Secure by Design

55:38
 
Share
 

Manage episode 258434608 series 2448877
By Matt Stratton, Trevor Hess, Jessica Kerr, and Bridget Kromhout. Discovered by Player FM and our community — copyright is owned by the publisher, not Player FM, and audio is streamed directly from their servers. Hit the Subscribe button to track updates in Player FM, or paste the feed URL into other podcast apps.

Secure By Design

Guests Dan Bergh Johnsson, Daniel Deogun, and Daniel Sawano join host Jessica Kerr to discuss their book Secure by Design.

Daniel: “There’s a lot of good designs which come naturally to us as programmers but which has the interesting side effect that they also prevent security-related bugs.”

Domain Primitives

The panel discusses domain primitives as an example of coding practices that naturally provide security through good design.

Dan Bergh: “It’s a good starting point to understand that using domain-driven design not only makes your code more expressive, solves more domain problems. Even though these designs were not crafted to address security to start with, they’ve also had that as a side effect.”

Jessica: “I love that what you’re recommending in this part is to think harder about what you do want in the system, express that in the code, and suddenly a bunch of things that you don’t want in the system just aren’t.”

Testing

The panel talks about the ways in which testing contributes to secure design.

Daniel Sawano: “It tends to be so much easier and more robust if you start defining your own domain types.”

Immutability

The panel discusses the benefits of immutability.

Dan Berg: “It’s possible to…configure and mutate them until they are kind of safe-ish.” Jessica: “Kind of safe-ish?” Dan Berg: “Well, we are on a DevOps podcast.”

Logging

The panel talks about the security implications of logging practices.

Daniel Deogan: “One thing that’s very important is that if you log input directly into your logs, it becomes an attack surface for second-order injection attacks.”

Dan Bergh: “It’s a perfect launchpad for doing a really, really hard attack inside your system.”

Daniel Deogan: “The common mistake that many developers do is that they more or less dump inputs blindly.”

Jessica: “We have this illusion that logging is simple, but it isn’t.”

Cloud Thinking

The panel discusses the chapter on cloud thinking.

Dan Bergh: “In a way, we’re instructing the system to become more intelligent.”

Symmathesy!

The book is available online in its entirety.

184 episodes