Playing to lose: making sensible security decisions by assuming the worst

Presented at, Geelong, Australia, on February 5, 2016

The unfortunate truth about networked applications is that an attacker only needs to know one thing you didn’t know to get past your defenses. You need to know everything, they don’t.

The odds are not in your favour. You’re eventually going to get hacked.

That’s the bad news. But if you stop thinking about a security compromise as that thing you close your eyes and hope never happens”, and instead start thinking about it as an inevitability, then you can start making better security decisions.

“If they compromise my web servers, how do I protect my application servers?”

“If they break my application server code, how can I prevent them from gaining a foothold on my infrastructure?”

“If they poison my web-site with cross-site scripting, how do I find out before my users get hurt?”

In short: “If I’m going to get hacked, how do I make it hurt less?”

This is a talk about defense in depth.

Building a secure system isn’t about luck, it’s about planning.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: