defense in depth in depth
play

Defense in Depth: In Depth Presented by: Chelsea H. Komlo About me - PowerPoint PPT Presentation

Jan 04, 2023 •229 likes •564 views

Defense in Depth: In Depth Presented by: Chelsea H. Komlo About me - Software engineer, privacy and security engineer - HashiCorp, ThoughtWorks, Tor - Worked in 5 countries and two languages About this talk - NOT how to do security -

  1. Defense in Depth: In Depth Presented by: Chelsea H. Komlo

  2. About me - Software engineer, privacy and security engineer - HashiCorp, ThoughtWorks, Tor - Worked in 5 countries and two languages

  3. About this talk - NOT how to do security - The purpose of this talk to discuss how to think defensively about your system at every level.

  4. What I often come across when talking about security

  5. You could have the most awesome encryption standard, but pressing the enter key could sidestep all authentication.

  6. One vulnerable third-party library leads to hundreds of millions of sensitive PII being stolen

  7. Security is holistic.

  8. Defense in depth is necessary for a secure system Goal: One vulnerability won’t result in compromising the entire system.

  9. We’ll look at defense in depth from a variety of viewpoints - Low level (code) - Mid level (teams) - High level (architecture) - Highest level (product strategy)

  10. Defense in depth: Code - Maintain code quality - Leverage automated tooling - Meaningful automated tests

  11. Defense in Depth: Maintain code quality - Antipattern: Making assumptions when writing code. - Pattern: Code should written defensively - Takeaway: Security vulnerabilities are bugs!

  12. Example: Brittle code // Should never be called with nil func sayName(p *Person) { fmt.Printf(“%s”, p.Name) }

  13. Defense in Depth: Leverage automated tooling - Antipattern: Minimal compile-time validation - Pattern: Enable language-specific compile-time checks - Takeaway: Humans fail! Leverage automated tooling where possible

  14. Example: Automated code analysis - Go Race Detector - ASAN - GCC: -Wall -Wextra

  15. Defense in Depth: Meaningful automated test cases - Antipattern: Adding a single test case for a function - Pattern: Having test cases that exercise your code with varying granularity. - Takeaway: Don’t be single-dimensional in your tests!

  16. Testing at multiple levels: - Unit - Integration - E2E - Soak - Time-based - Fuzzing

  17. Defense in depth: Teams - No more “rock stars” - No “throw over the wall” security requirements

  18. Defense in Depth: No more rock stars - Antipattern: Someone on the team pushing lots of code to master without a review. - Pattern: All code goes through thorough code review (from anyone on the team) - Takeaway: Security is a team sport!

  19. Defense in Depth: No “throw over the wall” security requirements - Antipattern: Long list of requirements from your security team. - Pattern: Development teams and security teams closely collaborating. - Takeaway: Collaborate.

  20. Defense in depth: Architecture - Managing evolution cleanly - Automate infrastructure

  21. Defense in Depth: Manage evolution cleanly - Anitipattern: Layers of “cruft” and deprecated features. - Pattern: Remove deprecated code paths, strive for minimal branching. - Takeaway: Your attacker will know your system better than you will!

  22. Example: OpenSSL versus OpenBSD’s LibreSSL Over 90,000 lines of code removed.

  23. Defense in depth: Automate infrastructure - Anitipattern: Bespoke, artisanal server management. - Pattern: Use automated tooling to manage your cluster. - Takeaway: The less manual effort, the fewer “forgotten holes.”

  24. Example: Cluster schedulers for Secops

  25. Defense in depth: Product Strategy - Privacy and security serve the same ends - Consider your users’ threat model

  26. Defense in Depth: Privacy and security serve the same ends - Antipattern: Collecting all possible data - Pattern: Collect only what is strictly necessary - Takeaway: Strive for privacy by design, as opposed to retroactive privacy.

