Security Every Day July 17, 2012

Computer security seems to be a constant source of failure… I mean so many companies get it wrong. But it turns out that if every engineering participant (engineers, managers, product managers, etc.) makes security a part of process just like build and release processes, it's easy to get security right.

Here's a presentation I put together last year. It's a pretty simple concept: Isolate, Examine, Repeat.

• Isolate

  • Each system has a discrete function
  • Systems: min connections to function
  • MQ for Edge
  • MQ & DB for back-end systems
  • Check parameters/Test Access (random)

• Examine

  • What sensitive data is being handled?
  • What are the attack vectors?
  • Checklist against OWASP Top 10
  • “Not applicable” or “Defended by...”
  • Can we store/do less?

• Repeat

  • Part of every design document
  • Quick review by peers
  • Becomes part of culture: Unit Tests/QA

Enjoy.