KEMBAR78
Sec 101 | PDF
Diego Pacheco, profile picture
Uploaded byDiego Pacheco
PDF, PPTX263 views

Sec 101

This document profiles Diego Pacheco and provides an overview of key software security principles including defense in depth, the least privilege principle, encryption, TLS and mTLS, misconfiguration and error handling, input sanitization, cross-site scripting (XSS), insecure serialization/deserialization, known vulnerabilities, logging and audit trails, threat analysis, and engineering friction. The document emphasizes applying security best practices to protect customer experience, brand integrity, and compliance while avoiding friction for engineering teams.

Download as PDF, PPTX
Sec 101 Diego Pacheco
@diego_pacheco ❏ Cat's Father ❏ Head of Software Architect ❏ Agile Coach ❏ SOA/Microservices Expert ❏ DevOps Practitioner ❏ Speaker ❏ Author diegopacheco http://diego-pacheco.blogspot.com.br/ About me... https://diegopacheco.github.io/
We are used to Security in the physical world
Software Security
Why should we care? ❏ Ethics ❏ Customer Experience ❏ Brand Integrity ❏ Compliance
Defense in depth ❏ NSA ❏ Layers ❏ All IT systems ❏ It’s all about redundancy ❏ AV, Auth, Encryption, MFA, Sandboxes, DMZ, VPN, Firewalls, etc...
Least Privilege Principle ❏ Minimum level of access and privilege. ❏ Avoid wide open permissions like * ❏ Avoid Attacker Surface ❏ Spots malware spread
Encryption ❏ Symmetric & Asymmetric ❏ Encoding Information ❏ AES Standard ❏ Key Diversity ❏ Envelope Encryption ❏ App vs Storage Encryption ❏ Rotations
TLS and mTLS ❏ Privacy and data integrity ❏ Secure Connections ❏ Asymmetric Encryption ❏ Email, Chats, VoIP, HTTPS ❏ mTLS - No Man in the Middle ❏ Rotations
Misconfiguration & Error Handler ❏ Unnecessary enable ports ❏ Stacks Traces ❏ Default Passwords ❏ Software Out of Date ❏ Missing Sec configs
Input Sanitization ❏ SQL Injection ❏ Prepared Statements ❏ Remote File Inclusion ❏ Paths / Sequences ❏ Always clean user inputs ❏ Use UUIDs
XSS (Cross Site Scripting) ❏ JavaScript Injection ❏ Storage (view by admin) ❏ Reflected (back to user) ❏ Latest Browser versions ❏ Requires Sanitization
Insecure Serialization/Deserialization ❏ XXE - External XML Entity SAML(SSO), < SOAP 1.2 ❏ XML Upload from untrusted sources ❏ Disable XML external entity and DTD processing ❏ Validate XML with XSD
Know Vulnerabilities ❏ OWASP top 10 ❏ CVE/CWE ❏ Code Analysis ❏ Keep Software up to date
Logging & Audit Trail ❏ Local / Unmonitored logs ❏ Audit trail on high-value transactions ❏ Monitoring on suspicious activities
Threat Analysis ❏ All models are wrong but some are useful for us ❏ Allow us to see the Threats ❏ Help figure out priorities ❏ Democratize security ❏ https://threagile.io/
Engineering Friction ❏ Tests, DevOps, ... ❏ Security might cripple engineering capabilities ❏ Security is a Refactoring enabler force ❏ Security is Everybody's jobs
Sec 101 Diego Pacheco

More Related Content

PPTX
Crypto the Go way
byEvan J Johnson (Not a CISSP)
 
PDF
Secret Management Journey - Here Be Dragons aka Secret Dragons
byMichael Man
 
PDF
Web security 101
byKristaps Kūlis
 
PPTX
"Introduction to Bug Hunting", Yasser Ali
byHackIT Ukraine
 
PDF
User And Physical Security
byguest648519
 
PDF
Continuous Security in Pipelines
byThoughtworks
 
PDF
Mobile Inception - Web API Security
byMobileInception
 
PDF
TUD CS4105 | 2015 | Lecture 1
byEelco Visser
 
Crypto the Go way
byEvan J Johnson (Not a CISSP)
 
