SlideShare a Scribd company logo

Sec 101

Diego Pacheco
Diego Pacheco

Security 101, Sec, Vulnerabilities, TLS/mTLS, Encryption, Culture, Threat analysis, OWASP, and more.

Technology
1 of 20
Download to read offline
Sec 101 Diego Pacheco
@diego_pacheco ❏ Cat's Father ❏ Head of Software Architect ❏ Agile Coach ❏ SOA/Microservices Expert ❏ DevOps Practitioner ❏ Speaker ❏ Author diegopacheco http://diego-pacheco.blogspot.com.br/ About me... https://diegopacheco.github.io/
We are used to Security in the physical world
Software Security
Why should we care? ❏ Ethics ❏ Customer Experience ❏ Brand Integrity ❏ Compliance
Defense in depth ❏ NSA ❏ Layers ❏ All IT systems ❏ It’s all about redundancy ❏ AV, Auth, Encryption, MFA, Sandboxes, DMZ, VPN, Firewalls, etc...
Least Privilege Principle ❏ Minimum level of access and privilege. ❏ Avoid wide open permissions like * ❏ Avoid Attacker Surface ❏ Spots malware spread
Encryption ❏ Symmetric & Asymmetric ❏ Encoding Information ❏ AES Standard ❏ Key Diversity ❏ Envelope Encryption ❏ App vs Storage Encryption ❏ Rotations
TLS and mTLS ❏ Privacy and data integrity ❏ Secure Connections ❏ Asymmetric Encryption ❏ Email, Chats, VoIP, HTTPS ❏ mTLS - No Man in the Middle ❏ Rotations
Misconfiguration & Error Handler ❏ Unnecessary enable ports ❏ Stacks Traces ❏ Default Passwords ❏ Software Out of Date ❏ Missing Sec configs
Input Sanitization ❏ SQL Injection ❏ Prepared Statements ❏ Remote File Inclusion ❏ Paths / Sequences ❏ Always clean user inputs ❏ Use UUIDs
XSS (Cross Site Scripting) ❏ JavaScript Injection ❏ Storage (view by admin) ❏ Reflected (back to user) ❏ Latest Browser versions ❏ Requires Sanitization
Insecure Serialization/Deserialization ❏ XXE - External XML Entity SAML(SSO), < SOAP 1.2 ❏ XML Upload from untrusted sources ❏ Disable XML external entity and DTD processing ❏ Validate XML with XSD
Know Vulnerabilities ❏ OWASP top 10 ❏ CVE/CWE ❏ Code Analysis ❏ Keep Software up to date
Logging & Audit Trail ❏ Local / Unmonitored logs ❏ Audit trail on high-value transactions ❏ Monitoring on suspicious activities
Threat Analysis ❏ All models are wrong but some are useful for us ❏ Allow us to see the Threats ❏ Help figure out priorities ❏ Democratize security ❏ https://threagile.io/
Engineering Friction ❏ Tests, DevOps, ... ❏ Security might cripple engineering capabilities ❏ Security is a Refactoring enabler force ❏ Security is Everybody's jobs
Sec 101 Diego Pacheco

Recommended

Crypto the Go way
Crypto the Go wayCrypto the Go way
Crypto the Go wayEvan J Johnson (Not a CISSP)
 
Secret Management Journey - Here Be Dragons aka Secret Dragons
Secret Management Journey - Here Be Dragons aka Secret DragonsSecret Management Journey - Here Be Dragons aka Secret Dragons
Secret Management Journey - Here Be Dragons aka Secret DragonsMichael Man
 
Web security 101
Web security 101Web security 101
Web security 101Kristaps Kūlis
 
"Introduction to Bug Hunting", Yasser Ali
"Introduction to Bug Hunting", Yasser Ali"Introduction to Bug Hunting", Yasser Ali
"Introduction to Bug Hunting", Yasser AliHackIT Ukraine
 
User And Physical Security
User And Physical SecurityUser And Physical Security
User And Physical Securityguest648519
 
Continuous Security in Pipelines
Continuous Security in PipelinesContinuous Security in Pipelines
Continuous Security in PipelinesThoughtworks
 
