SlideShare a Scribd company logo
© 2021 SEC Consult | All rights reserved
A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public
WELCOME!
Building a secure architecture
A deep-dive into security design principles
January 21, 2021 | with Thomas Kerbl
1
© 2021 SEC Consult | All rights reserved
• 20+ years experience in information security
• 50+ speeches
• Service Owner for
„Secure Software Development Consulting“
• Teamleader
• Security Analyst, Security Architect
Education
• MSc @ Technikum Vienna, Specialization in
Multimedia & Software Development
• Dipl. Ing @ Hagenberg, Specialization in
Computer- and Media Security
Certificates
• Accredited ÖNORM A 7700 Auditor
• ISTQB Certified Tester
• ISAQB Certified Professional for
Software Architecture
• ISSECO Certified Professional for
Secure Software Engineering
• PCiIAA Practitioner Certificate in
Information Assurance Architecture
Thomas Kerbl
Principal Security Consultant
t.kerbl@sec-consult.com
https://twitter.com/dementophobia
A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public
2
© 2021 SEC Consult | All rights reserved
➢ Principle: A rule or belief governing one's behavior.
➢ High level concepts that guide security design
➢ Agnostic concerning
• Technology
• Mechanism
• Development Methodology
• Industry / Type of Organization
A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public
What are Security Design Principles?
AVAILABILITY
CONFIDENTIALITY
INTEGRITY
Choose your principles carefully for each protection profile!
3
© 2021 SEC Consult | All rights reserved
➢ Multiple security controls on multiple layers
➢ If one control breaks, others mitigate the impact
➢ Mechanisms must not rely on each other
➢ No single point of failure from a defense perspective
Security Design Principles – Defense in Depth
A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public
Build as many walls as required around your crown jewels!
4
© 2021 SEC Consult | All rights reserved
➢ Also known as: No Security by Obscurity
➢ Security does not depend on concealment of algorithms and architecture
➢ The application shall remain secure even when the architecture is made public
➢ Does not include credentials for authentication and cryptographic secrets
A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public
Security Design Principles – Open Design
This does not imply, that the source code must be open source,
but you should be comfortable even if your source code leaks!
5
© 2021 SEC Consult | All rights reserved
➢ External data should be viewed as not trustworthy
➢ Many vulnerability classes can be eliminated
through proper input validation
➢ All validation mechanisms must be at least
implemented on server side
➢ Rules must be strict, but still allow all valid use cases
A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public
Security Design Principles – Principle of general mistrust
Regardless whether data originates from a user or a backend system,
input data must always be subjected to strict validation.
6
© 2021 SEC Consult | All rights reserved
➢ Actors are given the minimum level of access rights
➢ Privileges are only granted as long as required
➢ Potential damage caused by actors (real or compromised) is limited
➢ Example: Never browse the web with administrative privileges
A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public
Security Design Principles – Least Privilege
Assigning rights to actors beyond the necessary scope can allow
actors to obtain or modify information in unwanted ways.
7
© 2021 SEC Consult | All rights reserved
➢ Critical operations require two or more authenticated actors
➢ If only one secret gets compromised, no damage can be done
➢ Examples for implementation:
• Two or more key cards to access Hardware Security Module (HSM)
• Two or more cryptographic keys are required to decrypt a message
• Two or more people split a passphrase for a system
A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public
Security Design Principles – Separation of Privilege
Ensure that no single actor can perform critical operations on their own!
8
© 2021 SEC Consult | All rights reserved
➢ Also known as: KISS – Keep it small and simple
➢ Also known as: Minimize the attack surface
➢ Only functionality defined by use cases is implemented
➢ Small systems are less prone to error and easier to audit
➢ Only include libraries and frameworks that you really need
A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public
Security Design Principles – Economy of Mechanism
The more functionality that is built in,
the more potential points of entry attackers have.
9
© 2021 SEC Consult | All rights reserved
➢ Limit shared resources and information paths
➢ Compromise of one component does not affect other components
➢ Examples for implementation
• Multitenancy
• Sandbox environments
• Separate endpoints for authentication of administrators and users
A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public
Security Design Principles – Least Common Mechanism aka. Isolation
Choosing the right level of isolation is the result of
a sensible trade-off between cost and security.
10
© 2021 SEC Consult | All rights reserved
➢ Every access to an object must be checked for authority
➢ Permissions must be checked with every request
➢ Examples:
• Changed permissions will be applied immediately
• Force logout of user to refresh permissions during login
A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public
Security Design Principles – Complete Mediation
Don’t use caches for your permissions or force updates!
Changes will only be applied after cache is updated.
11
© 2021 SEC Consult | All rights reserved
➢ Invest your resources where they matter most
➢ Attackers are more likely to attack weak spots
➢ A single high-risk vulnerability can put the whole system in jeopardy
➢ Consider the weakest link first in all your security decisions
A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public
Security Design Principles – Secure the weakest link first
Put yourself into the perspective of the attacker.
Where would YOU break into the system?
12
© 2021 SEC Consult | All rights reserved
➢ If the application fails it shall do so securely
➢ Failing safe involves restoring to a secure state
➢ Attackers cannot gain access and obtain information during a failure
➢ Confidentiality and integrity shall remain although availability was lost
A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public
Security Design Principles – Fail Safe
Anticipate failures and handle them in your application.
Use last resort error handlers for unexpected failures!
13
© 2021 SEC Consult | All rights reserved
➢ Make your systems easy to use in a secure fashion
➢ Security mechanisms should be as unintrusive as possible
➢ Examples:
• Allow copy/paste from password stores
• Provide guidance for the creation of strong passwords
• Provide secure defaults
A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public
Security Design Principles – Psychological acceptability
If you make the life of users too complicated,
they will find ways to circumvent important security mechanisms.
14
© 2021 SEC Consult | All rights reserved
➢ Don’t apply localized patches to systemic problems
➢ Identified vulnerabilities must be eliminated at their root
➢ Perform root cause analysis for all new types of vulnerabilities
➢ This should be part of a well-defined security defect life-cycle
A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public
Security Design Principles – Eliminate root causes
Patching a vulnerability locally fixes one issue.
Eliminating the root cause improves the whole architecture.
15
© 2021 SEC Consult | All rights reserved
➢ Shared services should be properly validated and considered secure
➢ Invest in security once, benefit often
➢ Using those components does not introduce new vulnerabilities
➢ Provide guidance on how to use them in a secure fashion
A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public
Security Design Principles – Leverage existing components
Components can be many things:
Infrastructure, Services, Frameworks, Libraries, Functions, etc.
16
© 2021 SEC Consult | All rights reserved
A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public
Recommended Reading
@Dementophobia
Follow me for Updates!
A deep dive into Secure Software Development
based on OWASP SAMM
https://r.sec-consult.com/SSDLC
https://www.heise.de/hintergrund/
Sichere-Software-entwickeln-mit-
OWASP-SAMM-4918292.html
17
© 2021 SEC Consult | All rights reserved
A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public
18
© 2021 SEC Consult | All rights reserved
A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public
Q&A
ASK ME ANYTHING!
Thomas Kerbl
t.kerbl@sec-consult.com
https://twitter.com/dementophobia
https://at.linkedin.com/in/thomas-kerbl-2ab81648
19
19