Secret Management Journey - Here Be Dragons aka Secret Dragons
byMichael Man
 
Web security 101
byKristaps Kūlis
 
"Introduction to Bug Hunting", Yasser Ali
byHackIT Ukraine
 
User And Physical Security
byguest648519
 
Continuous Security in Pipelines
byThoughtworks
 
Mobile Inception - Web API Security
byMobileInception
 
TUD CS4105 | 2015 | Lecture 1
byEelco Visser
 

Similar to Sec 101

PPTX
Security Design Principles for developing secure application .pptx
byazida3
 
PPTX
Security Compensation - How to Invest in Start-Up Security
byChristopher Grayson
 
PPT
network security for mobile and others types
byAbdullahOmar704132
 
PDF
Oracle ADF Architecture TV - Design - Designing for Security
byChris Muir
 
PDF
Websec
byKristaps Kūlis
 
PPTX
Enterprise Cloud Security - Concepts Mash-up
byDileep Kalidindi
 
PPTX
How to write secure code
byFlaskdata.io
 
PPT
3.Secure Design Principles And Process
byphanleson
 
ODP
PLMCE - Security and why you need to review yours
byDavid Busby, CISSP
 
PDF
Manage your privacy and security online
byChristopherTalib
 
PDF
SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...
bySBA Research
 
PPTX
Chapter 2 System Security.pptx
byRushikeshChikane2
 
PDF
The SSL Problem and How to Deploy SHA2 Certificates
byGabriella Davis
 
PPTX
Keeping Secrets on the Internet of Things - Mobile Web Application Security
byKelly Robertson
 
PDF
What Every Software Engineer Should Know About Security and Encryption
byAll Things Open
 
PPTX
Managing Technical Debt .pptx
bymageerauldnzsti
 
PPT
1 security goals
bydrewz lin
 
PDF
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
PDF
Eat Your Vegetables - Data Security for Data Scientists
byWilliam Voorhees
 
PDF
20071015 Architecting Enterprise Security
byDavid Chou
 
Security Design Principles for developing secure application .pptx
byazida3
 
Security Compensation - How to Invest in Start-Up Security
byChristopher Grayson
 
network security for mobile and others types
byAbdullahOmar704132
 
Oracle ADF Architecture TV - Design - Designing for Security
byChris Muir
 
Websec
byKristaps Kūlis
 
Enterprise Cloud Security - Concepts Mash-up
byDileep Kalidindi
 
How to write secure code
byFlaskdata.io
 
3.Secure Design Principles And Process
byphanleson
 
PLMCE - Security and why you need to review yours
byDavid Busby, CISSP
 
Manage your privacy and security online
byChristopherTalib
 
SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...
bySBA Research
 
Chapter 2 System Security.pptx
byRushikeshChikane2
 
The SSL Problem and How to Deploy SHA2 Certificates
byGabriella Davis
 
Keeping Secrets on the Internet of Things - Mobile Web Application Security
byKelly Robertson
 
What Every Software Engineer Should Know About Security and Encryption
byAll Things Open
 
Managing Technical Debt .pptx
bymageerauldnzsti
 
1 security goals
bydrewz lin
 
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
Eat Your Vegetables - Data Security for Data Scientists
byWilliam Voorhees
 
