Security from Head to Toe
Security At The Application Level
Damon Hart-Davis
Principal Consultant
Code Red

What is "Application Level"?
• Your application's ability to resist accident and malice
• From use of passwords to survival of building fire
• Maintenance and upgrade needs thought too
Q: Can your contractors edit your warehouse book and which of your competitors will they work for next?

Is "Application Level" Enough?
No, we need to interlock with several other components:
• Physical
• Operating System
• Border and interdepartmental
• Legal
• Operational
Q: How much do you pay the person who handles all your backup tapes?

A Typical Investment Banking System?
• Position database is globally read-write
• Back office uses comment field for complex trades
• Quants and traders keep vital data in their desks
• The CEO says: "We want our high-net-worth individuals to update their portfolio over the Net."
Q: Do your insurers and auditors sleep well at night?

The Risks and Costs?
Systems often end up this way, so what do we need to address at the application level?
• Operational risk, e.g. files being deleted
• Malice, internal or external
• Physical disaster: loss of access to vital data
Q: Can you truthfully declare your system safe and robust on your annual returns?

Don't Panic!
Wisdom from The Hitchhiker's Guide To The Galaxy.
• Not all of your code/data needs to be equally secure
• Analyse what needs to be secure and how much
• Partition systems for "need-to-know"
Q: Could a programming slip in your JSP lose a trade?

Secure Interactions
• Some data can be safely accessed anonymously
• Some access must be secure, e.g. over HTTPS
• Some solutions are off-the-shelf and some will be roll-your-own
Q: How do you originate outgoing HTTPS in code?
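The slide asks how outgoing HTTPS is originated in code, in a Java/JSP setting. The following is an added example, not material from the talk, showing the same point with Python's standard ssl module: the hardened client context beside the "open this up a bit" shortcut that encrypts the link but authenticates nobody, plus an audit function that reports the difference. The optional ca_file for an internal CA and the TLS 1.2 floor are assumptions of this example.

```python
import ssl
import urllib.request


def make_client_context(ca_file=None):
    """Outbound TLS context for originating HTTPS from application code.

    ca_file is an optional PEM bundle for an internal CA (assumption: the
    bank issues certificates for its own services); with None the platform
    trust store is used.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True                      # name in the cert must match the URL host
    ctx.verify_mode = ssl.CERT_REQUIRED            # peers that present no valid cert are refused
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no legacy protocol versions (assumed floor)
    return ctx


def make_lazy_context():
    """The shortcut taken 'to save time': the link is encrypted but the peer is never checked."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # must be cleared before verify_mode may become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return the weaknesses found in a client context; an empty list means acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 allowed")
    return findings


def open_https(url, ctx, timeout=10):
    """Originate the request; refuses plain http so a typo cannot silently downgrade the call."""
    if not url.lower().startswith("https://"):
        raise ValueError("only https:// URLs may be originated with this helper")
    return urllib.request.urlopen(url, context=ctx, timeout=timeout)


if __name__ == "__main__":
    print("hardened:", audit_context(make_client_context()) or "no findings")
    print("lazy:    ", audit_context(make_lazy_context()))
```

The audit function is the piece worth keeping in a release checklist: it turns "is our outgoing HTTPS actually authenticating the other end?" into a question code can answer before each release.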

Key Management
Secure interactions imply key management.
• You have to expect systems to get broken into
• What if you are served with a RIP Section 49 notice?
• What are the pros and cons of hardware keys?
Q: What validity period should your keys have and where do you store keys and their backups?
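The slide's question about validity periods and backup storage is one a small policy check can answer for a whole key inventory. This is an added example, not from the talk: a key record carries its creation date, validity, backup sites and whether it lives in hardware, and a report lists every key that breaches the policy. A short validity bounds what a break-in or a compelled disclosure exposes; the thresholds (30-day warning, 365-day maximum, two backup sites) and the sample inventory are constructed assumptions, not figures from the talk.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class KeyRecord:
    key_id: str
    created: date
    validity_days: int
    backup_sites: tuple        # distinct locations holding a sealed backup copy
    in_hsm: bool               # private key held in hardware, never exported in clear


def rotation_report(keys, today, warn_days=30, max_validity_days=365, min_backup_sites=2):
    """Flag keys that breach the policy. Thresholds are assumptions of this example."""
    report = {"expired": [], "rotate_soon": [], "validity_too_long": [],
              "under_backed_up": [], "software_key": []}
    for k in keys:
        expires = k.created + timedelta(days=k.validity_days)
        if expires <= today:
            report["expired"].append(k.key_id)
        elif (expires - today).days <= warn_days:
            report["rotate_soon"].append(k.key_id)
        if k.validity_days > max_validity_days:       # a long-lived key exposes more if broken into
            report["validity_too_long"].append(k.key_id)
        if len(set(k.backup_sites)) < min_backup_sites:   # one building fire must not lose the key
            report["under_backed_up"].append(k.key_id)
        if not k.in_hsm:                              # software key: the hardware-key trade-off
            report["software_key"].append(k.key_id)
    return report


# Constructed sample inventory for the demonstration; not real keys, dates or sites.
SAMPLE_KEYS = (
    KeyRecord("trade-signing-2000", date(2000, 1, 1), 365, ("vault-london", "vault-leeds"), True),
    KeyRecord("web-tls-2001", date(2001, 1, 15), 90, ("vault-london",), False),
    KeyRecord("db-encrypt", date(2000, 9, 1), 730, ("vault-london", "vault-leeds", "tape-offsite"), True),
    KeyRecord("mq-2001", date(2001, 2, 10), 30, ("vault-london", "vault-leeds"), True),
)
AS_OF = date(2001, 3, 1)


def demo_report():
    return rotation_report(SAMPLE_KEYS, AS_OF)


if __name__ == "__main__":
    for finding, ids in demo_report().items():
        print(f"{finding:18s} {ids}")
```

Run as a scheduled job, the report is also a monitoring signal: an "expired" or "under_backed_up" entry is a failure that should page operations, not sit in a spreadsheet.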

Tunnelling and Remote Access
• CORBA/RMI/etc tunnels expose your entire system
• Don't be lazy; design, write and test narrow interfaces
• Remote/home access has much the same effect
Q: Are you thinking "Need-to-know"?
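This added example (not code from the talk) illustrates both the "Don't Panic" slide's need-to-know partitioning and this slide's narrow interfaces. A naive remoting tunnel lets a caller reach every method of an internal object by name, housekeeping operations included; the narrow dispatcher exports only a named set of methods, each with the roles allowed to call it and a validator for its arguments. The PositionBook object, the role names and the validation limits are constructed for the illustration.

```python
class InterfaceError(Exception):
    """Raised when a remote call does not fit the exported interface."""


class PositionBook:
    """Internal object. Exporting it wholesale is the tunnel the slide warns about."""

    def __init__(self):
        self._positions = {"ACME": 100}          # constructed sample position

    def get_position(self, symbol):
        return self._positions.get(symbol, 0)

    def book_trade(self, symbol, qty):
        self._positions[symbol] = self._positions.get(symbol, 0) + qty
        return self._positions[symbol]

    def wipe(self):
        """Operational housekeeping that must never be reachable remotely."""
        self._positions.clear()
        return True


def tunnel_dispatch(obj, method, *args):
    """Naive remoting: any attribute of the object is reachable by name."""
    return getattr(obj, method)(*args)


def _valid_symbol(symbol):
    return isinstance(symbol, str) and symbol.isalpha() and symbol.isupper() and len(symbol) <= 6


def _valid_trade(symbol, qty):
    return _valid_symbol(symbol) and isinstance(qty, int) and 0 < abs(qty) <= 1_000_000


# Need-to-know: each exported method names the roles that may call it and a validator.
# Anything not listed here (wipe, private attributes) does not exist to a remote caller.
EXPORTED = {
    "get_position": {"roles": {"trader", "back-office", "auditor"}, "validate": _valid_symbol},
    "book_trade": {"roles": {"trader"}, "validate": _valid_trade},
}


def narrow_dispatch(obj, caller_role, method, *args):
    spec = EXPORTED.get(method)
    if spec is None:
        raise InterfaceError(f"{method!r} is not exported")
    if caller_role not in spec["roles"]:
        raise InterfaceError(f"role {caller_role!r} may not call {method!r}")
    try:
        ok = spec["validate"](*args)
    except TypeError:                       # wrong number of arguments
        ok = False
    if not ok:
        raise InterfaceError(f"arguments rejected for {method!r}")
    return getattr(obj, method)(*args)


if __name__ == "__main__":
    book = PositionBook()
    print("trader books 5:", narrow_dispatch(book, "trader", "book_trade", "ACME", 5))
    try:
        narrow_dispatch(book, "trader", "wipe")
    except InterfaceError as e:
        print("refused:", e)
```

The EXPORTED table is the interface to design, write and test: it is short enough to review at each release, and a method that is not in it cannot be opened up by accident.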

Testing and Monitoring
Any significant exposed app should be regularly tested:
• For performance
• For correct/safe response to all inputs
Tests should be performed:
• At the unit level
• At integration and release
• 24x7 with paging to ops in case of any failure
Q: Do you monitor your system for success and failure?
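Two of the slide's points can be made concrete in a few lines: "correct/safe response to all inputs" and "24x7 with paging to ops in case of any failure". This added example (not from the talk) shows a strict parser for a trade quantity, a sweep that feeds it a constructed set of hostile inputs and reports any input that produced anything other than the one expected rejection, and a check runner whose failures become a page. The parser limits, the input list and the sample checks are constructed assumptions.

```python
import re
from decimal import Decimal


class RejectedInput(ValueError):
    """The one exception callers must handle; any other exception from the parser is a bug."""


QUANTITY_RE = re.compile(r"[0-9]{1,12}(\.[0-9]{1,4})?")   # ASCII digits only, no signs or exponents
MAX_QTY = Decimal("1000000")                                # assumed business limit


def parse_quantity(raw):
    """Parse an untrusted quantity string; reject rather than guess."""
    if not isinstance(raw, str) or len(raw) > 32:
        raise RejectedInput("wrong type or too long")
    text = raw.strip()
    if not QUANTITY_RE.fullmatch(text):
        raise RejectedInput("not a plain decimal quantity")
    qty = Decimal(text)
    if qty <= 0 or qty > MAX_QTY:
        raise RejectedInput("out of range")
    return qty


def robustness_sweep(fn, inputs):
    """Feed every input to fn; 'crashed' lists inputs that raised anything but RejectedInput."""
    result = {"accepted": [], "rejected": [], "crashed": []}
    for item in inputs:
        try:
            fn(item)
            result["accepted"].append(item)
        except RejectedInput:
            result["rejected"].append(item)
        except Exception as exc:                     # unexpected: the slip that could lose a trade
            result["crashed"].append((item, type(exc).__name__))
    return result


# Constructed hostile inputs: empty, signed, non-finite, exponent, underscore, hex, oversized,
# non-ASCII digits, trailing newline, zero, over-limit, and wrong types.
HOSTILE_INPUTS = ["100", "0.5", "", "   ", "-1", "NaN", "1e400", "1_000", "0x10",
                  "100" * 50, "\u0661\u0662\u0663", "1\n", "0", "1000000.01", None, 42, b"100"]


def run_checks(checks):
    """Run named probes; a probe fails if it returns falsy or raises."""
    failed = []
    for name, probe in checks.items():
        try:
            if not probe():
                failed.append(name)
        except Exception:
            failed.append(name)
    return sorted(failed)


def page_message(failed):
    """What the 24x7 monitor sends to ops; None means all checks passed."""
    return None if not failed else "PAGE ops: failing checks: " + ", ".join(failed)


# Constructed sample probes standing in for real reachability/disk/certificate checks.
SAMPLE_CHECKS = {"db_reachable": lambda: True,
                 "disk_free_ok": lambda: False,
                 "cert_valid": lambda: 1 / 0}


if __name__ == "__main__":
    sweep = robustness_sweep(parse_quantity, HOSTILE_INPUTS)
    print("accepted:", sweep["accepted"], "crashed:", sweep["crashed"])
    print(page_message(run_checks(SAMPLE_CHECKS)))
```

The sweep belongs at the unit level and again at release; the check runner is what runs around the clock, and a probe that raises is counted as a failure rather than silently skipped.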

Maintenance: Barnacles that Sink the Ship?
Discipline is vital when maintaining and upgrading.
• Make sure that a design audit is done before release
• Make sure security and other testing is done regularly
• Don't get lazy and "open this up a bit" to save time
Q: Do you do each release as carefully as the first?

Summary
• Application security is vital but not the whole story
• Don't panic; focus technical and business time
• Design your system to allow for failures and break-ins
• Security at the application level is 24x7
Q: Are you thinking "Head to Toe"?