Microservices
MicroservicesMicroservices
MicroservicesDiego Pacheco
 
Io t slides_iotvillage
Io t slides_iotvillageIo t slides_iotvillage
Io t slides_iotvillageagmoneyy
 

Recommended

Crypto the Go way
Crypto the Go wayCrypto the Go way
Crypto the Go wayEvan J Johnson (Not a CISSP)
 
Secret Management Journey - Here Be Dragons aka Secret Dragons
Secret Management Journey - Here Be Dragons aka Secret DragonsSecret Management Journey - Here Be Dragons aka Secret Dragons
Secret Management Journey - Here Be Dragons aka Secret DragonsMichael Man
 
Web security 101
Web security 101Web security 101
Web security 101Kristaps Kūlis
 
"Introduction to Bug Hunting", Yasser Ali
"Introduction to Bug Hunting", Yasser Ali"Introduction to Bug Hunting", Yasser Ali
"Introduction to Bug Hunting", Yasser AliHackIT Ukraine
 
User And Physical Security
User And Physical SecurityUser And Physical Security
User And Physical Securityguest648519
 
Continuous Security in Pipelines
Continuous Security in PipelinesContinuous Security in Pipelines
Continuous Security in PipelinesThoughtworks
 
Microservices
MicroservicesMicroservices
MicroservicesDiego Pacheco
 
Io t slides_iotvillage
Io t slides_iotvillageIo t slides_iotvillage
Io t slides_iotvillageagmoneyy
 
Architecture 101: Vision, Properties and Skills
Architecture 101: Vision, Properties and SkillsArchitecture 101: Vision, Properties and Skills
Architecture 101: Vision, Properties and SkillsDiego Pacheco
 
Encryption Primer por Cathy Nolan
Encryption Primer por Cathy NolanEncryption Primer por Cathy Nolan
Encryption Primer por Cathy NolanJoao Galdino Mello de Souza
 
SRE 101
SRE 101SRE 101
SRE 101Diego Pacheco
 
Rust
RustRust
RustDiego Pacheco
 
Computer & Data Security
Computer & Data SecurityComputer & Data Security
Computer & Data SecurityFrederik Questier
 
Cloud-Native Microservices
Cloud-Native MicroservicesCloud-Native Microservices
Cloud-Native MicroservicesDiego Pacheco
 
Strong cryptography in PHP
Strong cryptography in PHPStrong cryptography in PHP
Strong cryptography in PHPEnrico Zimuel
 
Encryption by fastech
Encryption by fastechEncryption by fastech
Encryption by fastechAbdulafeez Fasasi
 
Websec
WebsecWebsec
WebsecKristaps Kūlis
 
cryptography-Final.pptx
cryptography-Final.pptxcryptography-Final.pptx
cryptography-Final.pptxkarthikvcyber
 
Developing a Rugged DevOps Approach to Cloud Security
Developing a Rugged DevOps Approach to Cloud SecurityDeveloping a Rugged DevOps Approach to Cloud Security
Developing a Rugged DevOps Approach to Cloud SecurityTechWell
 
Mbs r33 b
Mbs r33 bMbs r33 b
Mbs r33 bSelectedPresentations
 
rsa-usa-2019-keynote-paula-januszkiewicz
rsa-usa-2019-keynote-paula-januszkiewiczrsa-usa-2019-keynote-paula-januszkiewicz
rsa-usa-2019-keynote-paula-januszkiewiczPaula Januszkiewicz
 
Network Security
Network SecurityNetwork Security
Network SecurityJoe Baker
 
Information Security for startups
Information Security for startupsInformation Security for startups
Information Security for startupsStijn Vande Casteele
 
HTTPS, Here and Now
HTTPS, Here and NowHTTPS, Here and Now
HTTPS, Here and NowPhilippe De Ryck
 
CipherLoc_OverviewBrochure (1)
CipherLoc_OverviewBrochure (1)CipherLoc_OverviewBrochure (1)
CipherLoc_OverviewBrochure (1)Michael DeLaGarza
 
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...SecureSoftwareDevOn SecureSoftwareDevOn
 
Introduction to Security (Hardware, Software, Data & Policies)
Introduction to Security (Hardware, Software, Data & Policies)Introduction to Security (Hardware, Software, Data & Policies)
Introduction to Security (Hardware, Software, Data & Policies)Amr Salah
 
Computer Security
Computer SecurityComputer Security
Computer SecurityFrederik Questier
 
Naming Things Book : Simple Book Review!
Naming Things Book : Simple Book Review!Naming Things Book : Simple Book Review!
Naming Things Book : Simple Book Review!Diego Pacheco
 
Continuous Discovery Habits Book Review.pdf
Continuous Discovery Habits Book Review.pdfContinuous Discovery Habits Book Review.pdf
Continuous Discovery Habits Book Review.pdfDiego Pacheco
 

More Related Content

Similar to Sec 101

Architecture 101: Vision, Properties and Skills
Architecture 101: Vision, Properties and SkillsArchitecture 101: Vision, Properties and Skills
Architecture 101: Vision, Properties and SkillsDiego Pacheco
 
Cloud-Native Microservices
Cloud-Native MicroservicesCloud-Native Microservices
Cloud-Native MicroservicesDiego Pacheco
 
Strong cryptography in PHP
Strong cryptography in PHPStrong cryptography in PHP
Strong cryptography in PHPEnrico Zimuel
 
cryptography-Final.pptx
cryptography-Final.pptxcryptography-Final.pptx
cryptography-Final.pptxkarthikvcyber
 
Developing a Rugged DevOps Approach to Cloud Security
Developing a Rugged DevOps Approach to Cloud SecurityDeveloping a Rugged DevOps Approach to Cloud Security
Developing a Rugged DevOps Approach to Cloud SecurityTechWell
 
rsa-usa-2019-keynote-paula-januszkiewicz
rsa-usa-2019-keynote-paula-januszkiewiczrsa-usa-2019-keynote-paula-januszkiewicz
rsa-usa-2019-keynote-paula-januszkiewiczPaula Januszkiewicz
 
Network Security
Network SecurityNetwork Security
Network SecurityJoe Baker
 
CipherLoc_OverviewBrochure (1)
CipherLoc_OverviewBrochure (1)CipherLoc_OverviewBrochure (1)
CipherLoc_OverviewBrochure (1)Michael DeLaGarza
 
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...SecureSoftwareDevOn SecureSoftwareDevOn
 
Introduction to Security (Hardware, Software, Data & Policies)
Introduction to Security (Hardware, Software, Data & Policies)Introduction to Security (Hardware, Software, Data & Policies)
Introduction to Security (Hardware, Software, Data & Policies)Amr Salah
 

Similar to Sec 101 (20)

Architecture 101: Vision, Properties and Skills
Architecture 101: Vision, Properties and SkillsArchitecture 101: Vision, Properties and Skills
Architecture 101: Vision, Properties and Skills
 
Encryption Primer por Cathy Nolan
Encryption Primer por Cathy NolanEncryption Primer por Cathy Nolan
Encryption Primer por Cathy Nolan
 
SRE 101
SRE 101SRE 101
SRE 101
 
Rust
RustRust
Rust
 
Computer & Data Security
Computer & Data SecurityComputer & Data Security
Computer & Data Security
 
Cloud-Native Microservices
Cloud-Native MicroservicesCloud-Native Microservices
Cloud-Native Microservices
 
Strong cryptography in PHP
Strong cryptography in PHPStrong cryptography in PHP
Strong cryptography in PHP
 
Encryption by fastech
Encryption by fastechEncryption by fastech
Encryption by fastech
 
Websec
WebsecWebsec
Websec
 
cryptography-Final.pptx
cryptography-Final.pptxcryptography-Final.pptx
cryptography-Final.pptx
 
Developing a Rugged DevOps Approach to Cloud Security
Developing a Rugged DevOps Approach to Cloud SecurityDeveloping a Rugged DevOps Approach to Cloud Security
Developing a Rugged DevOps Approach to Cloud Security
 
Mbs r33 b
Mbs r33 bMbs r33 b
Mbs r33 b
 
rsa-usa-2019-keynote-paula-januszkiewicz
rsa-usa-2019-keynote-paula-januszkiewiczrsa-usa-2019-keynote-paula-januszkiewicz
rsa-usa-2019-keynote-paula-januszkiewicz
 
