DeepSec 2014 Talk: Cloud-based Data Validation Patterns… We need a new Approach!
Data validation threats (e.g. sensitive data, injection attacks) account for the vast majority of security issues in any system, including cloud-based systems. Current methodology in nearly every organisation is to create data validation gates. But when an organisation implements a cloud-based strategy, these security-quality gates may inadvertently become bypassed or suppressed. Everyone relying on these filters should know how they can fail and what it means to your flow of data.
Geoffrey Hill has been in the IT industry since 1990, when he developed and sold a C++ application to measure risk in the commodities markets in New York City. He was recently employed by Cigital Inc., a company that specializes in incorporating secure engineering development frameworks into the software development life-cycles of client organizations. He was leading the software security initiative at a major phone manufacturer and a major central European bank over the course of the last three years.
Currently Geoffrey’s starting up his own security consulting company called Artis-Secure. It is focused on making security development frameworks better integrated with business processes.
As for hobbies apart information security: he’s currently planning a massive fancy-dress gathering next year in an Irish castle. Social engineers, beware! And between all of this he was so kind to answer some questions about the talk his going to give at our upcoming conference…
1. Please tell us the top 5 facts about your talk.
a. The contents will be very useful for enterprise and cloud projects.
b. I will show how the data validation problem is getting increasingly complex.
c. My proposed design uses current technologies.
d. I will describe a validation methodology that is language and process-agnostic.
e. My talk outlines a lightweight and simple solution.
2. How did you come up with it? was there something like an initial spark that set your mind on it?
I have been frustrated by the lack of coherent and concrete validation patterns in my previous projects. I needed to think of a simple way to sanitize and constrain unknown inputs, given the complexities of multiple languages, exceptions and character sets. My talk came out of this.
3. Why do you think this is an important topic?
Data validation threats (e.g. sensitive data, injection attacks) account for the vast majority of security issues in any system, including cloud-based systems. However, the current approach for validation patterns needs to be revisited and simplified or there will be no adoption in the developer community.
4. Is there something you want everybody to know – some good advice for our readers maybe? except for “come to my talk”. 😉
Good security patterns are very useful in a fast moving development environment because they can be easily deployed with minimal disruption. My talk is aimed at fellow security professionals who can use this information.
5. A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to cloud based strategies particularly your field of expertise. Is the cloud here to stay? what’s next?
“Each time history repeats itself, the price goes up”. The ‘Internet of Things’ (IoT) will be driven by new devices and cloud-based operations, making for incredibly complex meta-systems. This complexity will bring with it new security challenges. I believe that many costly mistakes could be made with this next advance in IT. The key to properly addressing these challenges with fewer mistakes is to implement simple models that are based on well-known security patterns. I see the next innovative wave of security as creating and providing standard libraries of these design patterns.