Secure by Design

Posted on Thursday, Apr 9, 2020
Jessica chats with Dan Bergh Johnsson, Daniel Deogun, Daniel Sawano - authors of the book Secure by Design

Show Notes

Secure By Design

Guests Dan Bergh Johnsson, Daniel Deogun, and Daniel Sawano join host Jessica Kerr to discuss their book Secure by Design.

Daniel: “There’s a lot of good designs which come naturally to us as programmers but which have the interesting side effect that they also prevent security-related bugs.”

Domain Primitives

The panel discusses domain primitives as an example of coding practices that naturally provide security through good design.

Dan Bergh: “It’s a good starting point to understand that using domain-driven design not only makes your code more expressive, solves more domain problems. Even though these designs were not crafted to address security to start with, they’ve also had that as a side effect.”

Jessica: “I love that what you’re recommending in this part is to think harder about what you do want in the system, express that in the code, and suddenly a bunch of things that you don’t want in the system just aren’t.”

Testing

The panel talks about the ways in which testing contributes to secure design.

Daniel Sawano: “It tends to be so much easier and more robust if you start defining your own domain types.”

Immutability

The panel discusses the benefits of immutability.

Dan Bergh: “It’s possible to…configure and mutate them until they are kind of safe-ish.” Jessica: “Kind of safe-ish?” Dan Bergh: “Well, we are on a DevOps podcast.”

Logging

The panel talks about the security implications of logging practices.

Daniel Deogun: “One thing that’s very important is that if you log input directly into your logs, it becomes an attack surface for second-order injection attacks.”

Dan Bergh: “It’s a perfect launchpad for doing a really, really hard attack inside your system.”

Daniel Deogun: “The common mistake that many developers do is that they more or less dump inputs blindly.”

Jessica: “We have this illusion that logging is simple, but it isn’t.”

Cloud Thinking

The panel discusses the chapter on cloud thinking.

Dan Bergh: “In a way, we’re instructing the system to become more intelligent.”

Symmathesy!

The book is available online in its entirety.

Guests

Daniel Deogun


Dan Bergh Johnsson, Daniel Deogun, and Daniel Sawano are authors of the book Secure by Design and have collectively been working with security and development for several decades. They are developers at heart and understand that security is often a side-concern. They’ve also evolved work habits that enable them to develop systems in a way that promotes security while focusing on high-quality design habits – something that’s easier for developers to keep in mind during their daily work. All are established international speakers and often present at conferences on topics regarding high-quality development and security.

Dan Bergh Johnsson


Daniel Sawano


Hosts

Jessica Kerr


Jessitron is a consultant as Jessitron, LLC. You can hire her to symmathesize with your team. She is into resilience engineering, domain-driven design, and of course DevOps – all the systems-thinky things. She works remotely from St. Louis, MO, where she raises two daughters. Find her also on >Code, and at conferences around the world.

