Modern software architectures: security testing, pitfalls and controls

Frazer Lewis

Information Security Specialist, Affiliate of IRM - an Altran Group Company

Today's programmers are empowered. They don't need to procure specialist hardware, they don't need to build physical networks, and they don't need to understand the low-level details of the problem at hand. You see, today's programmers use someone else's hardware, someone else's network, and someone else's software framework. Everything beneath the surface layer of abstraction is someone else's responsibility. The barrier to entry has never been lower, and it is a fantastic time to be involved in technology. Unfortunately, it is easy as a programmer to forget that this great power comes with great responsibility.

Security is not yet a problem that can be abstracted away. Whilst modern platforms help to prevent certain vulnerabilities on a micro scale, they are often combined in a way that results in a sprawling web of interconnected technologies. This building-block approach to software development can produce systems with dauntingly large attack surfaces. The software monolith has become a distributed array of services, each possessing its own technology stack, trust boundaries, and risks.

Traditional security testing is unable to quantify the resilience of this type of software. There are too many entry points, too many edge-cases, and too many "black-boxes" provided by third parties. This is compounded by the now widely adopted "release early, release often" philosophy. An expensive, externally-conducted security "snapshot" soon becomes worthless. It is therefore imperative for security processes to be tightly integrated within the software development process itself.

This presentation will discuss common security pitfalls in modern software development, and the often-overlooked mitigating controls that identify or prevent these weaknesses before they become an exploitable threat.

About Frazer Lewis

Frazer Lewis is an accomplished information security specialist who designs, fortifies, and authoritatively critiques the critical systems depended on by thousands of individuals and businesses alike. He has analysed a broad spectrum of technologies, from hyper-scale distributed databases to autonomous vehicles, and has done so for an equally broad array of multinational corporations.

Frazer shapes security strategy for companies looking to adopt emerging technologies, advising the board and relevant heads of departments. He oversees the development of secure software development life cycles, security policy, training, and the architecture of large multi-technology platforms. He maximises the value of technology whilst minimising its associated risks.

Frazer is also a Lead assessor for the NCSC accredited CHECK Team Leader Penetration Testing technical examination operated by the Cyber Scheme.
