Lunch and Learn: The Art of Being Secure by Design
In this "lunch and learn" style webinar, presenter Lakshmia Ferba guides you through the realm of secure by design principles and equips you with the tools needed to fortify your digital assets against an evolving landscape of cyber threats.
[Heads Up: This transcription was autogenerated, so there may be errors.]
Introduction
Grace Farley: Thank you all for joining today's lunch and learn, “Mastering Security: The Art of Being Secure by Design”, where we will guide you through the realm of secure by design principles and equip you with the tools needed to fortify your digital assets against an evolving landscape of cyber threats. So after this Lunch and Learn, you'll receive an email with the recording of today's session. Feel free to reach out if you have any questions. And as mentioned before, this is very interactive. So please utilize the chat feature to drop any questions that you might have during today's session.
So our expert for today's Lunch and Learn is Lakshmia Ferba. Lakshmia is the product manager at Mayhem with over 10 years of experience in the tech industry. Her skill ranges from Product Marketing, user research and customer engagement throughout her career, and is the perfect person to speak on secure by design principles. This is due to her passion for leveraging technology to solve complex business problems in a concise manner. So thank you all for joining. And now I'm going to turn it over to Lakshmia.
Lakshmia Ferba: Hello, everyone. I'm obviously Lakshmia. I am the product manager here at Mayhem. And I'm very excited to do this for you guys. So as Grace has mentioned, I have been in the tech space for well over 10 years. And I've watched it grow, I've watched new industries come into play. You know, I've seen a lot of stuff. And I'm assuming if you're here, you probably have seen a lot of things as well. And so even in my personal time, I'm very passionate about tech. And that's why I'm very excited about doing this presentation. Because it was actually spurred from something that you guys can learn about later on in the presentation. So let's get some things started.
And so here's the agenda for our lunch and learn today. What is secure by design? You know, what does that look like to you? You know, and what it actually is, we're gonna identify and mitigate some common cybersecurity threats, implementing proactive security measures, a Q&A session, and, of course, the conclusion.
What is “Secure by Design”?
So, obviously, what is secure by design? So, first question, have you heard the concepts of secure by design before? And if so, what does that mean to you? Because when I've asked this question in the past, I thought everyone had the same answer. And it turns out, that's not true. So I really want to know what you think this is, in your opinion. And if you aren't even sure what it is, tell us in the chat. No judgment here. This is completely educational. So I want to know what your thoughts are. So I'll give you guys like two minutes. So put your answers in the chat. And we'll move forward from there.
I'm playing the—what’s the show? I think it's the Jeopardy music in my head.
Grace Farley: Oh, yeah. That's what I was thinking about.
Lakshmia Ferba: Yeah. Like, if I could figure out how to add that to this, I would, but I have no idea how to do that. And that's not a good use of my time. One day I'll learn, but I have no idea how to do that.
Grace Farley: It looks like people are going to learn what this concept is. I'm really excited.
Lakshmia Ferba: Yeah, me too. Because a lot of people think this is a new concept, and it is not. So secure by design is a set of principles and practices in software development. It’s a system architecture, aimed at ensuring that security is an integral and foundational aspect of a product or system, rather than being an afterthought or add-on. AKA, you're basically thinking about security from the jump. You're not trying to do it at the last minute before you go public. Before you take money for the product or service that you're offering. You're thinking about it literally from the start. So you're like, here's my idea, okay, how can we make it secure, that's literally what secure by design is.
And so secure by design products are those where the security of the customer is a core business requirement, not a technical feature. Being secure as a product may be digital otherwise is literally not a tech feature. That is not something that makes your customer go, Wow, I'm excited. They expect it. It is literally an expectation. So make sure you're thinking about your customer when you're doing this, especially if you have a very technical product, and your target audience is not that technical yet . So you need to think for them. And as well as bad actors, that may want to interfere with what you're doing.
Overall, a secure by design approach not only makes systems more resilient to attacks, but also contributes to cost savings, user trust and a smoother development process. It aligns with the proactive stance needed to navigate today's complex and evolving cybersecurity landscape, which is true, like you should be secure from the start as close to the beginning as possible. I cannot stress this enough. I am a product manager. So I'm very biased about this. But please, I can't stress this enough. Think about the security before you launch your next app, before you launch your next website. Before you launch your next product. I really want you to think about that. So that's my little soapbox moment.
