Top 3 tips for security documentation
- 1. Top 3 Tips For Security Docs Michael Furman Security Architect Icons made by Appzgear and Freepik
- 2. What will we see today? • Why is security important? • Don’t be part of the problem • Do’s and Don’ts
- 3. About Me • 20+ years in software engineering • 10+ years in application security • 4+ years Lead Security Architect at Tufin • www.linkedin.com/in/furmanmichael/ • ultimatesecpro@gmail.com • Read my blog https://ultimatesecurity.pro/ • Follow me on twitter @ultimatesecpro • I like to travel, read books and listen to music.
- 4. About Tufin • Market Leader in Security Policy Orchestration for firewalls and cloud – New Tufin products integrate security into DevOps pipeline • Established in 2005 • Used in over 2,300 enterprises, including 40 Fortune 100 companies • We are constantly growing! www.tufin.com/careers/
- 5. Why is security important? • Google for “hacker stole credit cards”. • Google for “cybersecurity breaches”.
- 6. Sony PlayStation 2011 • Exposed personal information of 77 million users • Sony suspended PlayStation Network services – costs 155.4 million USD • Sony U.K. fined 395 million USD
- 7. Target Breach 2013 • 40 million of credit and debit cards are stolen • Reissuing 21.8 million cards – 200 million USD
- 8. Equifax 2017 • US consumer credit reporting agency • Unauthorized access to data – 145.5 million American customers – 15.2 million UK customers • Cost of the breach around 449 million USD
- 9. Where to start? • OWASP Top Ten Overview: https://ultimatesecurity.pro/post/top-ten-presentation/
- 10. Don’t be part of the problem • Run vulnerability scans • Do a Pen Test • Regularly upgrade a server • Regularly upgrade a tool
- 11. Vulnerability vs. security features • A vulnerability is a weakness which can be exploited by an attacker • Security features is enchantment of a product to meet a security requirement
- 12. Do’s and Don’ts - Vulnerability • Describe a vulnerability – not how to hack • Notify customers only – Public disclosure after the sufficient time Icons made by Smashicons
- 13. Do’s and Don’ts - Security Fixes • Public disclosure • Be preemptive – If it limits the existing functionality Icons made by Freepik
- 14. Take Aways • Engage with your IT team • Documenting vulnerabilities is different from documenting security fixes
- 15. Thank you! • Contact me – www.linkedin.com/in/furmanmichael/ – ultimatesecpro@gmail.com – https://ultimatesecurity.pro/ – @ultimatesecpro
Editor's Notes
- #2: <div>Icons made by <a href="https://www.flaticon.com/authors/appzgear" title="Appzgear">Appzgear</a> from <a href="https://www.flaticon.com/" title="Flaticon">www.flaticon.com</a> is licensed by <a href="http://creativecommons.org/licenses/by/3.0/" title="Creative Commons BY 3.0" target="_blank">CC 3.0 BY</a></div> <div>Icons made by <a href="https://www.freepik.com/" title="Freepik">Freepik</a> from <a href="https://www.flaticon.com/" title="Flaticon">www.flaticon.com</a> is licensed by <a href="http://creativecommons.org/licenses/by/3.0/" title="Creative Commons BY 3.0" target="_blank">CC 3.0 BY</a></div>
- #3: Hi everyone, Thank you for joining the last lecture for today. What will we see today? I will start by giving you an overview of OpenID Connect. I will describe the OpenID Connect protocol, and will show you how it compares to other protocols. Then, we will review some of OpenID Connect Implementations. Finally, I will show you one of the best OpenID Connect implementations: Keycloak.
- #4: Before we begin, a couple of words about me and the company I work for - Tufin. I have many years of experience in software development. Like most of you here today, I particularly like application security. I started to work in this area more than 10 years ago, and enjoy each day I work on it. For the last few years, I am responsible for the application security of all Tufin products. Recently I have started to write a blog – you are more then welcomed to read it. Something personal: I like traveling, reading books and listening to music. I particularly enjoy listen to jazz.
- #5: And now, a couple of words about Tufin. Tufin is a great company. It is already over 13 years old. We have a lot of customers. Our customers are all around the world: in Israel, USA, Europe, Asia. Some are huge companies, others are much smaller. We have customers in many industries. For example: AT&T, BMW and Visa. Recently we have started to develop products that integrate security into DevOps pipeline. You are more then welcomed to visit our booth. Tufin is always growing. When I joined the company about 5 years ago, it took up only one and half floors. Now it takes up almost 4 floors and that is only in Israel. We have also expanded abroad. We recently opened up a new main office in Boston. We are always looking for good people. We are looking for Java, C++, DevOps people. We are looking for Docker and Kubernetes gurus. You can visit our site to see our open positions in RnD, Sales, Marketing and additional areas.
- #7: http://www.pcworld.com/article/226802/playstation_network_hack_timeline.html http://www.bloomberg.com/news/2013-01-24/sony-fined-394-000-over-2011-hacker-attack-on-playstation-data.html
- #9: The immediate cost of the breach, including security upgrades, legal fees, and free identity theft services for consumers totaled around $449 million
- #11: Run vulnerability scans Do a Pen Test if you can budget for it, or see if you can piggyback on a PenTest that is run on your product Ensure that IT regularly upgrades the server hosting your KC If you use a tool for creating documentation (e.g. Madcap Flare, Adobe FrameMaker, AuthorIt, etc.), ask the vendor for details about what they’ve done to ensure the output they produce is secured Upgrade to the latest version, as needed
- #13: <div>Icons made by <a href="https://www.flaticon.com/authors/smashicons" title="Smashicons">Smashicons</a> from <a href="https://www.flaticon.com/" title="Flaticon">www.flaticon.com</a> is licensed by <a href="http://creativecommons.org/licenses/by/3.0/" title="Creative Commons BY 3.0" target="_blank">CC 3.0 BY</a></div> How to document security-related issues Vulnerability vs. security features – have different documentation requirements Vulnerability – Notifications to customers only, not the entire world If you must notify everyone, then give customers sufficient time to implement your fix Describe the vulnerability, not how to hack in using the vulnerability
- #14: <div>Icons made by <a href="https://www.freepik.com/" title="Freepik">Freepik</a> from <a href="https://www.flaticon.com/" title="Flaticon">www.flaticon.com</a> is licensed by <a href="http://creativecommons.org/licenses/by/3.0/" title="Creative Commons BY 3.0" target="_blank">CC 3.0 BY</a></div> Security Fixes Can be made public Be preemptive – tell them of upcoming changes Describe what the customers sees or it may impact them, so they can prepare for it
- #15: You know how to document security-related issues
- #16: Thank you for participating in my lecture! Please contact me if you need any additional information, or if you want to send me your resume.