Sydney 2018)Patricia Aas
 
API Security: Assume Possible Interference
API Security: Assume Possible InterferenceAPI Security: Assume Possible Interference
API Security: Assume Possible InterferenceJulie Tsai
 
Why Is Election Security So Hard? (Paranoia 2019)
Why Is Election Security So Hard? (Paranoia 2019) Why Is Election Security So Hard? (Paranoia 2019)
Why Is Election Security So Hard? (Paranoia 2019) Patricia Aas
 

What's hot (7)

It's Okay To Touch Yourself - DerbyCon 2013
It's Okay To Touch Yourself - DerbyCon 2013It's Okay To Touch Yourself - DerbyCon 2013
It's Okay To Touch Yourself - DerbyCon 2013
 
Revealing Resilience Vulnerabilities in Spring Boot Architectures
Revealing Resilience Vulnerabilities in Spring Boot ArchitecturesRevealing Resilience Vulnerabilities in Spring Boot Architectures
Revealing Resilience Vulnerabilities in Spring Boot Architectures
 
2019 04-04-dev secops-software supply chain_fst-2
2019 04-04-dev secops-software supply chain_fst-22019 04-04-dev secops-software supply chain_fst-2
2019 04-04-dev secops-software supply chain_fst-2
 
Charan Resume
Charan ResumeCharan Resume
Charan Resume
 
Reading Other Peoples Code (NDC Sydney 2018)
Reading Other Peoples Code (NDC Sydney 2018)Reading Other Peoples Code (NDC Sydney 2018)
Reading Other Peoples Code (NDC Sydney 2018)
 
API Security: Assume Possible Interference
API Security: Assume Possible InterferenceAPI Security: Assume Possible Interference
API Security: Assume Possible Interference
 
Why Is Election Security So Hard? (Paranoia 2019)
Why Is Election Security So Hard? (Paranoia 2019) Why Is Election Security So Hard? (Paranoia 2019)
Why Is Election Security So Hard? (Paranoia 2019)
 

Similar to CppCon 2018 - Make it Fixable: Living with Risk

Make it Fixable (NDC Copenhagen 2018)
Make it Fixable (NDC Copenhagen 2018)Make it Fixable (NDC Copenhagen 2018)
Make it Fixable (NDC Copenhagen 2018)Patricia Aas
 
Make It Fixable (Sikkert NOK 2017)
Make It Fixable (Sikkert NOK 2017)Make It Fixable (Sikkert NOK 2017)
Make It Fixable (Sikkert NOK 2017)Patricia Aas
 
Make it Fixable, Living with Risk (Paranoia 2017)
Make it Fixable, Living with Risk (Paranoia 2017)Make it Fixable, Living with Risk (Paranoia 2017)
Make it Fixable, Living with Risk (Paranoia 2017)Patricia Aas
 
DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)Patricia Aas
 
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To StartDevSecOps for Developers: How To Start
DevSecOps for Developers: How To StartPatricia Aas
 
Reading Other Peoples Code (Web Rebels 2018)
Reading Other Peoples Code (Web Rebels 2018)Reading Other Peoples Code (Web Rebels 2018)
Reading Other Peoples Code (Web Rebels 2018)Patricia Aas
 
Security Opportunities A Silicon Valley VC Perspective
Security Opportunities A Silicon Valley VC PerspectiveSecurity Opportunities A Silicon Valley VC Perspective
Security Opportunities A Silicon Valley VC PerspectivePositive Hack Days
 
I can be apple and so can you
I can be apple and so can youI can be apple and so can you
I can be apple and so can youShakacon
 
Reading Other Peoples Code (NDC Copenhagen 2019)
Reading Other Peoples Code (NDC Copenhagen 2019)Reading Other Peoples Code (NDC Copenhagen 2019)
Reading Other Peoples Code (NDC Copenhagen 2019)Patricia Aas
 
NCET Tech Bite - Cloud Storage and Data Backup - June 2015
NCET Tech Bite - Cloud Storage and Data Backup - June 2015NCET Tech Bite - Cloud Storage and Data Backup - June 2015
NCET Tech Bite - Cloud Storage and Data Backup - June 2015Archersan
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...lior mazor
 
