Is this okay!? DevSecCon ⚡ 2022
Is this okay!?
Rouan Wilsenach
Engineering Lead, Haven
@rouanw
Reviewing code for security issues
Too much pressure

Code reviews are great for catching issues but they can’t be the only thing.
- Build awareness 💬
- Threat modelling 🐉
- Pen testing 🔦
1. Where’s the input going?
- Is there new input?
- Have we changed the way input is handled?
- Where is it stored?
- How is it used later?
2. Are the right AAA checks in place?
- Authentication - have we checked the actor is who they say they are?
- Authorisation - have we checked they’re allowed to do this?
- Auditing - have we made a note of what happened?
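The three checks above, as an added example that is not part of the slides: a request handler that authenticates the caller, authorises the specific action on the specific resource, and writes an audit record for every decision, denials included. The session tokens, users and documents are constructed in-memory fixtures.

```javascript
// Added example (not from the slides): the three AAA checks a reviewer
// looks for in a request handler, against constructed in-memory data.
// Session tokens, user ids and document ids below are made-up fixtures.
const SESSIONS = { 'tok-alice': 'alice', 'tok-bob': 'bob', 'tok-root': 'root' };
const USERS = { alice: { role: 'user' }, bob: { role: 'user' }, root: { role: 'admin' } };
const DOCUMENTS = { d1: { owner: 'alice', body: 'alice private notes' } };

// 1. Authentication: map the presented credential to a known actor, or nobody.
function authenticate(req) {
  const token = (req.headers.authorization || '').replace(/^Bearer /, '');
  const userId = SESSIONS[token];
  return userId ? { id: userId, role: USERS[userId].role } : null;
}

// 2. Authorisation: a decision per action and resource, not just "is logged in".
function authorise(actor, action, doc) {
  if (actor.role === 'admin') return true;
  if (action === 'read' || action === 'delete') return doc.owner === actor.id;
  return false; // default deny for anything not listed
}

// 3. Auditing: record who tried what, on which resource, and the outcome.
// Denials are recorded too; they are what an investigator looks for later.
function audit(log, actor, action, docId, outcome) {
  log.push({ actor: actor ? actor.id : 'anonymous', action, docId, outcome });
}

function handleRequest(req, auditLog) {
  const actor = authenticate(req);
  if (!actor) {
    audit(auditLog, null, req.action, req.docId, 'unauthenticated');
    return { status: 401 };
  }
  const doc = DOCUMENTS[req.docId];
  if (!doc || !authorise(actor, req.action, doc)) {
    // Same response whether the document is missing or simply not theirs,
    // so an authenticated caller cannot probe which ids exist. The audit
    // record still distinguishes the two for whoever reads it later.
    audit(auditLog, actor, req.action, req.docId, doc ? 'forbidden' : 'not-found');
    return { status: 404 };
  }
  audit(auditLog, actor, req.action, req.docId, 'ok');
  return { status: 200, body: doc.body };
}
```

When reviewing a change, the question is whether each of the three functions is still called on every path; a new endpoint that calls `authenticate` but skips `authorise`, or a fast path that returns before `audit`, is exactly what this checklist item is meant to catch.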
3. Have the assets changed?
Are we storing any personal or special information? E.g.
- Emails
- Health info
- Credit cards
- Racial or ethnic origin
- Political or religious info
4. Are you leaking data?
- Is your API returning extra bits?
- Are you logging stuff you shouldn’t?
- Don’t keep anything you don’t need
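The first two bullets above, as an added example that is not from the slides: an API response that spreads the whole user record beside one built from an explicit allow-list, and a log redaction step that masks credential-like and personal keys before serialisation. The user record, its field names and the placeholder hash and token values are constructed fixtures.

```javascript
// Added example (not from the slides): two leak patterns a reviewer checks
// for, an API response that returns the whole record and a log line that
// carries secrets or personal data. The user record is a constructed fixture.
const STORED_USER = {
  id: 42,
  displayName: 'Ada',
  email: 'ada@example.com',
  passwordHash: '$argon2id$...placeholder-hash...',
  resetToken: 'placeholder-reset-token',
  isAdmin: false,
};

// Leaky: "return the user" hands every column to the client, including
// fields that were never meant to leave the server.
function leakyProfileResponse(user) {
  return { ...user };
}

// Fixed: an explicit allow-list. A column added to the table later is not
// exposed unless someone adds it here, where a reviewer will see the diff.
const PUBLIC_PROFILE_FIELDS = ['id', 'displayName'];
function publicProfileResponse(user) {
  return Object.fromEntries(PUBLIC_PROFILE_FIELDS.map((k) => [k, user[k]]));
}

// Log redaction: keys that look like credentials, tokens or personal data
// are masked before the object is serialised, however deep they sit.
const SENSITIVE_KEY = /(password|passwd|secret|token|authorization|cookie|hash|email)/i;
function redactForLog(value) {
  if (Array.isArray(value)) return value.map(redactForLog);
  if (value && typeof value === 'object') {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) =>
        [k, SENSITIVE_KEY.test(k) ? '[REDACTED]' : redactForLog(v)])
    );
  }
  return value;
}

// What the leaky and fixed handlers would actually send and log, side by side.
function compareLeak() {
  const leaked = Object.keys(leakyProfileResponse(STORED_USER));
  const exposed = Object.keys(publicProfileResponse(STORED_USER));
  const logLine = JSON.stringify(redactForLog({ event: 'login', user: STORED_USER }));
  return { leaked, exposed, logLine };
}
```

The allow-list is deliberately a named constant rather than a `delete user.passwordHash` at the end of the handler: a deny-list has to be updated every time the schema grows, and a reviewer cannot tell from the diff that it was.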
5. Any new dependencies?
Do some research on new dependencies. Are they:
- Trusted
- Popular
- Well maintained
- Do you really need it?
6. Has the config changed?
- Misconfiguration is a super common cause of security issues
- If your config isn’t code, you can’t review it!
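The second bullet above, as an added example that is not from the slides: configuration kept as code so it shows up in a diff, plus a startup check that refuses settings which are only acceptable outside production. The setting names (`debug`, `tlsVerify`, `cookie.secure`, `cookie.httpOnly`, `corsOrigins`) and the example origin are assumptions, not any particular framework's keys.

```javascript
// Added example (not from the slides): configuration kept as code so it can
// be diffed and reviewed, plus a startup check that refuses settings which
// are only acceptable outside production. Setting names are assumed.
const PRODUCTION_RULES = [
  ['debug', (v) => v === false, 'debug must be off; stack traces and internals leak otherwise'],
  ['tlsVerify', (v) => v === true, 'TLS certificate verification must stay on'],
  ['cookie.secure', (v) => v === true, 'session cookie must be Secure'],
  ['cookie.httpOnly', (v) => v === true, 'session cookie must be HttpOnly'],
  ['corsOrigins', (v) => Array.isArray(v) && !v.includes('*'), 'CORS origins must be an explicit list'],
];

// Resolve a dotted path such as "cookie.secure"; a missing section yields
// undefined, which fails every rule above rather than silently passing.
function lookup(config, dottedPath) {
  return dottedPath.split('.').reduce((o, k) => (o == null ? undefined : o[k]), config);
}

// Returns the list of violations; an empty list means the config is fit for
// production. Call it before binding any port so a bad deploy fails loudly.
function checkProductionConfig(config) {
  if (config.env !== 'production') return [];
  return PRODUCTION_RULES
    .filter(([path, ok]) => !ok(lookup(config, path)))
    .map(([path, , why]) => `${path}: ${why}`);
}

// A config that "works" in a developer's environment but must not ship.
const weakConfig = {
  env: 'production', debug: true, tlsVerify: false,
  cookie: { secure: false, httpOnly: true },
  corsOrigins: ['*'],
};

// The same config with each flagged setting corrected.
const hardenedConfig = {
  env: 'production', debug: false, tlsVerify: true,
  cookie: { secure: true, httpOnly: true },
  corsOrigins: ['https://app.example.com'],
};
```

Because the rules live next to the config in the repository, a pull request that flips `tlsVerify` to `false` has to either fail this check or change the rule, and either shows up in the review.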
7. Is anything being cached?
- Don’t show one user’s sensitive info to another!
- Everyone should understand the default cache behaviour
- Good cache keys
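The cross-user leak the slide warns about, as an added example that is not from the slides: the same small cache built twice, once keyed on the request path alone (what many HTTP caches and memoize helpers do by default) and once with the authenticated user in the key. The users, balances and the backend call are constructed in-memory fixtures.

```javascript
// Added example (not from the slides): the cross-user cache leak the slide
// warns about, and the fix of putting the principal into the cache key.
// Users, balances and the cache are constructed in-memory fixtures.
const BALANCES = { alice: 'alice: 120.00', bob: 'bob: 7.50' };

// The "database" call we are caching; counts calls so a test can prove
// that the cache actually serves hits and is not just bypassed.
let backendCalls = 0;
function fetchBalance(userId) {
  backendCalls += 1;
  return BALANCES[userId];
}

// A minimal read-through cache; keyFn decides what the entry depends on.
function makeCache(keyFn) {
  const store = new Map();
  return {
    get(req) {
      const key = keyFn(req);
      if (!store.has(key)) store.set(key, fetchBalance(req.user));
      return store.get(key);
    },
  };
}

// Leaky: the key is the URL alone. Whoever hits the URL first fills the
// entry; everyone after gets that user's data.
const leakyCache = makeCache((req) => req.path);

// Fixed: the key carries everything the response depends on, here the
// authenticated user. Path alone is only a safe key for public responses
// that are identical for every caller.
const perUserCache = makeCache((req) => `${req.user}:${req.path}`);

// Three requests to the same personal URL from two users, returning what
// each user was shown and how often the backend was actually consulted.
function demo(cache) {
  backendCalls = 0;
  const first = cache.get({ user: 'alice', path: '/me/balance' });
  const second = cache.get({ user: 'bob', path: '/me/balance' });
  const again = cache.get({ user: 'alice', path: '/me/balance' });
  return { first, second, again, backendCalls };
}
```

The review question is not "is there a cache?" but "what does the key leave out that the response depends on?": user, tenant, locale, permissions and feature flags are the usual omissions.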
8. Have you checked the borders?
A handy trick if you’re short on time is to focus on where data enters and leaves your system - e.g. where a web request comes in and where we talk to a database.
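Both borders named above, together with the input questions from item 1, as one added example that is not from the slides: a search endpoint that turns raw query-string values into typed, bounded values at the point a web request comes in, and builds a parameterised query at the point we talk to the database. The field names, limits and SQL are assumptions for illustration.

```javascript
// Added example (not from the slides): the two borders the slide names,
// where a web request comes in and where we talk to a database, with the
// checks a reviewer expects at each. Field names and limits are assumed.

// Border 1, request in: turn untrusted query-string values into typed,
// bounded values or reject. Nothing downstream should see the raw strings.
const ALLOWED_SORT = new Set(['created', 'name']);
function parseSearchRequest(query) {
  const errors = [];
  const term = typeof query.q === 'string' ? query.q.trim() : '';
  if (term.length === 0 || term.length > 100) errors.push('q: required, at most 100 chars');
  const limit = Number(query.limit ?? 20);
  if (!Number.isInteger(limit) || limit < 1 || limit > 100) errors.push('limit: integer 1..100');
  const sort = query.sort ?? 'created';
  if (!ALLOWED_SORT.has(sort)) errors.push('sort: must be one of created, name');
  return errors.length ? { ok: false, errors } : { ok: true, value: { term, limit, sort } };
}

// Border 2, database out: user data travels only in the parameter list,
// never spliced into the SQL text. The ORDER BY column is the one value
// that is interpolated, and it comes from the allow-list above because
// identifiers cannot be bound as parameters.
function buildSearchQuery({ term, limit, sort }) {
  return {
    text: `SELECT id, name FROM items WHERE name ILIKE $1 ORDER BY ${sort} LIMIT $2`,
    values: [`%${term}%`, limit],
  };
}

// The endpoint: reject at the border, or hand a parameterised query onward.
function searchEndpoint(query) {
  const parsed = parseSearchRequest(query);
  if (!parsed.ok) return { status: 400, errors: parsed.errors };
  return { status: 200, query: buildSearchQuery(parsed.value) };
}
```

Reading a diff with this in mind, the things to look for are a new field read from `query` that bypasses `parseSearchRequest`, a value interpolated into `text` that is not on an allow-list, and a loosened limit.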
A few tricks that helped me learn
- Find your security mentor
- Turn up at post mortems
- Smashing Security Podcast
- Offer help during pen tests
- Find a security course online
Reviewing code for security issues – Cheat Sheet
1. Inputs
2. AAA
3. Asset type
4. Data leaks
5. Dependencies
6. Config
7. Caching
8. Boundaries
@rouanw
Is this okay!?
Rouan Wilsenach
Engineering Lead, Haven
@rouanw
Reviewing code for security issues