  27. Example: Encrypted messaging applications

  28. Defense in Depth: Consider your users’ threat model - Antipattern: Planning for only your organization’s security needs - Pattern: Consider every user’s needs, including at-risk users in your threat model - Takeaway: Be aware of decisions that place users at greater risk

  29. Example: Sensitive data and third parties

  30. Example: Consider vulnerable users

  31. Security must be holistic! This means all roles, all people, working together thoughtfully. There is no partial credit in security!

  32. Thank you!

Recommend

GANT: A Defense in Depth Approach TF-MSP Wayne Routly Trondheim.no Security Manager

GANT: A Defense in Depth Approach TF-MSP Wayne Routly Trondheim.no Security Manager

GANT: A Defense in Depth Approach TF-MSP Wayne Routly Trondheim.no Security Manager September 2013 DANTE connect communicate collaborate Before . connect communicate collaborate Agenda Defence in Depth - A Layered

323 views • 9 slides
Tsinghua University Monocular Depth-Pose Prediction [R, t] Depth and Pose RGB PoseNet

Tsinghua University Monocular Depth-Pose Prediction [R, t] Depth and Pose RGB PoseNet

Wang Zhao, Shaohui Liu, Yezhi Shu, Yong-Jin Liu Tsinghua University Monocular Depth-Pose Prediction [R, t] Depth and Pose RGB PoseNet Fails to Generalize! All Drift ! Depth estimation in Indoor environments with Visual Odometry with

610 views • 15 slides
RGBD Tutorial 14210240041 Gu Pan Image RGB YUV Lab Depth Image RGB image Depth image Each pixel in

RGBD Tutorial 14210240041 Gu Pan Image RGB YUV Lab Depth Image RGB image Depth image Each pixel in

RGBD Tutorial 14210240041 Gu Pan Image RGB YUV Lab Depth Image RGB image Depth image Each pixel in depth image shows the distance to camera Device Kinect Kinect2 (we use) SoftKinetic Leapmotion Kinect Depth camera developed by

480 views • 29 slides
Depth from HDR: Depth Induction or Increased Realism? P. Vangorp 1 R. K. Mantiuk 2 B. Bazyluk 3

Depth from HDR: Depth Induction or Increased Realism? P. Vangorp 1 R. K. Mantiuk 2 B. Bazyluk 3

Depth from HDR: Depth Induction or Increased Realism? P. Vangorp 1 R. K. Mantiuk 2 B. Bazyluk 3 K. Myszkowski 1 R. Mantiuk 3 S. J. Watt 2 H.-P. Seidel 1 1 MPI Informatik 2 Bangor University 3 West Pomeranian 3 University of Technology Depth from

466 views • 34 slides
Depth & Complexity Framework - Understanding the pieces ELP Depth and Complexity Resource

Depth & Complexity Framework - Understanding the pieces ELP Depth and Complexity Resource

Depth & Complexity Framework - Understanding the pieces ELP Depth and Complexity Resource Page: https://www.jtayloreducation.com/tagtelp/ J Taylor Education, 2016 Depth & Complexity Framework Understanding the parts Think Like A

254 views • 22 slides
Learnings from Fukushima Dai-ichi Accident: - Defense-in-Depth, Human and Organizational aspects,

Learnings from Fukushima Dai-ichi Accident: - Defense-in-Depth, Human and Organizational aspects,

2016/3/30 Learnings from Fukushima Dai-ichi Accident: - Defense-in-Depth, Human and Organizational aspects, Safety approaches- Akira OMOTO, Professor, Tokyo Institute of Technology (omoto@nr.titech.ac.jp) Ou Outline Weakness in the application

650 views • 38 slides
How to use Encryption for Defense in Depth In Native and Browser Apps Isaac Potoczny-Jones

How to use Encryption for Defense in Depth In Native and Browser Apps Isaac Potoczny-Jones

How to use Encryption for Defense in Depth In Native and Browser Apps Isaac Potoczny-Jones ijones@tozny.com November 13, 2019 @SyntaxPolice https://tozny.com When we think of driving safety We address both the road and the car.