More Related Content

What's hot

Getting Started with Databricks SQL Analytics
Getting Started with Databricks SQL AnalyticsGetting Started with Databricks SQL Analytics
Getting Started with Databricks SQL Analytics
Databricks
 
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...
SlideTeam
 
DevOps explained
DevOps explainedDevOps explained
DevOps explained
Jérôme Kehrli
 
Databricks Overview for MLOps
Databricks Overview for MLOpsDatabricks Overview for MLOps
Databricks Overview for MLOps
Databricks
 
Screw DevOps, Let's Talk DataOps
Screw DevOps, Let's Talk DataOpsScrew DevOps, Let's Talk DataOps
Screw DevOps, Let's Talk DataOps
Kellyn Pot'Vin-Gorman
 
API Governance and GitOps in Hybrid Integration Platform (MuleSoft)
API Governance and GitOps in Hybrid Integration Platform (MuleSoft)API Governance and GitOps in Hybrid Integration Platform (MuleSoft)
API Governance and GitOps in Hybrid Integration Platform (MuleSoft)
Sumanth Donthi
 
DevSecOps: Colocando segurança na esteira
DevSecOps: Colocando segurança na esteiraDevSecOps: Colocando segurança na esteira
DevSecOps: Colocando segurança na esteira
Diego Gabriel Cardoso
 
Hadoop Interview Questions And Answers Part-2 | Big Data Interview Questions ...
Hadoop Interview Questions And Answers Part-2 | Big Data Interview Questions ...Hadoop Interview Questions And Answers Part-2 | Big Data Interview Questions ...
Hadoop Interview Questions And Answers Part-2 | Big Data Interview Questions ...
Simplilearn
 
DevSecOps and the CI/CD Pipeline
 DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
James Wickett
 
Kubernetes Security Best Practices - With tips for the CKS exam
Kubernetes Security Best Practices - With tips for the CKS examKubernetes Security Best Practices - With tips for the CKS exam
Kubernetes Security Best Practices - With tips for the CKS exam
Ahmed AbouZaid
 
Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022
Liran Tal
 
DevOps and Tools
DevOps and ToolsDevOps and Tools
DevOps and Tools
Mohammed Fazuluddin
 
Designing Data-Intensive Applications_ The Big Ideas Behind Reliable, Scalabl...
Designing Data-Intensive Applications_ The Big Ideas Behind Reliable, Scalabl...Designing Data-Intensive Applications_ The Big Ideas Behind Reliable, Scalabl...
Designing Data-Intensive Applications_ The Big Ideas Behind Reliable, Scalabl...
SindhuVasireddy1
 
DATADOG TIPS #1
DATADOG TIPS #1DATADOG TIPS #1
DATADOG TIPS #1
Naoya Nakazawa
 
Cloud Native PostgreSQL
Cloud Native PostgreSQLCloud Native PostgreSQL
Cloud Native PostgreSQL
EDB
 
Microservices, DevOps & SRE
Microservices, DevOps & SREMicroservices, DevOps & SRE
Microservices, DevOps & SRE
Araf Karsh Hamid
 
Observability vs APM vs Monitoring Comparison
Observability vs APM vs  Monitoring ComparisonObservability vs APM vs  Monitoring Comparison
Observability vs APM vs Monitoring Comparison
jeetendra mandal
 
DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..
Siddharth Joshi
 
Kubernetes Concepts And Architecture Powerpoint Presentation Slides
Kubernetes Concepts And Architecture Powerpoint Presentation SlidesKubernetes Concepts And Architecture Powerpoint Presentation Slides
Kubernetes Concepts And Architecture Powerpoint Presentation Slides
SlideTeam
 
Steampipe - use SQL to retrieve data from cloud, platforms and files (Code Ca...
Steampipe - use SQL to retrieve data from cloud, platforms and files (Code Ca...Steampipe - use SQL to retrieve data from cloud, platforms and files (Code Ca...
Steampipe - use SQL to retrieve data from cloud, platforms and files (Code Ca...
Lucas Jellema
 

What's hot (20)

Getting Started with Databricks SQL Analytics
Getting Started with Databricks SQL AnalyticsGetting Started with Databricks SQL Analytics
Getting Started with Databricks SQL Analytics
 
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...
 
DevOps explained
DevOps explainedDevOps explained
DevOps explained
 
Databricks Overview for MLOps
Databricks Overview for MLOpsDatabricks Overview for MLOps
Databricks Overview for MLOps
 
Screw DevOps, Let's Talk DataOps
Screw DevOps, Let's Talk DataOpsScrew DevOps, Let's Talk DataOps
Screw DevOps, Let's Talk DataOps
 
API Governance and GitOps in Hybrid Integration Platform (MuleSoft)
API Governance and GitOps in Hybrid Integration Platform (MuleSoft)API Governance and GitOps in Hybrid Integration Platform (MuleSoft)
API Governance and GitOps in Hybrid Integration Platform (MuleSoft)
 
DevSecOps: Colocando segurança na esteira
DevSecOps: Colocando segurança na esteiraDevSecOps: Colocando segurança na esteira
DevSecOps: Colocando segurança na esteira
 
Hadoop Interview Questions And Answers Part-2 | Big Data Interview Questions ...
Hadoop Interview Questions And Answers Part-2 | Big Data Interview Questions ...Hadoop Interview Questions And Answers Part-2 | Big Data Interview Questions ...
Hadoop Interview Questions And Answers Part-2 | Big Data Interview Questions ...
 
DevSecOps and the CI/CD Pipeline
 DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
 
Kubernetes Security Best Practices - With tips for the CKS exam
Kubernetes Security Best Practices - With tips for the CKS examKubernetes Security Best Practices - With tips for the CKS exam
Kubernetes Security Best Practices - With tips for the CKS exam
 
Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022
 
DevOps and Tools
DevOps and ToolsDevOps and Tools
DevOps and Tools
 
Designing Data-Intensive Applications_ The Big Ideas Behind Reliable, Scalabl...
Designing Data-Intensive Applications_ The Big Ideas Behind Reliable, Scalabl...Designing Data-Intensive Applications_ The Big Ideas Behind Reliable, Scalabl...
Designing Data-Intensive Applications_ The Big Ideas Behind Reliable, Scalabl...
 
DATADOG TIPS #1
DATADOG TIPS #1DATADOG TIPS #1
DATADOG TIPS #1
 
Cloud Native PostgreSQL
Cloud Native PostgreSQLCloud Native PostgreSQL
Cloud Native PostgreSQL
 
Microservices, DevOps & SRE
Microservices, DevOps & SREMicroservices, DevOps & SRE
Microservices, DevOps & SRE
 
Observability vs APM vs Monitoring Comparison
Observability vs APM vs  Monitoring ComparisonObservability vs APM vs  Monitoring Comparison
Observability vs APM vs Monitoring Comparison
 
DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..
 
