SlideShare a Scribd company logo

Make it Fixable (NDC Copenhagen 2018)

Patricia Aas
Patricia Aas

The document summarizes Patricia Aas' talk on making software secure and fixable. It discusses common security issues such as being unable to roll out fixes, lack of control over dependencies, teams leaving without documentation, bugs in code, and pressure from management to implement insecure features. It provides recommendations to address each issue, such as maintaining version control, auditing dependencies, bringing work back in-house, rigorous testing and reviews, and protecting developers and users. The document also covers designing security notifications and interfaces with a focus on usability over detailed technical explanations.

Software
1 of 51
Download to read offline
@pati_gallardo
Make it Fixable Living with Risk Patricia Aas NDC Copenhagen 2018 @pati_gallardo
Who am I? @pati_gallardo
Patricia Aas Programmer - mainly in C++ and Java Currently : Vivaldi Technologies Previously : Cisco Systems, Knowit, Opera Software Master in Computer Science Twitter : @pati_gallardo
Building A Browser @pati_gallardo
Security is Hard @pati_gallardo
Just Remember : - You live in the real world - Take one step at a time - Make a Plan @pati_gallardo
You Need A Security “Hotline” security@example.com Symbiotic relationship Be polite Be grateful Be professional Be efficient and transparent @pati_gallardo
- What is a System? - What is a vulnerability? - @pati_gallardo
1. Unable to Roll Out Fixes 2. No Control over Dependencies 3. The Team is Gone 4. It’s in Our Code 5. My Boss Made Me Do It 6. User Experience of Security Outline @pati_gallardo
Unable to Roll Out Fixes @pati_gallardo 1
Unable to Roll out Fixes - Relying on User Updates - Unable to Build - Unable to Deploy - Regression Fear - No Issue Tracking - No Release Tags - No Source - Issue in infrastructure @pati_gallardo
Internet of Things Toys: My Friend Cayla, i-Que Intelligent Robots, Hello Barbie Mirai: Botnets created with IOT devices, users don’t update “Shelfware” No Maintenance contract Abandonware Closed source - no way to fix/fork @pati_gallardo Unable to Roll Out Fixes.
Fix : Ship It! Holy Grail : Auto Update Code - Get the Code - Use Version Control - Keep Build Environment - Write Integration Tests Configuration Management - Have Security Contact - Track issues - Make a Deployment Plan - Control Infrastructure @pati_gallardo Unable to Roll Out Fixes.
Internet of Things - Auto-update - Different default passwords - Unboxing security “Shelfware” - Get maintenance contract - Change supplier - Do in-house - Use only Open Source Software Fix : Ship It! @pati_gallardoUnable to Roll Out Fixes.
1. Unable to Roll Out Fixes 2. No Control over Dependencies 3. The Team is Gone 4. It’s in Our Code 5. My Boss Made Me Do It 6. User Experience of Security Outline @pati_gallardo
No Control over Dependencies @pati_gallardo 2
No Control over Dependencies - Too Many Dependencies - Frameworks are Abandoned - Libraries Disappear - Insecure Platform APIs - Insecure Tooling - End-of-Life OS (Windows) - Licenses expire/change - Known Issues not Fixed - OS Not Updated (Android) @pati_gallardo
Stagefright Bugs in the multimedia library on Android Heartbleed Bug in openssl Left-Pad Developer unpublished a mini-Js library @pati_gallardo No Control over Dependencies
Fix: Control It! Goal : Dependency Control Be conservative - Is it needed? - Do you understand it? Be cautious - Audit your upstream - Avoid forking - Have an upgrade plan - Have someone responsible @pati_gallardo No Control over Dependencies
Stagefright Workaround in apps calling into stagefright Heartbleed Control over production environment Left-Pad Removing unnecessary dependency Fix: Control It! @pati_gallardoNo Control over Dependencies
1. Unable to Roll Out Fixes 2. No Control over Dependencies 3. The Team is Gone 4. It’s in Our Code 5. My Boss Made Me Do It 6. User Experience of Security Outline @pati_gallardo
The Team is Gone @pati_gallardo 3
The Team Is Gone - Team were consultants - They were downsized - The job was outsourced - “Bus factor” - “Binary blob” - Abandonware @pati_gallardo
“Public Sector” - Leaves the code with subcontractor - No build environment - Third-party access to production environment Abandoned frameworks - Framework interdependency - Unable to upgrade - Known bugs The Team is Gone @pati_gallardo