20071015 Architecting Enterprise Security
byDavid Chou
 

More from Diego Pacheco

PDF
Naming Things Book : Simple Book Review!
byDiego Pacheco
 
PDF
Continuous Discovery Habits Book Review.pdf
byDiego Pacheco
 
PDF
Thoughts about Shape Up
byDiego Pacheco
 
PDF
Holacracy
byDiego Pacheco
 
PDF
AWS IAM
byDiego Pacheco
 
PDF
CDKs
byDiego Pacheco
 
PDF
Encryption Deep Dive
byDiego Pacheco
 
PDF
Reflections on SCM
byDiego Pacheco
 
PDF
Management: Doing the non-obvious! III
byDiego Pacheco
 
PDF
Design is not Subjective
byDiego Pacheco
 
PDF
Architecture & Engineering : Doing the non-obvious!
byDiego Pacheco
 
PDF
Management doing the non-obvious II
byDiego Pacheco
 
PDF
Testing in production
byDiego Pacheco
 
PDF
Nine lies about work
byDiego Pacheco
 
PDF
Management: doing the nonobvious!
byDiego Pacheco
 
PDF
AI and the Future
byDiego Pacheco
 
PDF
Dealing with dependencies
byDiego Pacheco
 
PDF
Dealing with dependencies in tests
byDiego Pacheco
 
PDF
Kanban 2020
byDiego Pacheco
 
PDF
Lean 2020
byDiego Pacheco
 
Naming Things Book : Simple Book Review!
byDiego Pacheco
 
Continuous Discovery Habits Book Review.pdf
byDiego Pacheco
 
Thoughts about Shape Up
byDiego Pacheco
 
Holacracy
byDiego Pacheco
 
AWS IAM
byDiego Pacheco
 
CDKs
byDiego Pacheco
 
Encryption Deep Dive
byDiego Pacheco
 
Reflections on SCM
byDiego Pacheco
 
Management: Doing the non-obvious! III
byDiego Pacheco
 
Design is not Subjective
byDiego Pacheco
 
Architecture & Engineering : Doing the non-obvious!
byDiego Pacheco
 
Management doing the non-obvious II
byDiego Pacheco
 
Testing in production
byDiego Pacheco
 
Nine lies about work
byDiego Pacheco
 
Management: doing the nonobvious!
byDiego Pacheco
 
AI and the Future
byDiego Pacheco
 
Dealing with dependencies
byDiego Pacheco
 
Dealing with dependencies in tests
byDiego Pacheco
 
Kanban 2020
byDiego Pacheco
 
Lean 2020
byDiego Pacheco
 

Recently uploaded

PDF
Bridging epoll and io_uring in Async Rust by Tzu Gwo
byScyllaDB
 
PDF
Application Monitoring and Observability: Elastic Stack Solution for Producti...
byPattabhi Amperayani
 
PDF
From Bots to Brains: Getting Started with Agentic Automation in UiPath
byUiPathCommunity
 
PPTX
Session 6 Specialized AI Associate Series: The GenAI Experience in UiPath Doc...
byDianaGray10
 
PDF
Netflix's Scalable Page Construction with Real-Time Impression History by Sau...
byScyllaDB
 
PDF
How to Measure Microsoft 365 Copilot Success and Manage AI Risk: Advanced Str...
byNikki Chapple
 
PDF
Ask Me Anything About AI Assist: Practical Answers for Real Workflows
bySafe Software
 
PDF
NDP Act GAID Simplified: From Confusion to Compliance
byMuiz Adeleke
 
PDF
Expert Python App Development Company for Modern Enterprises
bySynapseIndia
 
PPTX
Top Trends in Kubernetes Security: TalosCon 2025
byCheryl Hung
 
PDF
Session 2 - Agentic Orchestration with UiPath Maestro
byDianaGray10
 
PDF
Morgenbooster: Navigating Ai Criticism with Systems Thinking
by1508 A/S
 
PDF
“Depth Estimation from Monocular Images Using Geometric Foundation Models,” a...
byEdge AI and Vision Alliance
 
PDF
Unlock This Brilliant App Freezur That Builds Brainrot Videos That Captivate ...
bySOFTTECHHUB
 
PPTX
Session 5 - Specialized AI Associate Series: Build a Document Understanding ...
byDianaGray10
 
PDF
Planetek Italia Corporate Profile brochure
byPlanetek Italia Srl
 
PDF
A fool with a tool is still a fool - Plone Conference 2025
byAndreas Jung
 
PDF
Unlocking Full-Stack Observability for AIOps: A Precisely Ironstream for Big ...
byPrecisely
 
PDF
A 4-Terminal Approach to Validating Charge Conservation in MOSFET Compact Models
byEalwan Lee
 
PDF
Cassandra vs. ScyllaDB: Evolutionary Differences
byScyllaDB
 
Bridging epoll and io_uring in Async Rust by Tzu Gwo
byScyllaDB
 
Application Monitoring and Observability: Elastic Stack Solution for Producti...
byPattabhi Amperayani
 
From Bots to Brains: Getting Started with Agentic Automation in UiPath
byUiPathCommunity
 
Session 6 Specialized AI Associate Series: The GenAI Experience in UiPath Doc...
byDianaGray10
 
Netflix's Scalable Page Construction with Real-Time Impression History by Sau...
byScyllaDB
 
How to Measure Microsoft 365 Copilot Success and Manage AI Risk: Advanced Str...
byNikki Chapple
 
Ask Me Anything About AI Assist: Practical Answers for Real Workflows
bySafe Software
 
