instantiator.dev

© Lewis Westbury 2024

Software Self-Defence 101

The first time I met Glyn Wintle, I embarrassed myself.

I don’t remember exactly what I said, but it was one of those sentences that starts with “But surely…”

Glyn was explaining (with glee, I might add!) how what sounded like a simple attack on a system could evade detection. It all seemed so straightforward to mitigate, but of course I was wrong to assume that meant the right protections were actually in place!

I am serious, and don’t call me Shirley

Software and Systems Security is a field where your best assumptions can be turned on their head… It’s hard to do well, and nobody knows that better than the people who attack your systems. Glyn is a penetration tester, and one of the most competent people I know.

If you think someone won’t attack you because it might require a lot of effort, you may have underestimated how easily things can be automated.

If you think you’re not a target because you don’t stand out, you may have forgotten how quick and easy it is to find thousands of victims on the internet.

If you think it’s too expensive to attack you, think again about the potential returns, how many others could be vulnerable to the same attack, and the ways an attacker could use your own resources or people against you!

Security is unlikely to stop growing in importance any time soon and, despite some misconceptions still floating around, it can’t exist in isolation. Too many projects in both government and industry treat “the security review” as an extra step, done once, which leads to a certification. Acting in this way creates risks for your project.

So what can you do to keep your users and data safe?

Secure coding should be integrated with development from the start of every piece of work, and earlier still: at the point where a design is committed to, before any code exists.

Instead of waiting for a security review, software developers should be considering how everything they compose could be attacked, and how to mitigate each new risk as it is introduced… from SQL injection against databases holding sensitive data, to abuse of input fields that accept anything at all.
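As an added illustration of the two cases the paragraph names (this is example code written for this page, not code from the post or from Glyn's talk), the block below puts a string-spliced SQL lookup next to its parameterised fix, and then constrains the "accept anything" username field with a length and character allowlist. The users table, its rows and the attacker string are all constructed for the example; SQLite is used only because it runs in memory with no setup.

```python
"""Added example, not from the original post: SQL injection via string
splicing versus a bound parameter, plus input validation for a field that
would otherwise accept anything. Sample data is constructed inline."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample table: an assumption for this example only.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Deliberately vulnerable: the caller's string becomes part of the SQL
    # text. A single quote in the input ends the literal and whatever
    # follows is parsed as SQL, so "' OR '1'='1" matches every row.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Fix: bind the value as a parameter. The query text is fixed and the
    # value travels separately, so it is compared, never interpreted.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Allowlist for the username field: 3 to 32 chars, lowercase letters,
# digits and underscore, starting with a letter. The exact policy is an
# assumption; the point is that the field has one.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_username(value: str) -> str:
    # Reject anything outside the allowlist before it reaches a query,
    # a log line, or an HTML template.
    if not USERNAME_RE.fullmatch(value):
        raise ValueError(f"invalid username: {value!r}")
    return value


def lookup_validated(conn: sqlite3.Connection, username: str) -> list:
    # Defence in depth: validate the input and still bind it as a parameter.
    return lookup_safe(conn, validate_username(username))


if __name__ == "__main__":
    db = make_db()
    attack = "' OR '1'='1"  # constructed attacker input
    print("vulnerable:", lookup_vulnerable(db, attack))  # leaks both rows
    print("safe:      ", lookup_safe(db, attack))        # []
    try:
        lookup_validated(db, attack)
    except ValueError as err:
        print("validated: ", err)
```

Note that validation alone is not the fix for injection: a username field with a sensible allowlist happens to exclude quotes, but a free-text field (a comment, a display name with apostrophes) legitimately contains them, and only the bound parameter keeps those safe. Validation limits what an attacker can put into every downstream sink at once; parameterisation removes this particular sink's interpretation problem entirely.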

Give your developers measurable security goals, so that feedback on vulnerabilities in the project's code base is continuous and the number of open ones keeps falling, rather than arriving all at once at review time.

All software has bugs and vulnerabilities, and you’ll never find them all — but by raising awareness of security throughout the development cycle, your software stands a chance of becoming a tough target.

Police Rewired are hosting Glyn Wintle’s talk “Software Self-Defence 101” at Newspeak House on Wednesday 18 April 2018.

Come and hear from an expert about how you can protect your users, and some spectacular bloopers you can avoid!

If you’re a developer, designer, software architect or maker, and you’re ready to take the first step towards learning how to keep your users safe, this is for you!