Key Principles of “Secure by Design”
And so here's some key principles about being secure by design. The less access, the better. Only give access as necessary. I mean, internally in your organization, and outside as well. So if you have contractors, employees and stuff, only give folks access to things that they actually need, not everything. Because if you give them access to everything, you're more inclined to accidentally or intentionally have some problems. And that's not what we want to do here.
In depth defense. Have security with layers. Like you know, we all hate when we're on a website, and they're like, create your password. And it's like, yeah, you gotta have numbers, a capital letter, a special character. That's part of that defense. So that it's a lot harder for someone to actually hack and get your information if you make it a little bit more complex.
Fail-safe defaults. Be secure, by default, in all of your systems. This literally ties into what I've been preaching about for the past two minutes, making sure everything is secure, passwords on things that need to have passwords, VPNs, etc. There's a ton of ways of doing it. Obviously, create a plan that works best for your organization and for your teams.
Economy of mechanism. Simplicity for security. Keep it simple in terms of implementation, but make it hard for folks to actually hack into your stuff.
Open design, no security through obscurity. Again, be as clear as possible as you can when you're doing the things that you're doing. Like being secure by design.
And complete mediation, control over every access attempt. You should have a couple of admins, in my opinion, depending on how big the org is. Y’all should have a couple of admins. You should never just have one admin that has access to everything. Because what if that person is ill, what if they leave the company, you know, various things that we don't want to think about, but we should plan for anyway. Make sure you have control. I cannot stress this enough. I've been in organizations where they had someone working there for 30 years. And that's the person that set everything up and then when they retired, they had no idea what to do next. That is not being secure by design, that's literally the opposite. So please don't do that.
Benefits of Being Secure by Design
So here are some benefits of being secure by design. Reduced vulnerabilities. Again, this simply means that you're less likely to actually have vulnerabilities exposed. It minimizes the risk of security breaches and attacks. And it makes it a lot easier for you. Like you can actually test things while in production to make sure that they're actually where they're supposed to be. You can even do a dry run, even, to make sure that it is doing what it's supposed to do, and is actually showing the way it's supposed to do, all that great stuff.
Stronger defense. A secure by design approach results in a more robust and layered defense strategy, making it harder for people to actually hack into your stuff. You want to make it as difficult as possible for them, the easiest to implement for you.
And sustainability. When you have a system that is built with security in mind, you're more likely to withstand the test of time. You're less likely to actually have all these issues that we're going to talk about later on in the presentation.
And legal and regulatory compliance. Depending on your industry, you already have some security by design principles in place, because your industry requires it. Automotive is one, if you work in the federal government space that's another. There's a ton of industries that actually have certain requirements that are set up by default. So you can add to that to make it even stronger and more secure for your organization.
And here—this is for my new folks—speed and scale. This literally helps with, you know, making sure that your development cycles are smoother. And that you can actually address things from the jump instead of right before, I don't know, your large launch on product hunt, because everybody loves a big old breach before they go on product hunt. So you want to make sure that you're covered. Don't you want to sit there and actually work on your product instead of having to worry about pushing out a patch every week. Because that's annoying. I'm sorry, I know, it's annoying. You don't need to do a patch every week, if you are, you know, more secure by design from the start.
Lower costs, aka saving you money. You want to be able to save money. So you can allocate that to better things in your organization, in your business, in your product. If you address those security concerns from the start, you're already lowering your costs, and you're already ahead of the game.
And it also creates a cultural mindset for your organization. So everybody knows, hey, before we start here, we have to make sure these five to ten things are checked off. It's already integrated. And it's already in the culture of the org so that you are already secure by design from the jump. Like that makes it so easy. So it may seem like it may be a little bit more work. But once you set it up initially, you probably don't have to do it all the time. And if you are, you may need to go back and revamp your process a little bit.
Identifying and Mitigating Common Cybersecurity Threats
Now, we're going into our next section, which is identifying mitigating common cybersecurity threats. Now, I want to see the chat light up with this because of the question that's coming up next. When you hear a “cybersecurity threat”, What are some things that come to mind? Look, it can be small, it can be big. I want to know what you think when you see “cybersecurity threat”. That could be in like a headline online, that can be a headline in a newspaper, that could be an email sent from your CISO. What do you think “cybersecurity threat” means to you?