Kubernetes Concepts And Architecture Powerpoint Presentation Slides
Kubernetes Concepts And Architecture Powerpoint Presentation SlidesKubernetes Concepts And Architecture Powerpoint Presentation Slides
Kubernetes Concepts And Architecture Powerpoint Presentation Slides
 
Steampipe - use SQL to retrieve data from cloud, platforms and files (Code Ca...
Steampipe - use SQL to retrieve data from cloud, platforms and files (Code Ca...Steampipe - use SQL to retrieve data from cloud, platforms and files (Code Ca...
Steampipe - use SQL to retrieve data from cloud, platforms and files (Code Ca...
 

Similar to SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Security Design Principles by Thomas Kerbl

Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Dilum Bandara
 
The Subversive Six: Hidden Risk Points in ICS
The Subversive Six: Hidden Risk Points in ICSThe Subversive Six: Hidden Risk Points in ICS
The Subversive Six: Hidden Risk Points in ICS
Tripwire
 
BT Cloud Enterprise Service Store - Rob Rowlingson
BT Cloud Enterprise Service Store - Rob RowlingsonBT Cloud Enterprise Service Store - Rob Rowlingson
BT Cloud Enterprise Service Store - Rob Rowlingson
Digital Catapult
 
Enumerating software security design flaws throughout the ssdlc cosac - 201...
Enumerating software security design flaws throughout the ssdlc   cosac - 201...Enumerating software security design flaws throughout the ssdlc   cosac - 201...
Enumerating software security design flaws throughout the ssdlc cosac - 201...
John M. Willis
 
Enumerating software security design flaws throughout the SSDLC
Enumerating software security design flaws throughout the SSDLCEnumerating software security design flaws throughout the SSDLC
Enumerating software security design flaws throughout the SSDLC
John M. Willis
 
The New Security Practitioner
The New Security PractitionerThe New Security Practitioner
The New Security Practitioner
Adrian Sanabria
 
Journey to the Cloud: Securing Your AWS Applications - April 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015Journey to the Cloud: Securing Your AWS Applications - April 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015
Alert Logic
 
The Savvy Security Leader: Using Guerrilla Tactics to ID Security Program Res...
The Savvy Security Leader: Using Guerrilla Tactics to ID Security Program Res...The Savvy Security Leader: Using Guerrilla Tactics to ID Security Program Res...
The Savvy Security Leader: Using Guerrilla Tactics to ID Security Program Res...
Denim Group
 
1 1 Copyright © 2012, Elsevier Inc. All Rights Reserved .docx
1 1 Copyright © 2012, Elsevier Inc. All Rights Reserved .docx1 1 Copyright © 2012, Elsevier Inc. All Rights Reserved .docx
1 1 Copyright © 2012, Elsevier Inc. All Rights Reserved .docx
oswald1horne84988
 
chapitre1-cloud security basics-23 (1).pptx
chapitre1-cloud security basics-23 (1).pptxchapitre1-cloud security basics-23 (1).pptx
chapitre1-cloud security basics-23 (1).pptx
GhofraneFerchichi2
 
Certes webinar securing the frictionless enterprise
Certes webinar   securing the frictionless enterpriseCertes webinar   securing the frictionless enterprise
Certes webinar securing the frictionless enterprise
Jason Bloomberg
 
LinuxCon NA 2015:Are today's FOSS Security Practices Robust Enough in the Clo...
LinuxCon NA 2015:Are today's FOSS Security Practices Robust Enough in the Clo...LinuxCon NA 2015:Are today's FOSS Security Practices Robust Enough in the Clo...
LinuxCon NA 2015:Are today's FOSS Security Practices Robust Enough in the Clo...
The Linux Foundation
 
Top 5 myths of it security in the light of current events tisa pro talk 4 2554
Top 5 myths of it security in the light of current events tisa pro talk 4 2554Top 5 myths of it security in the light of current events tisa pro talk 4 2554
Top 5 myths of it security in the light of current events tisa pro talk 4 2554
TISA
 
The Cloud Security Landscape
The Cloud Security LandscapeThe Cloud Security Landscape
The Cloud Security Landscape
Peter Wood
 
AWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSAWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWS
Eric Smalling
 
Security Fundamentals and Threat Modelling
Security Fundamentals and Threat ModellingSecurity Fundamentals and Threat Modelling
Security Fundamentals and Threat Modelling
Knoldus Inc.
 
