Guests Dan Bergh Johnsson, Daniel Deogun, and Daniel Sawano join host Jessica Kerr to discuss their book Secure by Design.
Daniel: “There’s a lot of good designs which come naturally to us as programmers but which has the interesting side effect that they also prevent security-related bugs.”
The panel discusses domain primitives as an example of coding practices that naturally provide security through good design.
Dan Bergh: “It’s a good starting point to understand that using domain-driven design not only makes your code more expressive, solves more domain problems. Even though these designs were not crafted to address security to start with, they’ve also had that as a side effect.”
Jessica: “I love that what you’re recommending in this part is to think harder about what you do want in the system, express that in the code, and suddenly a bunch of things that you don’t want in the system just aren’t.”
The panel talks about the ways in which testing contributes to secure design.
Daniel Sawano: “It tends to be so much easier and more robust if you start defining your own domain types.”
The panel discusses the benefits of immutability.
Dan Berg: “It’s possible to…configure and mutate them until they are kind of safe-ish.” Jessica: “Kind of safe-ish?” Dan Berg: “Well, we are on a DevOps podcast.”
The panel talks about the security implications of logging practices.
Daniel Deogan: “One thing that’s very important is that if you log input directly into your logs, it becomes an attack surface for second-order injection attacks.”
Dan Bergh: “It’s a perfect launchpad for doing a really, really hard attack inside your system.”
Daniel Deogan: “The common mistake that many developers do is that they more or less dump inputs blindly.”
Jessica: “We have this illusion that logging is simple, but it isn’t.”
The panel discusses the chapter on cloud thinking.
Dan Bergh: “In a way, we’re instructing the system to become more intelligent.”
The book is available online in its entirety.
Dan Bergh Johnsson, Daniel Deogun, and Daniel Sawano are authors of the book Secure by Design and have collectively been working with security and development for several decades. They are developers at heart and understand that security is often a side-concern. They’ve also evolved work habits that enable them to develop systems in a way that promotes security while focusing on high-quality design habits – something that’s easier for developers to keep in mind during their daily work. All are established international speakers and often present at conferences on topics regarding high-quality development and security.
Dan Bergh Johnsson, Daniel Deogun, and Daniel Sawano are authors of the book Secure by Design and have collectively been working with security and development for several decades. They are developers at heart and understand that security is often a side-concern. They’ve also evolved work habits that enable them to develop systems in a way that promotes security while focusing on high-quality design habits – something that’s easier for developers to keep in mind during their daily work. All are established international speakers and often present at conferences on topics regarding high-quality development and security.
Dan Bergh Johnsson, Daniel Deogun, and Daniel Sawano are authors of the book Secure by Design and have collectively been working with security and development for several decades. They are developers at heart and understand that security is often a side-concern. They’ve also evolved work habits that enable them to develop systems in a way that promotes security while focusing on high-quality design habits – something that’s easier for developers to keep in mind during their daily work. All are established international speakers and often present at conferences on topics regarding high-quality development and security.
Jessitron is a symmathecist in the medium of code. She works at Honeycomb in developer relations. She writes about software and system on her blog at Jessitron.com. She teaches workshops on Systems Thinking, and makes courses on Graceful.dev. She is into resilience engineering, domain-driven design, and of course DevOps – all the systems-thinky things. She lives in St. Louis, MO, where she raises two children and their cats. Find her also on >Code, and at conferences around the world.