Reading Other Peoples Code (NDC London 2019)
Reading Other Peoples Code (NDC London 2019)Reading Other Peoples Code (NDC London 2019)
Reading Other Peoples Code (NDC London 2019)Patricia Aas
 
Make it Fixable (Security Divas 2017)
Make it Fixable (Security Divas 2017)Make it Fixable (Security Divas 2017)
Make it Fixable (Security Divas 2017)Patricia Aas
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...RootedCON
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)Javier Junquera
 
Maturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactMaturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactSBWebinars
 
AI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey GordeychikAI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey GordeychikSergey Gordeychik
 
6 DevSecOps Hacks (femtech 2019)
6 DevSecOps Hacks (femtech 2019)6 DevSecOps Hacks (femtech 2019)
6 DevSecOps Hacks (femtech 2019)Patricia Aas
 

Similar to CppCon 2018 - Make it Fixable: Living with Risk (20)

Make it Fixable (NDC Copenhagen 2018)
Make it Fixable (NDC Copenhagen 2018)Make it Fixable (NDC Copenhagen 2018)
Make it Fixable (NDC Copenhagen 2018)
 
Make It Fixable (Sikkert NOK 2017)
Make It Fixable (Sikkert NOK 2017)Make It Fixable (Sikkert NOK 2017)
Make It Fixable (Sikkert NOK 2017)
 
Make it Fixable, Living with Risk (Paranoia 2017)
Make it Fixable, Living with Risk (Paranoia 2017)Make it Fixable, Living with Risk (Paranoia 2017)
Make it Fixable, Living with Risk (Paranoia 2017)
 
DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)
 
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To StartDevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
 
Reading Other Peoples Code (Web Rebels 2018)
Reading Other Peoples Code (Web Rebels 2018)Reading Other Peoples Code (Web Rebels 2018)
Reading Other Peoples Code (Web Rebels 2018)
 
Security Opportunities A Silicon Valley VC Perspective
Security Opportunities A Silicon Valley VC PerspectiveSecurity Opportunities A Silicon Valley VC Perspective
Security Opportunities A Silicon Valley VC Perspective
 
I can be apple and so can you
I can be apple and so can youI can be apple and so can you
I can be apple and so can you
 
Reading Other Peoples Code (NDC Copenhagen 2019)
Reading Other Peoples Code (NDC Copenhagen 2019)Reading Other Peoples Code (NDC Copenhagen 2019)
Reading Other Peoples Code (NDC Copenhagen 2019)
 
NCET Tech Bite - Cloud Storage and Data Backup - June 2015
NCET Tech Bite - Cloud Storage and Data Backup - June 2015NCET Tech Bite - Cloud Storage and Data Backup - June 2015
NCET Tech Bite - Cloud Storage and Data Backup - June 2015
 
NCET Tech
NCET Tech NCET Tech
NCET Tech
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
 
Reading Other Peoples Code (NDC London 2019)
Reading Other Peoples Code (NDC London 2019)Reading Other Peoples Code (NDC London 2019)
Reading Other Peoples Code (NDC London 2019)
 
Make it Fixable (Security Divas 2017)
Make it Fixable (Security Divas 2017)Make it Fixable (Security Divas 2017)
Make it Fixable (Security Divas 2017)
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)
 
Maturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactMaturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High Impact
 
Having Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security AnalysisHaving Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security Analysis
 
AI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey GordeychikAI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey Gordeychik
 
6 DevSecOps Hacks (femtech 2019)
6 DevSecOps Hacks (femtech 2019)6 DevSecOps Hacks (femtech 2019)
6 DevSecOps Hacks (femtech 2019)
 

More from Patricia Aas

NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdfNDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdfPatricia Aas
 
Return Oriented Programming, an introduction
Return Oriented Programming, an introductionReturn Oriented Programming, an introduction
Return Oriented Programming, an introductionPatricia Aas
 
I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)Patricia Aas
 
Dependency Management in C++ (NDC TechTown 2021)
Dependency Management in C++ (NDC TechTown 2021)Dependency Management in C++ (NDC TechTown 2021)
Dependency Management in C++ (NDC TechTown 2021)Patricia Aas
 
Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)Patricia Aas
 
Classic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdfClassic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdfPatricia Aas
 
Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)Patricia Aas
 
Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)Patricia Aas
 
Thoughts On Learning A New Programming Language
Thoughts On Learning A New Programming LanguageThoughts On Learning A New Programming Language
Thoughts On Learning A New Programming LanguagePatricia Aas
 
Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Patricia Aas
 
Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Patricia Aas
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)Patricia Aas
 
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)Patricia Aas
 
The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))Patricia Aas
 
Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)Patricia Aas
 
Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019) Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019) Patricia Aas
 
Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)Patricia Aas
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Patricia Aas
 
Keynote: Deconstructing Privilege (C++ on Sea 2019)
Keynote: Deconstructing Privilege (C++ on Sea 2019)Keynote: Deconstructing Privilege (C++ on Sea 2019)
Keynote: Deconstructing Privilege (C++ on Sea 2019)Patricia Aas
 

More from Patricia Aas (20)

NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdfNDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
 
Telling a story
Telling a storyTelling a story
Telling a story
 
Return Oriented Programming, an introduction
Return Oriented Programming, an introductionReturn Oriented Programming, an introduction
Return Oriented Programming, an introduction
 
I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)
 
Dependency Management in C++ (NDC TechTown 2021)
Dependency Management in C++ (NDC TechTown 2021)Dependency Management in C++ (NDC TechTown 2021)
Dependency Management in C++ (NDC TechTown 2021)
 
Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)
 
Classic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdfClassic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdf
 
Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)
 
Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)
 
Thoughts On Learning A New Programming Language
Thoughts On Learning A New Programming LanguageThoughts On Learning A New Programming Language
Thoughts On Learning A New Programming Language
 
Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020
 
Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)
 
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
 
The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))
 
Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)
 
Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019) Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019)
 
Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)
 
Keynote: Deconstructing Privilege (C++ on Sea 2019)
Keynote: Deconstructing Privilege (C++ on Sea 2019)Keynote: Deconstructing Privilege (C++ on Sea 2019)
Keynote: Deconstructing Privilege (C++ on Sea 2019)
 

Recently uploaded

Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 

Recently uploaded (20)

Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 

CppCon 2018 - Make it Fixable: Living with Risk

  • 2.
  • 3. Make it Fixable Living with Risk Patricia Aas CppCon 2018 T S @pati_gallardo
  • 4. Patricia Aas - Consultant Programmer, Application Security Currently : T S Previously : Vivaldi, Cisco Systems, Knowit, Opera Software Master in Computer Science - main language Java Pronouns: she/her T S @pati_gallardo
  • 5. Security is Hard @pati_gallardo 5
  • 6. Just Remember : - You live in the real world - Take one step at a time - Make a Plan @pati_gallardo 6
  • 7. You Need A Security “Hotline” security@example.com Symbiotic relationship Be polite Be grateful Be professional Be efficient and transparent @pati_gallardo 7
  • 8. - What is a System? - What is a vulnerability? - @pati_gallardo 8
  • 9. 1. Unable to Roll Out Fixes 2. No Control over Dependencies 3. The Team is Gone 4. It’s in Our Code 5. My Boss Made Me Do It 6. User Experience of Security Outline @pati_gallardo 9
  • 10. Unable to Roll Out Fixes 1 @pati_gallardo 10
  • 11. Unable to Roll out Fixes Unable to Update Unable to Build @pati_gallardo 11
  • 12. Internet of Things Toys: My Friend Cayla, i-Que Intelligent Robots, Hello Barbie Mirai: Botnets created with IOT devices, users don’t update “Shelfware” No Maintenance contract Abandonware Closed source - no way to fix/fork Unable to Roll Out Fixes. 12 @pati_gallardo
  • 13. Internet of Things - Auto-update - Different default passwords - Unboxing security (make the user change the password) “Shelfware” - Get maintenance contract - Change supplier - Do in-house - Use only Open Source Software Fix : Ship It! Unable to Roll Out Fixes. 13 @pati_gallardo
  • 14. Fix : Ship It! Holy Grail : Continuous Deployment and Auto Update - A Build Environment - Update Mechanism Unable to Roll Out Fixes. 14 @pati_gallardo
  • 15. Some systems should not be “fixed” A major election software maker allowed remote access on its systems for years Exceptions? 15 @pati_gallardo
  • 16. No Control over Dependencies 2 @pati_gallardo
  • 17. No Control over Dependencies No inventory No update routines No auditing @pati_gallardo 17
  • 18. Equifax Breach Known vulunerability in Apache Struts 2 Heartbleed Bug in openssl Left-Pad Developer unpublished a mini-Js library No Control over Dependencies 18 @pati_gallardo
  • 19. Equifax Breach Continuous Dependency Auditing Heartbleed Control over production environment Left-Pad Remove unnecessary dependencies Fix: Control It! No Control over Dependencies 19 @pati_gallardo
  • 20. Fix: Control It! Goal : Largely Automated Dependency Monitoring Remember transitive dependencies Monitor and Update No Control over Dependencies @pati_gallardo 20
  • 21. The Team is Gone 3 @pati_gallardo 21
  • 22. The Team Is Gone - Team were consultants - They were downsized - The job was outsourced - “Bus factor” - “Binary blob” - Abandonware @pati_gallardo 22
  • 23. Fix : Own It! Goal : Complete Build Environment Fork it, own it The Team Is Gone. @pati_gallardo 23
  • 25. It’s in Our Code 4 @pati_gallardo 25
  • 26. It’s in Our Code Congratulations! This is Actually the BEST CASE SCENARIO @pati_gallardo 26
  • 27. Keeper Password Manager - Reporter: Tavis Ormandy (@taviso) - “allowing any website to steal any password” - Browser plugin preinstalled on Windows - Badly handled report: Sues news reporter Dan Goodin It’s In Our Code 27 @pati_gallardo
  • 28. gitlab.com - “rm -rf” - Sysadmin maintenance - Cascading errors as backups fail - All logged Publicly in real time Transparency Breeds Trust That is how you recover Fix : Live It! It’s In Our Code 28 @pati_gallardo
  • 29. Fix : Live It! Goal : Prevent & Cure Prevention is great, but the Cure is to Ship It’s In Our Code 29 @pati_gallardo
  • 30. My Boss Made Me Do It 5 @pati_gallardo 30
  • 31. My Boss Made Me Do It The Feature is the Bug How? - Security Problem - Privacy Problem - Unethical - Illegal @pati_gallardo 31
  • 32. Capcom's Street Fighter V - Installed a driver - “anti-crack solution” “...disables supervisor-mode execution protection and then runs the arbitrary code passed in through the ioctl buffer with kernel permissions..” - Reddit user extrwi My Boss Made Me Do It 32 @pati_gallardo
  • 33. KrebsOnSecurity: "For 2nd Time in 3 Years, Mobile Spyware Maker mSpy Leaks Millions of Sensitive Records" @pati_gallardo 33
  • 34. Fix : Protect It! Goal : Protect your user Prevent : Protect your team - Workers rights - Team can diffuse blame Cure : Protect your company - Find a Powerful Ally - Do Risk Analysis : Brand Reputation, Trust - Use the Law LAST RESORT : Whistleblowing & Quitting My Boss Made Me Do It 34 @pati_gallardo
  • 35. Google: DragonFly - "A plan to launch a censored search engine in China" - Employee authors a memo - Internal protests Maersk: NotPetya - Ransomware spreads globally, insufficient network segmentation - “IT executives had pushed for a preemptive security redesign” These are often the Unsung Heroes (Last Resort : Edward Snowden) Fix : Protect It! My Boss Made Me Do It 35 @pati_gallardo
  • 36. Ship It, Control It, Own It, Live It & Protect It @pati_gallardo 36
  • 37. - You need a Security Hotline - You Have to Ship Recap @pati_gallardo 37
  • 38. Designing the User Experience of Security 6 @pati_gallardo 38
  • 40. The Users Won’t Read Error blindness “Just click next” “Make it go away” 40 @pati_gallardo
  • 41. Fix : Less is More Don’t leave it to the user Have good defaults Be very explicit when needed 41 @pati_gallardo
  • 42. They Trust You With Personal Information With Data With Money 42 @pati_gallardo
  • 43. Fix : Be Trustworthy Only store what you have to Back up everything Use third party payment Be loyal to your end user 43 @pati_gallardo
  • 44. Ship It, Control It, Own It, Live It & Protect It Design For It @pati_gallardo 44
  • 45. T S P f . Patricia Aas, T S @pati_gallardo