Secure by Design - Security Design Principles for the Working Architect
Secure by Design - Security Design Principles for the Working ArchitectSecure by Design - Security Design Principles for the Working Architect
Secure by Design - Security Design Principles for the Working Architect
Eoin Woods
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021
lior mazor
 
GPA Open Source Gpa Users Forum 2011 09 07
GPA Open Source   Gpa Users Forum 2011 09 07GPA Open Source   Gpa Users Forum 2011 09 07
GPA Open Source Gpa Users Forum 2011 09 07
flelmend
 
Security Design Concepts
Security Design ConceptsSecurity Design Concepts
Security Design Concepts
Mohammed Fazuluddin
 

Similar to SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Security Design Principles by Thomas Kerbl (20)

Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...
 
The Subversive Six: Hidden Risk Points in ICS
The Subversive Six: Hidden Risk Points in ICSThe Subversive Six: Hidden Risk Points in ICS
The Subversive Six: Hidden Risk Points in ICS
 
BT Cloud Enterprise Service Store - Rob Rowlingson
BT Cloud Enterprise Service Store - Rob RowlingsonBT Cloud Enterprise Service Store - Rob Rowlingson
BT Cloud Enterprise Service Store - Rob Rowlingson
 
Enumerating software security design flaws throughout the ssdlc cosac - 201...
Enumerating software security design flaws throughout the ssdlc   cosac - 201...Enumerating software security design flaws throughout the ssdlc   cosac - 201...
Enumerating software security design flaws throughout the ssdlc cosac - 201...
 
Enumerating software security design flaws throughout the SSDLC
Enumerating software security design flaws throughout the SSDLCEnumerating software security design flaws throughout the SSDLC
Enumerating software security design flaws throughout the SSDLC
 
The New Security Practitioner
The New Security PractitionerThe New Security Practitioner
The New Security Practitioner
 
Journey to the Cloud: Securing Your AWS Applications - April 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015Journey to the Cloud: Securing Your AWS Applications - April 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015
 
The Savvy Security Leader: Using Guerrilla Tactics to ID Security Program Res...
The Savvy Security Leader: Using Guerrilla Tactics to ID Security Program Res...The Savvy Security Leader: Using Guerrilla Tactics to ID Security Program Res...
The Savvy Security Leader: Using Guerrilla Tactics to ID Security Program Res...
 
1 1 Copyright © 2012, Elsevier Inc. All Rights Reserved .docx
1 1 Copyright © 2012, Elsevier Inc. All Rights Reserved .docx1 1 Copyright © 2012, Elsevier Inc. All Rights Reserved .docx
1 1 Copyright © 2012, Elsevier Inc. All Rights Reserved .docx
 
chapitre1-cloud security basics-23 (1).pptx
chapitre1-cloud security basics-23 (1).pptxchapitre1-cloud security basics-23 (1).pptx
chapitre1-cloud security basics-23 (1).pptx
 
Certes webinar securing the frictionless enterprise
Certes webinar   securing the frictionless enterpriseCertes webinar   securing the frictionless enterprise
Certes webinar securing the frictionless enterprise
 
LinuxCon NA 2015:Are today's FOSS Security Practices Robust Enough in the Clo...
LinuxCon NA 2015:Are today's FOSS Security Practices Robust Enough in the Clo...LinuxCon NA 2015:Are today's FOSS Security Practices Robust Enough in the Clo...
LinuxCon NA 2015:Are today's FOSS Security Practices Robust Enough in the Clo...
 
Top 5 myths of it security in the light of current events tisa pro talk 4 2554
Top 5 myths of it security in the light of current events tisa pro talk 4 2554Top 5 myths of it security in the light of current events tisa pro talk 4 2554
Top 5 myths of it security in the light of current events tisa pro talk 4 2554
 
The Cloud Security Landscape
The Cloud Security LandscapeThe Cloud Security Landscape
The Cloud Security Landscape
 
AWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSAWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWS
 
Security Fundamentals and Threat Modelling
Security Fundamentals and Threat ModellingSecurity Fundamentals and Threat Modelling
Security Fundamentals and Threat Modelling
 
Secure by Design - Security Design Principles for the Working Architect
Secure by Design - Security Design Principles for the Working ArchitectSecure by Design - Security Design Principles for the Working Architect
Secure by Design - Security Design Principles for the Working Architect
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021
 
GPA Open Source Gpa Users Forum 2011 09 07
GPA Open Source   Gpa Users Forum 2011 09 07GPA Open Source   Gpa Users Forum 2011 09 07
GPA Open Source Gpa Users Forum 2011 09 07
 
Security Design Concepts
Security Design ConceptsSecurity Design Concepts
Security Design Concepts
 

