swampUP 2019

It comes as no surprise that any micro-services, any security controls you use to build applications will eventually be broken (or fail). Under certain pressures, some components will fail together.

The question is – how do we build our systems in a way that security incidents won't happen even if some components fail? And data leaks won't occur even if penetration tests are successful?

"Defense in depth" is a security engineering pattern that suggests building an independent set of security controls aimed at mitigating more risks even if the attacker crosses the outer perimeter. During this talk, we will model threats and risks for the modern distributed application, and improve it by building multiple lines of defense. We will overview high-level patterns and exact tools from the security engineering world and explain them to DevOps practitioners and architects. :)

We won't: crack real applications, discuss how insecure JWT tokens are, steal WiFi passwords.

We will: discuss practical security engineering approaches, covering security controls from complex encryption schemes to modern DevOps tools.