Security Every Day July 17, 2012
Computer security seems to be a constant source of failure… I mean so many companies get it wrong. But it turns out that if every engineering participant (engineers, managers, product managers, etc.) makes security a part of process just like build and release processes, it's easy to get security right.
Here's a presentation I put together last year. It's a pretty simple concept: Isolate, Examine, Repeat.
- Each system has a discrete function
- Systems: min connections to function
- MQ for Edge
- MQ & DB for back-end systems
- Check parameters/Test Access (random)
- What sensitive data is being handled?
- What are the attack vectors?
- Checklist against OWASP Top 10
- “Not applicable” or “Defended by...”
- Can we store/do less?
- Part of every design document
- Quick review by peers
- Becomes part of culture: Unit Tests/QA