Network Security
Network SecurityNetwork Security
Network Security
 
Information Security for startups
Information Security for startupsInformation Security for startups
Information Security for startups
 
HTTPS, Here and Now
HTTPS, Here and NowHTTPS, Here and Now
HTTPS, Here and Now
 
CipherLoc_OverviewBrochure (1)
CipherLoc_OverviewBrochure (1)CipherLoc_OverviewBrochure (1)
CipherLoc_OverviewBrochure (1)
 
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...
 
Introduction to Security (Hardware, Software, Data & Policies)
Introduction to Security (Hardware, Software, Data & Policies)Introduction to Security (Hardware, Software, Data & Policies)
Introduction to Security (Hardware, Software, Data & Policies)
 
Computer Security
Computer SecurityComputer Security
Computer Security
 

More from Diego Pacheco

Naming Things Book : Simple Book Review!
Naming Things Book : Simple Book Review!Naming Things Book : Simple Book Review!
Naming Things Book : Simple Book Review!Diego Pacheco
 
Continuous Discovery Habits Book Review.pdf
Continuous Discovery Habits Book Review.pdfContinuous Discovery Habits Book Review.pdf
Continuous Discovery Habits Book Review.pdfDiego Pacheco
 
Thoughts about Shape Up
Thoughts about Shape UpThoughts about Shape Up
Thoughts about Shape UpDiego Pacheco
 
Encryption Deep Dive
Encryption Deep DiveEncryption Deep Dive
Encryption Deep DiveDiego Pacheco
 
Management: Doing the non-obvious! III
Management: Doing the non-obvious! IIIManagement: Doing the non-obvious! III
Management: Doing the non-obvious! IIIDiego Pacheco
 
Design is not Subjective
Design is not SubjectiveDesign is not Subjective
Design is not SubjectiveDiego Pacheco
 
Architecture & Engineering : Doing the non-obvious!
Architecture & Engineering : Doing the non-obvious!Architecture & Engineering : Doing the non-obvious!
Architecture & Engineering : Doing the non-obvious!Diego Pacheco
 
Management doing the non-obvious II
Management doing the non-obvious II Management doing the non-obvious II
Management doing the non-obvious II Diego Pacheco
 
Testing in production
Testing in productionTesting in production
Testing in productionDiego Pacheco
 
Nine lies about work
Nine lies about workNine lies about work
Nine lies about workDiego Pacheco
 
Management: doing the nonobvious!
Management: doing the nonobvious!Management: doing the nonobvious!
Management: doing the nonobvious!Diego Pacheco
 
Dealing with dependencies
Dealing with dependenciesDealing with dependencies
Dealing with dependenciesDiego Pacheco
 
Dealing with dependencies in tests
Dealing with dependencies in testsDealing with dependencies in tests
Dealing with dependencies in testsDiego Pacheco
 

More from Diego Pacheco (20)

Naming Things Book : Simple Book Review!
Naming Things Book : Simple Book Review!Naming Things Book : Simple Book Review!
Naming Things Book : Simple Book Review!
 
Continuous Discovery Habits Book Review.pdf
Continuous Discovery Habits Book Review.pdfContinuous Discovery Habits Book Review.pdf
Continuous Discovery Habits Book Review.pdf
 
Thoughts about Shape Up
Thoughts about Shape UpThoughts about Shape Up
Thoughts about Shape Up
 
Holacracy
HolacracyHolacracy
Holacracy
 
AWS IAM
AWS IAMAWS IAM
AWS IAM
 
CDKs
CDKsCDKs
CDKs
 
Encryption Deep Dive
Encryption Deep DiveEncryption Deep Dive
Encryption Deep Dive
 
Reflections on SCM
Reflections on SCMReflections on SCM
Reflections on SCM
 
Management: Doing the non-obvious! III
Management: Doing the non-obvious! IIIManagement: Doing the non-obvious! III
Management: Doing the non-obvious! III
 
Design is not Subjective
Design is not SubjectiveDesign is not Subjective
Design is not Subjective
 
Architecture & Engineering : Doing the non-obvious!
Architecture & Engineering : Doing the non-obvious!Architecture & Engineering : Doing the non-obvious!
Architecture & Engineering : Doing the non-obvious!
 