Fix : Own It! Goal : Regain Control Take it on yourselves - Build competence in-house - Fork, take control - “Barely Sufficient” Docs - Ship It and Control It Outsource - Maintenance Contract - Add Security Clause - Own deployment channel @pati_gallardo The Team Is Gone.
Fix : Own It! “Public Sector” - Backsourcing - Bring back work previously outsourced Abandoned frameworks - Replace with equivalent (OSS) - Remove dependency - Fork if you don’t have a choice @pati_gallardoThe Team Is Gone.
Use It! @pati_gallardo
1. Unable to Roll Out Fixes 2. No Control over Dependencies 3. The Team is Gone 4. It’s in Our Code 5. My Boss Made Me Do It 6. User Experience of Security Outline @pati_gallardo
It’s in Our Code @pati_gallardo 4
It’s in Our Code - Injection - Exploited crash etc - Debug code in production - Server compromised - Outdated platform - Intercepted traffic - Mined local data - Good old fashioned BUG @pati_gallardo
REMA 1000 Æ App - Reporter: Hallvard Nygård (@hallny) - All user data could be retrieved - Badly handled report - “Bug” (Lack of security) in App BEST CASE SCENARIO @pati_gallardo It’s In Our Code
Fix : Live It! Goal : Prevent & Cure Prevent - Sanitize your input - Send crash reports - Code review + tests - Review server security - Encrypt all traffic - Review local storage - Sign and check Cure - Ship it! @pati_gallardo It’s In Our Code
Browsers are very experienced - And therefore boring ;) gitlab.com - “rm -rf” - Sysadmin maintenance - Cascading errors as backups fail - All logged Publicly in real time Transparency Fix : Live It! @pati_gallardo It’s In Our Code
1. Unable to Roll Out Fixes 2. No Control over Dependencies 3. The Team is Gone 4. It’s in Our Code 5. My Boss Made Me Do It 6. User Experience of Security Outline @pati_gallardo
My Boss Made Me Do It @pati_gallardo 5
My Boss Made Me Do It The Feature is the Bug How? - Security Problem - Privacy Problem - Unethical - Illegal @pati_gallardo
Capcom's Street Fighter V - Installed a driver - “anti-crack solution” “...disables supervisor-mode execution protection and then runs the arbitrary code passed in through the ioctl buffer with kernel permissions..” - Reddit user extrwi My Boss Made Me Do It @pati_gallardo
Fix : Protect It! Goal : Protect your user Prevent : Protect your team - Workers rights - Build trust Cure : Protect your company - Find a Powerful Ally - Do Risk Analysis : Brand Reputation, Trust - Use the Law LAST RESORT : Whistleblowing & Quitting @pati_gallardo My Boss Made Me Do It
Statoil - Internal reports of security incidents after outsourcing - Only public after serious IRL incidents Nødnett - Transitive outsourcing - National Security These are often the Unsung Heroes (Last Resort : Edward Snowden) Fix : Protect It! @pati_gallardo My Boss Made Me Do It
@pati_gallardo Ship It, Control It, Own It, Live It & Protect It
- You need a Security Hotline - You Have to Ship - You Can’t do This Alone Recap @pati_gallardo
1. Unable to Roll Out Fixes 2. No Control over Dependencies 3. The Team is Gone 4. It’s in Our Code 5. My Boss Made Me Do It 6. User Experience of Security Outline @pati_gallardo
Designing the User Experience of Security @pati_gallardo 6
@pati_gallardo
The Users Won’t Read Error blindness - Most users will mentally erase permanent error notifiers - they won’t read “Just click next” - Most users will accept the defaults - they won’t read “Make it go away” - The user will try to make the error dialog go away - they won’t read @pati_gallardo
Fix : Less is More Don’t leave it to the user - Just do the right thing, you don’t have to ask Have good defaults - Make sure that clicking next will leave the user in a good place Be very explicit when needed - If the user is in a “dangerous” situation - design carefully and if you have to explain : use language the user can understand @pati_gallardo
They Trust You With Personal information - They trust you to protect them from both hackers and governments With Data - They trust you to protect their pictures, documents, email … With Money - They trust you to protect their payment information and passwords @pati_gallardo
Fix : Be Trustworthy Only store what you have to - Try to use end-to-end encryption, so that even you don’t have access. Encrypt as much as you can Back up everything - Your users can’t afford to lose their baby pictures Use third party payment - Avoid having responsibility for their money @pati_gallardo
@pati_gallardo Ship It, Control It, Own It, Live It & Protect It Design For It
Make it Fixable Living with Risk Patricia Aas, Vivaldi Technologies @pati_gallardo Photos from pixabay.com - CC0 Creative Commons License

