Oct 2018
22 Mon
23 Tue
24 Wed
25 Thu
26 Fri 08:30 AM – 05:40 PM IST
27 Sat 08:30 AM – 05:40 PM IST
28 Sun
Dominic Tarr
Secure software is more important than ever, yet there is very little guidance available on how to go about producing it.
“Audit Driven Security” is a software engineering methodology, inspired by Test Driven Development, that you can learn to use to produce secure software.
Audit Driven Security
What drives a design?
Having vs. knowing (in Test Driven Development, we want correctness, but the way we know we have it is via testing. Having correctness is not as useful as knowing we have it. So, optimize the process for knowing that we have the thing we want to have. In TDD, that is testing: the development process is oriented around testing. In security design, we want to have security, and the way we know we have it is by auditing; therefore, in Audit Driven Security, we orient the design process around the needs of auditing.)
Analogy: Navigation Driven Shipping
Examples: things that make something easier to audit.
Properties that can be verified in the protocol vs. properties verified in the implementation.
Avoiding security in the state model.
Properties which are easier to verify.
Dominic Tarr works as a developer and protocol designer on secure-scuttlebutt and as a security auditor for Least Authority. He lives on a sailboat in New Zealand.