YoVDO

Security Vulnerabilities Decomposition - Another Way to Look at Vulnerabilities

Offered By: NDC Conferences via YouTube

Tags

NDC Conferences Courses, Encryption Courses, Software Security Courses, Design Patterns Courses, Intrusion Detection Courses, Security Vulnerabilities Courses

Course Description

Overview

Explore a fresh perspective on security vulnerabilities in this 43-minute conference talk from NDC Conferences. Delve into the decomposition of vulnerabilities into familiar security controls, shifting focus from end-stage vulnerability measurement to integrating security measures throughout the software development cycle. Learn about CWEs, injection vulnerabilities, security logging, intrusion detection points, secure data handling, and fundamental security principles. Discover how to implement logging libraries, payment gateways, and single sign-on using design patterns. Gain insights on incorporating security controls from the design phase onwards, making security more developer-friendly and effective. Ideal for developers seeking to enhance the security of their software applications.

Syllabus

Intro
Katy Anton
Common Weakness Enumeration
CWEs in Injection Category
Decompose the Injection
Extract Security Controls
Security Controls: Security Logging
The 6 Best Types of Detection Points
Examples of Intrusion Detection Points
Secure Data Handling: Basic Workflow
Data at Rest: Design Vulnerability example
Tool for Publicly Disclosed Machine Keys
Encryption: Security Controls
Data in Transit: Security Controls
State of Software Security
Root Cause
What is Attack Surface?
Fundamental Security Principle
Components Examples
Implement Logging Library
Simple Wrapper
Implement a Payment Gateway
Adapter Design Pattern
Implement a Single Sign-On
Facade Design Pattern
Secure Software Starts from Design!
Rick Rescorla
Security Controls In Development Cycle
Final Takeaways
References


Taught by

NDC Conferences

Related Courses

Internet History, Technology, and Security
University of Michigan via Coursera
Sicherheit im Internet
openHPI
أساسيات التشفير
Rwaq (رواق)
Desarrollo de Aplicaciones Web: Seguridad
University of New Mexico via Coursera
Web Application Development: Security
University of New Mexico via Coursera