Management doing the non-obvious II
Management doing the non-obvious II Management doing the non-obvious II
Management doing the non-obvious II
 
Testing in production
Testing in productionTesting in production
Testing in production
 
Nine lies about work
Nine lies about workNine lies about work
Nine lies about work
 
Management: doing the nonobvious!
Management: doing the nonobvious!Management: doing the nonobvious!
Management: doing the nonobvious!
 
AI and the Future
AI and the FutureAI and the Future
AI and the Future
 
Dealing with dependencies
Dealing with dependenciesDealing with dependencies
Dealing with dependencies
 
Dealing with dependencies in tests
Dealing with dependencies in testsDealing with dependencies in tests
Dealing with dependencies in tests
 
Kanban 2020
Kanban 2020Kanban 2020
Kanban 2020
 
Lean 2020
Lean 2020Lean 2020
Lean 2020
 

Recently uploaded

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 

Recently uploaded (20)

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 

Sec 101

  • 2. @diego_pacheco ❏ Cat's Father ❏ Head of Software Architect ❏ Agile Coach ❏ SOA/Microservices Expert ❏ DevOps Practitioner ❏ Speaker ❏ Author diegopacheco http://diego-pacheco.blogspot.com.br/ About me... https://diegopacheco.github.io/
  • 3. We are used to Security in the physical world
  • 5. Why should we care? ❏ Ethics ❏ Customer Experience ❏ Brand Integrity ❏ Compliance
  • 6. Defense in depth ❏ NSA ❏ Layers ❏ All IT systems ❏ It’s all about redundancy ❏ AV, Auth, Encryption, MFA, Sandboxes, DMZ, VPN, Firewalls, etc...
  • 7. Least Privilege Principle ❏ Minimum level of access and privilege. ❏ Avoid wide open permissions like * ❏ Avoid Attacker Surface ❏ Spots malware spread
  • 8. Encryption ❏ Symmetric & Asymmetric ❏ Encoding Information ❏ AES Standard ❏ Key Diversity ❏ Envelope Encryption ❏ App vs Storage Encryption ❏ Rotations
  • 9. TLS and mTLS ❏ Privacy and data integrity ❏ Secure Connections ❏ Asymmetric Encryption ❏ Email, Chats, VoIP, HTTPS ❏ mTLS - No Man in the Middle ❏ Rotations
  • 10.
  • 11.
  • 12. Misconfiguration & Error Handler ❏ Unnecessary enable ports ❏ Stacks Traces ❏ Default Passwords ❏ Software Out of Date ❏ Missing Sec configs
  • 13. Input Sanitization ❏ SQL Injection ❏ Prepared Statements ❏ Remote File Inclusion ❏ Paths / Sequences ❏ Always clean user inputs ❏ Use UUIDs
  • 14. XSS (Cross Site Scripting) ❏ JavaScript Injection ❏ Storage (view by admin) ❏ Reflected (back to user) ❏ Latest Browser versions ❏ Requires Sanitization
  • 15. Insecure Serialization/Deserialization ❏ XXE - External XML Entity SAML(SSO), < SOAP 1.2 ❏ XML Upload from untrusted sources ❏ Disable XML external entity and DTD processing ❏ Validate XML with XSD
  • 16. Know Vulnerabilities ❏ OWASP top 10 ❏ CVE/CWE ❏ Code Analysis ❏ Keep Software up to date
  • 17. Logging & Audit Trail ❏ Local / Unmonitored logs ❏ Audit trail on high-value transactions ❏ Monitoring on suspicious activities
  • 18. Threat Analysis ❏ All models are wrong but some are useful for us ❏ Allow us to see the Threats ❏ Help figure out priorities ❏ Democratize security ❏ https://threagile.io/
  • 19. Engineering Friction ❏ Tests, DevOps, ... ❏ Security might cripple engineering capabilities ❏ Security is a Refactoring enabler force ❏ Security is Everybody's jobs