SlideShare a Scribd company logo

CppCon 2018 - Make it Fixable: Living with Risk

Patricia Aas
Patricia Aas

From experience we have learned that almost any surface we expose could have weaknesses. We have to have a plan on how to deal with issues as they arise, and an architecture that allows us to correct and protect in products that are already in use. When security is lifted up to the discretion of the user, however, we often fail to inform their decision properly. The usability of security and the architecture of fixability are closely connected, and both need continued refinement and focus. This talk will describe architectural and organizational features that make it easier to make corrective measures. They are down-to-earth everyday scenarios, illustrated by real world software projects and security incidents. Some of the stories are well known, some are anonymized to protect the innocent. Finally we will show examples of how difficult it is to design the user experience of security.

Technology
1 of 46
Download to read offline
@pati_gallardo T S
Make it Fixable Living with Risk Patricia Aas CppCon 2018 T S @pati_gallardo
Patricia Aas - Consultant Programmer, Application Security Currently : T S Previously : Vivaldi, Cisco Systems, Knowit, Opera Software Master in Computer Science - main language Java Pronouns: she/her T S @pati_gallardo
Security is Hard @pati_gallardo 5
Just Remember : - You live in the real world - Take one step at a time - Make a Plan @pati_gallardo 6
You Need A Security “Hotline” security@example.com Symbiotic relationship Be polite Be grateful Be professional Be efficient and transparent @pati_gallardo 7
- What is a System? - What is a vulnerability? - @pati_gallardo 8
1. Unable to Roll Out Fixes 2. No Control over Dependencies 3. The Team is Gone 4. It’s in Our Code 5. My Boss Made Me Do It 6. User Experience of Security Outline @pati_gallardo 9
Unable to Roll Out Fixes 1 @pati_gallardo 10
Unable to Roll out Fixes Unable to Update Unable to Build @pati_gallardo 11
Internet of Things Toys: My Friend Cayla, i-Que Intelligent Robots, Hello Barbie Mirai: Botnets created with IOT devices, users don’t update “Shelfware” No Maintenance contract Abandonware Closed source - no way to fix/fork Unable to Roll Out Fixes. 12 @pati_gallardo
Internet of Things - Auto-update - Different default passwords - Unboxing security (make the user change the password) “Shelfware” - Get maintenance contract - Change supplier - Do in-house - Use only Open Source Software Fix : Ship It! Unable to Roll Out Fixes. 13 @pati_gallardo
Fix : Ship It! Holy Grail : Continuous Deployment and Auto Update - A Build Environment - Update Mechanism Unable to Roll Out Fixes. 14 @pati_gallardo
Some systems should not be “fixed” A major election software maker allowed remote access on its systems for years Exceptions? 15 @pati_gallardo
No Control over Dependencies 2 @pati_gallardo
No Control over Dependencies No inventory No update routines No auditing @pati_gallardo 17
Equifax Breach Known vulunerability in Apache Struts 2 Heartbleed Bug in openssl Left-Pad Developer unpublished a mini-Js library No Control over Dependencies 18 @pati_gallardo
Equifax Breach Continuous Dependency Auditing Heartbleed Control over production environment Left-Pad Remove unnecessary dependencies Fix: Control It! No Control over Dependencies 19 @pati_gallardo
