ajit - immune it: moving from security to immunity - clubhack2008
TRANSCRIPT
Immune IT: Moving from Security to Immunity...
-Ajit Hatti
ClubHack 2008 Presentation
Contents - I
Security : What is it?
Security : Why we need it?
Security : How we see it?
Security : What does it cost?
Security : Do we own it?
Security : How much is adequate?
Contents II
Immunity : What is it?
Immunity : How much does it cost?
Immunity : Who is responsible?
Immunity : How to get it?
Contents III
Requirement Gathering & Analysis
Designing a Solution
Coding & Reviews
Testing
Documentation/User Guide
Deployment
Maintenance
Security : What is it?
Security: Why do we need it?
Security: How we see it?
Security : What does it cost?
Average annual security overheads incurred at major organizations:
Expense incurred on security system - 20%
Computational resources engaged in security operations - 15%
Each person spending time on securing personal assets - 21%
Latency introduced due to security operations per connection - 2 sec / MB.
Data transfer only for security updates - 17 %
And these figures are bound to increase. (http://www.itbusinessedge.com/blogs/top/?p=207)
Security : Do we own it?
Security: How much is adequate?
Immunity: What is it?
Immunity: How much does it cost?
Immunity: Who is Responsible?
Immunity: How to achieve it?
Embedding security in each and every step of our engineering process.
Practice Security; integrate it in all operations.
Greater awareness.
Requirement Gathering & Analysis
Implicit Security Considerations
Explicit Security Considerations
Designing a Solution
Confidentiality: Enforcing access privileges. Encryption & leakage prevention.
Integrity: Defining the limits. Backup and recovery.
Availability: Business continuity plan. Troubleshooting & failure recovery support.
Coding and Reviews
Code should be: less (as little as needed), clear, secure.
Review for: validations, possible memory corruptions, initializations.
Testing
Sanity checks. Challenging access control. Fuzzing. Vulnerability and pen-testing. Dogfooding.
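The review items above (validations, possible memory corruptions, initializations) and the testing items (sanity checks, fuzzing) are easiest to see on a concrete piece of code. The following is an added example written for this transcript, not code from the talk: a small parser for an assumed message format (one length byte followed by that many payload bytes, copied into a 32-byte buffer), first as a reviewer would find it and then hardened, followed by a deterministic fuzz loop that checks the hardened version against the invariants the review was looking for. The names parse_record_unsafe, parse_record and fuzz_parse_record and the format itself are assumptions for illustration.

```c
/* Added example (not from the talk). Assumed message format:
 *   byte 0     : payload length N
 *   bytes 1..N : payload
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAYLOAD_MAX 32

struct record {
    uint8_t len;
    uint8_t payload[PAYLOAD_MAX];
};

/* The "before" of the review. Finding 1 (validation / memory corruption):
 * the declared length is trusted, so a length byte above 32 overflows
 * rec->payload and a length beyond msg_len reads past the end of msg.
 * Finding 2 (initialization): bytes of payload past len are never set,
 * so stale memory is handed to the caller. Kept only for comparison. */
int parse_record_unsafe(const uint8_t *msg, size_t msg_len, struct record *rec)
{
    if (msg_len < 1)
        return -1;
    rec->len = msg[0];
    memcpy(rec->payload, msg + 1, rec->len);   /* unchecked length */
    return 0;
}

/* Hardened version: output initialized before any copy, and the length
 * checked against both the destination buffer and the input buffer. */
int parse_record(const uint8_t *msg, size_t msg_len, struct record *rec)
{
    if (msg == NULL || rec == NULL)
        return -1;
    memset(rec, 0, sizeof *rec);               /* initialize output first */
    if (msg_len < 1)
        return -1;                              /* no length byte */
    uint8_t n = msg[0];
    if (n > PAYLOAD_MAX)
        return -1;                              /* would overflow payload */
    if ((size_t)n > msg_len - 1)
        return -1;                              /* would read past msg */
    rec->len = n;
    memcpy(rec->payload, msg + 1, n);
    return 0;
}

/* xorshift32: a fixed-seed pseudo-random source so every fuzz run is
 * reproducible (no libc rand()). */
static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Minimal fuzz loop: feed `iters` random messages of random length to the
 * hardened parser and check the invariants a reviewer cares about. Guard
 * bytes around the record catch out-of-bounds writes without a sanitizer.
 * Returns the number of invariant violations (0 on a clean run). */
int fuzz_parse_record(uint32_t seed, int iters)
{
    uint8_t buf[64];
    int violations = 0;
    uint32_t s = seed ? seed : 1;
    for (int i = 0; i < iters; i++) {
        size_t len = xorshift32(&s) % sizeof buf;  /* 0..63, includes empty */
        for (size_t j = 0; j < len; j++)
            buf[j] = (uint8_t)xorshift32(&s);
        struct { uint8_t g0[8]; struct record r; uint8_t g1[8]; } box;
        memset(&box, 0xA5, sizeof box);
        if (parse_record(buf, len, &box.r) == 0) {
            /* accepted messages must be well-formed and fully copied */
            if (box.r.len > PAYLOAD_MAX || (size_t)box.r.len > len - 1)
                violations++;
            if (memcmp(box.r.payload, buf + 1, box.r.len) != 0)
                violations++;
            /* initialization: bytes past len must be zero, never stale */
            for (size_t k = box.r.len; k < PAYLOAD_MAX; k++)
                if (box.r.payload[k] != 0) { violations++; break; }
        }
        /* guard bytes must be untouched whatever the result */
        for (size_t k = 0; k < 8; k++)
            if (box.g0[k] != 0xA5 || box.g1[k] != 0xA5) { violations++; break; }
    }
    return violations;
}

int main(void)
{
    const uint8_t good[] = {5, 'h', 'e', 'l', 'l', 'o'};   /* constructed */
    const uint8_t bad[] = {200, 'x'};          /* claims 200 bytes, has 1 */
    struct record r;
    int rc = parse_record(good, sizeof good, &r);
    printf("good: rc=%d len=%u\n", rc, r.len);
    printf("bad:  rc=%d\n", parse_record(bad, sizeof bad, &r));
    printf("fuzz violations: %d\n", fuzz_parse_record(0x1234, 100000));
    return 0;
}
```

The sanity checks are the fixed good and bad messages in main; the fuzz loop is what exercises the lengths and truncations a hand-written test would not think of. A real harness would drive the same parse_record from a coverage-guided fuzzer and build with AddressSanitizer instead of relying on guard bytes, but the invariants it checks stay the same.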
Documentation/User Guides
Enforcing access control & encryption. Changing the default configurations, settings and passwords. Methods of backup and recovery, etc. Advisory on best practices, do's and don'ts. Known issues and workarounds.
Deployment & Maintenance
Deploy the solution with the most secure configuration that is feasible. Follow best practices. Apply the security updates and patches provided by vendors. Conduct security audits of the system.
Conclusion
Security is defined by CIA. Addressing CIA at each phase of engineering results in immunity. Security must be integrated in our thoughts, processes and operations. Immunity comes through ownership of security.