31st JULY - 4th AUGUST 2015

Pullman Brisbane - King George Square

Create Account
  • Mini-Conferences
    July 31
  • Presentations
    August 1-2
  • Sprints
    August 3-4

<-- Back to schedule

Playing to lose: making sensible security decisions by assuming the worst

The unfortunate truth about networked applications is that an attacker only needs to know one thing you didn't know to get past your defenses. You need to know everything, they don't.

The odds aren't in your favour. You're eventually going to get hacked.

That's the bad news. But if you stop thinking about a security compromise as that thing you close your eyes and hope never happens", and instead start thinking about it as an inevitability, then you can start making better security decisions.

"If they compromise my web servers, how do I protect my application servers?"

"If they break my application server code, how can I prevent them from gaining a foothold on my infrastructure?"

"If they poison my web-site with cross-site scripting, how do I find out before my users get hurt?"

In short: "If I’m going to get hacked, how do I make it hurt less?"

This is a talk about defense in depth.

Building a secure system isn’t about luck, it’s about planning.

Tom Eastman

Tom Eastman is a developer, sysadmin, and teacher. He is a lead consultant for SafeStack Limited, a specialist security company that weaves secure best-practices into agile and fast growing organisations. Prior to that he was a technical lead and architect for Catalyst, New Zealand's largest company specialising in open source technology.