Security & App Development - CSO Summit Mid 2014

Security & Application Development Amod Malviya, CTO at Flipkart, Security freak @amodm

Transcript of Security & App Development - CSO Summit Mid 2014

Page 1: Security & App Development - CSO Summit Mid 2014

Security & Application Development

Amod Malviya, CTO at Flipkart, Security freak

@amodm

Page 2:

Statutory Warning: I upset (some) people in my talks

Page 3:

The Illusion of security

Page 4:

So, what’s the illusion?

“I am secure”

“Somebody” is taking care of security for me

A wave of a “magic wand” is sufficient

The “enemy” is outside

Page 5:

A “security first” culture

Security can never be an afterthought

Page 6:

A “security first” culture

Starts inside out (and top down), not the other way around

An integral part of the SDLC

Developers writing secure code: get them trained… continuously!

Myth: “Backend” == not at risk

When did you last block a release due to a security issue?

Page 7:

A “security first” culture

Get me the Prime Minister!

Page 8:

A “security first” culture

Production Management

Security issues rank higher than every single P0

Call out a dedicated team

Intelligently mix security vendors

Internet hygiene

Have a mechanism to report security issues

Page 9:

Interplay with 3P apps

Page 10:

Interplay with 3P apps

Understand the details (design, architecture)

Assume vulnerability

Treat 3P as an attack vector

SOP for public internet: firewalling, DMZ (for the 3P-interacting components), security audits

Much higher risk on “backend” 3P systems

Page 11:

Tying it all together

Tools: don’t stop at the tools – an internal culture is necessary!

Augment (multiplexed) vendors with in-house staff

Have a hotline! And a well-defined (and tight!) TAT for security issues

For in-house development: have developers trained on building secure code; build security testing/review into your SDLC

For 3P development/software: demand security audit results; evaluate if security is ingrained, or an afterthought; understand the design and architecture – identify risk zones

Page 12:

Thank You

Reach me @amodm

Image Credits: Google Images