Fix: Control It! Goal : Largely Automated Dependency Monitoring Remember transitive dependencies Monitor and Update No Control over Dependencies @pati_gallardo 20
The Team is Gone 3 @pati_gallardo 21
The Team Is Gone - Team were consultants - They were downsized - The job was outsourced - “Bus factor” - “Binary blob” - Abandonware @pati_gallardo 22
Fix : Own It! Goal : Complete Build Environment Fork it, own it The Team Is Gone. @pati_gallardo 23
Use It! @pati_gallardo 24
It’s in Our Code 4 @pati_gallardo 25
It’s in Our Code Congratulations! This is Actually the BEST CASE SCENARIO @pati_gallardo 26
Keeper Password Manager - Reporter: Tavis Ormandy (@taviso) - “allowing any website to steal any password” - Browser plugin preinstalled on Windows - Badly handled report: Sues news reporter Dan Goodin It’s In Our Code 27 @pati_gallardo
gitlab.com - “rm -rf” - Sysadmin maintenance - Cascading errors as backups fail - All logged Publicly in real time Transparency Breeds Trust That is how you recover Fix : Live It! It’s In Our Code 28 @pati_gallardo
Fix : Live It! Goal : Prevent & Cure Prevention is great, but the Cure is to Ship It’s In Our Code 29 @pati_gallardo
My Boss Made Me Do It 5 @pati_gallardo 30
My Boss Made Me Do It The Feature is the Bug How? - Security Problem - Privacy Problem - Unethical - Illegal @pati_gallardo 31
Capcom's Street Fighter V - Installed a driver - “anti-crack solution” “...disables supervisor-mode execution protection and then runs the arbitrary code passed in through the ioctl buffer with kernel permissions..” - Reddit user extrwi My Boss Made Me Do It 32 @pati_gallardo
KrebsOnSecurity: "For 2nd Time in 3 Years, Mobile Spyware Maker mSpy Leaks Millions of Sensitive Records" @pati_gallardo 33
Fix : Protect It! Goal : Protect your user Prevent : Protect your team - Workers rights - Team can diffuse blame Cure : Protect your company - Find a Powerful Ally - Do Risk Analysis : Brand Reputation, Trust - Use the Law LAST RESORT : Whistleblowing & Quitting My Boss Made Me Do It 34 @pati_gallardo
Google: DragonFly - "A plan to launch a censored search engine in China" - Employee authors a memo - Internal protests Maersk: NotPetya - Ransomware spreads globally, insufficient network segmentation - “IT executives had pushed for a preemptive security redesign” These are often the Unsung Heroes (Last Resort : Edward Snowden) Fix : Protect It! My Boss Made Me Do It 35 @pati_gallardo
Ship It, Control It, Own It, Live It & Protect It @pati_gallardo 36
- You need a Security Hotline - You Have to Ship Recap @pati_gallardo 37
Designing the User Experience of Security 6 @pati_gallardo 38
@pati_gallardo 39
The Users Won’t Read Error blindness “Just click next” “Make it go away” 40 @pati_gallardo
Fix : Less is More Don’t leave it to the user Have good defaults Be very explicit when needed 41 @pati_gallardo
They Trust You With Personal Information With Data With Money 42 @pati_gallardo
Fix : Be Trustworthy Only store what you have to Back up everything Use third party payment Be loyal to your end user 43 @pati_gallardo
Ship It, Control It, Own It, Live It & Protect It Design For It @pati_gallardo 44
T S P f . Patricia Aas, T S @pati_gallardo
@pati_gallardo T S