Recommended

Make It Fixable, Living with Risk (NDC London 2018)
Make It Fixable, Living with Risk (NDC London 2018)Make It Fixable, Living with Risk (NDC London 2018)
Make It Fixable, Living with Risk (NDC London 2018)Patricia Aas
 
Make It Fixable (Sikkert NOK 2017)
Make It Fixable (Sikkert NOK 2017)Make It Fixable (Sikkert NOK 2017)
Make It Fixable (Sikkert NOK 2017)Patricia Aas
 
Make it Fixable, Living with Risk (Paranoia 2017)
Make it Fixable, Living with Risk (Paranoia 2017)Make it Fixable, Living with Risk (Paranoia 2017)
Make it Fixable, Living with Risk (Paranoia 2017)Patricia Aas
 
Make it Fixable (Security Divas 2017)
Make it Fixable (Security Divas 2017)Make it Fixable (Security Divas 2017)
Make it Fixable (Security Divas 2017)Patricia Aas
 
Make it Fixable (CppCon 2018)
Make it Fixable (CppCon 2018)Make it Fixable (CppCon 2018)
Make it Fixable (CppCon 2018)Patricia Aas
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review ProcessSherif Koussa
 
It's Okay To Touch Yourself - DerbyCon 2013
It's Okay To Touch Yourself - DerbyCon 2013It's Okay To Touch Yourself - DerbyCon 2013
It's Okay To Touch Yourself - DerbyCon 2013Ben Ten (0xA)
 
Getting ready for a Capture The Flag Hacking Competition
Getting ready for a Capture The Flag Hacking CompetitionGetting ready for a Capture The Flag Hacking Competition
Getting ready for a Capture The Flag Hacking CompetitionJoe McCray
 

Recommended

Make It Fixable, Living with Risk (NDC London 2018)
Make It Fixable, Living with Risk (NDC London 2018)Make It Fixable, Living with Risk (NDC London 2018)
Make It Fixable, Living with Risk (NDC London 2018)Patricia Aas
 
Make It Fixable (Sikkert NOK 2017)
Make It Fixable (Sikkert NOK 2017)Make It Fixable (Sikkert NOK 2017)
Make It Fixable (Sikkert NOK 2017)Patricia Aas
 
Make it Fixable, Living with Risk (Paranoia 2017)
Make it Fixable, Living with Risk (Paranoia 2017)Make it Fixable, Living with Risk (Paranoia 2017)
Make it Fixable, Living with Risk (Paranoia 2017)Patricia Aas
 
Make it Fixable (Security Divas 2017)
Make it Fixable (Security Divas 2017)Make it Fixable (Security Divas 2017)
Make it Fixable (Security Divas 2017)Patricia Aas
 
Make it Fixable (CppCon 2018)
Make it Fixable (CppCon 2018)Make it Fixable (CppCon 2018)
Make it Fixable (CppCon 2018)Patricia Aas
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review ProcessSherif Koussa
 
It's Okay To Touch Yourself - DerbyCon 2013
It's Okay To Touch Yourself - DerbyCon 2013It's Okay To Touch Yourself - DerbyCon 2013
It's Okay To Touch Yourself - DerbyCon 2013Ben Ten (0xA)
 
Getting ready for a Capture The Flag Hacking Competition
Getting ready for a Capture The Flag Hacking CompetitionGetting ready for a Capture The Flag Hacking Competition
Getting ready for a Capture The Flag Hacking CompetitionJoe McCray
 
Big Bang Theory: The Evolution of Pentesting High Security Environments
Big Bang Theory: The Evolution of Pentesting High Security EnvironmentsBig Bang Theory: The Evolution of Pentesting High Security Environments
Big Bang Theory: The Evolution of Pentesting High Security EnvironmentsJoe McCray
 
So you wanna be a pentester - free webinar to show you how
So you wanna be a pentester - free webinar to show you howSo you wanna be a pentester - free webinar to show you how
So you wanna be a pentester - free webinar to show you howJoe McCray
 
A Research Study into DevOps Bottlenecks as presented at Codemash 2018
A Research Study into DevOps Bottlenecks as presented at Codemash 2018A Research Study into DevOps Bottlenecks as presented at Codemash 2018
A Research Study into DevOps Bottlenecks as presented at Codemash 2018Baruch Sadogursky
 
You Spent All That Money And Still Got Owned
You Spent All That Money And Still Got OwnedYou Spent All That Money And Still Got Owned
You Spent All That Money And Still Got OwnedJoe McCray
 
5 Tips to Successfully Running a Bug Bounty Program
5 Tips to Successfully Running a Bug Bounty Program5 Tips to Successfully Running a Bug Bounty Program
5 Tips to Successfully Running a Bug Bounty Programbugcrowd
 
Wireless Pentesting: It's more than cracking WEP
Wireless Pentesting: It's more than cracking WEPWireless Pentesting: It's more than cracking WEP
Wireless Pentesting: It's more than cracking WEPJoe McCray
 
Building a low cost hack lab
Building a low cost hack labBuilding a low cost hack lab
Building a low cost hack labJoe McCray
 
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...Security Weekly
 
Give Me Three Things: Anti-Virus Bypass Made Easy
Give Me Three Things: Anti-Virus Bypass Made EasyGive Me Three Things: Anti-Virus Bypass Made Easy
Give Me Three Things: Anti-Virus Bypass Made EasySecurity Weekly
 
A Journey Into Pen-tester land: Myths or Facts!
A Journey Into Pen-tester land: Myths or Facts!A Journey Into Pen-tester land: Myths or Facts!
A Journey Into Pen-tester land: Myths or Facts!Ammar WK
 
Erlang - Because s**t Happens by Mahesh Paolini-Subramanya
Erlang - Because s**t Happens by Mahesh Paolini-SubramanyaErlang - Because s**t Happens by Mahesh Paolini-Subramanya
Erlang - Because s**t Happens by Mahesh Paolini-SubramanyaHakka Labs
 
Bug Bounty - Play For Money
Bug Bounty - Play For MoneyBug Bounty - Play For Money
Bug Bounty - Play For MoneyShubham Gupta
 
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014Security Weekly
 
Purple View
Purple ViewPurple View
Purple ViewHaydn Johnson
 
Common Physical Security Mistakes
Common Physical Security MistakesCommon Physical Security Mistakes
Common Physical Security MistakesJon Nakapalau, CHSO, CPO
 