And so while you guys are doing that, I'll tell you what it kind of, what I think, like what I used to think what it meant, when I would hear cybersecurity threat. In a previous organization that I worked in, usually it would be two things. Either it would be someone forgot their password and got locked out. And we had to call downtown for the IT person to unlock it. And they're like, well, now no one's gonna be able to access this stuff. And you're sitting there like that's not a cybersecurity threat. That's you misplacing your password. So not that, or I hear something, someone got into something that they were supposed to get into whatever that looks like, that could be somebody's bank information was revealed on the dark web, that could be someone hacked into your bank account, and took money out that they weren't supposed to have access to. It's a couple of different things to me. So I'm not feeding you guys any answers. I'm just telling you what my thoughts are on the process. So that's what I think. I'm curious about your thoughts.
Because I don't think there's like a one size fits all answer to this question. Because it truly depends on what industry you're in, your experience, what part of the world you're in, you know, a lot of different things. So, we're gonna go on, move on to the next part. Most people they're thinking malware or ransomware, especially ransomware right now, because in a lot of cybersecurity headlines, you're going to see stuff about ransomware. Like, that's what's making the most news right now. I see alerts about it all the time. It used to be malware before people got hip to ransomware. I remember seeing, you know, there'll be bugs and stuff out. And I'm like, dang, every week it will be something new. And this is even before I actually started working in tech, I saw this when I was in high school. Like Grace, you may be able to attest to this too because you are a little younger, but I mean, did you see anything about malware? They're like, Oh, something had some bugs just got released?
Grace Farley: Yes, yes, I've definitely seen stuff and had to make sure to get briefed on what to do if that happens and things like that. So I know what you're discussing.
Lakshmia Ferba: Like I would, and the funny thing is, I didn't actually fully know what it was initially, because that's all I saw in the headlines was just malware. They didn't really describe it. But once I learned what it was I was like, okay, this is a problem, this shouldn't be happening.
Phishing and social engineering. Phishing is still a huge problem, if you're not familiar with what that is, its basically someone getting into a system and pretending to be someone that you know. This happens a lot with C level executives. It also happens with the older population, because they don't always think to click on the like, you know, where it tells you what the email address is to see if it's the same. Sometimes phishing scams are really elaborate to the point that you have no idea until it's too late. And so social engineering, in my opinion, is a little bit newer on the horizon. But I still think it's a huge problem that we need to address. And if you're not fully familiar with that, social engineering, essentially, it's the same thing but like social media, like someone, disguising, pretending to be someone else. But like on social media.
Insider threats, this is also a very common one. And it's sometimes it's by accident, sometimes it's unintentional. But it's still an issue no matter which way comes out. This is usually from like a contractor or an employee accidentally or intentionally giving away information that they shouldn't have given away. You also hear this sometimes in finance, with like insider trading. So similar, but also different at the same time. The DDoS attacks, this is another one that we see quite a bit, especially now in the headlines. And there are ways that, in my opinion, we can actually mitigate this risk a little bit more. But the more that we actually learn about these, the better, I believe we will be able to be prepared as a world, essentially, because this is a global thing. And between this and the ransomware, I see these headlines all the time.
And then the zero day exploits. This one is a sneaky one, it's a little more sneaky than you want to actually admit. But here at Mayhem, we actually focus on making sure that you don't have false zero days coming up. Because that's bad, it's a waste of time, it's waste of money. And you don't want to have to deal with that.
How to Mitigate These Threats
So how to mitigate these threats. Kind of simple honestly, you can use anti virus anti malware software, you can train your teams around phishing awareness, which, in my opinion, the second one, you should do that all the time, at least once a quarter if you have a big enough team, because the type of phishing that we're experiencing in this day and age is bigger than I've seen in a long time.
Also leveraging access controls and monitoring, monitoring for insider threats, making sure people are not you know, spilling secrets may be intentional or not, you got to kind of check that out. Analyze your traffic and implement DDoS protection, because again, you need to make sure you know what's coming to you and your servers. And make sure you update and patch your software, or your hardware as needed. You know, a lot of us hate updating our computers. But updating the computers actually literally helps so much. So if you are just like me, who also forgot to update their computer, after this lunch and learn you should probably do that. Probably do that. That’s something simple you can do right now.