Recommended

Make It Fixable, Living with Risk (NDC London 2018)
Make It Fixable, Living with Risk (NDC London 2018)Make It Fixable, Living with Risk (NDC London 2018)
Make It Fixable, Living with Risk (NDC London 2018)Patricia Aas
 
Continuous Security
Continuous SecurityContinuous Security
Continuous SecurityEqual Experts
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review ProcessSherif Koussa
 
Segurança além do Pentest
Segurança além do PentestSegurança além do Pentest
Segurança além do PentestAnchises Moraes
 
Só o Pentest não resolve!
Só o Pentest não resolve!Só o Pentest não resolve!
Só o Pentest não resolve!Anchises Moraes
 
Fighting malware - keeping your Intellectual Property safe
Fighting malware - keeping your Intellectual Property safeFighting malware - keeping your Intellectual Property safe
Fighting malware - keeping your Intellectual Property safePrayukth K V
 
Dutch PHP 2018 - Cryptography for Beginners
Dutch PHP 2018 - Cryptography for BeginnersDutch PHP 2018 - Cryptography for Beginners
Dutch PHP 2018 - Cryptography for BeginnersAdam Englander
 
2019 dsec stego_ppt
2019 dsec stego_ppt2019 dsec stego_ppt
2019 dsec stego_ppt승형 이
 

Recommended

Make It Fixable, Living with Risk (NDC London 2018)
Make It Fixable, Living with Risk (NDC London 2018)Make It Fixable, Living with Risk (NDC London 2018)
Make It Fixable, Living with Risk (NDC London 2018)Patricia Aas
 
Continuous Security
Continuous SecurityContinuous Security
Continuous SecurityEqual Experts
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review ProcessSherif Koussa
 
Segurança além do Pentest
Segurança além do PentestSegurança além do Pentest
Segurança além do PentestAnchises Moraes
 
Só o Pentest não resolve!
Só o Pentest não resolve!Só o Pentest não resolve!
Só o Pentest não resolve!Anchises Moraes
 
Fighting malware - keeping your Intellectual Property safe
Fighting malware - keeping your Intellectual Property safeFighting malware - keeping your Intellectual Property safe
Fighting malware - keeping your Intellectual Property safePrayukth K V
 
Dutch PHP 2018 - Cryptography for Beginners
Dutch PHP 2018 - Cryptography for BeginnersDutch PHP 2018 - Cryptography for Beginners
Dutch PHP 2018 - Cryptography for BeginnersAdam Englander
 
2019 dsec stego_ppt
2019 dsec stego_ppt2019 dsec stego_ppt
2019 dsec stego_ppt승형 이
 
It's Okay To Touch Yourself - DerbyCon 2013
It's Okay To Touch Yourself - DerbyCon 2013It's Okay To Touch Yourself - DerbyCon 2013
It's Okay To Touch Yourself - DerbyCon 2013Ben Ten (0xA)
 
Revealing Resilience Vulnerabilities in Spring Boot Architectures
Revealing Resilience Vulnerabilities in Spring Boot ArchitecturesRevealing Resilience Vulnerabilities in Spring Boot Architectures
Revealing Resilience Vulnerabilities in Spring Boot ArchitecturesVMware Tanzu
 
2019 04-04-dev secops-software supply chain_fst-2
2019 04-04-dev secops-software supply chain_fst-22019 04-04-dev secops-software supply chain_fst-2
2019 04-04-dev secops-software supply chain_fst-2Cameron Townshend
 
Charan Resume
Charan ResumeCharan Resume
Charan ResumeCharan Mukkamala
 
Reading Other Peoples Code (NDC Sydney 2018)
Reading Other Peoples Code (NDC Sydney 2018)Reading Other Peoples Code (NDC Sydney 2018)
Reading Other Peoples Code (NDC Sydney 2018)Patricia Aas
 
API Security: Assume Possible Interference
API Security: Assume Possible InterferenceAPI Security: Assume Possible Interference
API Security: Assume Possible InterferenceJulie Tsai
 
Why Is Election Security So Hard? (Paranoia 2019)
Why Is Election Security So Hard? (Paranoia 2019) Why Is Election Security So Hard? (Paranoia 2019)
Why Is Election Security So Hard? (Paranoia 2019) Patricia Aas
 
Make it Fixable (NDC Copenhagen 2018)
Make it Fixable (NDC Copenhagen 2018)Make it Fixable (NDC Copenhagen 2018)
Make it Fixable (NDC Copenhagen 2018)Patricia Aas
 
Make It Fixable (Sikkert NOK 2017)
Make It Fixable (Sikkert NOK 2017)Make It Fixable (Sikkert NOK 2017)
Make It Fixable (Sikkert NOK 2017)Patricia Aas
 
Make it Fixable, Living with Risk (Paranoia 2017)
Make it Fixable, Living with Risk (Paranoia 2017)Make it Fixable, Living with Risk (Paranoia 2017)
Make it Fixable, Living with Risk (Paranoia 2017)Patricia Aas
 
DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)Patricia Aas
 
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To StartDevSecOps for Developers: How To Start
DevSecOps for Developers: How To StartPatricia Aas
 