446 views • 42 slides
Tillage Depth Control (TDC) Benefits of Tillage Depth Control Is the definition of precision

Tillage Depth Control (TDC) Benefits of Tillage Depth Control Is the definition of precision

Tillage Depth Control (TDC) Benefits of Tillage Depth Control Is the definition of precision agriculture! Increased efficiency Automating time consuming tasks Enables less skilled workers to perform the task better Accurate

353 views • 11 slides
WHAT DEPTH ? Drillers Depth Determination Harald Bolt 1 45 th General Meeting March 17 th ,

WHAT DEPTH ? Drillers Depth Determination Harald Bolt 1 45 th General Meeting March 17 th ,

WHAT DEPTH ? Drillers Depth Determination Harald Bolt 1 45 th General Meeting March 17 th , 2017 The Hague, The Netherlands Wellbore Positioning Technical Section Speaker Information Harald Bolt What Depth ? March 17, 2017

266 views • 24 slides
Unsupervised Monocular Depth Estimation CNN Robust to Training Data Diversity Valery

Unsupervised Monocular Depth Estimation CNN Robust to Training Data Diversity Valery

Unsupervised Monocular Depth Estimation CNN Robust to Training Data Diversity Valery Anisimovskiy, Andrey Shcherbinin, 15 May, 2020 Sergey Turko and Ilya Kurilin Problem Statement: Depth Sensors limitations IR depth sensor Stereo camera

670 views • 21 slides
A Near-Optimal Depth-Hierarchy Theorem for Small-Depth Multilinear Circuits Nutan Limaye Compuer

A Near-Optimal Depth-Hierarchy Theorem for Small-Depth Multilinear Circuits Nutan Limaye Compuer

A Near-Optimal Depth-Hierarchy Theorem for Small-Depth Multilinear Circuits Nutan Limaye Compuer Science and Engineering Department, Indian Institute of Technology, Bombay, (IITB) India. Joint work with Suryajith Chillara, Christian Engels,

2.53k views • 191 slides
Depth Sensing and Deep Learning: Grasping and Segmenting 3D Objects from Real Depth Images using

Depth Sensing and Deep Learning: Grasping and Segmenting 3D Objects from Real Depth Images using

Depth Sensing and Deep Learning: Grasping and Segmenting 3D Objects from Real Depth Images using Synthetic Data Mike D e Dan aniel elczuk uk, Jeffrey Mahler, Matthew Matl, Saurabh Gupta, Andrew Lee, Andrew Li, Vishal Satish, Bill DeRose,

774 views • 73 slides
MineSweeper: An In-depth Look into Drive-by Mining and its Defense Veelasha Moonsamy Utrecht

MineSweeper: An In-depth Look into Drive-by Mining and its Defense Veelasha Moonsamy Utrecht

MineSweeper: An In-depth Look into Drive-by Mining and its Defense Veelasha Moonsamy Utrecht University, The Netherlands 28 August 2018 University of Adelaide, Australia Utrecht University, The Netherlands 2 Acknowledgment Joint

874 views • 61 slides
Information Security Offense and Defense HIMSS Heart of America Chapter February 2015 Depth

Information Security Offense and Defense HIMSS Heart of America Chapter February 2015 Depth

Information Security Offense and Defense HIMSS Heart of America Chapter February 2015 Depth Security Who we are Boutique Information Security Firm Founded in 2006 Based in Kansas City, Missouri Your organizations best

253 views • 12 slides
3D Modeling with Depth Sensors Andreas Geiger, Torsten Sattler Spring 2017

3D Modeling with Depth Sensors Andreas Geiger, Torsten Sattler Spring 2017

3D Modeling with Depth Sensors Andreas Geiger, Torsten Sattler Spring 2017 http://www.cvg.ethz.ch/teaching/3dvision/ 3D Modeling with Depth Sensors Todays class Obtaining depth maps / range images unstructured light

617 views • 47 slides
Week 5 Kullmann Analysing BFS Depth-first search Depth-first search Analysing DFS

Week 5 Kullmann Analysing BFS Depth-first search Depth-first search Analysing DFS

CS 270 Algorithms Oliver Week 5 Kullmann Analysing BFS Depth-first search Depth-first search Analysing DFS Analysing BFS Dags and 1 topological sorting Detecting Depth-first search 2 cycles Analysing DFS 3 Dags and topological

482 views • 23 slides
Aron Yu Nov 2, 2012 1 Depth Image Body Parts 3D Joint Est. 2 Image Credit: Shotton et al.