Building a Modern Security Engineering Organization. Zane Lackey
Building a Modern Security Engineering Organization. Zane Lackey Building a Modern Security Engineering Organization. Zane Lackey
Building a Modern Security Engineering Organization. Zane LackeyYandex
 
Bug bounty programs
Bug bounty programsBug bounty programs
Bug bounty programsDan Vasile
 
CIA For WordPress Developers
CIA For WordPress DevelopersCIA For WordPress Developers
CIA For WordPress DevelopersDavid Brumbaugh
 
Про YAPC::TV
Про YAPC::TVПро YAPC::TV
Про YAPC::TVAndrew Shitov
 
Reading Other Peoples Code (Web Rebels 2018)
Reading Other Peoples Code (Web Rebels 2018)Reading Other Peoples Code (Web Rebels 2018)
Reading Other Peoples Code (Web Rebels 2018)Patricia Aas
 
DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)Patricia Aas
 
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To StartDevSecOps for Developers: How To Start
DevSecOps for Developers: How To StartPatricia Aas
 

More Related Content

What's hot

Big Bang Theory: The Evolution of Pentesting High Security Environments
Big Bang Theory: The Evolution of Pentesting High Security EnvironmentsBig Bang Theory: The Evolution of Pentesting High Security Environments
Big Bang Theory: The Evolution of Pentesting High Security EnvironmentsJoe McCray
 
So you wanna be a pentester - free webinar to show you how
So you wanna be a pentester - free webinar to show you howSo you wanna be a pentester - free webinar to show you how
So you wanna be a pentester - free webinar to show you howJoe McCray
 
A Research Study into DevOps Bottlenecks as presented at Codemash 2018
A Research Study into DevOps Bottlenecks as presented at Codemash 2018A Research Study into DevOps Bottlenecks as presented at Codemash 2018
A Research Study into DevOps Bottlenecks as presented at Codemash 2018Baruch Sadogursky
 
You Spent All That Money And Still Got Owned
You Spent All That Money And Still Got OwnedYou Spent All That Money And Still Got Owned
You Spent All That Money And Still Got OwnedJoe McCray
 
5 Tips to Successfully Running a Bug Bounty Program
5 Tips to Successfully Running a Bug Bounty Program5 Tips to Successfully Running a Bug Bounty Program
5 Tips to Successfully Running a Bug Bounty Programbugcrowd
 
Wireless Pentesting: It's more than cracking WEP
Wireless Pentesting: It's more than cracking WEPWireless Pentesting: It's more than cracking WEP
Wireless Pentesting: It's more than cracking WEPJoe McCray
 
Building a low cost hack lab
Building a low cost hack labBuilding a low cost hack lab
Building a low cost hack labJoe McCray
 
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...Security Weekly
 
Give Me Three Things: Anti-Virus Bypass Made Easy
Give Me Three Things: Anti-Virus Bypass Made EasyGive Me Three Things: Anti-Virus Bypass Made Easy
Give Me Three Things: Anti-Virus Bypass Made EasySecurity Weekly
 
A Journey Into Pen-tester land: Myths or Facts!
A Journey Into Pen-tester land: Myths or Facts!A Journey Into Pen-tester land: Myths or Facts!
A Journey Into Pen-tester land: Myths or Facts!Ammar WK
 
Erlang - Because s**t Happens by Mahesh Paolini-Subramanya
Erlang - Because s**t Happens by Mahesh Paolini-SubramanyaErlang - Because s**t Happens by Mahesh Paolini-Subramanya
Erlang - Because s**t Happens by Mahesh Paolini-SubramanyaHakka Labs
 
Bug Bounty - Play For Money
Bug Bounty - Play For MoneyBug Bounty - Play For Money
Bug Bounty - Play For MoneyShubham Gupta
 
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014Security Weekly
 
Building a Modern Security Engineering Organization. Zane Lackey
Building a Modern Security Engineering Organization. Zane Lackey Building a Modern Security Engineering Organization. Zane Lackey
Building a Modern Security Engineering Organization. Zane LackeyYandex
 
Bug bounty programs
Bug bounty programsBug bounty programs
Bug bounty programsDan Vasile
 
CIA For WordPress Developers
CIA For WordPress DevelopersCIA For WordPress Developers
CIA For WordPress DevelopersDavid Brumbaugh
 

What's hot (19)

Big Bang Theory: The Evolution of Pentesting High Security Environments
Big Bang Theory: The Evolution of Pentesting High Security EnvironmentsBig Bang Theory: The Evolution of Pentesting High Security Environments
Big Bang Theory: The Evolution of Pentesting High Security Environments
 
So you wanna be a pentester - free webinar to show you how
So you wanna be a pentester - free webinar to show you howSo you wanna be a pentester - free webinar to show you how
So you wanna be a pentester - free webinar to show you how
 
A Research Study into DevOps Bottlenecks as presented at Codemash 2018
A Research Study into DevOps Bottlenecks as presented at Codemash 2018A Research Study into DevOps Bottlenecks as presented at Codemash 2018
A Research Study into DevOps Bottlenecks as presented at Codemash 2018
 