Reading Other Peoples Code (Web Rebels 2018)
Reading Other Peoples Code (Web Rebels 2018)Reading Other Peoples Code (Web Rebels 2018)
Reading Other Peoples Code (Web Rebels 2018)Patricia Aas
 
Security Opportunities A Silicon Valley VC Perspective
Security Opportunities A Silicon Valley VC PerspectiveSecurity Opportunities A Silicon Valley VC Perspective
Security Opportunities A Silicon Valley VC PerspectivePositive Hack Days
 
I can be apple and so can you
I can be apple and so can youI can be apple and so can you
I can be apple and so can youShakacon
 
Reading Other Peoples Code (NDC Copenhagen 2019)
Reading Other Peoples Code (NDC Copenhagen 2019)Reading Other Peoples Code (NDC Copenhagen 2019)
Reading Other Peoples Code (NDC Copenhagen 2019)Patricia Aas
 
NCET Tech Bite - Cloud Storage and Data Backup - June 2015
NCET Tech Bite - Cloud Storage and Data Backup - June 2015NCET Tech Bite - Cloud Storage and Data Backup - June 2015
NCET Tech Bite - Cloud Storage and Data Backup - June 2015Archersan
 
NCET Tech
NCET Tech NCET Tech
NCET Tech Archersan
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...lior mazor
 
Reading Other Peoples Code (NDC London 2019)
Reading Other Peoples Code (NDC London 2019)Reading Other Peoples Code (NDC London 2019)
Reading Other Peoples Code (NDC London 2019)Patricia Aas
 
Make it Fixable (Security Divas 2017)
Make it Fixable (Security Divas 2017)Make it Fixable (Security Divas 2017)
Make it Fixable (Security Divas 2017)Patricia Aas
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...RootedCON
 

More Related Content

What's hot

It's Okay To Touch Yourself - DerbyCon 2013
It's Okay To Touch Yourself - DerbyCon 2013It's Okay To Touch Yourself - DerbyCon 2013
It's Okay To Touch Yourself - DerbyCon 2013Ben Ten (0xA)
 
Revealing Resilience Vulnerabilities in Spring Boot Architectures
Revealing Resilience Vulnerabilities in Spring Boot ArchitecturesRevealing Resilience Vulnerabilities in Spring Boot Architectures
Revealing Resilience Vulnerabilities in Spring Boot ArchitecturesVMware Tanzu
 
2019 04-04-dev secops-software supply chain_fst-2
2019 04-04-dev secops-software supply chain_fst-22019 04-04-dev secops-software supply chain_fst-2
2019 04-04-dev secops-software supply chain_fst-2Cameron Townshend
 
Reading Other Peoples Code (NDC Sydney 2018)
Reading Other Peoples Code (NDC Sydney 2018)Reading Other Peoples Code (NDC Sydney 2018)
Reading Other Peoples Code (NDC Sydney 2018)Patricia Aas
 
API Security: Assume Possible Interference
API Security: Assume Possible InterferenceAPI Security: Assume Possible Interference
API Security: Assume Possible InterferenceJulie Tsai
 
Why Is Election Security So Hard? (Paranoia 2019)
Why Is Election Security So Hard? (Paranoia 2019) Why Is Election Security So Hard? (Paranoia 2019)
Why Is Election Security So Hard? (Paranoia 2019) Patricia Aas
 

What's hot (7)

It's Okay To Touch Yourself - DerbyCon 2013
It's Okay To Touch Yourself - DerbyCon 2013It's Okay To Touch Yourself - DerbyCon 2013
It's Okay To Touch Yourself - DerbyCon 2013
 
Revealing Resilience Vulnerabilities in Spring Boot Architectures
Revealing Resilience Vulnerabilities in Spring Boot ArchitecturesRevealing Resilience Vulnerabilities in Spring Boot Architectures
Revealing Resilience Vulnerabilities in Spring Boot Architectures
 
