Good morning, everyone, I hope you're enjoying it a lot. And, well, I'm going to introduce a great friend. She's a former speaker at security talks at big events in Spain such as Ciberwold, and a former instructor of security courses at LinkedIn Learning. She's a person I love very much, and now you'll understand why. I present to you: Gavs García.

Ah, no, I have a mic. How are you, how is everyone doing? Okay. Thank you all for being here, and I'm speaking in English by request of the organization. Is there anyone here who doesn't speak English or doesn't understand English? No? No problem? Okay. Thanks for choosing to be in this talk, because I'm really proud of being chosen over the Indian guy, because everyone knows that if we have had any problem, there's always an Indian guy who had it first, had it better, and knows how to fix it. So thank you all for being here, and let's start this.

Just to talk about me: as Erika said, I am going down the path of DevSecOps. I'm an instructor at LinkedIn Learning. Do you know LinkedIn Learning? Somebody raised a hand, good. At least one person knows it, so I'm happy. And I'm also a cybersecurity professor, not only at LinkedIn Learning but at a private university in Madrid.

But this talk is not about security, it's not about programming, but it's something related to both of them. Prophylactic programming is a concept that I named but didn't invent; it talks about the mixture of design, programming, and the normal security protocols we create when we are developing any kind of software. We all love an appealing design. We love lights, we love textures, we love amazing images. Who doesn't love a good design? No one, right? Who loves a good design? This thing is just to keep you looking at me and not playing Candy Crush on your phone, okay? We all love an appealing design, but this happens very often.
We have a great frontend, we have a great presentation, and we have an awful backend, Frankenstein-made, a mixture of things based on the phrase "if it works, please don't touch it," okay? Do you see those dead people's bones hanging on the figure? This is security, mostly, and this psychopath face there is just you thinking something will break at any point of your development.

And you ask why? The thing is, people, organizations, normally don't invest in security. It's very little investment, or no investment at all. Every measure related to cybersecurity or security in your system is focused on fixing problems after a big cybersecurity problem. For example, you have been a victim of ransomware and then you take measures. You have lost all your data and then you take measures. You have received the news of a giant fire in your OVH server and then you start the measures. So all the measures come after the problems and not before the problems, and that's our main problem. And of course, all the work related to cybersecurity is made and based on patching vulnerabilities and not on creating systems that are strong and robust from the beginning.

This is the good part: if nothing works, nothing breaks. If you do shitty work, you don't have to worry about cybersecurity. But this is the bad part. Small and medium enterprises are more than 98.5% of the enterprises that make up the business network in Spain. That means that most enterprises can't afford to have a purple team, a red team, a blue team, or even one person dedicated exclusively to cybersecurity. So here's you trying to do your WordPress, trying to design, trying to develop, trying to secure, trying to sell, trying everything. Who is not this picture right now? Everyone is suffering the same? Yes? That's our main problem. People don't have money to pay a big security team.
So we are here trying to be the question man, trying to do everything by ourselves. So if you are a cybersecurity technician you don't have problems; your problem is the UX/UI. But if you are a UX/UI professional, normally you will have cybersecurity problems, backend problems, etc. So that's the main problem.

This is the second problem: people are idiots. Our users, but people are idiots. I mean, whatever you design, there's always an idiot using it. So we have to keep that level in mind when it comes to thinking about our users. And some people would say, don't be mean, my users are people I love, they are great people who take my service and stuff, but they are idiots also. Idiots you love? It's like your boyfriend. He's an idiot, but he's my idiot, but it's the same. And these are the people you are dealing with. It's the people who call you and tell you that they need to do a call because they don't like one color on your website. So you have to be very patient, but you have to have some technical knowledge that we don't always have, and this is the beginning of the phrase "learn to eat." And it's exhausting.

The first thing that, if you are a designer, a web designer, you should take into account is that there are lists of vulnerabilities that are published every year. I'm not revealing anything new. There is a list that is published every year that organizes by frequency the top ten vulnerabilities that they see in websites over the year. We, as WordPress developers, have two that are always with us: insecure design, because we start creating software and then we realize our software is not secure, and vulnerable and obsolete components. This is something that you may have heard until exhaustion these days: please update your plugins, please update your themes, please update your stuff as soon as you can.
There are, of course, the normal flaws that you have to take into account, like access control, the problems with cryptography, injection, incorrect security configuration. Fernando Tejado, this guy has a very good guide to configuring all the backend when you are installing your WordPress, so pay attention to this guy. And of course the normal flaws you have when you are developing any system, like identification and authentication, failures in security because you are not logging your movements and you don't know what's happening, or server-side request forgery, which goes with the way you put your URLs in your system.

There are, for designers and for software designers, a set of general security principles that are very, very important, not only for designers. These ones are very important for all. The first one is least privilege. That means that you shouldn't give privilege of access and control of data to your users, because your users are idiots. So if you are giving a user the privilege to get into your system and the user only needs to see pictures, don't show them, I don't know, bills, don't show them enterprise data, don't show them more than what they strictly need to see.

The next: simpler is safer. There is a guy who builds drones called Davi Melendes. Once they asked him which would be the best way to create a robotic arm to do stuff and move stuff from here to there and do a super cool path. He says, okay, put something like this and make it roll. And people say, no, we have to put a robot arm. He says the best technology is not to have technology. For us it's the same. The best web, for example, or the best system to maintain, is the one that has zero entrance of data in any way. If you don't have a user, you don't have to worry about the logging problems or the authentication problems. If you don't have any kind of connection with the outside world, you don't have to be worried about it.
If your website is just HTML and CSS, you don't have to worry about security. You have to worry about your website being shit, but the rest is nothing you have to worry about. Okay?

So, oh, sorry. Zero trust. Do you remember the GIF I used before, the one that says people are idiots? It's because of that. Okay? Zero trust. Your hosting may be the best, but they are insecure; your plugins may be the best, but they are insecure. The developer you hire because they graduated from Harvard is an idiot. Everyone is an idiot. You yourself are an idiot. I am an idiot. Everyone is an idiot. So, zero trust. Make everything so strong that you don't really need to trust anyone. Okay?

And expect the unexpected. I don't know if you see it, but there is a video of two firemen here, a firehose here, and there is a woman who comes, takes the firehose just like that, and starts walking, instead of doing this. Did you see that video? The firefighters are like, what? This is people as a concept. So expect the unexpected. If you put a firehose on the floor expecting people to do this, there's always one idiot who will do this instead. Okay? Expect that your data center goes up in flames. OVH didn't expect that and we all lost something in that fire. Expect everything. Expect the aliens coming to Earth trying to speak to our leaders. This will happen eventually.

So, deep defense. Deep defense. You will know it because some of you have been talking about this. Defend everything. Make everything strong. Go hard for the security. But please, and this is a personal case, don't make things so secure that they are unusable. If you can't use something because it's so secure that you can't use it, this is not well secured, because things have to be usable.

Security through obscurity is a principle that is kind of weird, because they defend that you don't give any information to your users.
Try to give the least information possible to your users on how things work. For example, I'm trying to enumerate your passwords and I put in a random username, and if you say "username is not correct," I know as an attacker that this username is not correct. If I use a bad password but the username is correct, and you put a message that says the username is correct but the password is not correct, I have this information to keep doing attacks on your systems. So try not to give information to people on how things work.

And white lists and black lists: is there anyone here who doesn't know what this means? A white list means I don't let anyone enter except the people I put on my white list, and a black list means I let anyone enter, but I block certain people that I have on my list. So the main recommendation tends to be to use white lists instead of black lists. But white lists mean you have to work more, because every time you want to use something that is forbidden by default, you have to put it on your list. So you have to measure which is better for you, but the main recommendation is to use white lists instead of black lists.

And of course you have to have a way to map any vulnerability and the route the data flows inside your system. I don't know if you know, but food has a concept called traceability.
I don't know if it's the word in English, but it's the way you have to know, for example, if you get sick from cheese, where this came from, where this cheese was sold, when it was made. I don't know how they make cheese, it's not my field of expertise, but you have to know where the people made that, whatever it is, and you should know what kind of materials they used to make the cheese. And of course I'm not familiar with anything related to cheese, as you can see, but it's sort of like that. You have to have the ability to trace what's happening with your data, to trace what's happening with the vulnerabilities in your system. You have to have all that information, because if you suffer an attack and don't have anything to trace it, you're lost, your data is lost, and mostly your money is lost too.

And there are special principles only applied to design. Make a context before designing a system. Make compromise difficult: try not to make it easy for people to compromise your info because you give more than expected. Make disruption difficult: try to make things not break because of one vulnerability, try to slice your system into as many modules as you can, etc. Make compromise detection easier: take into account in your design ways of detecting or looking at any kind of vulnerability or any kind of attack, take them into account, log them, and make them disrupt your working process the least possible. And reduce the impact of compromise, which is the same I said before: try so that any attack or any vulnerability breaks the least amount of things possible. So it's just intuition: try not to break things, try to stop people from breaking your stuff, and try to stop people from creating a big problem that makes you lose money. So it's kind of easy to take them into account, no?
Yes, security by design is a principle that is very interesting, because it's a way of seeing your software as secure before beautiful. You create software that is made especially to be secure, and then to be usable, beautiful, interesting, whatever. Security first and then the rest, and this comes by the steps of the design process.

We have sort of a little list of principles that security by design has, and they are quite easy. Expect attacks: everyone will attack you. This phrase, "no one is interested in my data because I am nobody," this is shit, I'm sorry, this doesn't work. "I am a hairdresser and nobody wants my data," this is shit. Don't do that. Take care of your data. And if they say that, don't take a newspaper and slap them in the face. Avoid security through obscurity: as I said before, this is a principle that has been under discussion by certain people, because security people don't want to give you more information than what you need on how things work, but security by design says, if you can secure your system, I don't have to hide any info from you. If things are well done, I don't need to hide info. So you have to measure what you want to hide and what you don't want to hide. It's just like that. And give the fewest privileges, because people are idiots. Use any security by design methodology; there are a few. One that is very widely known is from Microsoft, the people who are having a zero-day every day. They have a methodology of security by design, I'm just dropping that here, but they have a methodology. And something that is quite boring and weird, and we used to take it for granted, is compliance. Compliance is all the legal documents that are related to the use or the creation of your software, so always take compliance into account, because there are some things that you cannot do, just because they are illegal in the place you are selling your software. And of course, mind the server-client architectures, because they have more
doors, or more vectors, or more security points that you have to view, so they are the most prone to being attacked. And of course follow the best practices, and the best practices try not to break anything: separate components, because if you break anything, things don't need to be broken completely, so separate stuff. And of course use the least privilege principle, because if you haven't heard this in this talk, people are idiots, so don't give them more than expected. And of course, if you follow these principles when it comes to designing these kinds of systems, you will be the guy with the giant sword trying to kill the idiots trying to use your system. So take this into account.

And if you want to insult me, there is an email there; I am always on Twitter. If you want to worship me because you love me by this time, you can follow me and talk to me. Thank you all for being here and for attending this talk. Any questions? They can be in Spanish, I understand that. No? It's time to eat and nobody wants to ask questions, like, "I want to go, nice talk, let me go." Okay, you are free. Thank you so much for coming, and see you there.
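The login-message point the speaker makes (a "username is not correct" reply versus a "password is not correct" reply tells an attacker which usernames exist) can be shown side by side with the uniform reply she recommends. This is an added example written for this transcript, not code from the talk or from WordPress; the user store, salt, password and message strings are constructed for the demo, and `reveals_user_existence` is a hypothetical self-check a developer could run against their own login handler.

```python
import hashlib
import hmac

# Constructed demo user store: username -> (salt, PBKDF2-SHA256 hash).
# This is not WordPress's real user table; it only stands in for one.
def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-static-salt-for-demo"
USERS = {
    "alice": (_SALT, _pbkdf2("correct horse battery staple", _SALT)),
}

# Dummy hash used when the username is unknown, so that an unknown user still
# costs one full hash computation and the response time does not reveal existence.
_DUMMY_HASH = _pbkdf2("dummy", _SALT)

GENERIC_MESSAGE = "invalid username or password"


def login_leaky(username: str, password: str):
    """The 'before' form from the talk: two different messages leak which part failed."""
    if username not in USERS:
        return (False, "username is not correct")
    salt, stored = USERS[username]
    if not hmac.compare_digest(_pbkdf2(password, salt), stored):
        return (False, "password is not correct")
    return (True, "ok")


def login_uniform(username: str, password: str):
    """Hardened form: same message and same amount of work whichever part failed."""
    salt, stored = USERS.get(username, (_SALT, _DUMMY_HASH))
    candidate = _pbkdf2(password, salt)
    # compare_digest runs first so the timing is the same for both failure cases;
    # the membership check prevents the dummy hash from ever granting access.
    ok = hmac.compare_digest(candidate, stored) and username in USERS
    return (ok, "ok" if ok else GENERIC_MESSAGE)


def reveals_user_existence(login_fn) -> bool:
    """Hypothetical self-check: does the handler answer differently for an unknown
    user than for a known user with the wrong password?"""
    _, msg_unknown = login_fn("no-such-user", "wrong-password")
    _, msg_wrong_pw = login_fn("alice", "wrong-password")
    return msg_unknown != msg_wrong_pw


if __name__ == "__main__":
    print("leaky handler reveals users:", reveals_user_existence(login_leaky))
    print("uniform handler reveals users:", reveals_user_existence(login_uniform))
```

The self-check only compares message text; the dummy-hash trick is what keeps response time from becoming the second channel the speaker's "don't tell me which part was wrong" advice is about.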
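The speaker's white list versus black list explanation (a white list admits only what is listed, a black list admits everything except what is listed, and the recommendation is the white list even though it costs more upkeep) is easiest to see on one concrete decision, such as which file types an upload form accepts. This is an added example, not code from the talk or from WordPress; the two lists and the sample filenames are constructed, and `compare_policies` is a hypothetical helper that lists exactly where the two policies disagree.

```python
import os

# Constructed block list: the types the developer happened to think of.
BLOCKLIST = {"php", "js", "exe"}

# Constructed allow list: the types the feature actually needs to accept.
ALLOWLIST = {"jpg", "jpeg", "png", "gif", "pdf"}


def _extension(filename: str) -> str:
    """Last extension, lower-cased, so 'Photo.JPG' and 'photo.jpg' are treated alike."""
    _, ext = os.path.splitext(filename)
    return ext.lstrip(".").lower()


def blocklist_allows(filename: str) -> bool:
    """Black list: everything is allowed unless its extension is listed."""
    return _extension(filename) not in BLOCKLIST


def allowlist_allows(filename: str) -> bool:
    """White list: nothing is allowed unless its extension is listed."""
    return _extension(filename) in ALLOWLIST


def compare_policies(filenames):
    """Hypothetical helper: the names the block list admits but the allow list rejects.
    Every entry here is a type nobody decided about; the block list admits it by default."""
    return [f for f in filenames if blocklist_allows(f) and not allowlist_allows(f)]


# Constructed sample uploads, including a file with no extension at all.
SAMPLE_UPLOADS = ["photo.jpg", "invoice.pdf", "script.php",
                  "archive.svg", "macro.docm", "notes.txt", "README"]


if __name__ == "__main__":
    for name in SAMPLE_UPLOADS:
        print(f"{name:12} blocklist={blocklist_allows(name)!s:5} allowlist={allowlist_allows(name)}")
    print("admitted only because nobody listed them:", compare_policies(SAMPLE_UPLOADS))
```

The trade-off the speaker mentions shows up directly: when a new legitimate type is needed, `ALLOWLIST` has to be edited, whereas the block list silently admits it (and everything else nobody listed).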