Making Security Usable: Product Engineer Perspective
1 like168 views
The document discusses the challenges and strategies involved in making security user-friendly within software product engineering. It highlights the importance of usability in security products, emphasizing that poor usability can lead to bad security practices. Additionally, it covers deployment strategies, integration testing, and the significance of clear documentation for developers.
Making Security Usable: Product Engineer Perspective
- 1. Making Security Usable: Tales of Product Engineering …in a Security Company @vixentael
- 2. InfoQ.com: News & Community Site • 750,000 unique visitors/month • Published in 4 languages (English, Chinese, Japanese and Brazilian Portuguese) • Post content from our QCon conferences • News 15-20 / week • Articles 3-4 / week • Presentations (videos) 12-15 / week • Interviews 2-3 / week • Books 1 / month Watch the video with slide synchronization on InfoQ.com! https://www.infoq.com/presentations/ database-encryption-detection-tools
- 3. Presented at QCon New York www.qconnewyork.com Purpose of QCon - to empower software development by facilitating the spread of knowledge and innovation Strategy - practitioner-driven conference designed for YOU: influencers of change and innovation in your teams - speakers and topics driving the evolution and innovation - connecting and catalyzing the influencers and innovators Highlights - attended by more than 12,000 delegates since 2007 - held in 9 cities worldwide
- 5. @vixentael Product Engineer Feel free to reach me with security questions. I do check my inbox :)
- 7. A long time ago in a galaxy far, far away… @vixentael
- 8. @vixentael
- 10. @vixentael
- 11. @vixentael
- 12. @vixentael
- 13. @vixentael
- 14. @vixentael
- 16. @vixentael
- 18. @vixentael
- 23. @vixentael
- 25. @vixentael postgresql encryption options cybertec-postgresql.com/en/postgresql-instance-level-encryption/ export PGENCRYPTIONKEY=db-enc-key initdb -k -K pgcrypto /data/dbencrypt/
- 26. @vixentael 🙄"
- 28. No data security expertise? – Find one. @vixentael
- 30. @vixentael ? ..but how it should work ..and will it really be secure now? we want one tool that solves all problems..
- 31. @vixentael key lifecycle trusted code execution environment side channel resistance risk echelonization
- 32. @vixentael ?
- 33. @vixentael ?
- 34. @vixentael
- 36. @vixentael client app writer proxy database database encryption proxy
- 37. @vixentael client app writer proxy server database keygen zones IDS
- 38. @vixentael
- 41. @vixentael
- 45. Listen to customers. It improves everything... even security! @vixentael
- 49. @vixentael – real time analytics (user actions) – servers load – error logs – user testing / user research – open tickets / issues
- 50. @vixentael – real time analytics (user actions) – user testing / user research – servers load – open tickets / issues – error logs
- 51. @vixentael ?
- 52. @vixentael ?