2019 04-04-dev secops-software supply chain_fst-2
2019 04-04-dev secops-software supply chain_fst-22019 04-04-dev secops-software supply chain_fst-2
2019 04-04-dev secops-software supply chain_fst-2
 
Charan Resume
Charan ResumeCharan Resume
Charan Resume
 
Reading Other Peoples Code (NDC Sydney 2018)
Reading Other Peoples Code (NDC Sydney 2018)Reading Other Peoples Code (NDC Sydney 2018)
Reading Other Peoples Code (NDC Sydney 2018)
 
API Security: Assume Possible Interference
API Security: Assume Possible InterferenceAPI Security: Assume Possible Interference
API Security: Assume Possible Interference
 
Why Is Election Security So Hard? (Paranoia 2019)
Why Is Election Security So Hard? (Paranoia 2019) Why Is Election Security So Hard? (Paranoia 2019)
Why Is Election Security So Hard? (Paranoia 2019)
 

Similar to CppCon 2018 - Make it Fixable: Living with Risk

Make it Fixable (NDC Copenhagen 2018)
Make it Fixable (NDC Copenhagen 2018)Make it Fixable (NDC Copenhagen 2018)
Make it Fixable (NDC Copenhagen 2018)Patricia Aas
 
Make It Fixable (Sikkert NOK 2017)
Make It Fixable (Sikkert NOK 2017)Make It Fixable (Sikkert NOK 2017)
Make It Fixable (Sikkert NOK 2017)Patricia Aas
 
Make it Fixable, Living with Risk (Paranoia 2017)
Make it Fixable, Living with Risk (Paranoia 2017)Make it Fixable, Living with Risk (Paranoia 2017)
Make it Fixable, Living with Risk (Paranoia 2017)Patricia Aas
 
DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)Patricia Aas
 
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To StartDevSecOps for Developers: How To Start
DevSecOps for Developers: How To StartPatricia Aas
 
Reading Other Peoples Code (Web Rebels 2018)
Reading Other Peoples Code (Web Rebels 2018)Reading Other Peoples Code (Web Rebels 2018)
Reading Other Peoples Code (Web Rebels 2018)Patricia Aas
 
Security Opportunities A Silicon Valley VC Perspective
Security Opportunities A Silicon Valley VC PerspectiveSecurity Opportunities A Silicon Valley VC Perspective
Security Opportunities A Silicon Valley VC PerspectivePositive Hack Days
 
I can be apple and so can you
I can be apple and so can youI can be apple and so can you
I can be apple and so can youShakacon
 
Reading Other Peoples Code (NDC Copenhagen 2019)
Reading Other Peoples Code (NDC Copenhagen 2019)Reading Other Peoples Code (NDC Copenhagen 2019)
Reading Other Peoples Code (NDC Copenhagen 2019)Patricia Aas
 
NCET Tech Bite - Cloud Storage and Data Backup - June 2015
NCET Tech Bite - Cloud Storage and Data Backup - June 2015NCET Tech Bite - Cloud Storage and Data Backup - June 2015
NCET Tech Bite - Cloud Storage and Data Backup - June 2015Archersan
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...lior mazor
 
Reading Other Peoples Code (NDC London 2019)
Reading Other Peoples Code (NDC London 2019)Reading Other Peoples Code (NDC London 2019)
Reading Other Peoples Code (NDC London 2019)Patricia Aas
 
Make it Fixable (Security Divas 2017)
Make it Fixable (Security Divas 2017)Make it Fixable (Security Divas 2017)
Make it Fixable (Security Divas 2017)Patricia Aas
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...RootedCON
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)Javier Junquera
 
Maturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactMaturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactSBWebinars
 
AI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey GordeychikAI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey GordeychikSergey Gordeychik
 
6 DevSecOps Hacks (femtech 2019)
6 DevSecOps Hacks (femtech 2019)6 DevSecOps Hacks (femtech 2019)
6 DevSecOps Hacks (femtech 2019)Patricia Aas
 

