Friday 29th January, 2016
2:30pm to 4:30pm
The first thing that comes to mind when talking about application security is probably a scenario where LulzSec takes over some server and gains root-privileged shell access (the gold standard of “pwned”). As interesting as these technical attacks on infrastructure might be, they only tell a small part of the tale.
The other interesting part is the business attacks: attacks carried out in the dark, so sophisticated and powerful that no alarm is triggered. Why? Because they attack the domain and prey on weaknesses in how the business is modelled and realised by the systems and their integration. This is far more serious than technical attacks. We don’t have the data, but we suspect there are lots of exploitable systems out there, many perhaps being exploited continuously without anyone being aware of it.
During this session, we’ll make a state-of-the-art tour of Domain-Driven Security, looking both at technical and business attacks, and both at attacks targeting a single system and attacks exploiting weaknesses in integration. Notably, the latter is becoming more interesting day by day as micro-service architectures grow in popularity.
An obvious example would be tricking a site into paying out money. A more extreme example could be a certificate authority (PKI CA) whose micro-service architecture contains subtle misunderstandings in the integration, making it possible to obtain a high-class certificate without fulfilling the required authentications. Imagine who would want such a thing.
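As an added illustration of the “tricking a site into paying out money” example above (constructed example code, not material from the session or its speakers; the shop domain, the balances and the 1..1000 order limit are assumptions), the following contrasts a checkout that trusts a raw integer with one that only accepts a quantity that is valid by construction. The first version never raises, never logs and simply credits the customer when handed a negative quantity; the second cannot be reached with such a value at all, which is the kind of business invariant this session is about.

```python
"""Added example: a silent 'pay out money' business attack on a naive checkout,
next to the same checkout protected by domain primitives (hypothetical shop
domain and business rules; not code from the session)."""
from dataclasses import dataclass
from decimal import Decimal
from typing import ClassVar


def place_order_unvalidated(balance: Decimal, unit_price: Decimal, quantity: int) -> Decimal:
    """Naive checkout: trusts whatever integer the request carried.

    Nothing says quantity must be positive, so quantity=-5 produces a negative
    total and the customer's balance goes UP. No exception, no alarm.
    """
    total = unit_price * quantity
    return balance - total


@dataclass(frozen=True)
class Quantity:
    """Domain primitive: an order quantity that is valid by construction."""

    MAX_PER_ORDER: ClassVar[int] = 1000  # assumed business rule for this example
    value: int

    def __post_init__(self) -> None:
        # bool is a subclass of int in Python; reject it explicitly.
        if not isinstance(self.value, int) or isinstance(self.value, bool):
            raise ValueError("quantity must be an integer")
        if not 1 <= self.value <= self.MAX_PER_ORDER:
            raise ValueError(f"quantity must be between 1 and {self.MAX_PER_ORDER}")


@dataclass(frozen=True)
class Money:
    """Domain primitive: a non-negative amount of money."""

    amount: Decimal

    def __post_init__(self) -> None:
        if self.amount < 0:
            raise ValueError("money cannot be negative")


def place_order(balance: Money, unit_price: Money, quantity: Quantity) -> Money:
    """Hardened checkout: the signature itself rules out a negative quantity,
    and Money refuses to represent a negative balance or total."""
    total = Money(unit_price.amount * quantity.value)
    if total.amount > balance.amount:
        raise ValueError("insufficient balance")
    return Money(balance.amount - total.amount)


def quantity_is_rejected(raw: object) -> bool:
    """True if the raw request value cannot become a valid Quantity."""
    try:
        Quantity(raw)  # type: ignore[arg-type]
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed request: unit price 10, balance 100, attacker sends quantity -5.
    print("naive checkout, quantity -5:", place_order_unvalidated(Decimal("100"), Decimal("10"), -5))
    print("hardened checkout rejects -5:", quantity_is_rejected(-5))
    print("hardened checkout, quantity 3:", place_order(Money(Decimal("100")), Money(Decimal("10")), Quantity(3)))
```

The point for a micro-service integration is the same: if the quantity crosses the service boundary as a validated primitive rather than a bare integer, a downstream service cannot be handed a value the upstream never checked, which is exactly the “misunderstanding in the integration” the session warns about.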
Finally, the purpose of this session is twofold: partly we want to present and water-test the ideas of the field as of today; partly we want the reflections and input of highly experienced DDD practitioners to move the field of Domain-Driven Security forward. We hope you want to join that discussion.
Secure Domain Philosopher
Agile aficionado; Domain-Driven Design enthusiast; code quality craftsman, with a long-time interest in security. The combination led Dan to use quality practices from DDD to address application security issues, thus coining "Domain Driven Security" together with John Wilander around 2009.
Coder and quality defender; fights security trolls on a daily basis using Domain-Driven Design and a security mindset. Daniel's extensive experience ranges from patient-critical pacemaker systems to high-performance software in the gaming industry. Combining this with his passion for DDD and his interest in security has made him a strong advocate of Domain Driven Security.