More from SBA Research

SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
SBA Research
 
NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...
NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...
NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...
SBA Research
 
SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...
SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...
SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...
SBA Research
 
SBA Security Meetup: I want to break free - The attacker inside a Container
SBA Security Meetup: I want to break free - The attacker inside a ContainerSBA Security Meetup: I want to break free - The attacker inside a Container
SBA Security Meetup: I want to break free - The attacker inside a Container
SBA Research
 
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig
SBA Research
 
Secure development on Kubernetes by Andreas Falk
Secure development on Kubernetes by Andreas FalkSecure development on Kubernetes by Andreas Falk
Secure development on Kubernetes by Andreas Falk
SBA Research
 
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talksSBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks
SBA Research
 
SBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
SBA Live Academy, Rechtliche Risiken mit externen MitarbeiternSBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
SBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
SBA Research
 
SBA Live Academy, What the heck is secure computing
SBA Live Academy, What the heck is secure computingSBA Live Academy, What the heck is secure computing
SBA Live Academy, What the heck is secure computing
SBA Research
 
Tools & techniques, building a dev secops culture at mozilla sba live a...
Tools & techniques, building a dev secops culture at mozilla   sba live a...Tools & techniques, building a dev secops culture at mozilla   sba live a...
Tools & techniques, building a dev secops culture at mozilla sba live a...
SBA Research
 
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
SBA Research
 
SBA Live Academy - Secure Containers for Developer by Mathias Tausig
SBA Live Academy - Secure Containers for Developer by Mathias TausigSBA Live Academy - Secure Containers for Developer by Mathias Tausig
SBA Live Academy - Secure Containers for Developer by Mathias Tausig
SBA Research
 
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Research
 
SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...
SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...
SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...
SBA Research
 
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
SBA Research
 
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
SBA Research
 
SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...
SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...
SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...
SBA Research
 
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon TjoaSBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
SBA Research
 
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald SenderaSBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
SBA Research
 
SBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
SBA Live Academy: A Primer in Single Page Application Security by Thomas KonradSBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
SBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
SBA Research
 

More from SBA Research (20)

SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
 
NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...
NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...
NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...
 
SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...
SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...
SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...
 
SBA Security Meetup: I want to break free - The attacker inside a Container
SBA Security Meetup: I want to break free - The attacker inside a ContainerSBA Security Meetup: I want to break free - The attacker inside a Container
SBA Security Meetup: I want to break free - The attacker inside a Container
 
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig
 
Secure development on Kubernetes by Andreas Falk
Secure development on Kubernetes by Andreas FalkSecure development on Kubernetes by Andreas Falk
Secure development on Kubernetes by Andreas Falk
 
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talksSBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks
 
SBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
SBA Live Academy, Rechtliche Risiken mit externen MitarbeiternSBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
SBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
 
SBA Live Academy, What the heck is secure computing
SBA Live Academy, What the heck is secure computingSBA Live Academy, What the heck is secure computing
SBA Live Academy, What the heck is secure computing
 
Tools & techniques, building a dev secops culture at mozilla sba live a...
Tools & techniques, building a dev secops culture at mozilla   sba live a...Tools & techniques, building a dev secops culture at mozilla   sba live a...
Tools & techniques, building a dev secops culture at mozilla sba live a...
 
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
 
SBA Live Academy - Secure Containers for Developer by Mathias Tausig
SBA Live Academy - Secure Containers for Developer by Mathias TausigSBA Live Academy - Secure Containers for Developer by Mathias Tausig
SBA Live Academy - Secure Containers for Developer by Mathias Tausig
 
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
 
SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...
SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...
SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...
 
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
 
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
 
SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...
SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...
SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...
 
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon TjoaSBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
 
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald SenderaSBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
 
SBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
SBA Live Academy: A Primer in Single Page Application Security by Thomas KonradSBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
SBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
 

Recently uploaded

The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
digitalxplive
 
CiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.pptCiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.ppt
moinahousna
 
July Patch Tuesday
July Patch TuesdayJuly Patch Tuesday
July Patch Tuesday
Ivanti
 
The Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF GuideThe Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF Guide
Shiv Technolabs
 
WPRiders Company Presentation Slide Deck
WPRiders Company Presentation Slide DeckWPRiders Company Presentation Slide Deck
WPRiders Company Presentation Slide Deck
Lidia A.
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
maigasapphire
 
How to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptxHow to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptx
Adam Dunkels
 
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and OllamaTirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Zilliz
 
Recent Advancements in the NIST-JARVIS Infrastructure
Recent Advancements in the NIST-JARVIS InfrastructureRecent Advancements in the NIST-JARVIS Infrastructure
Recent Advancements in the NIST-JARVIS Infrastructure
KAMAL CHOUDHARY
 
Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024
aakash malhotra
 
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptxRPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
SynapseIndia
 
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite SolutionIPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Networks
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
alexjohnson7307
 
Best Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdfBest Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdf
Tatiana Al-Chueyr
 
Implementations of Fused Deposition Modeling in real world
Implementations of Fused Deposition Modeling  in real worldImplementations of Fused Deposition Modeling  in real world
Implementations of Fused Deposition Modeling in real world
Emerging Tech
 
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - MydbopsScaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
Mydbops
 
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes..."Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
Anant Gupta
 
Choose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presenceChoose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presence
rajancomputerfbd
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
Priyanka Aash
 
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Muhammad Ali
 

Recently uploaded (20)

The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
 
CiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.pptCiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.ppt
 
July Patch Tuesday
July Patch TuesdayJuly Patch Tuesday
July Patch Tuesday
 
The Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF GuideThe Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF Guide
 
WPRiders Company Presentation Slide Deck
WPRiders Company Presentation Slide DeckWPRiders Company Presentation Slide Deck
WPRiders Company Presentation Slide Deck
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
 
How to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptxHow to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptx
 
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and OllamaTirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
 
Recent Advancements in the NIST-JARVIS Infrastructure
Recent Advancements in the NIST-JARVIS InfrastructureRecent Advancements in the NIST-JARVIS Infrastructure
Recent Advancements in the NIST-JARVIS Infrastructure
 
Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024
 
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptxRPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
 
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite SolutionIPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite Solution
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
 
Best Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdfBest Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdf
 
Implementations of Fused Deposition Modeling in real world
Implementations of Fused Deposition Modeling  in real worldImplementations of Fused Deposition Modeling  in real world
Implementations of Fused Deposition Modeling in real world
 
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - MydbopsScaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
 
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes..."Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
 
Choose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presenceChoose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presence
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
 
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
 

SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Security Design Principles by Thomas Kerbl

