Presentation: Small Is Beautiful: How to Improve Security by Maintaining Less Code

Track: Trust, Safety & Security

Location: Pacific DEKJ

Duration: 2:55pm - 3:45pm

Day of week: Wednesday

This presentation is now available to view on InfoQ.com

What You’ll Learn

  1. Find out which security vulnerabilities are usually present in products.
  2. Learn how to fix these vulnerabilities and how to avoid them.

Abstract

Project Zero has reported over 1500 vulnerabilities in commonly used software, including Windows, Android, iOS, browsers and many others. A common factor in many of these vulnerabilities is unnecessary attack surface. This presentation explains several causes of unnecessary attack surface and how to avoid them. It includes examples of vulnerabilities reported by Project Zero and explains how developers can prevent similar bugs.

Question: 

Please introduce yourself.

Answer: 

I'm Natalie Silvanovich and I'm on a team called Project Zero at Google. Our team's mission is to make zero day vulnerabilities less accessible to attackers. The biggest thing I do is find vulnerabilities so that they can be fixed so that they're not available to attackers. And I've done this in all sorts of targets: all the browsers and things like Adobe Flash and messaging clients. Altogether in the past five years our team has found over a thousand bugs, a really large number. As we've looked at all those vulnerabilities there seem to be some things they have in common, and a very common cause of vulnerabilities is unnecessary attack surface. So there'll be a feature that is not being used or maybe not being used in the context that's causing the vulnerabilities. That's putting the users at risk with no benefits. My goal in this talk is to share some of these vulnerabilities and look at why the code is necessary. I'm hoping that people will learn a bit about the importance of getting your code base clean. It doesn't just make things easier, it can also have a big security benefit.

Question: 

Who's the target? Are you talking to developers, architects, leadership?

Answer: 

I would say all of them. For developers it is useful to understand that on the level of your code base why is it important to get rid of code you aren't using. But also from the architect's perspective there are lots of examples where there is some code that's high risk that was intended to be used in a local context, but designed to make it available in a remote context. There are lots of opportunities for secure design that reduces the risk that components get exposed to high risk interfaces. A lot of this stuff requires leadership support, it requires people being given the time and resources to make projects that reduce attack surface. So I think it's important to everyone involved in this lifecycle.

Question: 

When you're talking about some of the vulnerabilities like the attack surface, are you talking about box diagrams or code samples?

Answer: 

There is a whole spectrum. There are some bugs where I'll be explaining, this is the line of code and this is how it got in. When I'm starting the talk I'll explain that in detail so people get the concept of what are these bugs, how did they cause security problems, and then as I go through the talk I move to a much higher level. For example, this was a similar bug, and it happened because someone didn't sync the change to another branch, and to explain how when these fundamentals are not respected bad things can start happening. I would say 20% are code-level examples, 80% are more general.

Question: 

What do you want someone to learn from your talk?

Answer: 

I want them to say, OMG, I am deleting a bunch of stuff tomorrow.

Speaker: Natalie Silvanovich

Security Researcher @Google

Natalie Silvanovich is a security researcher on Google Project Zero. Her current focus is browser security, including script engines, WebAssembly and WebRTC. Previously, she worked in mobile security on the Android Security Team at Google and as a team lead of the Security Research Group at BlackBerry, where her work included finding security issues in mobile software and improving the security of mobile platforms. Outside of work, Natalie enjoys applying her hacking and reverse engineering skills to unusual targets and has spoken at several conferences on the subject of Tamagotchi hacking.
