Video description
Security concerns are often dealt with as an afterthought—the focus is on building a product, and then security features or compensating controls are thrown in after the product is nearly ready to launch. Why do so many development teams take this approach? For one, they may not have an application security team to advise them. Or the security team may be seen as a roadblock, insisting on things that make the product less user friendly, or in tension with performance goals or other business demands. But security doesn’t need to be a bolt-on in your software process; good design principles should go hand in hand with a strong security stance. What does your engineering team need to know to begin designing safer, more robust software from the get-go?
Drawing on experience working in application security with companies of various sizes and maturity levels, Wendy Knox Everette (Leviathan Security) focuses on several core principles and provides some resources for you to do more of a deep dive into various topics. Wendy begins by walking you through the design phase, covering the concerns you should pay attention to when you’re beginning work on a new feature or system: encapsulation, access control, building for observability, and preventing LangSec-style parsing issues. This is also the best place to perform an initial threat model, which sounds like a big scary undertaking but is really just looking at the moving pieces of this application and thinking about who might use them in unexpected ways, and why.
She then turns to security during the development phase. At this point, the focus is on enforcing secure defaults, using standard encryption libraries, and protecting against injection, insecure deserialization, and other common security issues. You’ll learn what secure configurations to enable, what monitoring and alerting to put in place, how to test your code, and how to keep your application up to date, especially its third-party dependencies.
Now that the software is being used by customers, are you done? Not really. It’s important to feed information about how customers actually interact with the product, as well as any security incidents, back into your design considerations for the next version. This is the time to dust off the initial threat model and update it, incorporating everything you learned along the way.
Product information
- Title: Security engineering 101: When good design and security work together
- Author(s): Wendy Knox Everette
- Release date: January 2020
- Publisher(s): O'Reilly Media, Inc.
- ISBN: 0636920342946