Security architecture
Secure architecture for mission-critical systems
Anastasiia Voitova, Head of Security Engineering at Cossack Labs, talked at the DOU Day offline conference about building secure architecture for mission-critical applications. Anastasiia focused on reinforcing the resilience of critical systems to make them secure and reliable.
Data is a new security boundary
As a keynote speaker of this flagship event by OWASP, Anastasiia explains how developers and companies use cutting-edge cryptography and data security approaches when no perimeters and trusted zones exist anymore. In this talk, she starts with data security 101 and gets you through peculiarities of application level encryption (ALE), end-to-end encryption (E2EE), searchable encryption, zero knowledge architectures and zero trust. She demonstrates real-world cases of integrating application level encryption and supporting traditional security controls to protect customers’ data. By the end of the talk, you can have a whole picture how “strong cryptography” becomes “real-world security boundary around sensitive data” and what it takes in different contexts.
React Native security: addressing typical mistakes
Can React Native apps be secure? Is it a leaky abstraction? Julia went in details of React Native architecture, platform usage, and its dependencies. This security talk is designed specially for developers, decision-makers, and tech leads interested in addressing and preventing typical mistakes related to this cross-platform solution from Facebook.
The art of secure architecture
Secure architecture is about decision making. Learn from Julia how it differs from secure coding and what you can do for your developer team to achieve better results while following SSDLC.
iOS vulnerabilities and how to fix them
In this talk, Julia invites app devs and architects to explore common iOS vulnerabilities, outlines popular requirements from OWASP MASVS, enlists examples and paths to make applications more secure.
Secure Authentication. Are you sure you do it right?
Julia unraveled security issues developers should keep in mind to implement SSDLC, gave clues to the secure authentication standards, and shared experience on how to avoid typical auth mistakes in iOS apps.
Use cryptography, don’t learn it
Anastasiia gave a small hardcore cryptographic session and covered usable cryptography and the scenarios which can help app developers to right up their ship in case of cryptography or data security tools misuse. Get in details why boring crypto is actually better than “fun” crypto.
Designing secure architectures the modern way, regardless of stack
Eugene talked about implementing sophisticated defences in constrained environments: ranging from protecting massive power grid SCADA networks to improving end-to-end encryption in small mobile applications. Technological stack doesn’t matter if you focus on the risk assets and design defences around asset lifecycle.
Protecting data in ICS, SCADA and industrial IoT: goals, problems, solutions
Eugene shared our experience and lessons learnt of building secure data aggregation systems with hardware-based encryption, time-series processing and end-to-end security. Learn about our solutions that are integrated into ICS/SCADA networks of industrial operators, extract sensitive data, encrypt it “on the fly” and process separately.
Security engineering: from encryption to software architecture patterns
Public training on security and cryptography engineering conducted jointly by Anastasiia and Jean-Philippe. We focused on solving practical security engineering challenges rather than academic cryptography. We talked about SSDLC and risk management, cryptography and typical cryptographic mistakes, using and misusing APIs, building defence-in-depth for distributed applications.
Designing secure architectures, the modern way
In this talk, Eugene tried to cross the bridge between modern DevOps/SRE practices, systems architecture design and traditional security/risk management. It is driven by lessons learnt from building systems the modern way in high-risk environments with high reliability and security demands, drawing from the experience of protecting governmental secrets, critical infrastructure and preventing banking fraud at scale..
Building SQL firewall: insights from developers
How SQL firewalls can help to protect databases from SQL injections: the main difference from web application firewalls (WAFs), common usage scenarios, pros, and cons. We implemented SQL firewall as part of data encryption proxy Acra, and we will share insights about security and development decisions. Expect a story about parsing SQL protocols, matching rules, hidden dangers of logging, best of configuration and usage patterns.
10 ways open source will hurt security and reliability
We all know how open source is useful. In this talk, Eugene describes the obvious and not very obvious risks that open source brings with it and what are the practical consequences. Learn what you need to pay attention to when selecting components for your new spacecraft to protect it from exploding during takeoff.
"Defense in depth": trench warfare principles for building secure distributed applications
“Defense in depth” is a security engineering pattern, that suggests building an independent set of security controls aimed at mitigating more risks even if the attacker crosses the outer perimeter. During the talk, Anastasiia modeled threats and risks for the modern distributed application, and improved it by building multiple lines of defence. She gave an overview of high-level patterns and exact tools how to build defense in depth for your distributed web applications.
Encryption without magic, risk management without pain
An in-depth technical inquiry about cryptography in a wider context: how it helps to narrow more significant risks to controllable attack surfaces, enables efficient and elegant risk management, and how tools and algorithms sit in a broader context of managing infrastructure-wide risks associated with handling the sensitive data.
Zero-knowledge architectures for mobile applications
The talk focused on real-world problems that ZKA counters, typical cryptographic designs and progress in different spheres of ZKA. The talk also explained the practical approaches useful for mobile developers (implementing data sharing and user collaboration on data in a cloud in a way that makes a mobile app provably secure).
DevOps and security: from the trenches to command centers
DevOps movement emerged as an attempt to build the bridge between people who write code, people who maintain the infrastructure for running it, and people who make the business decisions. These changes have put the emphasis on the new set of techniques and values. These techniques and values can either be beneficial or problematic for the security posture.
End-to-end data turnover: building Zero-knowledge software
Our CTO’s talk on the evolution of end-to-end software, survival within the “everything will be broken” model with the help of employing proper cryptography and trust management, plus a disclosure of some ideas and concepts behind Hermes.
Everything will be broken
Our CTO’s talk about the classic and emerging threat models, a proper understanding of security risks, perception of technical infrastructures ranging from idealistic to realistic, and adopting stronger techniques in the face of the vanishing perimeter and the (sadly) lowering standards of security tools and overall quality of the produced software.