Similar to CppCon 2018 - Make it Fixable: Living with Risk (20)

Make it Fixable (NDC Copenhagen 2018)
Make it Fixable (NDC Copenhagen 2018)Make it Fixable (NDC Copenhagen 2018)
Make it Fixable (NDC Copenhagen 2018)
 
Make It Fixable (Sikkert NOK 2017)
Make It Fixable (Sikkert NOK 2017)Make It Fixable (Sikkert NOK 2017)
Make It Fixable (Sikkert NOK 2017)
 
Make it Fixable, Living with Risk (Paranoia 2017)
Make it Fixable, Living with Risk (Paranoia 2017)Make it Fixable, Living with Risk (Paranoia 2017)
Make it Fixable, Living with Risk (Paranoia 2017)
 
DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)
 
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To StartDevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
 
Reading Other Peoples Code (Web Rebels 2018)
Reading Other Peoples Code (Web Rebels 2018)Reading Other Peoples Code (Web Rebels 2018)
Reading Other Peoples Code (Web Rebels 2018)
 
Security Opportunities A Silicon Valley VC Perspective
Security Opportunities A Silicon Valley VC PerspectiveSecurity Opportunities A Silicon Valley VC Perspective
Security Opportunities A Silicon Valley VC Perspective
 
I can be apple and so can you
I can be apple and so can youI can be apple and so can you
I can be apple and so can you
 
Reading Other Peoples Code (NDC Copenhagen 2019)
Reading Other Peoples Code (NDC Copenhagen 2019)Reading Other Peoples Code (NDC Copenhagen 2019)
Reading Other Peoples Code (NDC Copenhagen 2019)
 
NCET Tech Bite - Cloud Storage and Data Backup - June 2015
NCET Tech Bite - Cloud Storage and Data Backup - June 2015NCET Tech Bite - Cloud Storage and Data Backup - June 2015
NCET Tech Bite - Cloud Storage and Data Backup - June 2015
 
NCET Tech
NCET Tech NCET Tech
NCET Tech
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
 
Reading Other Peoples Code (NDC London 2019)
Reading Other Peoples Code (NDC London 2019)Reading Other Peoples Code (NDC London 2019)
Reading Other Peoples Code (NDC London 2019)
 
Make it Fixable (Security Divas 2017)
Make it Fixable (Security Divas 2017)Make it Fixable (Security Divas 2017)
Make it Fixable (Security Divas 2017)
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)
 
Maturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactMaturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High Impact
 
Having Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security AnalysisHaving Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security Analysis
 
AI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey GordeychikAI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey Gordeychik
 
6 DevSecOps Hacks (femtech 2019)
6 DevSecOps Hacks (femtech 2019)6 DevSecOps Hacks (femtech 2019)
6 DevSecOps Hacks (femtech 2019)
 

More from Patricia Aas

NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdfNDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdfPatricia Aas
 
Return Oriented Programming, an introduction
Return Oriented Programming, an introductionReturn Oriented Programming, an introduction
Return Oriented Programming, an introductionPatricia Aas
 
I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)Patricia Aas
 
Dependency Management in C++ (NDC TechTown 2021)
Dependency Management in C++ (NDC TechTown 2021)Dependency Management in C++ (NDC TechTown 2021)
Dependency Management in C++ (NDC TechTown 2021)Patricia Aas
 
Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)Patricia Aas
 
Classic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdfClassic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdfPatricia Aas
 
Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)Patricia Aas
 
Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)Patricia Aas
 
Thoughts On Learning A New Programming Language
Thoughts On Learning A New Programming LanguageThoughts On Learning A New Programming Language
Thoughts On Learning A New Programming LanguagePatricia Aas
 
Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Patricia Aas
 
Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Patricia Aas
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)Patricia Aas
 
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)Patricia Aas
 
The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))Patricia Aas
 
Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)Patricia Aas
 
Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019) Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019) Patricia Aas
 
Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)Patricia Aas
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Patricia Aas
 