Aron Yu Nov 2, 2012 1 Depth Image Body Parts 3D Joint Est. 2 Image Credit: Shotton et al.

Aron Yu Nov 2, 2012 1 Depth Image Body Parts 3D Joint Est. 2 Image Credit: Shotton et al. Real-Time Human Pose Recognition in Parts from Single Depth Images Released: Nov 4, 2010 Color: 640 x 480@ 32 bits Depth: 640 x 480 @

880 views • 36 slides
LEP400 Etch Depth Monitor Real-time, in-situ plasma etch depth monitoring and end point control

LEP400 Etch Depth Monitor Real-time, in-situ plasma etch depth monitoring and end point control

LEP400 Etch Depth Monitor Real-time, in-situ plasma etch depth monitoring and end point control plus co-linear wafer vision system Base Configuration Etch Depth Monitoring LEP400 Recessed Window Laser Spot on Plasma Plasma Patterned Wafer

266 views • 22 slides
LEP500 Etch Depth Monitor Real-time, in-situ plasma etch depth monitoring and end point control

LEP500 Etch Depth Monitor Real-time, in-situ plasma etch depth monitoring and end point control

LEP500 Etch Depth Monitor Real-time, in-situ plasma etch depth monitoring and end point control plus co-linear wafer vision system Base Configuration Etch Depth Monitoring LEP500 Recessed Window Laser Spot on Plasma Plasma Patterned Wafer

299 views • 25 slides
TLS Record Protocol: Security Analysis and Defense-in-depth Countermeasures for HTTPS Olivier

TLS Record Protocol: Security Analysis and Defense-in-depth Countermeasures for HTTPS Olivier

TLS Record Protocol: Security Analysis and Defense-in-depth Countermeasures for HTTPS Olivier Levillain, Baptiste Gourdin, Herv Debar ANSSI, Sekoia, Tlcom SudParis ASIACCS 2015 Levillain, Gourdin, Debar (ASIACCS) TLS Record Protocol

793 views • 62 slides
Understand the principles behind Webbs Depth of Knowledge criteria Know how these

Understand the principles behind Webbs Depth of Knowledge criteria Know how these

Learning Targets Understand the principles behind Webbs Depth of Knowledge criteria Know how these principles can be applied to improve the alignment and rigor of instruction and assessment with the standards Realize how Depth of

475 views • 23 slides
Depth from Stereo Sanja Fidler CSC420: Intro to Image Understanding 1 / 12 Depth from Two

Depth from Stereo Sanja Fidler CSC420: Intro to Image Understanding 1 / 12 Depth from Two

Depth from Stereo Sanja Fidler CSC420: Intro to Image Understanding 1 / 12 Depth from Two Views: Stereo All points on projective line to P map to p Figure: One camera Sanja Fidler CSC420: Intro to Image Understanding 2 / 12 Depth from Two

968 views • 43 slides
Learning Lear ning Center Centers s In In-Depth Depth : Building Policy Around

Learning Lear ning Center Centers s In In-Depth Depth : Building Policy Around

Cincinnatis Community Learning Lear ning Center Centers s In In-Depth Depth : Building Policy Around Cincinnatis Community School Initiative Annie e Bogensc nschut utz, Director of Training and Development, Community Learning

465 views • 17 slides
Our Moral Origins Part 1/3 Objects Number Depth Geometry Objects Number Depth Geometry

Our Moral Origins Part 1/3 Objects Number Depth Geometry Objects Number Depth Geometry

Our Moral Origins Part 1/3 Objects Number Depth Geometry Objects Number Depth Geometry Other Minds? Knowledge Intention Morality Theory of Mind Egocentricism Three Mountains Task Mean Monkey Task False Belief Task

507 views • 22 slides

More recommend