You Spent All That Money And Still Got Owned
You Spent All That Money And Still Got OwnedYou Spent All That Money And Still Got Owned
You Spent All That Money And Still Got Owned
 
5 Tips to Successfully Running a Bug Bounty Program
5 Tips to Successfully Running a Bug Bounty Program5 Tips to Successfully Running a Bug Bounty Program
5 Tips to Successfully Running a Bug Bounty Program
 
Wireless Pentesting: It's more than cracking WEP
Wireless Pentesting: It's more than cracking WEPWireless Pentesting: It's more than cracking WEP
Wireless Pentesting: It's more than cracking WEP
 
Building a low cost hack lab
Building a low cost hack labBuilding a low cost hack lab
Building a low cost hack lab
 
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
 
Give Me Three Things: Anti-Virus Bypass Made Easy
Give Me Three Things: Anti-Virus Bypass Made EasyGive Me Three Things: Anti-Virus Bypass Made Easy
Give Me Three Things: Anti-Virus Bypass Made Easy
 
A Journey Into Pen-tester land: Myths or Facts!
A Journey Into Pen-tester land: Myths or Facts!A Journey Into Pen-tester land: Myths or Facts!
A Journey Into Pen-tester land: Myths or Facts!
 
Erlang - Because s**t Happens by Mahesh Paolini-Subramanya
Erlang - Because s**t Happens by Mahesh Paolini-SubramanyaErlang - Because s**t Happens by Mahesh Paolini-Subramanya
Erlang - Because s**t Happens by Mahesh Paolini-Subramanya
 
Bug Bounty - Play For Money
Bug Bounty - Play For MoneyBug Bounty - Play For Money
Bug Bounty - Play For Money
 
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014
 
Purple View
Purple ViewPurple View
Purple View
 
Common Physical Security Mistakes
Common Physical Security MistakesCommon Physical Security Mistakes
Common Physical Security Mistakes
 
Building a Modern Security Engineering Organization. Zane Lackey
Building a Modern Security Engineering Organization. Zane Lackey Building a Modern Security Engineering Organization. Zane Lackey
Building a Modern Security Engineering Organization. Zane Lackey
 
Bug bounty programs
Bug bounty programsBug bounty programs
Bug bounty programs
 
CIA For WordPress Developers
CIA For WordPress DevelopersCIA For WordPress Developers
CIA For WordPress Developers
 
Про YAPC::TV
Про YAPC::TVПро YAPC::TV
Про YAPC::TV
 

Similar to Make it Fixable (NDC Copenhagen 2018)

Reading Other Peoples Code (Web Rebels 2018)
Reading Other Peoples Code (Web Rebels 2018)Reading Other Peoples Code (Web Rebels 2018)
Reading Other Peoples Code (Web Rebels 2018)Patricia Aas
 
DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)Patricia Aas
 
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To StartDevSecOps for Developers: How To Start
DevSecOps for Developers: How To StartPatricia Aas
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application SecurityNicholas Davis
 
Reading Other Peoples Code (NDC Sydney 2018)
Reading Other Peoples Code (NDC Sydney 2018)Reading Other Peoples Code (NDC Sydney 2018)
Reading Other Peoples Code (NDC Sydney 2018)Patricia Aas
 
Reading Other Peoples Code (NDC London 2019)
Reading Other Peoples Code (NDC London 2019)Reading Other Peoples Code (NDC London 2019)
Reading Other Peoples Code (NDC London 2019)Patricia Aas
 
Intro to-ssdl--lone-star-php-2013
Intro to-ssdl--lone-star-php-2013Intro to-ssdl--lone-star-php-2013
Intro to-ssdl--lone-star-php-2013nanderoo
 
Maturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactMaturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactSBWebinars
 
Reading Other Peoples Code (NDC Copenhagen 2019)
Reading Other Peoples Code (NDC Copenhagen 2019)Reading Other Peoples Code (NDC Copenhagen 2019)
Reading Other Peoples Code (NDC Copenhagen 2019)Patricia Aas
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
Passwords and freedom: can we lose the former and retain the latter?
Passwords and freedom: can we lose the former and retain the latter?Passwords and freedom: can we lose the former and retain the latter?
Passwords and freedom: can we lose the former and retain the latter?Francois Marier
 
I can be apple and so can you
I can be apple and so can youI can be apple and so can you
I can be apple and so can youShakacon
 
7 Things People Do To Endanger Their Networks
7 Things People Do To Endanger Their Networks7 Things People Do To Endanger Their Networks
7 Things People Do To Endanger Their Networksjaymemcree
 
Conf2014_SplunkSecurityNinjutsu
Conf2014_SplunkSecurityNinjutsuConf2014_SplunkSecurityNinjutsu
Conf2014_SplunkSecurityNinjutsuSplunk
 
BugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed AdamBugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed AdamMohammed Adam
 
Operating Docker
Operating DockerOperating Docker
Operating DockerJen Andre
 
ERP Security. Myths, Problems, Solutions
ERP Security. Myths, Problems, SolutionsERP Security. Myths, Problems, Solutions
ERP Security. Myths, Problems, SolutionsERPScan
 
Simple SAP Security Breach !!
Simple SAP Security Breach !!Simple SAP Security Breach !!
Simple SAP Security Breach !!SAPYard
 