Implementing Proactive Security Measures
And so we're going into the next section, which is implementing proactive security measures. And I believe in literally being proactive about handling not just security, but things in general. And I think if you take the proactive approach, you're more inclined to actually have that success and build that awareness and cultural mindset and that muscle so that you can actually mitigate a lot of these risks. And so, in your opinion, what does practice security mean to you? And why is it important in today's digital landscape?
Again, I'm playing the Jeopardy music in my head.
Grace Farley: That’s a good soundtrack, we need to we need to figure out how to add it
Lakshmia Ferba: We really do, like I really want to figure out how to do that. Because it would be so perfect for moments like this, that or Wheel of Fortune or the price is right. But I really like the Jeopardy music for this. So those are my top three options that I would choose.
And so if you're not sure what this means to you, or why it is important, we're about to tell you. So, essentially, it's important because if you come from a proactive approach, you don't have to scramble to prepare a plan once something happens, because of course you don't want to think about the future of something like this happening to you or impacting your company or your business. But in this day and age, if you're doing anything digitally, you need to plan for it. If you're using you know the internet at all you have to plan for this type of thing because its an expectation from your customers is an expectation that is probably for your industry, and you want to make sure that is very hard for people who are not good, aka, bad actors to notactually get into your systems, like you want to make it difficult to, like, you know what, I don't feel like doing this and the more I'm gonna move on, you want to give them that type of energy.
So here's some ways that you can do that—threat modeling, you can actually identify those potential risks from the start. You can also establish secure coding practices, validate your inputs and avoid injection attacks. Because injection attacks are also not the best thing you want to deal with. Regular security assessments, that's penetration testing, and code reviews, or just simply reviewing making sure that things are up to date. You know, if things are not up to date, this also can give hackers or bad actors a chance to get into your systems. Encryption and data protection, secure your data at rest and transit at all times. Even more so if you're using third party stuff. Make sure everything is encrypted and secured and your data is protected, as well as your users. So use authentication, authentication and authorization. Implement that strong access control, just like I mentioned, before you do on the inside of your company and inside of your, your business. Do it on the other side of your customers. Again, I mentioned the password thing when it's like you know, you have a capital letter, a special character, numbers, things can't be, you know, in an order. It may seem like it's hard work or like annoying, but it's done for your protection in mind. It is literally for your protection for both you and your consumers.
And so I just wanted to share this quote, because this is from director Jen Easterly at the CISA. Consumer safety must be front and center in all phases of the technology product lifecycle, with security designed in from the beginning. I really wholeheartedly believe in this, because we've experienced, it's like, um, just as humans, we've experienced companies that kind of were just like, actually, we didn't think about that. Or, you know, it didn't seem like a big deal. And like your information just floating out there, or your bank account has been hacked, and various things like that. You must think about your consumer, just as much as like, you know, you're protecting your business, you gotta protect your consumers, because they need to be secure, and actually using your products, your services, and doing business with you.
Q&A
So do we have any questions? I haven't been paying attention to the chat, because I don't I don't want to get distracted.
Grace Farley: I've answered some of the questions in the chat. But I do have some questions that I've seen come through privately. But feel free if anyone else has any questions to drop them to the chat or feel free to ask me them directly. But one of them is “Do you think it's hard to become secure by design?”
Lakshmia Ferba: No. And I say that because it's easier to actually implement those proactive measures than to have to go back and like double, triple or quadruple back to fix stuff after the fact. Like if you're already, you know, rolling out, if you're rolling out patches, for example, every single week, that is not good. Like you need to go back to the drawing board and figure out why you are shipping product that isn't secure. And like has breaches to the point or like you know, vulnerabilities to the point that you have to release a patch every week. That is not realistic. It shouldn't be that often honestly. So if you are, you know, thinking about implementing best secure by design principles from the start, it'll be fewer and far between and you'll still have a strong product in my opinion.
Grace Farley: That's interesting, well then going off of the vulnerability aspect. Another question I was asked was, “What are some common misconceptions about proactive security and how can we address them?”
Lakshmia Ferba: So number one, one I've heard the most is that it's expensive. It's extremely pricey. And it's not, and I say that because, think about it like this, I'm going to use an example of a breach that’s in real life that’s happened several times, but I won't name the company. There is a retailer that has had a breach almost every single year and I mean literally almost every single year for like the past 10 years. And it's the same type of breach and it's always involving their customers' payment information.
