Modern software architectures: security testing, pitfalls and controls
Information Security Specialist, Affiliate of IRM - an Altran Group Company
Today's programmers are empowered. They don't need to procure specialist hardware, they don't need to build physical networks, and they don't need to understand the low-level details of the problem at hand. You see, today's programmers use someone else's hardware, someone else's network, and someone else's software framework. Everything beneath the surface layer of abstraction is someone else's responsibility. The barrier to entry has never been lower, and it is a fantastic time to be involved in technology. Unfortunately, it is easy as a programmer to forget that this great power comes with great responsibility.
Security is not yet a problem that can be abstracted away. Whilst modern platforms help to prevent certain vulnerabilities on a micro scale, they are often combined in a way that results in a sprawling web of interconnected technologies. This building-block approach to software development can produce systems with dauntingly large attack surfaces. The software monolith has become a distributed array of services, each possessing its own technology stack, trust boundaries, and risks.
Traditional security testing is unable to quantify the resilience of this type of software. There are too many entry points, too many edge-cases, and too many "black-boxes" provided by third parties. This is compounded by the now widely adopted "release early, release often" philosophy. An expensive, externally-conducted security "snapshot" soon becomes worthless. It is therefore imperative for security processes to be tightly integrated within the software development process itself.
This presentation will discuss common security pitfalls in modern software development, and the often-overlooked mitigating controls that identify or prevent these weaknesses before they become an exploitable threat.