Similar to Make it Fixable (NDC Copenhagen 2018) (20)

Reading Other Peoples Code (Web Rebels 2018)
Reading Other Peoples Code (Web Rebels 2018)Reading Other Peoples Code (Web Rebels 2018)
Reading Other Peoples Code (Web Rebels 2018)
 
DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)
 
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To StartDevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application Security
 
Reading Other Peoples Code (NDC Sydney 2018)
Reading Other Peoples Code (NDC Sydney 2018)Reading Other Peoples Code (NDC Sydney 2018)
Reading Other Peoples Code (NDC Sydney 2018)
 
Reading Other Peoples Code (NDC London 2019)
Reading Other Peoples Code (NDC London 2019)Reading Other Peoples Code (NDC London 2019)
Reading Other Peoples Code (NDC London 2019)
 
Intro to-ssdl--lone-star-php-2013
Intro to-ssdl--lone-star-php-2013Intro to-ssdl--lone-star-php-2013
Intro to-ssdl--lone-star-php-2013
 
Maturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactMaturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High Impact
 
Reading Other Peoples Code (NDC Copenhagen 2019)
Reading Other Peoples Code (NDC Copenhagen 2019)Reading Other Peoples Code (NDC Copenhagen 2019)
Reading Other Peoples Code (NDC Copenhagen 2019)
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
 
Passwords and freedom: can we lose the former and retain the latter?
Passwords and freedom: can we lose the former and retain the latter?Passwords and freedom: can we lose the former and retain the latter?
Passwords and freedom: can we lose the former and retain the latter?
 
I can be apple and so can you
I can be apple and so can youI can be apple and so can you
I can be apple and so can you
 
7 Things People Do To Endanger Their Networks
7 Things People Do To Endanger Their Networks7 Things People Do To Endanger Their Networks
7 Things People Do To Endanger Their Networks
 
Conf2014_SplunkSecurityNinjutsu
Conf2014_SplunkSecurityNinjutsuConf2014_SplunkSecurityNinjutsu
Conf2014_SplunkSecurityNinjutsu
 
0 bugs policy
0 bugs policy0 bugs policy
0 bugs policy
 
BugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed AdamBugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed Adam
 
Operating Docker
Operating DockerOperating Docker
Operating Docker
 
ERP Security. Myths, Problems, Solutions
ERP Security. Myths, Problems, SolutionsERP Security. Myths, Problems, Solutions
ERP Security. Myths, Problems, Solutions
 
Simple SAP Security Breach !!
Simple SAP Security Breach !!Simple SAP Security Breach !!
Simple SAP Security Breach !!
 
Sql securitytesting
Sql securitytestingSql securitytesting
Sql securitytesting
 

More from Patricia Aas

NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdfNDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdfPatricia Aas
 
Return Oriented Programming, an introduction
Return Oriented Programming, an introductionReturn Oriented Programming, an introduction
Return Oriented Programming, an introductionPatricia Aas
 
I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)Patricia Aas
 
Dependency Management in C++ (NDC TechTown 2021)
Dependency Management in C++ (NDC TechTown 2021)Dependency Management in C++ (NDC TechTown 2021)
Dependency Management in C++ (NDC TechTown 2021)Patricia Aas
 
Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)Patricia Aas
 
Classic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdfClassic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdfPatricia Aas
 
Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)Patricia Aas
 
Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)Patricia Aas
 
Thoughts On Learning A New Programming Language
Thoughts On Learning A New Programming LanguageThoughts On Learning A New Programming Language
Thoughts On Learning A New Programming LanguagePatricia Aas
 
Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Patricia Aas
 
Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Patricia Aas
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)Patricia Aas
 
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)Patricia Aas
 
The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))Patricia Aas
 
Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)Patricia Aas
 
Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019) Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019) Patricia Aas
 
Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)Patricia Aas
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Patricia Aas
 
Keynote: Deconstructing Privilege (C++ on Sea 2019)
Keynote: Deconstructing Privilege (C++ on Sea 2019)Keynote: Deconstructing Privilege (C++ on Sea 2019)
Keynote: Deconstructing Privilege (C++ on Sea 2019)Patricia Aas
 

More from Patricia Aas (20)

NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdfNDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
 
Telling a story
Telling a storyTelling a story
Telling a story
 
Return Oriented Programming, an introduction
Return Oriented Programming, an introductionReturn Oriented Programming, an introduction
Return Oriented Programming, an introduction
 
I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)
 
Dependency Management in C++ (NDC TechTown 2021)
Dependency Management in C++ (NDC TechTown 2021)Dependency Management in C++ (NDC TechTown 2021)
Dependency Management in C++ (NDC TechTown 2021)
 
Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)
 
Classic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdfClassic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdf
 
Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)
 
Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)
 
Thoughts On Learning A New Programming Language
Thoughts On Learning A New Programming LanguageThoughts On Learning A New Programming Language
Thoughts On Learning A New Programming Language
 
Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020
 
Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)
 
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
 
The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))
 
Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)
 
Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019) Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019)
 
Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)
 
Keynote: Deconstructing Privilege (C++ on Sea 2019)
Keynote: Deconstructing Privilege (C++ on Sea 2019)Keynote: Deconstructing Privilege (C++ on Sea 2019)
Keynote: Deconstructing Privilege (C++ on Sea 2019)
 