NDP Act GAID Simplified: From Confusion to Compliance
byMuiz Adeleke
 
Expert Python App Development Company for Modern Enterprises
bySynapseIndia
 
Top Trends in Kubernetes Security: TalosCon 2025
byCheryl Hung
 
Session 2 - Agentic Orchestration with UiPath Maestro
byDianaGray10
 
Morgenbooster: Navigating Ai Criticism with Systems Thinking
by1508 A/S
 
“Depth Estimation from Monocular Images Using Geometric Foundation Models,” a...
byEdge AI and Vision Alliance
 
Unlock This Brilliant App Freezur That Builds Brainrot Videos That Captivate ...
bySOFTTECHHUB
 
Session 5 - Specialized AI Associate Series: Build a Document Understanding ...
byDianaGray10
 
Planetek Italia Corporate Profile brochure
byPlanetek Italia Srl
 
A fool with a tool is still a fool - Plone Conference 2025
byAndreas Jung
 
Unlocking Full-Stack Observability for AIOps: A Precisely Ironstream for Big ...
byPrecisely
 
A 4-Terminal Approach to Validating Charge Conservation in MOSFET Compact Models
byEalwan Lee
 
Cassandra vs. ScyllaDB: Evolutionary Differences
byScyllaDB
 

Sec 101

  • 1.
  • 2.
    @diego_pacheco ❏ Cat's Father ❏Head of Software Architect ❏ Agile Coach ❏ SOA/Microservices Expert ❏ DevOps Practitioner ❏ Speaker ❏ Author diegopacheco http://diego-pacheco.blogspot.com.br/ About me... https://diegopacheco.github.io/
  • 3.
    We are usedto Security in the physical world
  • 4.
  • 5.
    Why should wecare? ❏ Ethics ❏ Customer Experience ❏ Brand Integrity ❏ Compliance
  • 6.
    Defense in depth ❏NSA ❏ Layers ❏ All IT systems ❏ It’s all about redundancy ❏ AV, Auth, Encryption, MFA, Sandboxes, DMZ, VPN, Firewalls, etc...
  • 7.
    Least Privilege Principle ❏Minimum level of access and privilege. ❏ Avoid wide open permissions like * ❏ Avoid Attacker Surface ❏ Spots malware spread
  • 8.
    Encryption ❏ Symmetric &Asymmetric ❏ Encoding Information ❏ AES Standard ❏ Key Diversity ❏ Envelope Encryption ❏ App vs Storage Encryption ❏ Rotations
  • 9.
    TLS and mTLS ❏Privacy and data integrity ❏ Secure Connections ❏ Asymmetric Encryption ❏ Email, Chats, VoIP, HTTPS ❏ mTLS - No Man in the Middle ❏ Rotations
  • 12.
    Misconfiguration & ErrorHandler ❏ Unnecessary enable ports ❏ Stacks Traces ❏ Default Passwords ❏ Software Out of Date ❏ Missing Sec configs
  • 13.
    Input Sanitization ❏ SQLInjection ❏ Prepared Statements ❏ Remote File Inclusion ❏ Paths / Sequences ❏ Always clean user inputs ❏ Use UUIDs
  • 14.
    XSS (Cross SiteScripting) ❏ JavaScript Injection ❏ Storage (view by admin) ❏ Reflected (back to user) ❏ Latest Browser versions ❏ Requires Sanitization
  • 15.
    Insecure Serialization/Deserialization ❏ XXE- External XML Entity SAML(SSO), < SOAP 1.2 ❏ XML Upload from untrusted sources ❏ Disable XML external entity and DTD processing ❏ Validate XML with XSD
  • 16.
    Know Vulnerabilities ❏ OWASPtop 10 ❏ CVE/CWE ❏ Code Analysis ❏ Keep Software up to date
  • 17.
    Logging & AuditTrail ❏ Local / Unmonitored logs ❏ Audit trail on high-value transactions ❏ Monitoring on suspicious activities
  • 18.
    Threat Analysis ❏ Allmodels are wrong but some are useful for us ❏ Allow us to see the Threats ❏ Help figure out priorities ❏ Democratize security ❏ https://threagile.io/
  • 19.
    Engineering Friction ❏ Tests,DevOps, ... ❏ Security might cripple engineering capabilities ❏ Security is a Refactoring enabler force ❏ Security is Everybody's jobs
  • 20.