The following article was inspired by some of the best talks we had the opportunity to host during our offline conferences over the last few years. Together, they offer a broader view of the aspects related to Security.
We have committed ourselves to offering you more interesting talks like the following in spite of the COVID-19 outbreak. Online conferences have become Codemotion’s new medium of choice. If you are interested in organising your own online event, have a read of this article on the best tools for planning and running a virtual conference.
What is security?
The notions of security-first and security by design are critical to the work of developers, especially when you consider the ubiquity of security vulnerabilities across all kinds of software, verticals, and industries.
Putting security at the forefront with intent means that security is top of mind for all developers, UX designers, documentation writers and engineers – not just the security member of staff (and their team). We take a look at some of the themes present in today’s security discourse.
You are the weakest link
According to Brian Vermeer, Developer Advocate at Snyk, this also applies to the behaviour of team members – on and offline. He shares: “It’s not that hard to find out where you work based on your email address. I mean normally, it’s first name dot last name at company name dot domain.”
He asks further: “Who has confidential material on your laptop? I can follow you and get to know your routine. Who encrypts your hard drive? Who has access to your laptop? Who uses a password manager?”
He further notes that, as developers – not just security staff – you probably have access to more sensitive material than you realise:
“If you do DevOps, you probably have elevated privileges, for instance, to the database of your company. Who has credentials to enter the production server or the pipeline that can drop something into production? So can you imagine if we have that laptop of yours, and we abstract all that stuff from it, I can post on your git credentials, I can go to production, and I can even access the database”.
“Who of you has test data on their system locally? And it’s actually just a copy of the production data to test, for instance, reliability, speed and that kind of stuff? Do you have personally identifiable information on that? Is that anonymised? You are vulnerable. And the weakest link is not the system. It’s you. So why should I target the system? I just target you, it’s much easier.”
To make security effective, it’s not just about tick-a-box compliance. Rather, security must be baked into company values and delivered through company practices by all departments and individuals.
Security hits in unexpected places like API attacks
Each time you publish an API, you punch a hole in your enterprise perimeter. Through API attacks, a lot of critical data which used to be well-protected in enterprise data centres is now exposed directly to the Internet.
Whenever you create APIs, you have to make sure that you have done everything you could to validate data flows, properly authenticate users, authorise access to the data and keep an audit trail, among other security tasks.
The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software.
One of their members, Isabelle Mauny, shared with Codemotion that OWASP recently added under-protected APIs to its Top 10 list of application vulnerabilities, a standard awareness document for developers and web application security practitioners. It represents a broad consensus about the most critical security risks to web applications.
It’s a recognition that API security is NOT web security. Rather, APIs have different attack vectors. They are data-centric, and there are lots of attacks coming from mishandling API data.
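To make the four tasks above concrete, here is an added example (not code from the article, from OWASP or from any project it mentions) of a single API endpoint that performs all of them in order: authenticate the caller, validate the request body, authorise access to the specific record, and write an audit entry for every outcome. The handler name, the token format, the record store and the secret are all constructed for illustration; a real service would sit behind an HTTP framework and load its secret from a secret store.

```python
"""Added example: one API handler showing input validation, authentication,
authorisation and an audit trail. All names and data below are constructed."""
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo secret; a real service loads this from a secret store.
SERVER_SECRET = b"demo-secret-do-not-use"

# Constructed sample data: record id -> owner and balance.
RECORDS = {
    "r1": {"owner": "alice", "balance": 120},
    "r2": {"owner": "bob", "balance": 40},
}

# Audit trail: every request, successful or not, leaves one entry here.
AUDIT_LOG = []


def mint_token(user: str) -> str:
    """Issue a bearer token of the form user.hexmac (HMAC-SHA256 over the user id)."""
    mac = hmac.new(SERVER_SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"


def verify_token(token: Optional[str]) -> Optional[str]:
    """Return the authenticated user id, or None if the token is missing or forged."""
    if not token or "." not in token:
        return None
    user, mac = token.rsplit(".", 1)
    expected = hmac.new(SERVER_SECRET, user.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged MAC cannot be guessed byte by byte.
    return user if hmac.compare_digest(mac, expected) else None


def validate_body(raw: str) -> Optional[dict]:
    """Parse and validate the body: a JSON object with exactly the keys
    'record' (alphanumeric str) and 'amount' (int in 1..1000). Reject anything else."""
    try:
        body = json.loads(raw)
    except json.JSONDecodeError:
        return None
    if not isinstance(body, dict) or set(body) != {"record", "amount"}:
        return None
    if not isinstance(body["record"], str) or not body["record"].isalnum():
        return None
    amount = body["amount"]
    if isinstance(amount, bool) or not isinstance(amount, int) or not 1 <= amount <= 1000:
        return None
    return body


def audit(user: Optional[str], action: str, record: Optional[str], outcome: str) -> None:
    AUDIT_LOG.append({"ts": time.time(), "user": user, "action": action,
                      "record": record, "outcome": outcome})


def handle_withdraw(headers: dict, raw_body: str) -> Tuple[int, dict]:
    """POST /withdraw. Returns (status, response) the way an HTTP handler would."""
    user = verify_token(headers.get("Authorization"))
    if user is None:
        audit(None, "withdraw", None, "unauthenticated")
        return 401, {"error": "unauthenticated"}
    body = validate_body(raw_body)
    if body is None:
        audit(user, "withdraw", None, "invalid_input")
        return 400, {"error": "invalid input"}
    record = RECORDS.get(body["record"])
    # Authorisation: the caller may only touch records they own. Answer 404 rather
    # than 403 so the API does not confirm that someone else's record id exists.
    if record is None or record["owner"] != user:
        audit(user, "withdraw", body["record"], "forbidden")
        return 404, {"error": "not found"}
    if record["balance"] < body["amount"]:
        audit(user, "withdraw", body["record"], "insufficient")
        return 409, {"error": "insufficient funds"}
    record["balance"] -= body["amount"]
    audit(user, "withdraw", body["record"], "ok")
    return 200, {"record": body["record"], "balance": record["balance"]}


if __name__ == "__main__":
    token = mint_token("alice")
    print(handle_withdraw({"Authorization": token}, '{"record": "r1", "amount": 20}'))
    print(handle_withdraw({"Authorization": token}, '{"record": "r2", "amount": 20}'))
    print(AUDIT_LOG)
```

The ordering matters: the cheapest check that needs no secrets (authentication) runs first, validation rejects malformed data before it can reach the data layer, and the ownership check is keyed on the authenticated identity rather than anything the client sent. Because every branch writes to the audit log, a burst of `forbidden` entries from one user is visible to whoever reviews the trail.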
Zero trust means everything is on fire
A lot of these data breaches are made possible by missteps and misconfigurations. Many security issues are introduced into website authentication mechanisms; these compound the existing problems and also reinforce bad behaviour by end-users.
Security debt is a real problem for the vast majority of organisations in the world today, and the attackers will utilise this to their advantage.
Cisco defines zero trust as a comprehensive approach to securing all access across your networks, applications, and environment. This approach helps secure access from users, end-user devices, APIs, IoT, microservices, containers, and more. It protects your workforce, workloads, and workplace.
According to David Lewis, Global Advisory CISO at Duo Security, “the easiest way to describe zero trust is that everything is on fire.”
He contends: “We’re looking at going back to doing the fundamental things that we should have been doing right from the very beginning, network zone segmentation, user authentications, making sure that your asset inventories are up to date. If you are building out a new programme:
- Do you know the libraries that you are including?
- Do you know the libraries that you included in your own application?
- Have you verified that these third party codebases are legitimate?
You have to go through and trust but verify and then verify again, everything as it comes along.”
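The three library questions above have a mechanical answer: pin the digest of every third-party artifact you ship and refuse to build when a download does not match, is not pinned at all, or is missing. The following is an added example of that check (not code from the article, from Duo Security or from Cisco) written in the style of a `sha256sum`-style manifest. The file names, contents and manifest are constructed for the example; the digests are computed from the constructed bytes, and one pin is deliberately wrong to model a substituted download.

```python
"""Added example: verify downloaded third-party artifacts against a pinned
manifest of SHA-256 digests before a build uses them. All data is constructed."""
import hashlib
from typing import Dict, List

# Constructed "downloaded" artifacts: file name -> bytes standing in for real packages.
DOWNLOADED: Dict[str, bytes] = {
    "left-pad-1.0.0.tgz": b"module.exports = function leftPad(s, n) { /* ... */ }",
    "json-parse-2.1.0.tgz": b"module.exports = JSON.parse",
    "helpful-util-0.0.1.tgz": b"require('child_process')",  # never pinned
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse lines of the form '<sha256 hex>  <file name>' (blank lines and
    '#' comments ignored). Malformed lines are rejected rather than skipped."""
    pins: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64 or not all(c in "0123456789abcdef" for c in parts[0]):
            raise ValueError(f"manifest line {lineno} is malformed: {line!r}")
        pins[parts[1]] = parts[0]
    return pins


# Constructed manifest, normally committed next to the lockfile. The second pin is
# wrong on purpose (all zeros) to model a tampered or substituted download.
MANIFEST_TEXT = f"""
# pinned third-party artifacts (constructed example)
{sha256_hex(DOWNLOADED['left-pad-1.0.0.tgz'])}  left-pad-1.0.0.tgz
{'0' * 64}  json-parse-2.1.0.tgz
"""


def verify_dependencies(manifest: Dict[str, str], downloaded: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Classify every artifact as ok, mismatch (digest differs from the pin),
    unpinned (present but not in the manifest) or missing (pinned but absent)."""
    report: Dict[str, List[str]] = {"ok": [], "mismatch": [], "unpinned": [], "missing": []}
    for name, data in downloaded.items():
        expected = manifest.get(name)
        if expected is None:
            report["unpinned"].append(name)
        elif sha256_hex(data) == expected:
            report["ok"].append(name)
        else:
            report["mismatch"].append(name)
    for name in manifest:
        if name not in downloaded:
            report["missing"].append(name)
    return report


def build_allowed(report: Dict[str, List[str]]) -> bool:
    """The build proceeds only when nothing is mismatched, unpinned or missing."""
    return not (report["mismatch"] or report["unpinned"] or report["missing"])


if __name__ == "__main__":
    rep = verify_dependencies(parse_manifest(MANIFEST_TEXT), DOWNLOADED)
    for category, names in rep.items():
        print(f"{category:9s} {names}")
    print("build allowed:", build_allowed(rep))
```

Treating an unpinned artifact as a failure, not just a mismatch, is what answers "do you know the libraries that you are including?": a new dependency cannot slip into the build without someone adding its digest to the manifest, which is the "verify again" step in the quote above.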
Interested in a career in cybersecurity?
At Codemotion we’re big fans of supporting people who are thinking about changing their career, such as moving into a role in cybersecurity. Dr Melanie Rieback is the CEO/Co-founder of Radically Open Security, the world’s first nonprofit computer security consultancy company.
She is also a former Assistant Professor of Computer Science at the Free University of Amsterdam (VU), whose RFID security research (RFID Virus and RFID Guardian) attracted worldwide press coverage and won several awards.
Radically Open Security is the world’s first not-for-profit computer security consultancy company. They are prototyping an innovative new business model – using a Dutch “Fiscaal Fondswervende Instelling” (Fiscal Fundraising Institution) to provide a commercial front-end.
This sends 90% of their profits tax-free to a backend foundation (Stichting NLnet) that has supported open-source, Internet research, and digital rights organisations for almost 20 years.
The other 10% is kept as a cash-flow buffer that allows the company to survive. Additionally, due to low management/overhead costs, they can afford to pay competitive wages to their computer security consultants.
If you want to know more about how modern technologies and tools can support you for – and during – the organisation of a virtual event, don’t miss this article showcasing the best tools we used to host our online conferences since the COVID-19 outbreak.