Computer security seems to be a constant source of failure: so many companies get it wrong. But it turns out that if every participant in engineering (engineers, managers, product managers, and so on) makes security part of the process, the same way build and release are part of the process, it becomes easy to get security right.

Here's a presentation I put together last year. It's a pretty simple concept: Isolate, Examine, Repeat.

  • Isolate

    • Each system has one discrete function
    • Each system gets only the minimum connections it needs to perform that function
    • Edge systems talk only to the message queue (MQ)
    • Back-end systems talk only to the MQ and the database
    • Check every parameter; test access controls, including random spot checks
  • Examine

    • What sensitive data is being handled, and where?
    • What are the attack vectors?
    • Walk a checklist against the OWASP Top 10
    • Every item is answered either “Not applicable” or “Defended by...” with the defence named
    • Can we store less data, or do less?
  • Repeat

    • Part of every design document
    • Quick review by peers
    • Becomes part of the culture, the way unit tests and QA are
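As an added example (not part of the original post or the presentation it describes), here is a small Python checker that treats the Isolate and Examine steps the way the Repeat step suggests: as a test that runs against every design document. It encodes the connection rules above (edge systems may reach only the MQ; back-end systems only the MQ and the database) and requires every OWASP item to be answered “Not applicable” or “Defended by” plus a named defence. The two services in the inventory are constructed and hypothetical, and the category names are from the 2021 edition of the OWASP Top 10, an assumption since the post does not say which edition the talk used.

```python
"""Design-review checker for Isolate / Examine / Repeat.

Added example, not from the original post or talk. The service inventory
and checklist answers below are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass

# Isolate: the only connections a tier may have. Edge systems talk to the
# message queue (MQ) only; back-end systems to the MQ and the database.
ALLOWED_CONNECTIONS = {"edge": {"mq"}, "backend": {"mq", "db"}}

# Examine: every item needs an answer. Names are the OWASP Top 10 (2021);
# the post does not say which edition the talk used (assumption).
OWASP_TOP_10 = [
    "A01 Broken Access Control",
    "A02 Cryptographic Failures",
    "A03 Injection",
    "A04 Insecure Design",
    "A05 Security Misconfiguration",
    "A06 Vulnerable and Outdated Components",
    "A07 Identification and Authentication Failures",
    "A08 Software and Data Integrity Failures",
    "A09 Security Logging and Monitoring Failures",
    "A10 Server-Side Request Forgery",
]
NOT_APPLICABLE = "Not applicable"
DEFENDED_PREFIX = "Defended by "


@dataclass
class Design:
    """One design document, reduced to the fields the review checks."""
    name: str
    tier: str                  # "edge" or "backend"
    function: str              # the single discrete job this system does
    connections: set[str]      # e.g. {"mq"} or {"mq", "db", "http:inventory"}
    sensitive_data: list[str]  # sensitive data the system handles, if any
    checklist: dict[str, str]  # OWASP item -> "Not applicable" / "Defended by ..."


def check_isolation(d: Design) -> list[str]:
    """Isolate: one declared function, no connections beyond the tier's allow-list."""
    problems = []
    if not d.function.strip():
        problems.append("no discrete function declared")
    allowed = ALLOWED_CONNECTIONS.get(d.tier)
    if allowed is None:
        return problems + [f"unknown tier {d.tier!r}"]
    for conn in sorted(d.connections - allowed):
        problems.append(f"{d.tier} system must not connect to {conn!r} "
                        f"(allowed: {sorted(allowed)})")
    return problems


def check_examination(d: Design) -> list[str]:
    """Examine: each OWASP item is 'Not applicable' or names its defence."""
    problems = []
    for item in OWASP_TOP_10:
        answer = d.checklist.get(item, "").strip()
        if answer == NOT_APPLICABLE:
            continue
        if answer.startswith(DEFENDED_PREFIX) and answer[len(DEFENDED_PREFIX):].strip():
            continue
        problems.append(f"{item}: expected '{NOT_APPLICABLE}' or "
                        f"'{DEFENDED_PREFIX}...', got {answer!r}")
    # A system that handles sensitive data cannot wave off the data-protection items.
    if d.sensitive_data:
        for item in ("A01 Broken Access Control", "A02 Cryptographic Failures"):
            if d.checklist.get(item, "").strip() == NOT_APPLICABLE:
                problems.append(f"{item}: marked not applicable, but the system "
                                f"handles {d.sensitive_data}")
    return problems


def review(designs: list[Design]) -> dict[str, list[str]]:
    """Repeat: run both checks on every design; an empty list means it passes."""
    return {d.name: check_isolation(d) + check_examination(d) for d in designs}


def full_checklist(answer: str) -> dict[str, str]:
    """Fill every OWASP item with the same answer (then override the real ones)."""
    return {item: answer for item in OWASP_TOP_10}


# Constructed sample inventory: two hypothetical services, not real systems.
SAMPLE_DESIGNS = [
    Design("public-api", "edge", "accept orders from clients and enqueue them",
           {"mq"}, ["customer email"],
           {**full_checklist(NOT_APPLICABLE),
            "A01 Broken Access Control": "Defended by per-user OAuth scopes",
            "A02 Cryptographic Failures": "Defended by TLS 1.2+ on every listener",
            "A03 Injection": "Defended by schema validation of every parameter",
            "A07 Identification and Authentication Failures": "Defended by OAuth tokens"}),
    Design("order-worker", "backend", "",             # nobody wrote down its function
           {"mq", "db", "http:inventory"},             # direct HTTP call bypasses the MQ
           ["card tokens"],
           {**full_checklist(NOT_APPLICABLE),
            "A03 Injection": "Defended by",            # defence never named
            "A05 Security Misconfiguration": ""}),     # left blank
]

if __name__ == "__main__":
    for name, problems in review(SAMPLE_DESIGNS).items():
        print(f"{name}: {'PASS' if not problems else 'FAIL'}")
        for p in problems:
            print(f"  - {p}")
```

Run as a script it reports `public-api: PASS` and `order-worker: FAIL` with one line per finding. The point of the sensitive-data rule is that “Not applicable” is cheap to write; tying it to the data the system declares it handles is what turns the checklist from paperwork into something a peer reviewer can reject.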