Adelina Simion & Artur Kondas - The shimmy to the left: why security is coming for engineers

Security is no longer an afterthought in software development. Learn how to write secure code, use tooling, and implement best practices to ensure the security of your software.

Key takeaways
  • Security is no longer an afterthought; it is a fundamental aspect of software development.
  • DevOps and security are not mutually exclusive; they can and should be used together.
  • Writing secure code from the very start is easier than trying to fix it later on.
  • Tooling such as request signing and JWT can help monitor and release code securely.
  • Authentication and authorization are crucial for secure software development.
  • SQL injection is a significant security concern and should be avoided.
  • Using weak random number generators, such as math/rand, is a security risk and should be avoided.
  • Insecure defaults in coding practices can lead to vulnerabilities.
  • Continuous Integration and Continuous Delivery (CI/CD) pipelines can help ensure security.
  • Education and training are key to developing a culture of security in software development.
  • OWASP is an important resource for learning about security best practices.
  • Encryption, secure coding practices, and secure-by-design approaches can help ensure the security of software.
  • Fuzz testing can be used to test for security vulnerabilities.
  • Swagger and API documentation can be used to secure APIs.
  • Private keys should be kept private.
  • Public keys can be used for encryption and signature verification.
  • JWT can be used for authentication and authorization.
  • SecDevOps is a best practice that combines security and development.
  • Continuous monitoring and testing are essential for maintaining software security.
  • Vulnerability scanning, performance testing, and stress testing can also be used to test for security vulnerabilities.
  • Education and upskilling are key to developing a culture of security in software development.
  • CI/CD pipelines should be designed with security in mind.
  • Weak passwords are a security risk and should be avoided.
  • SSH keys should be used for authentication instead of passwords.
  • OWASP Top 10 is an important resource for learning about common web application security risks.
  • Full disclosure of security issues is important for security improvements.
  • Red teaming and blue teaming can be used to test security.
  • Secure coding practices can help prevent attacks.
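The weak-RNG takeaway above, as an added Go example that is not part of the talk or its speakers' material: a token drawn from math/rand is fully determined by its seed (so anyone who can guess the seed, such as a timestamp, can reproduce it), whereas crypto/rand reads from the operating system's CSPRNG. The seed value and the 16-byte token length are assumptions chosen for illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	mrand "math/rand"
)

// weakToken builds a token from math/rand seeded with a caller-supplied
// value, the pattern seen in legacy code that seeds from time.Now().
// The output is a pure function of the seed, so it is guessable, not secret.
func weakToken(seed int64, n int) string {
	r := mrand.New(mrand.NewSource(seed))
	b := make([]byte, n)
	for i := range b {
		b[i] = byte(r.Intn(256))
	}
	return hex.EncodeToString(b)
}

// secureToken draws n bytes from crypto/rand, the OS CSPRNG, and returns
// them hex-encoded. There is no seed to leak or guess.
func secureToken(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { // crypto/rand.Read fills b fully or errors
		return "", err
	}
	return hex.EncodeToString(b), nil
}

func main() {
	// Constructed seed: a fixed Unix timestamp, as a time-seeded program would use.
	const seed = int64(1700000000)
	// Two "independent" weak tokens from the same seed are identical.
	fmt.Println("weak #1:", weakToken(seed, 16))
	fmt.Println("weak #2:", weakToken(seed, 16))

	// Two secure tokens differ and cannot be regenerated by a third party.
	for i := 1; i <= 2; i++ {
		tok, err := secureToken(16)
		if err != nil {
			fmt.Println("crypto/rand failed:", err) // treat as fatal in real code
			return
		}
		fmt.Printf("secure #%d: %s\n", i, tok)
	}
}
```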