
Security Styles • Eleanor Saitta • GOTO 2022

About this talk

This presentation was recorded at GOTO Amsterdam 2022 (http://gotoams.nl). #GOTOcon #GOTOams

Speaker: Eleanor Saitta, International Security Researcher & Co-founder of Open Source Tool Trike (@eleanorsaitta4486)

Original talk title: What Style of Security Do You Want?

Abstract

There is a spectrum of styles for "doing security" that companies adopt. Eleanor Saitta works with a lot of teams who are just starting out on their security journeys, and folks working in a different style can be a real source of conflict, even when there's sufficient time and investment for security work and a non-antagonistic relationship between teams. In this talk, Eleanor will look at:

• The contexts where each style crops up
• The styles that she steers her clients toward
• And what that implies technically

The past few years have seen a significant increase in attack impact and rate worldwide, and some styles of doing security are notably less effective in a modern attack environment, making it a loaded choice for a team trying to get started [...]

Timecodes

00:00 Intro
00:56 How do you stop phishing?
04:04 How do you work with other teams?
06:18 How do we defend a service?
07:54 How do you handle compliance?
11:27 How do you fix vulnerabilities?
13:42 How do you handle mistakes?
16:11 How do you make decisions?
17:29 Quick tips for starting from zero
20:33 What is a system?
22:35 Properties you care about
24:16 What is security?
26:34 What is resilience?
27:00 Designing for resilient security
27:24 Adversaries
28:28 Personas to examine
30:10 Component principles
30:32 State & logic
30:55 Immutability & ephemerality
32:02 Minimal canonical state
33:12 Unlikability
33:40 Process principles
33:47 Declare, don't program
34:53 Design for failure
35:25 Decentralize decision-making
36:11 Slack
37:35 Outro

Download slides and read the full abstract here: https://gotoams.nl/2022/sessions/1917/what-style-of-security-do-you-want

Recommended books

• Liz Rice • Container Security • https://amzn.to/3oU4iJe
• Liz Rice • Kubernetes Security • https://www.oreilly.com/library/view/kubernetes-security/9781492039075
• Aaron Parecki • OAuth 2.0 Simplified • https://amzn.to/2A3IMOf
• Aaron Parecki • OAuth 2.0 Servers • https://amzn.to/3ecHEsz
• Aaron Parecki • The Little Book of OAuth 2.0 RFCs • https://amzn.to/3i7qnlC
• Erdal Ozkaya • Cybersecurity: The Beginner's Guide • https://amzn.to/2T6OIj3
• Richer & Sanso • OAuth 2 in Action • https://amzn.to/3hXiAH6
• Wilson & Hingnikar • Demystifying OAuth 2.0, OpenID Connect, and SAML 2.0 • https://amzn.to/2U8iLY2