Keynote: Deconstructing Privilege (C++ on Sea 2019)
Keynote: Deconstructing Privilege (C++ on Sea 2019)Keynote: Deconstructing Privilege (C++ on Sea 2019)
Keynote: Deconstructing Privilege (C++ on Sea 2019)Patricia Aas
 

More from Patricia Aas (20)

NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdfNDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
 
Telling a story
Telling a storyTelling a story
Telling a story
 
Return Oriented Programming, an introduction
Return Oriented Programming, an introductionReturn Oriented Programming, an introduction
Return Oriented Programming, an introduction
 
I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)
 
Dependency Management in C++ (NDC TechTown 2021)
Dependency Management in C++ (NDC TechTown 2021)Dependency Management in C++ (NDC TechTown 2021)
Dependency Management in C++ (NDC TechTown 2021)
 
Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)
 
Classic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdfClassic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdf
 
Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)
 
Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)
 
Thoughts On Learning A New Programming Language
Thoughts On Learning A New Programming LanguageThoughts On Learning A New Programming Language
Thoughts On Learning A New Programming Language
 
Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020
 
Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)
 
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
 
The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))
 
Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)
 
Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019) Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019)
 
Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)
 
Keynote: Deconstructing Privilege (C++ on Sea 2019)
Keynote: Deconstructing Privilege (C++ on Sea 2019)Keynote: Deconstructing Privilege (C++ on Sea 2019)
Keynote: Deconstructing Privilege (C++ on Sea 2019)
 

Recently uploaded

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 

Recently uploaded (20)