And the reason someone like actually asked them why does this keep happening? And they're like well its really expensive to implement infrastructure that actually covers this. Now mind you this retailer has lost billions of dollars, with a B, billions of dollars from these attacks and also has lost some recognition from their customers and they've also had a dwindling customer, a dwindling customer base from this. And I'm sitting here thinking like, if you fixed it the first time, it wouldn't happen almost every year. Literally, it should not be happening, especially since you are a large organization, it shouldn't be happening because you have the money to do it. And so if you allocate your money in the correct way, in my opinion, to actually implement just simple security things, like making sure that, you know, if you use an outside API that they're secure, you know, simple things like that, it will be cheaper, or do you really want to end up in a ransomware? Attack? No. Like, that's expensive. That is so pricey, like, so when you say like, you know, oh no its expensive, I'm like, It's not. Peace of mind is never expensive to me. So that's one aspect of it.
Another aspect of that is I feel like, people are like, Well, it's time consuming. No, not not, if you actually have a regular schedule, and you develop a plan, it shouldn't be time consuming. Everyone should know what the deal is, and how it runs. It shouldn't be, it shouldn't be that way. It's just like you, if you actually establish the process, I feel like in my opinion, that it won't be as time consuming, because everybody knows what the roles are in all of that.
Grace Farley: That actually makes a lot of sense. I have another direct one. But everyone feel free to use the community chat or direct message me, whatever works. But you mentioned the time consuming and establishing the process, which I think leads great into the third and final question that I've received, which is, what is a hack and breach that you think could have been handled better?
Lakshmia Ferba: Again, I'm not gonna name the company. But you'll probably know who I'm talking about. There is a large and I do mean large gaming company that had a huge breach that actually revealed some of their source code, and their customers payments, because apparently they had them at the same place. And I'm sitting here, like, why would you store your customer's payment information, and your source code in the similar fashion for someone to be able to figure out the two. And when this was discovered, they actually kept it hidden for like 18 months, which is not good, you shouldn't do that, like, you know, be open to your mistakes, or whatever has happened to you. So you can actually come up with a solution that makes everyone happy. And they actually blame the customers. They blame their consumers for the ha k. And it turns out the consumers were not the people that actually hacked into the system.
So I think that could have been handled better by one, making sure they were shipping off secure code. Two, not storing the customer information in the same way. Or maybe they just don't have that at all, because there are different ways of handling that. And three, not blaming their customers. Like, that's something that like, those are like top three, like, don't blame them, like, figure out a better way to store stuff, and admit your mistakes or admit what happens to you. So that was one that was just like, bad. I was just like, I stopped actually playing the game. Like I stopped. I yeah, a lot of people left that community, because the company was just like, it's your fault this happened. Had you guys did this, this and this, this wouldn't have happened. And we're like, Y'all are the company. Y’all own the infrastructure. This is you. And so they lost hundreds of millions of dollars. And I'm not even sure if they fully recovered from that.
Grace Farley: Wow. So that really states the importance of just making sure that you're securing your platforms through design and everything else that you spoke on today.
Lakshmia Ferba: Yes, yes. Especially like I said, like our gamers, our automotive folks are like, if you have websites, and you're taking payment, make sure your stuff is secure, y'all, like you don't want all that stuff floating out in the internet. Like just all willy nilly. You really want that to be secure and you want that locked down. You want it so no one has access to that. Like I cannot stress that enough.
Grace Farley: Well, those are all the questions that I received. If anyone has any additional ones, please leave them in the chat. Again, we'll be sending a recording of today's session. But I want to thank you all for taking the time to join and I'll just turn it over to Lakshmia for any closing notes that she might have.
Lakshmia Ferba: So like I said, we work here at Mayhem. If you are not familiar with the Mayhem platform, I strongly suggest you check us out at mayhem.security to learn more about what we're doing, especially when it comes to security, especially our folks that are you know, trying to secure their code or their APIs
And if you want to connect with me, I'm always open to connecting and networking. Here's my LinkedIn. It’s literally my name. I am the only person on the platform with that name, so you will not get it mixed up with anyone else, I promise. So I appreciate you guys spending time with us during his lunch and learn, having lunch or breakfast or whatever you're doing with us, and we'll see you next time, guys. Bye.
{{code-cta}}
Add Mayhem to Your DevSecOps for Free.
Get a full-featured 30 day free trial.