Recently uploaded

%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfonteinmasabamasaba
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park masabamasaba
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park masabamasaba
 
Harnessing ChatGPT - Elevating Productivity in Today's Agile Environment
Harnessing ChatGPT - Elevating Productivity in Today's Agile EnvironmentHarnessing ChatGPT - Elevating Productivity in Today's Agile Environment
Harnessing ChatGPT - Elevating Productivity in Today's Agile EnvironmentVictorSzoltysek
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidDirect Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidPhilip Schwarz
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...masabamasaba
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...masabamasaba
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech studentsHimanshiGarg82
 
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyviewmasabamasaba
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...masabamasaba
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesVictorSzoltysek
 
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2
 
%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Hararemasabamasaba
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionOnePlan Solutions
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisamasabamasaba
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrainmasabamasaba
 

Recently uploaded (20)

%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 
Harnessing ChatGPT - Elevating Productivity in Today's Agile Environment
Harnessing ChatGPT - Elevating Productivity in Today's Agile EnvironmentHarnessing ChatGPT - Elevating Productivity in Today's Agile Environment
Harnessing ChatGPT - Elevating Productivity in Today's Agile Environment
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidDirect Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
 
%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 

Make it Fixable (NDC Copenhagen 2018)

  • 2. Make it Fixable Living with Risk Patricia Aas NDC Copenhagen 2018 @pati_gallardo
  • 3. Who am I? @pati_gallardo
  • 4. Patricia Aas Programmer - mainly in C++ and Java Currently : Vivaldi Technologies Previously : Cisco Systems, Knowit, Opera Software Master in Computer Science Twitter : @pati_gallardo
  • 6. Security is Hard @pati_gallardo
  • 7. Just Remember : - You live in the real world - Take one step at a time - Make a Plan @pati_gallardo
  • 8. You Need A Security “Hotline” security@example.com Symbiotic relationship Be polite Be grateful Be professional Be efficient and transparent @pati_gallardo
  • 9. - What is a System? - What is a vulnerability? - @pati_gallardo
  • 10. 1. Unable to Roll Out Fixes 2. No Control over Dependencies 3. The Team is Gone 4. It’s in Our Code 5. My Boss Made Me Do It 6. User Experience of Security Outline @pati_gallardo
  • 11. Unable to Roll Out Fixes @pati_gallardo 1
  • 12. Unable to Roll out Fixes - Relying on User Updates - Unable to Build - Unable to Deploy - Regression Fear - No Issue Tracking - No Release Tags - No Source - Issue in infrastructure @pati_gallardo
  • 13. Internet of Things Toys: My Friend Cayla, i-Que Intelligent Robots, Hello Barbie Mirai: Botnets created with IOT devices, users don’t update “Shelfware” No Maintenance contract Abandonware Closed source - no way to fix/fork @pati_gallardo Unable to Roll Out Fixes.
  • 14. Fix : Ship It! Holy Grail : Auto Update Code - Get the Code - Use Version Control - Keep Build Environment - Write Integration Tests Configuration Management - Have Security Contact - Track issues - Make a Deployment Plan - Control Infrastructure @pati_gallardo Unable to Roll Out Fixes.
  • 15. Internet of Things - Auto-update - Different default passwords - Unboxing security “Shelfware” - Get maintenance contract - Change supplier - Do in-house - Use only Open Source Software Fix : Ship It! @pati_gallardoUnable to Roll Out Fixes.
  • 16. 1. Unable to Roll Out Fixes 2. No Control over Dependencies 3. The Team is Gone 4. It’s in Our Code 5. My Boss Made Me Do It 6. User Experience of Security Outline @pati_gallardo
  • 17. No Control over Dependencies @pati_gallardo 2
  • 18. No Control over Dependencies - Too Many Dependencies - Frameworks are Abandoned - Libraries Disappear - Insecure Platform APIs - Insecure Tooling - End-of-Life OS (Windows) - Licenses expire/change - Known Issues not Fixed - OS Not Updated (Android) @pati_gallardo
  • 19. Stagefright Bugs in the multimedia library on Android Heartbleed Bug in openssl Left-Pad Developer unpublished a mini-Js library @pati_gallardo No Control over Dependencies
  • 20. Fix: Control It! Goal : Dependency Control Be conservative - Is it needed? - Do you understand it? Be cautious - Audit your upstream - Avoid forking - Have an upgrade plan - Have someone responsible @pati_gallardo No Control over Dependencies
  • 21. Stagefright Workaround in apps calling into stagefright Heartbleed Control over production environment Left-Pad Removing unnecessary dependency Fix: Control It! @pati_gallardoNo Control over Dependencies
  • 22. 1. Unable to Roll Out Fixes 2. No Control over Dependencies 3. The Team is Gone 4. It’s in Our Code 5. My Boss Made Me Do It 6. User Experience of Security Outline @pati_gallardo
