back

Writing secure software

using my blog as example

If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!

Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.

Video duration
00:46:38
Language
English
Abstract
I have previously given talks about security principles and approaches like Least Privilege, TCB Minimization, and Self Sandboxing. The most frequent feedback has been "I don't know how to apply this in practice". So, in this talk, I will show how I applied those principles in a real-world software project: a CRUD web app. My blog.

I introduced dangerous attack surface on purpose so I could some day give a talk about how to apply these techniques to reduce risk. This is that talk.

I will also introduce the concept of append-only data storage.

The end goal of this talk is to show how much more security you can achieve if you don't take an existing architecture and try to sprinkle security over it, but you make architectural decisions with security in mind.

This is rarely done in practice because there is a fundamental disagreement between security and software engineering. Security is about limiting what can be done with the software, while software engineering is about not limiting what can be done with the software.

My goal with this talk is to show what kind of security gains are possible architecturally. You, too, can sleep soundly at night. Even if the software is written in C. Even if you have bad ACLs or a buffer overflow in the software.

Talk ID
11811
Event:
37c3
Day
3
Room
Saal Granville
Start
7:15 p.m.
Duration
01:00:00
Track
Security
Type of
lecture
Speaker
Fefe
Other Artists
Talk Slug & media link
37c3-11811-writing_secure_software
English
0.0% Checking done0.0%
0.0% Syncing done0.0%
0.0% Transcribing done0.0%
100.0% Nothing done yet100.0%
  

Work on this video on Amara!

English: Transcribed until

Last revision: 10 months, 4 weeks ago