- 54. @vixentael
- 55. Data Security Assistance Program @vixentael business model / regulations risks to data threat model / attack vectors data security scheme
- 57. Analyze use-cases @vixentael Hard to deploy Hard to support Easy to misuse Hard to verify
- 58. @vixentael
- 60. @vixentael Deployment code Multiple channels of distribution
- 61. @vixentael Deployment code Multiple channels of distribution
- 62. @vixentael Deployment code built packages (.pkg) Multiple channels of distribution
- 63. @vixentael Deployment Multiple channels of distribution code built packages (.pkg) docker images VM imageschef configuration docker compose
- 65. @vixentael Deployment 1. Download, build, install every component 2. Generate keys / tokens for each component 3. Put keys into right folders (PK exchange) 5. Run components using correct config 4. Configure each component (port, keys)
- 66. 2. Generate keys / tokens for each component @vixentael Deployment 1. Download, build, install every component 3. Put keys into right folders (PK exchange) 5. Run components using correct config 4. Configure each component (port, keys) script
- 67. @vixentael Deployment 1. Download, build, install every component 3. Put keys into right folders (PK exchange) 5. Run components using correct config 4. Configure each component (port, keys) 2. Generate keys / tokens for each component script
- 68. @vixentael Deployment 1. Download, build, install every component 3. Put keys into right folders (PK exchange) 5. Run components using correct config 4. Configure each component (port, keys)defaults 2. Generate keys / tokens for each component script
- 69. @vixentael Deployment 1. Download, build, install every component 3. Put keys into right folders (PK exchange) 5. Run components using correct config 4. Configure each component (port, keys) one command! 2. Generate keys / tokens for each component
- 70. @vixentael Deployment Pre-baked configurations docker-compose -f <compose_file>.yml up
- 71. @vixentael Deployment Pre-baked configurations mysql-ssl-server-ssl.yml MySQL <-SSL-> AServer <-SSL-> client
- 72. @vixentael Deployment Pre-baked configurations mysql-ssl-server-ssl.yml MySQL <-SSL-> AServer <-SSL-> client pgsql-nossl-server-ssession-connector.yml PostgreSQL <-> AServer <-SecureSession-> AConnector <---> client ‘-> AWebconfig
- 74. @vixentael Deployment Integration tests everywhere 🙄 – run on 12 OSs – run on empty environments – provide testing scripts for users
- 75. @vixentael Integration – logging formats (plaintext, json, CEF) – infrastructure as a code (configs everywhere) – event formats (unique event codes) Good products do not exist in a vacuum
- 76. @vixentael
- 78. @vixentael default strict parameters pre-defined configuration files make accidental changes unlikely Secure by default
- 79. API design
- 80. API design from pythemis.scell import SCellSeal scell = SCellSeal(key) encrypted_message = scell.encrypt(message, context) message = scell.decrypt(encrypted_message, context) github.com/cossacklabs @vixentael
- 81. easy to use @vixentael API design unambiguous to use 2017.hack.lu/archive/2017/hacklu-crypto-api.pdf &&
- 84. db proxyclient app @vixentael Naming writer proxy server database
- 85. db proxyclient app @vixentael Naming writer connector server database
- 86. @vixentael Naming https://circleci.com/blog/why-did-builds-become-jobs-in-the-ui/
- 88. @vixentael
- 89. @vixentael Docs no docs tons of docs👌
- 90. @vixentael Docs for developers integration scenarios security recommendations simple explanations benchmarks security model threat vectors schemes & formulas for security ppl
- 91. @vixentael Playgrounds who reads docs if you can play with simulator?
- 95. There is no absolute security @vixentael develop test deploy repeat
- 96. Short feedback cycle is a key @vixentael
- 97. IV. Where it got us? @vixentael
- 98. @vixentael Secure defaults Unambiguous APIs Easy deployment Shipped scripts / libs Playgrounds
- 99. @vixentael Secure defaults Unambiguous APIs Easy deployment Shipped scripts / libs Playgrounds
- 100. @vixentael adopt faster become less frustrated make less mistakes
- 101. @vixentael make user-facing decisions iterate faster plan better become less frustrated
- 103. @vixentael
- 104. Home reading? https://medium.com/@kshortridge/security-as-a-product-83a78c45ca27 Security as a Product https://github.com/forter/security-101-for-saas-startups/blob/english/security.md Organization security for startups https://2017.hack.lu/archive/2017/hacklu-crypto-api.pdf API design for cryptography https://cr.yp.to/talks/2015.10.05/slides-djb-20151005-a4.pdf Boring crypto, Daniel J. Bernstein
- 105. My other security slides github.com/vixentael/ my-talks
- 106. @vixentael Product Engineer Feel free to reach me with security questions. I do check my inbox :)
- 107. Image credits www.flaticon.com freepik, linector, switficons, pixelperfect, smashicons, icon pond, dinosoftlabs Authors:
- 108. Watch the video with slide synchronization on InfoQ.com! https://www.infoq.com/presentations/ database-encryption-detection-tools