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 

CppCon 2018 - Make it Fixable: Living with Risk

  • 2.
  • 3. Make it Fixable Living with Risk Patricia Aas CppCon 2018 T S @pati_gallardo
  • 4. Patricia Aas - Consultant Programmer, Application Security Currently : T S Previously : Vivaldi, Cisco Systems, Knowit, Opera Software Master in Computer Science - main language Java Pronouns: she/her T S @pati_gallardo
  • 5. Security is Hard @pati_gallardo 5
  • 6. Just Remember : - You live in the real world - Take one step at a time - Make a Plan @pati_gallardo 6
  • 7. You Need A Security “Hotline” security@example.com Symbiotic relationship Be polite Be grateful Be professional Be efficient and transparent @pati_gallardo 7
  • 8. - What is a System? - What is a vulnerability? - @pati_gallardo 8
  • 9. 1. Unable to Roll Out Fixes 2. No Control over Dependencies 3. The Team is Gone 4. It’s in Our Code 5. My Boss Made Me Do It 6. User Experience of Security Outline @pati_gallardo 9
  • 10. Unable to Roll Out Fixes 1 @pati_gallardo 10
  • 11. Unable to Roll out Fixes Unable to Update Unable to Build @pati_gallardo 11
  • 12. Internet of Things Toys: My Friend Cayla, i-Que Intelligent Robots, Hello Barbie Mirai: Botnets created with IOT devices, users don’t update “Shelfware” No Maintenance contract Abandonware Closed source - no way to fix/fork Unable to Roll Out Fixes. 12 @pati_gallardo
  • 13. Internet of Things - Auto-update - Different default passwords - Unboxing security (make the user change the password) “Shelfware” - Get maintenance contract - Change supplier - Do in-house - Use only Open Source Software Fix : Ship It! Unable to Roll Out Fixes. 13 @pati_gallardo
  • 14. Fix : Ship It! Holy Grail : Continuous Deployment and Auto Update - A Build Environment - Update Mechanism Unable to Roll Out Fixes. 14 @pati_gallardo
  • 15. Some systems should not be “fixed” A major election software maker allowed remote access on its systems for years Exceptions? 15 @pati_gallardo
  • 16. No Control over Dependencies 2 @pati_gallardo
  • 17. No Control over Dependencies No inventory No update routines No auditing @pati_gallardo 17
  • 18. Equifax Breach Known vulunerability in Apache Struts 2 Heartbleed Bug in openssl Left-Pad Developer unpublished a mini-Js library No Control over Dependencies 18 @pati_gallardo
  • 19. Equifax Breach Continuous Dependency Auditing Heartbleed Control over production environment Left-Pad Remove unnecessary dependencies Fix: Control It! No Control over Dependencies 19 @pati_gallardo
  • 20. Fix: Control It! Goal : Largely Automated Dependency Monitoring Remember transitive dependencies Monitor and Update No Control over Dependencies @pati_gallardo 20
  • 21. The Team is Gone 3 @pati_gallardo 21
  • 22. The Team Is Gone - Team were consultants - They were downsized - The job was outsourced - “Bus factor” - “Binary blob” - Abandonware @pati_gallardo 22
  • 23. Fix : Own It! Goal : Complete Build Environment Fork it, own it The Team Is Gone. @pati_gallardo 23
  • 25. It’s in Our Code 4 @pati_gallardo 25
  • 26. It’s in Our Code Congratulations! This is Actually the BEST CASE SCENARIO @pati_gallardo 26
  • 27. Keeper Password Manager - Reporter: Tavis Ormandy (@taviso) - “allowing any website to steal any password” - Browser plugin preinstalled on Windows - Badly handled report: Sues news reporter Dan Goodin It’s In Our Code 27 @pati_gallardo
  • 28. gitlab.com - “rm -rf” - Sysadmin maintenance - Cascading errors as backups fail - All logged Publicly in real time Transparency Breeds Trust That is how you recover Fix : Live It! It’s In Our Code 28 @pati_gallardo
  • 29. Fix : Live It! Goal : Prevent & Cure Prevention is great, but the Cure is to Ship It’s In Our Code 29 @pati_gallardo
  • 30. My Boss Made Me Do It 5 @pati_gallardo 30
  • 31. My Boss Made Me Do It The Feature is the Bug How? - Security Problem - Privacy Problem - Unethical - Illegal @pati_gallardo 31
  • 32. Capcom's Street Fighter V - Installed a driver - “anti-crack solution” “...disables supervisor-mode execution protection and then runs the arbitrary code passed in through the ioctl buffer with kernel permissions..” - Reddit user extrwi My Boss Made Me Do It 32 @pati_gallardo
  • 33. KrebsOnSecurity: "For 2nd Time in 3 Years, Mobile Spyware Maker mSpy Leaks Millions of Sensitive Records" @pati_gallardo 33
  • 34. Fix : Protect It! Goal : Protect your user Prevent : Protect your team - Workers rights - Team can diffuse blame Cure : Protect your company - Find a Powerful Ally - Do Risk Analysis : Brand Reputation, Trust - Use the Law LAST RESORT : Whistleblowing & Quitting My Boss Made Me Do It 34 @pati_gallardo
  • 35. Google: DragonFly - "A plan to launch a censored search engine in China" - Employee authors a memo - Internal protests Maersk: NotPetya - Ransomware spreads globally, insufficient network segmentation - “IT executives had pushed for a preemptive security redesign” These are often the Unsung Heroes (Last Resort : Edward Snowden) Fix : Protect It! My Boss Made Me Do It 35 @pati_gallardo
  • 36. Ship It, Control It, Own It, Live It & Protect It @pati_gallardo 36
  • 37. - You need a Security Hotline - You Have to Ship Recap @pati_gallardo 37
  • 38. Designing the User Experience of Security 6 @pati_gallardo 38
  • 40. The Users Won’t Read Error blindness “Just click next” “Make it go away” 40 @pati_gallardo
  • 41. Fix : Less is More Don’t leave it to the user Have good defaults Be very explicit when needed 41 @pati_gallardo
  • 42. They Trust You With Personal Information With Data With Money 42 @pati_gallardo
  • 43. Fix : Be Trustworthy Only store what you have to Back up everything Use third party payment Be loyal to your end user 43 @pati_gallardo
  • 44. Ship It, Control It, Own It, Live It & Protect It Design For It @pati_gallardo 44
  • 45. T S P f . Patricia Aas, T S @pati_gallardo