Another good Gotocon video, although the first few minutes are a bit bumpy until the speaker gets into the main part of the talk.
The key points for me:
- Think about what security and risk mean for your system
- Add nasty strings from Fuzz DB to your existing tests
- Read OWASP
- Prepare for attacks and other problems
- Get to know your system’s normal behaviour, so you can spot when something suspicious is happening (rather than having to wait for something bad to have happened)
- Build a culture where it’s OK for a DBA to kill off an unusual and dodgy-looking query – in his example it could have been a weird year-end financial report query, but actually it was an attacker.
- Can you match up all the logs end-to-end for a request and its response, and do you know what the logs mean? By end-to-end that means firewalls, routers, applications etc.
- Log success and failure cases, e.g. logins. A run of 1,000,000 failed login attempts suddenly gets worse if it’s followed by 1 successful login.
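To make the last two points concrete, here is an added example (my own code, not from the talk) that runs both checks over constructed log lines: it stitches firewall and application records together by a shared request ID and reports requests that are missing from one of the hops, and it flags an account whose run of failed logins ends in a successful one. The log formats, the `reqid` field, the source names `fw`/`app` and the threshold are all assumptions for the example.

```python
"""Added example: correlate logs end-to-end by request ID and detect a run of
failed logins followed by a success. Log formats and field names are invented
for this example; swap in your own parser for real firewall/app logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed line shape: "<ISO timestamp> <source> key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<kv>.*)$")


def build_sample_logs():
    """Constructed sample data: 20 failed logins for alice then one success,
    3 failures for carol with no success, and one request for bob that the
    application logged but the firewall never did (a logging gap or a bypass)."""
    fw, app = [], []
    t0 = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    n = 0

    def add(user, outcome, in_firewall=True):
        nonlocal n
        n += 1
        ts = (t0 + timedelta(seconds=n)).isoformat().replace("+00:00", "Z")
        if in_firewall:
            fw.append(f"{ts} fw action=ACCEPT src=203.0.113.9 dport=443 reqid=r{n}")
        app.append(f"{ts} app reqid=r{n} user={user} login={outcome}")

    for _ in range(20):
        add("alice", "FAIL")
    add("alice", "OK")
    for _ in range(3):
        add("carol", "FAIL")
    add("bob", "OK", in_firewall=False)
    return "\n".join(fw), "\n".join(app)


def parse_line(line):
    """Turn one log line into a dict of fields plus a parsed timestamp and source."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    rec["ts"] = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    rec["source"] = m.group("source")
    return rec


def correlate(*logs):
    """Group records from every log by request ID: {reqid: [record, ...]}."""
    by_req = defaultdict(list)
    for log in logs:
        for line in log.splitlines():
            rec = parse_line(line)
            if "reqid" in rec:
                by_req[rec["reqid"]].append(rec)
    return by_req


def missing_hops(by_req, expected_sources):
    """Request IDs that did not show up in every expected log source.
    A request that the app saw but the firewall did not deserves a look."""
    gaps = {}
    for reqid, recs in by_req.items():
        absent = set(expected_sources) - {r["source"] for r in recs}
        if absent:
            gaps[reqid] = sorted(absent)
    return gaps


def failed_run_then_success(records, threshold):
    """Per user, count consecutive login=FAIL records and flag a login=OK that
    follows a run of at least `threshold` failures. Failures with no success
    are noise; failures capped by a success are the interesting case."""
    alerts = []
    run = defaultdict(int)
    for rec in sorted(records, key=lambda r: r["ts"]):
        if "login" not in rec:
            continue
        user = rec["user"]
        if rec["login"] == "FAIL":
            run[user] += 1
        else:
            if run[user] >= threshold:
                alerts.append((user, run[user], rec["ts"]))
            run[user] = 0
    return alerts


def run_checks(threshold=10):
    """Run both checks over the constructed logs and return the findings."""
    fw, app = build_sample_logs()
    by_req = correlate(fw, app)
    app_records = [r for recs in by_req.values() for r in recs if r["source"] == "app"]
    return {
        "requests": len(by_req),
        "gaps": missing_hops(by_req, ["fw", "app"]),
        "alerts": failed_run_then_success(app_records, threshold),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

The threshold is deliberately a parameter: what counts as "a run" depends on knowing your system's normal behaviour first, which is the point of the earlier bullet. The gap check is the cheap way to answer "can I match the logs end-to-end?" before an incident forces the question.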