Sec 101
Diego Pacheco
@diego_pacheco
❏ Cat's Father
❏ Head of Software Architect
❏ Agile Coach
❏ SOA/Microservices Expert
❏ DevOps Practitioner
❏ Speaker
❏ Author
diegopacheco
http://diego-pacheco.blogspot.com.br/
About me...
https://diegopacheco.github.io/
We are used to Security in the physical world
Software Security
Why should we care?
❏ Ethics
❏ Customer Experience
❏ Brand Integrity
❏ Compliance
Defense in depth
❏ Principle promoted by the NSA
❏ Multiple independent layers of control
❏ Applies to all IT systems, not only the perimeter
❏ It's all about redundancy: no single control failing should expose everything
❏ AV, authentication, encryption, MFA,
sandboxes, DMZ, VPN,
firewalls, etc...
Least Privilege Principle
❏ Grant only the minimum level of access
and privilege a task needs, for as long as it needs it
❏ Avoid wide-open
permissions like *
❏ Reduces the attack surface
❏ Limits how far malware, or a compromised account, can spread
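An added example, not part of the original deck, of the check behind "avoid wide open permissions like *": a small Go linter over an IAM-style policy document that flags Allow statements granting a wildcard action ("*" or "service:*") or applying to every resource. The two policies and the bucket ARN are constructed for the demo; the statement shape follows AWS IAM but the code does not call AWS.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Statement mirrors the parts of an IAM-style policy statement this check
// cares about. Action and Resource may be a string or a list in real
// policies, so both are decoded as json.RawMessage and normalised below.
type Statement struct {
	Effect   string          `json:"Effect"`
	Action   json.RawMessage `json:"Action"`
	Resource json.RawMessage `json:"Resource"`
}

type Policy struct {
	Statement []Statement `json:"Statement"`
}

// asList accepts "s3:GetObject", ["s3:GetObject", "s3:PutObject"], or absent.
func asList(raw json.RawMessage) ([]string, error) {
	if len(raw) == 0 {
		return nil, nil
	}
	var one string
	if err := json.Unmarshal(raw, &one); err == nil {
		return []string{one}, nil
	}
	var many []string
	err := json.Unmarshal(raw, &many)
	return many, err
}

// FindWildcards returns one finding per Allow statement that grants a
// wildcard action or applies to every resource. Deny statements are skipped:
// a Deny on "*" narrows access rather than widening it.
func FindWildcards(policyJSON []byte) ([]string, error) {
	var p Policy
	if err := json.Unmarshal(policyJSON, &p); err != nil {
		return nil, err
	}
	var findings []string
	for i, st := range p.Statement {
		if st.Effect != "Allow" {
			continue
		}
		actions, err := asList(st.Action)
		if err != nil {
			return nil, err
		}
		resources, err := asList(st.Resource)
		if err != nil {
			return nil, err
		}
		for _, a := range actions {
			if a == "*" || strings.HasSuffix(a, ":*") {
				findings = append(findings, fmt.Sprintf("statement %d: wildcard action %q", i, a))
			}
		}
		for _, r := range resources {
			if r == "*" {
				findings = append(findings, fmt.Sprintf("statement %d: applies to every resource", i))
			}
		}
	}
	return findings, nil
}

// Constructed sample policies: the first is the "wide open" shape the slide
// warns about, the second grants only what a report-upload job needs.
const WideOpen = `{"Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}`
const Scoped = `{"Statement":[{"Effect":"Allow",
  "Action":["s3:PutObject"],
  "Resource":"arn:aws:s3:::reports-bucket/uploads/*"}]}`

func main() {
	for _, p := range []string{WideOpen, Scoped} {
		findings, err := FindWildcards([]byte(p))
		fmt.Println(findings, err)
	}
}
```

Run this in CI against every policy file in the repository; a finding on an Allow statement should block the merge until someone writes down why that scope is needed.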
Encryption
❏ Symmetric (one shared key) & Asymmetric (public/private key pair)
❏ Turns plaintext into ciphertext under a key; encoding (Base64, hex) is not encryption
❏ AES is the standard symmetric cipher; prefer an authenticated mode such as AES-GCM
❏ Key diversity: separate keys per purpose, tenant or environment, so one leaked key exposes less
❏ Envelope encryption: data encrypted with a data key, the data key encrypted with a master key
❏ Application-level vs storage-level encryption: disk encryption does not protect data from whoever compromises the application
❏ Key rotation
TLS and mTLS
❏ Privacy (confidentiality) and data integrity
❏ Secure connections
❏ Asymmetric crypto authenticates the server and agrees a session key; the bulk traffic is symmetric
❏ Email, chats, VoIP, HTTPS
❏ mTLS: both sides present certificates. Plain TLS with certificate validation already stops a man in the
middle; mTLS additionally authenticates the client
❏ Certificate and key rotation (short-lived certificates)
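An added example, not from the deck, showing what mTLS changes in Go's crypto/tls: an in-process CA issues a server certificate and a client certificate, the server sets `ClientAuth: tls.RequireAndVerifyClientCert`, and three clients try to connect: one with the CA-issued certificate, one with none, and one with a self-signed certificate. The CA, names and the `billing-service` identity are constructed; certificates are one-hour short-lived ones, and the `httptest` server stands in for a real listener.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err) // fixture code: fail loudly rather than continue with a bad identity
	}
}

// issue mints a short-lived P-256 certificate for cn; with parent == nil it is self-signed.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey any) (*x509.Certificate, tls.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour), // short-lived: rotation is routine, not an event
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Fixture is a running mTLS server plus the client identities used against it.
type Fixture struct {
	Server *httptest.Server
	Pool   *x509.CertPool  // the one CA both sides trust
	Good   tls.Certificate // client certificate issued by that CA
	Rogue  tls.Certificate // self-signed client certificate, as an attacker would present
}

func StartMTLSServer() *Fixture {
	ca, caTLS := issue("demo-ca", true, nil, nil)
	_, srvTLS := issue("api", false, ca, caTLS.PrivateKey)
	_, good := issue("billing-service", false, ca, caTLS.PrivateKey)
	_, rogue := issue("attacker", false, nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// The verified client identity is available to the handler for authorization decisions.
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{srvTLS},
		ClientAuth:   tls.RequireAndVerifyClientCert, // this setting is what turns TLS into mTLS
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	}
	srv.StartTLS()
	return &Fixture{Server: srv, Pool: pool, Good: good, Rogue: rogue}
}

// Call connects as a client that verifies the server against the CA and presents certs (nil = none).
func Call(f *Fixture, certs []tls.Certificate) (string, error) {
	tr := &http.Transport{DisableKeepAlives: true, TLSClientConfig: &tls.Config{RootCAs: f.Pool, Certificates: certs}}
	resp, err := (&http.Client{Transport: tr}).Get(f.Server.URL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	f := StartMTLSServer()
	defer f.Server.Close()
	fmt.Println(Call(f, []tls.Certificate{f.Good}))  // "hello billing-service" <nil>
	fmt.Println(Call(f, nil))                        // rejected: err != nil
	fmt.Println(Call(f, []tls.Certificate{f.Rogue})) // rejected: err != nil
}
```

The handler reads the client's verified subject from `r.TLS.PeerCertificates`, which is the point of mTLS for service-to-service calls: the identity comes from a certificate the server validated, not from a header the caller chose.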
Misconfiguration & Error Handler
❏ Unnecessary open ports and enabled features
❏ Stack traces returned to the user (they reveal frameworks, versions and file paths)
❏ Default passwords
❏ Software out of date
❏ Missing security configuration (security headers, TLS settings, file permissions)
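An added example, not from the deck, for the stack-trace bullet: a Go HTTP middleware that recovers from a panic, logs the full trace with a reference id on the server side, and returns only a generic message plus that id to the client. Many frameworks in debug mode do the opposite and print the trace into the response. The `buggy` handler and the request are constructed to trigger a nil-map panic.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"runtime/debug"
)

// Recover wraps a handler so a panic never reaches the client as a stack
// trace. The trace, the path and a reference id go to the server-side log;
// the client gets a generic message plus the id to quote to support.
func Recover(logger *log.Logger, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		defer func() {
			if rec := recover(); rec != nil {
				var b [8]byte
				if _, err := rand.Read(b[:]); err != nil {
					panic(err) // only when the OS entropy source is broken
				}
				id := hex.EncodeToString(b[:])
				logger.Printf("panic ref=%s method=%s path=%s err=%v\n%s", id, r.Method, r.URL.Path, rec, debug.Stack())
				http.Error(w, "internal error, reference "+id, http.StatusInternalServerError)
			}
		}()
		next.ServeHTTP(w, r)
	})
}

// buggy stands in for a production bug: writing to a nil map panics.
func buggy(w http.ResponseWriter, r *http.Request) {
	var prefs map[string]string
	prefs["theme"] = r.URL.Query().Get("theme")
	w.WriteHeader(http.StatusNoContent)
}

// Serve runs one request through the wrapped handler and returns the status,
// the body the client saw and what the server logged.
func Serve(target string) (status int, body, logged string) {
	var logbuf bytes.Buffer
	logger := log.New(&logbuf, "", 0)
	rec := httptest.NewRecorder()
	Recover(logger, http.HandlerFunc(buggy)).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Code, rec.Body.String(), logbuf.String()
}

func main() {
	status, body, logged := Serve("/prefs?theme=dark")
	fmt.Printf("client sees: %d %s", status, body)
	fmt.Printf("server log:\n%s", logged)
}
```

The same rule applies to validation errors and database errors: log the detail, return a short message. The reference id is what lets support find the full record without the client ever seeing it.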
Input Sanitization
❏ SQL injection
❏ Prepared statements: parameters are bound as data, never interpreted as SQL
❏ Remote file inclusion (user input choosing a file or URL to load)
❏ Path traversal (../ sequences)
❏ Validate every user input, preferably against an allow-list, and sanitize what must pass through
❏ Use random UUIDs instead of guessable sequential IDs
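An added example, not from the deck, covering the file-inclusion, path-traversal and UUID bullets in Go: `SafeJoin` resolves a user-supplied path under a fixed root and rejects anything that escapes it (including `..` hidden in the middle, absolute paths, URL schemes and NUL bytes), and `NewID` builds a random version-4 UUID. The root directory and request paths are constructed; the check is lexical, so symlinks inside the root still need `os.Root` (Go 1.24) or `filepath.EvalSymlinks`.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrUnsafePath = errors.New("unsafe path")

// SafeJoin resolves a user-supplied relative path inside root and rejects
// anything that could escape it: "../" sequences (also hidden in the middle
// of the path), absolute paths, URL schemes (remote file inclusion) and NUL
// bytes, which truncate the name in C-based file APIs. The check is lexical;
// symlinks inside root still need os.Root (Go 1.24) or EvalSymlinks.
func SafeJoin(root, userPath string) (string, error) {
	switch {
	case userPath == "", strings.ContainsRune(userPath, 0):
		return "", ErrUnsafePath
	case strings.Contains(userPath, "://"), strings.HasPrefix(userPath, "//"):
		return "", ErrUnsafePath // http://, ftp://, file://: never load includes by URL
	case filepath.IsAbs(userPath):
		return "", ErrUnsafePath
	}
	cleanRoot := filepath.Clean(root)
	joined := filepath.Join(cleanRoot, userPath) // Join cleans, so ".." segments are resolved here
	rel, err := filepath.Rel(cleanRoot, joined)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafePath // the resolved path left root
	}
	return joined, nil
}

// NewID returns a random version-4 UUID. Random identifiers in URLs and APIs
// cannot be enumerated the way sequential integers can.
func NewID() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:]), nil
}

func main() {
	// Constructed inputs: what a download endpoint might receive as ?file=...
	for _, p := range []string{"reports/q1.pdf", "../../etc/passwd", "reports/../../etc/passwd",
		"/etc/passwd", "http://evil.example/shell.txt", "reports/q1.pdf\x00.jpg"} {
		got, err := SafeJoin("/srv/files", p)
		fmt.Printf("%-34q -> %q %v\n", p, got, err)
	}
	id, _ := NewID()
	fmt.Println(id)
}
```

Rejecting rather than "cleaning" is deliberate: a request that tries to leave the root is an attack signal worth logging, not something to quietly map to a different file. For SQL the equivalent rule is the prepared statement; string-built queries have no safe cleaning step.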
XSS (Cross Site Scripting)
❏ JavaScript injection
❏ Stored: payload saved server-side and served to other users (e.g. viewed by an admin)
❏ Reflected: payload in the request is echoed straight back to the user
❏ Latest browser versions help, but do not rely on them
❏ Requires output encoding for the context the value lands in (HTML, attribute, URL, JavaScript), not only input sanitization
Insecure Serialization/Deserialization
❏ XXE - XML External Entity; affects any XML consumer,
notably SAML (SSO) and SOAP versions before 1.2
❏ XML uploads from untrusted
sources
❏ Disable XML external entity
and DTD processing in the parser
❏ Validate XML against an XSD
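An added example, not from the deck, of the "disable external entity and DTD processing" bullet in Go: the document is tokenized first and rejected outright if it carries a DOCTYPE or ENTITY declaration, and only then decoded. Go's `encoding/xml` never fetches external entities itself, so the guard matters most when the same bytes are forwarded to another parser (a SAML or SOAP library in another language), which is the usual shape of an SSO integration. The SAML-like `Assertion` shape and both documents are constructed; the malicious one is the classic file-read payload.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"strings"
)

var ErrDTDNotAllowed = errors.New("xml: DOCTYPE/ENTITY declarations are not accepted")

// Assertion is the small SAML-like shape expected from the identity provider.
type Assertion struct {
	XMLName xml.Name `xml:"Assertion"`
	Subject string   `xml:"Subject>NameID"`
}

// DecodeSafely refuses any document carrying a DTD before handing it to the
// parser. Go's encoding/xml never fetches external entities itself, but the
// same bytes are often forwarded to other parsers (SAML/SOAP libraries in
// other languages), so the policy is enforced on the way in.
func DecodeSafely(doc []byte, v any) error {
	dec := xml.NewDecoder(bytes.NewReader(doc))
	dec.Strict = true
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			break
		}
		if err != nil {
			return err
		}
		if d, ok := tok.(xml.Directive); ok {
			head := strings.ToUpper(strings.TrimSpace(string(d)))
			if strings.HasPrefix(head, "DOCTYPE") || strings.HasPrefix(head, "ENTITY") {
				return ErrDTDNotAllowed
			}
		}
	}
	return xml.Unmarshal(doc, v)
}

// Constructed inputs: a clean assertion and the classic file-read XXE payload.
const Benign = `<?xml version="1.0"?>
<Assertion><Subject><NameID>alice</NameID></Subject></Assertion>`

const Malicious = `<?xml version="1.0"?>
<!DOCTYPE Assertion [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<Assertion><Subject><NameID>&xxe;</NameID></Subject></Assertion>`

func main() {
	for _, doc := range []string{Benign, Malicious} {
		var a Assertion
		err := DecodeSafely([]byte(doc), &a)
		fmt.Printf("subject=%q err=%v\n", a.Subject, err)
	}
}
```

Rejecting the DTD also shuts out entity-expansion denial of service ("billion laughs"), which needs no external entity at all. Schema validation against an XSD, the slide's last bullet, is a second step after this one and needs a library outside Go's standard library.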
Known Vulnerabilities
❏ OWASP Top 10
❏ CVE/CWE
❏ Static code analysis and dependency scanning
❏ Keep software up to date
Logging & Audit Trail
❏ Local, unmonitored logs are as good as no logs: ship them to a central store the attacker cannot edit
❏ Audit trail on high-value
transactions
❏ Monitoring and alerting on suspicious activity
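An added example, not from the deck, of the monitoring rule that an audit trail makes possible: Go code that replays JSON audit lines and raises an alert for any high-value transfer and for a successful login that follows a burst of failed ones from the same IP. The log format, field names, thresholds and the sample lines (addresses from the documentation ranges) are all constructed for the demo.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Event is one JSON line of the application's audit log (constructed format).
type Event struct {
	Time   time.Time `json:"ts"`
	Action string    `json:"action"` // login.fail, login.ok, transfer
	User   string    `json:"user"`
	IP     string    `json:"ip"`
	Amount float64   `json:"amount,omitempty"`
}

// Analyze replays audit lines in order and raises two kinds of alert: any
// transfer at or above highValue (the audit-trail case) and a success that
// follows at least failBurst failed logins from the same IP within window
// (credential stuffing or a brute force that worked).
func Analyze(logLines string, highValue float64, failBurst int, window time.Duration) ([]string, error) {
	var alerts []string
	fails := map[string][]time.Time{} // source IP -> timestamps of recent failures
	sc := bufio.NewScanner(strings.NewReader(logLines))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("unparseable audit line %q: %w", line, err)
		}
		switch e.Action {
		case "transfer":
			if e.Amount >= highValue {
				alerts = append(alerts, fmt.Sprintf("high-value transfer %.2f by %s from %s", e.Amount, e.User, e.IP))
			}
		case "login.fail":
			fails[e.IP] = append(fails[e.IP], e.Time)
		case "login.ok":
			recent := 0
			for _, ts := range fails[e.IP] {
				if e.Time.Sub(ts) <= window {
					recent++
				}
			}
			if recent >= failBurst {
				alerts = append(alerts, fmt.Sprintf("%d failed logins then success for %s from %s", recent, e.User, e.IP))
			}
			delete(fails, e.IP)
		}
	}
	return alerts, sc.Err()
}

// SampleLog is constructed: one account attacked from 203.0.113.9 until a
// login succeeds, a normal user who mistyped once, and two transfers.
const SampleLog = `
{"ts":"2024-05-01T10:00:01Z","action":"login.fail","user":"alice","ip":"203.0.113.9"}
{"ts":"2024-05-01T10:00:05Z","action":"login.fail","user":"alice","ip":"203.0.113.9"}
{"ts":"2024-05-01T10:00:09Z","action":"login.fail","user":"alice","ip":"203.0.113.9"}
{"ts":"2024-05-01T10:00:13Z","action":"login.fail","user":"alice","ip":"203.0.113.9"}
{"ts":"2024-05-01T10:00:20Z","action":"login.fail","user":"bob","ip":"198.51.100.4"}
{"ts":"2024-05-01T10:00:31Z","action":"login.ok","user":"bob","ip":"198.51.100.4"}
{"ts":"2024-05-01T10:00:40Z","action":"login.ok","user":"alice","ip":"203.0.113.9"}
{"ts":"2024-05-01T10:02:10Z","action":"transfer","user":"alice","ip":"203.0.113.9","amount":25000}
{"ts":"2024-05-01T10:03:00Z","action":"transfer","user":"bob","ip":"198.51.100.4","amount":120.5}
`

func main() {
	alerts, err := Analyze(SampleLog, 10000, 3, time.Minute)
	for _, a := range alerts {
		fmt.Println("ALERT:", a)
	}
	if err != nil {
		fmt.Println("error:", err)
	}
}
```

Both alerts depend on fields the application had to write deliberately (timestamp, source IP, amount). That is the practical meaning of "audit trail on high-value transactions": log what a detection will need, in a structured form, before the incident.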
Threat Analysis
❏ All models are wrong but
some are useful for us
❏ Lets us see the threats before the code is written
❏ Helps figure out priorities
❏ Democratizes security
❏ https://threagile.io/
Engineering Friction
❏ Tests, DevOps, ...
❏ Security might cripple
engineering capabilities
❏ Security is a refactoring
enabler force
❏ Security is everybody's job