10. Stuxnet
June 2010, worm against SCADA systems
Four (4) Windows zero-day vulnerabilities
Zequi Vázquez @RabbitLair Security for Human Beings
11. Sony Pictures Entertainment
November 2014, wiper malware spreading over SMB
More than 100 TB of confidential info
12. El Corte Inglés
February 2016, SQL Injection on the login form
Financial info from 2011 to 2016 extracted
13. Philippines
March 2016, unknown vulnerabilities
Data on 55 million voters, fingerprints included!
14. Panama Papers
April 2016, outdated Drupal 7 and WordPress
2.6 TB of confidential information, spanning 40+ years
15. Turkey
April 2016, hardcoded password in the code
Personal data of 49,611,709 voters (6.9 GB)
16. IPS Community Suite
April 2016, Thanatos, a trojan used to zombify servers
Infrastructure attack: Warner, LiveNation
17. LastPass
March 2017, vulnerabilities in the browser extensions
Password leakage
19. But not everything is lost
21. What is a project?
More than putting some code on a server
Security must be present in all phases
22. From minute zero
Security should be reflected in the requirements
Balance between security and budget
23. Setting the plans
Design the application with security in mind
Paranoia is a virtue
24. While developing...
We are responsible for our product
Bad guys do not create the holes; we do
25. While developing...
Do you know the security best practices?
Programmers are human, and humans are lazy
26. What can we do?
Defensive programming and error handling!
Try to think like an attacker while coding
27. Take care of more than just the code
Are development environments & repos private?
Be careful what you paste into StackOverflow questions
29. Infrastructure
A project is much more than code
Fault tolerance, high availability, configuration
30. Testing
Full security audit before deploying
Ideally, automate security testing
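Worked example tying together the SQL injection on a login form (slide 12) and the automated security testing from this slide. This is added example code, not code from the talk: the `users` table, the plaintext-password column (real code stores a salted hash; plaintext only keeps the SQL short) and the payload list are constructed for the demonstration. The same login check is written twice, once with string concatenation and once parameterized, and a regression function that a CI pipeline could run reports which payloads log in without valid credentials.

```python
import sqlite3

# Constructed demo accounts (not real data). Plaintext passwords are used only to
# keep the SQL demonstration short; production code stores a salted hash.
DEMO_USERS = [("alice", "correct horse"), ("bob", "battery staple")]


def make_db():
    """Fresh in-memory database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", DEMO_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Login as it is too often written: user input is pasted into the SQL text."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check with a parameterized query: input is bound as data, never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Classic payloads (constructed): comment out the password check, or make the
# WHERE clause always true.
INJECTION_PAYLOADS = [
    ("alice' --", "anything"),
    ("' OR '1'='1' --", "anything"),
    ("alice", "' OR '1'='1"),
]


def security_regression(login):
    """Automated check for a CI pipeline: return every payload that logs in without
    valid credentials. An empty list means the login function passed."""
    conn = make_db()
    bypassed = []
    for username, password in INJECTION_PAYLOADS:
        try:
            who = login(conn, username, password)
        except sqlite3.Error:
            who = None  # a SQL syntax error is a failed login, not a bypass
        if who is not None:
            bypassed.append((username, password, who))
    return bypassed


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("safe", login_safe)):
        print(name, "bypassed by:", security_regression(fn))
```

Run as a script it prints the three payloads for `login_vulnerable` and an empty list for `login_safe`; wired into the test suite, `security_regression(login_safe)` returning anything but `[]` should fail the build.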
31. Information is Power
Monitor all the things!
Keep up to date with updates and patches
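A small illustration of "monitor all the things", added here and not part of the talk: a detector run over constructed sshd-style log lines (the addresses are from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges, and the hostnames and PIDs are made up). It flags a source IP with five or more failed logins inside a 60-second window and, more important, any later successful login from an IP that was already flagged, which is the event an operator actually wants to wake up for.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (syslog-style sshd lines), not real data.
SAMPLE_LOG = """\
Apr 12 10:00:01 web1 sshd[2031]: Failed password for invalid user admin from 203.0.113.7 port 51322 ssh2
Apr 12 10:00:04 web1 sshd[2033]: Failed password for root from 203.0.113.7 port 51324 ssh2
Apr 12 10:00:07 web1 sshd[2035]: Failed password for invalid user test from 203.0.113.7 port 51326 ssh2
Apr 12 10:00:09 web1 sshd[2037]: Failed password for root from 203.0.113.7 port 51328 ssh2
Apr 12 10:00:12 web1 sshd[2039]: Failed password for deploy from 198.51.100.9 port 40010 ssh2
Apr 12 10:00:15 web1 sshd[2041]: Failed password for root from 203.0.113.7 port 51330 ssh2
Apr 12 10:00:18 web1 sshd[2043]: Failed password for root from 203.0.113.7 port 51332 ssh2
Apr 12 10:00:40 web1 sshd[2045]: Accepted password for deploy from 198.51.100.9 port 40012 ssh2
Apr 12 10:02:05 web1 sshd[2047]: Accepted password for root from 203.0.113.7 port 51340 ssh2
""".splitlines()

TS = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAILED = re.compile(TS + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
ACCEPTED = re.compile(TS + r"Accepted password for (?P<user>\S+) from (?P<ip>[\d.]+)")


def parse_ts(text):
    # syslog timestamps carry no year; only differences between them are used here.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def detect(lines, threshold=5, window_s=60):
    """Return alerts as tuples: ("bruteforce", ip, failures_in_window) when an IP
    reaches `threshold` failures within `window_s` seconds, and
    ("success-after-bruteforce", ip, user) for a later accepted login from it."""
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    flagged = set()
    alerts = []
    for line in lines:
        m = FAILED.match(line)
        if m:
            ip, ts = m["ip"], parse_ts(m["ts"])
            window = recent[ip]
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_s:
                window.popleft()  # drop failures that fell out of the window
            if len(window) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, len(window)))
            continue
        m = ACCEPTED.match(line)
        if m and m["ip"] in flagged:
            alerts.append(("success-after-bruteforce", m["ip"], m["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

On the sample above, 198.51.100.9 fails once and then logs in, which stays quiet; 203.0.113.7 trips the threshold at its fifth failure and its later root login is reported as a success after a brute-force burst. The thresholds are the tunable part: raise them and the same input produces no alert at all.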
32. Sh*t happens
Emergency recovery plan, forensics
Untested backups are NO backups
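"Untested backups are NO backups" in code. The following is an added example, not from the talk: it takes a backup of a small SQLite database with the standard online backup API, records the file digest, then restores the backup into a scratch copy and checks that the copy is actually usable (integrity check plus an expected row count). The `orders` table is constructed for the demo, and truncating the backup file stands in for the half-written or silently corrupted backups that only get discovered on the day of the restore.

```python
import hashlib
import os
import shutil
import sqlite3
import tempfile


def make_source_db(path):
    """Constructed 'production' database for the demo."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, amount REAL)")
    conn.executemany("INSERT INTO orders (customer, amount) VALUES (?, ?)",
                     [("acme", 120.5), ("globex", 99.0), ("initech", 42.0)])
    conn.commit()
    return conn


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_backup(conn, backup_path):
    """Consistent online copy via sqlite3's backup API; returns the digest to store
    alongside the backup (e.g. in the backup catalogue)."""
    dst = sqlite3.connect(backup_path)
    conn.backup(dst)
    dst.close()
    return sha256_file(backup_path)


def verify_backup(backup_path, expected_digest, expected_rows):
    """Restore into a scratch copy and prove it is usable. Returns (ok, problems)."""
    problems = []
    if sha256_file(backup_path) != expected_digest:
        problems.append("digest mismatch")
    scratch = tempfile.mkdtemp()
    restore_path = os.path.join(scratch, "restore.db")
    shutil.copyfile(backup_path, restore_path)  # never test on the backup itself
    try:
        conn = sqlite3.connect(restore_path)
        status = conn.execute("PRAGMA integrity_check").fetchone()[0]
        if status != "ok":
            problems.append("integrity_check: %s" % status)
        rows = conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]
        if rows != expected_rows:
            problems.append("expected %d rows, found %d" % (expected_rows, rows))
        conn.close()
    except sqlite3.DatabaseError as exc:
        problems.append("restore failed: %s" % exc)
    finally:
        shutil.rmtree(scratch, ignore_errors=True)
    return (not problems, problems)


def run_demo():
    """Verify a good backup, then the same file after simulated damage."""
    workdir = tempfile.mkdtemp()
    src_path = os.path.join(workdir, "prod.db")
    bak_path = os.path.join(workdir, "prod.bak")
    src = make_source_db(src_path)
    digest = take_backup(src, bak_path)
    src.close()
    good = verify_backup(bak_path, digest, expected_rows=3)
    # Simulate a damaged backup (e.g. a copy that was cut short) by truncating it.
    with open(bak_path, "r+b") as f:
        f.truncate(os.path.getsize(bak_path) // 2)
    bad = verify_backup(bak_path, digest, expected_rows=3)
    shutil.rmtree(workdir, ignore_errors=True)
    return good, bad


if __name__ == "__main__":
    good, bad = run_demo()
    print("intact backup:", good)
    print("damaged backup:", bad)
```

The point is the second half of `verify_backup`: a matching digest only proves the file was copied correctly, while the restore into a scratch copy proves the backup can be brought back. Scheduling that restore, not just the backup, is what turns a backup into one you can rely on.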
33. Some other stuff
Technical debt & the McFly theorem
Maintenance, patches and other drugs
Post-mortem report
35. In Summary
An investment, not a waste
Try to involve everyone
Security is a process
Education!