  • 1. © 2021 SEC Consult | All rights reserved A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public WELCOME! Building a secure architecture A deep-dive into security design principles January 21, 2021 | with Thomas Kerbl 1
  • 2. © 2021 SEC Consult | All rights reserved • 20+ years experience in information security • 50+ speeches • Service Owner for „Secure Software Development Consulting“ • Teamleader • Security Analyst, Security Architect Education • MSc @ Technikum Vienna, Specialization in Multimedia & Software Development • Dipl. Ing @ Hagenberg, Specialization in Computer- and Media Security Certificates • Accredited ÖNORM A 7700 Auditor • ISTQB Certified Tester • ISAQB Certified Professional for Software Architecture • ISSECO Certified Professional for Secure Software Engineering • PCiIAA Practitioner Certificate in Information Assurance Architecture Thomas Kerbl Principal Security Consultant t.kerbl@sec-consult.com https://twitter.com/dementophobia A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public 2
  • 3. © 2021 SEC Consult | All rights reserved ➢ Principle: A rule or belief governing one's behavior. ➢ High level concepts that guide security design ➢ Agnostic concerning • Technology • Mechanism • Development Methodology • Industry / Type of Organization A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public What are Security Design Principles? AVAILABILITY CONFIDENTIALITY INTEGRITY Choose your principles carefully for each protection profile! 3
  • 4. © 2021 SEC Consult | All rights reserved ➢ Multiple security controls on multiple layers ➢ If one control breaks, others mitigate the impact ➢ Mechanisms must not rely on each other ➢ No single point of failure from a defense perspective Security Design Principles – Defense in Depth A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public Build as many walls as required around your crown jewels! 4
  • 5. © 2021 SEC Consult | All rights reserved ➢ Also known as: No Security by Obscurity ➢ Security does not depend on concealment of algorithms and architecture ➢ The application shall remain secure even when the architecture is made public ➢ Does not include credentials for authentication and cryptographic secrets A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public Security Design Principles – Open Design This does not imply, that the source code must be open source, but you should be comfortable even if your source code leaks! 5
  • 6. © 2021 SEC Consult | All rights reserved ➢ External data should be viewed as not trustworthy ➢ Many vulnerability classes can be eliminated through proper input validation ➢ All validation mechanisms must be at least implemented on server side ➢ Rules must be strict, but still allow all valid use cases A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public Security Design Principles – Principle of general mistrust Regardless whether data originates from a user or a backend system, input data must always be subjected to strict validation. 6
  • 7. © 2021 SEC Consult | All rights reserved ➢ Actors are given the minimum level of access rights ➢ Privileges are only granted as long as required ➢ Potential damage caused by actors (real or compromised) is limited ➢ Example: Never browse the web with administrative privileges A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public Security Design Principles – Least Privilege Assigning rights to actors beyond the necessary scope can allow actors to obtain or modify information in unwanted ways. 7
  • 8. © 2021 SEC Consult | All rights reserved ➢ Critical operations require two or more authenticated actors ➢ If only one secret gets compromised, no damage can be done ➢ Examples for implementation: • Two or more key cards to access Hardware Security Module (HSM) • Two or more cryptographic keys are required to decrypt a message • Two or more people split a passphrase for a system A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public Security Design Principles – Separation of Privilege Ensure that no single actor can perform critical operations on their own! 8
  • 9. © 2021 SEC Consult | All rights reserved ➢ Also known as: KISS – Keep it small and simple ➢ Also known as: Minimize the attack surface ➢ Only functionality defined by use cases is implemented ➢ Small systems are less prone to error and easier to audit ➢ Only include libraries and frameworks that you really need A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public Security Design Principles – Economy of Mechanism The more functionality that is built in, the more potential points of entry attackers have. 9
  • 10. © 2021 SEC Consult | All rights reserved ➢ Limit shared resources and information paths ➢ Compromise of one component does not affect other components ➢ Examples for implementation • Multitenancy • Sandbox environments • Separate endpoints for authentication of administrators and users A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public Security Design Principles – Least Common Mechanism aka. Isolation Choosing the right level of isolation is the result of a sensible trade-off between cost and security. 10
  • 11. © 2021 SEC Consult | All rights reserved ➢ Every access to an object must be checked for authority ➢ Permissions must be checked with every request ➢ Examples: • Changed permissions will be applied immediately • Force logout of user to refresh permissions during login A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public Security Design Principles – Complete Mediation Don’t use caches for your permissions or force updates! Changes will only be applied after cache is updated. 11
  • 12. © 2021 SEC Consult | All rights reserved ➢ Invest your resources where they matter most ➢ Attackers are more likely to attack weak spots ➢ A single high-risk vulnerability can put the whole system in jeopardy ➢ Consider the weakest link first in all your security decisions A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public Security Design Principles – Secure the weakest link first Put yourself into the perspective of the attacker. Where would YOU break into the system? 12
  • 13. © 2021 SEC Consult | All rights reserved ➢ If the application fails it shall do so securely ➢ Failing safe involves restoring to a secure state ➢ Attackers cannot gain access and obtain information during a failure ➢ Confidentiality and integrity shall remain although availability was lost A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public Security Design Principles – Fail Safe Anticipate failures and handle them in your application. Use last resort error handlers for unexpected failures! 13
  • 14. © 2021 SEC Consult | All rights reserved ➢ Make your systems easy to use in a secure fashion ➢ Security mechanisms should be as unintrusive as possible ➢ Examples: • Allow copy/paste from password stores • Provide guidance for the creation of strong passwords • Provide secure defaults A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public Security Design Principles – Psychological acceptability If you make the life of users too complicated, they will find ways to circumvent important security mechanisms. 14
  • 15. © 2021 SEC Consult | All rights reserved ➢ Don’t apply localized patches to systemic problems ➢ Identified vulnerabilities must be eliminated at their root ➢ Perform root cause analysis for all new types of vulnerabilities ➢ This should be part of a well-defined security defect life-cycle A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public Security Design Principles – Eliminate root causes Patching a vulnerability locally fixes one issue. Eliminating the root cause improves the whole architecture. 15
  • 16. © 2021 SEC Consult | All rights reserved ➢ Shared services should be properly validated and considered secure ➢ Invest in security once, benefit often ➢ Using those components does not introduce new vulnerabilities ➢ Provide guidance on how to use them in a secure fashion A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public Security Design Principles – Leverage existing components Components can be many things: Infrastructure, Services, Frameworks, Libraries, Functions, etc. 16
  • 17. © 2021 SEC Consult | All rights reserved A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public Recommended Reading @Dementophobia Follow me for Updates! A deep dive into Secure Software Development based on OWASP SAMM https://r.sec-consult.com/SSDLC https://www.heise.de/hintergrund/ Sichere-Software-entwickeln-mit- OWASP-SAMM-4918292.html 17
  • 18. © 2021 SEC Consult | All rights reserved A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public 18
  • 19. © 2021 SEC Consult | All rights reserved A deep-dive into security design principles | Responsible: T. Kerbl | Version / Date: 1.0 / 2021-01 Confidentiality Class: Public Q&A ASK ME ANYTHING! Thomas Kerbl t.kerbl@sec-consult.com https://twitter.com/dementophobia https://at.linkedin.com/in/thomas-kerbl-2ab81648 19 19