  • 23. The Team is Gone @pati_gallardo 3
  • 24. The Team Is Gone - Team were consultants - They were downsized - The job was outsourced - “Bus factor” - “Binary blob” - Abandonware @pati_gallardo
  • 25. “Public Sector” - Leaves the code with subcontractor - No build environment - Third-party access to production environment Abandoned frameworks - Framework interdependency - Unable to upgrade - Known bugs The Team is Gone @pati_gallardo
  • 26. Fix : Own It! Goal : Regain Control Take it on yourselves - Build competence in-house - Fork, take control - “Barely Sufficient” Docs - Ship It and Control It Outsource - Maintenance Contract - Add Security Clause - Own deployment channel @pati_gallardo The Team Is Gone.
  • 27. Fix : Own It! “Public Sector” - Backsourcing - Bring back work previously outsourced Abandoned frameworks - Replace with equivalent (OSS) - Remove dependency - Fork if you don’t have a choice @pati_gallardoThe Team Is Gone.
  • 29. 1. Unable to Roll Out Fixes 2. No Control over Dependencies 3. The Team is Gone 4. It’s in Our Code 5. My Boss Made Me Do It 6. User Experience of Security Outline @pati_gallardo
  • 30. It’s in Our Code @pati_gallardo 4
  • 31. It’s in Our Code - Injection - Exploited crash etc - Debug code in production - Server compromised - Outdated platform - Intercepted traffic - Mined local data - Good old fashioned BUG @pati_gallardo
  • 32. REMA 1000 Æ App - Reporter: Hallvard Nygård (@hallny) - All user data could be retrieved - Badly handled report - “Bug” (Lack of security) in App BEST CASE SCENARIO @pati_gallardo It’s In Our Code
  • 33. Fix : Live It! Goal : Prevent & Cure Prevent - Sanitize your input - Send crash reports - Code review + tests - Review server security - Encrypt all traffic - Review local storage - Sign and check Cure - Ship it! @pati_gallardo It’s In Our Code
  • 34. Browsers are very experienced - And therefore boring ;) gitlab.com - “rm -rf” - Sysadmin maintenance - Cascading errors as backups fail - All logged Publicly in real time Transparency Fix : Live It! @pati_gallardo It’s In Our Code
  • 35. 1. Unable to Roll Out Fixes 2. No Control over Dependencies 3. The Team is Gone 4. It’s in Our Code 5. My Boss Made Me Do It 6. User Experience of Security Outline @pati_gallardo
  • 36. My Boss Made Me Do It @pati_gallardo 5
  • 37. My Boss Made Me Do It The Feature is the Bug How? - Security Problem - Privacy Problem - Unethical - Illegal @pati_gallardo
  • 38. Capcom's Street Fighter V - Installed a driver - “anti-crack solution” “...disables supervisor-mode execution protection and then runs the arbitrary code passed in through the ioctl buffer with kernel permissions..” - Reddit user extrwi My Boss Made Me Do It @pati_gallardo
  • 39. Fix : Protect It! Goal : Protect your user Prevent : Protect your team - Workers rights - Build trust Cure : Protect your company - Find a Powerful Ally - Do Risk Analysis : Brand Reputation, Trust - Use the Law LAST RESORT : Whistleblowing & Quitting @pati_gallardo My Boss Made Me Do It
  • 40. Statoil - Internal reports of security incidents after outsourcing - Only public after serious IRL incidents Nødnett - Transitive outsourcing - National Security These are often the Unsung Heroes (Last Resort : Edward Snowden) Fix : Protect It! @pati_gallardo My Boss Made Me Do It
  • 41. @pati_gallardo Ship It, Control It, Own It, Live It & Protect It
  • 42. - You need a Security Hotline - You Have to Ship - You Can’t do This Alone Recap @pati_gallardo
  • 43. 1. Unable to Roll Out Fixes 2. No Control over Dependencies 3. The Team is Gone 4. It’s in Our Code 5. My Boss Made Me Do It 6. User Experience of Security Outline @pati_gallardo
  • 44. Designing the User Experience of Security @pati_gallardo 6
  • 46. The Users Won’t Read Error blindness - Most users will mentally erase permanent error notifiers - they won’t read “Just click next” - Most users will accept the defaults - they won’t read “Make it go away” - The user will try to make the error dialog go away - they won’t read @pati_gallardo
  • 47. Fix : Less is More Don’t leave it to the user - Just do the right thing, you don’t have to ask Have good defaults - Make sure that clicking next will leave the user in a good place Be very explicit when needed - If the user is in a “dangerous” situation - design carefully and if you have to explain : use language the user can understand @pati_gallardo
  • 48. They Trust You With Personal information - They trust you to protect them from both hackers and governments With Data - They trust you to protect their pictures, documents, email … With Money - They trust you to protect their payment information and passwords @pati_gallardo
  • 49. Fix : Be Trustworthy Only store what you have to - Try to use end-to-end encryption, so that even you don’t have access. Encrypt as much as you can Back up everything - Your users can’t afford to lose their baby pictures Use third party payment - Avoid having responsibility for their money @pati_gallardo
  • 50. @pati_gallardo Ship It, Control It, Own It, Live It & Protect It Design For It
  • 51. Make it Fixable Living with Risk Patricia Aas, Vivaldi Technologies @pati_gallardo Photos from pixabay.com - CC0 Creative Commons License