Video and slides synchronized, mp3 and slide download available at URL https://bit.ly/2jWsN95.
Anastasiia Voitova talks about cryptography: how it helps to narrow more significant risks to controlled attack surfaces, enables managing the risk efficiently, and how tools and algorithms sit in a broader context of managing infrastructure-wide risks associated with handling sensitive data. She also focuses on what to do after implementing encryption in a system. Filmed at qconlondon.com.
Anastasiia Voitova is Product Engineer at Cossacklabs. She has plenty of experience in building mobile apps. She developed many applications, frequently taking care of both iOS and server sides of the system.
2. InfoQ.com: News & Community Site
Watch the video with slide
synchronization on InfoQ.com!
https://www.infoq.com/presentations/
encryption-risk-management
• Over 1,000,000 software developers, architects and CTOs read the site world-
wide every month
• 250,000 senior developers subscribe to our weekly newsletter
• Published in 4 languages (English, Chinese, Japanese and Brazilian
Portuguese)
• Post content from our QCon conferences
• 2 dedicated podcast channels: The InfoQ Podcast, with a focus on
Architecture and The Engineering Culture Podcast, with a focus on building
• 96 deep dives on innovative topics packed as downloadable emags and
minibooks
• Over 40 new content items per week
3. Purpose of QCon
- to empower software development by facilitating the spread of
knowledge and innovation
Strategy
- practitioner-driven conference designed for YOU: influencers of
change and innovation in your teams
- speakers and topics driving the evolution and innovation
- connecting and catalyzing the influencers and innovators
Highlights
- attended by more than 12,000 delegates since 2007
- held in 9 cities worldwide
Presented at QCon London
www.qconlondon.com
11. #qconlondon @vixentael
ATTACK SURFACE
– all the possible places
where sensitive data may be
stolen by adversary
https://www.owasp.org/index.php/Attack_Surface_Analysis_Cheat_Sheet
13. #qconlondon @vixentael
HANDLING SECRET DATA WITH CARE
avoid plain text as possible
manage keys properly
decrease time of plaintext secrets in memory
log, monitor and inspect
14. – HOW TO MANAGE
THE ATTACK SURFACE
OF MY DATA?
28. #qconlondon @vixentael
TRY SYMMETRIC ENCRYPTION?
encrypt/decrypt data
using symm key
easy to steal a key
https://www.alibabacloud.com/
help/faq-detail/37505.htm
35. #qconlondon @vixentael
WHERE TO USE THIS TECHNIQUE?
micro-services infrastructure
public-oriented interfaces
non trusted client side (browsers, IoT devices)
hard to store keys securely
36. #qconlondon @vixentael
HOW TO IMPLEMENT?
ACRA
https://github.com/cossacklabs/acra
GREEN SQL
https://github.com/larskanis/greensql-fw
HEXATIER
http://www.hexatier.com/
ORACLE DATABASE
FIREWALL / TDE
http://www.oracle.com/
42. ZKA is a design principle that
enables software to provide services
over protected client data without
having an unencrypted access to it.
#qconlondon @vixentael
44. e2ee clients
all operations are on encrypted data:
– control access to data from different users
– CRUD
– search (in encrypted data)
ZKA INCLUDES:
#qconlondon @vixentael
66. #qconlondon @vixentael
THINGS TO REMEMBER
1. cryptography aims to narrow the attack surface
2. choose relevant encryption scheme
3. combine crypto and classic techniques
4. there is a lib for that
67.
68. https://hackernoon.com/eli5-zero-knowledge-proof-78a276db9eff
Explain Like I’m 5: Zero Knowledge Proof
https://medium.com/@9gunpi/devops-and-security-from-trenches-to-command-
centers-466dfb58fe5b
DevOps and security: from trenches to command centers
https://medium.com/@cossacklabs/12-and-1-ideas-how-to-enhance-backend-data-
security-4b8ceb5ccb88
12 and 1 ideas how to enhance backend data security
LINKS
https://www.smashingmagazine.com/2018/02/gdpr-for-web-developers/
How GDPR Will Change The Way You Develop