Date posted: 08-Jun-2015 | Category: Internet | Uploaded by: amod-malviya
Security & Application Development
Amod Malviya, CTO at Flipkart, Security freak
@amodm

Statutory Warning
I upset (some) people in my talks
The Illusion of security
So, what’s the illusion?
I am secure
“Somebody” is taking care of security for me
A wave of a “magic wand” is sufficient
The “enemy” is outside
A “security first” culture
Security can never be an afterthought

A “security first” culture
Starts inside out (and top down), not the other way around
An integral part of the SDLC

Developers
Writing secure code: Get them trained… Continuously!
Myth: “Backend” == not at risk
When did you last block a release due to a security issue?
A “security first” culture
Get me the Prime Minister!

A “security first” culture
Production Management
Security issues rank higher than every single P0
Call out a dedicated team
Intelligently mix security vendors
Internet hygiene
Have a mechanism to report security issues
Interplay with 3P (third-party) apps

Interplay with 3P apps
Understand the details (design, architecture)
Assume vulnerability
Treat 3P as an attack vector
SOP for the public internet
Firewalling
DMZ (for the components that interact with 3P systems)
Security audits
Much higher risk on “backend” 3P systems
Tying it all together
Tools
Don’t stop at the tools – an internal culture is necessary!
Augment (multiplexed) vendors with in-house staff
Have a hotline! And a well-defined (and tight!) TAT (turnaround time) for security issues

For in-house development
Have developers trained on building secure code
Build security testing/review into your SDLC

For 3P development/software
Demand security audit results
Evaluate whether security is ingrained or an afterthought
Understand the design and architecture – identify risk zones

Thank You
Reach me @amodm
Image Credits: Google Images