Sep 21, 2023

Assume Breach: Building Resilient Systems in an Era of Constant Threats

Assume Breach might seem a strange and pessimistic perspective to take when developing software solutions but can help us develop more secure solutions. The position assumes that it's not if but when a solution will be attacked or breached and is one of the first concepts, we teach on our Introduction to AppSec course.

It's not just large organizations that should be concerned they will be attacked either as smaller organizations can be a tempting and sometimes softer target for adversaries. For example, an attacker may want to make use of free computing resources that a poorly protected VM can provide to launch an attack or perhaps use a smaller company as a steppingstone to gain entry to a connected organization.

When developing solutions, a software development team can do everything right from a security perspective, but the application can still end up getting breached. This is because software doesn’t exist in a vacuum and is dependent on many other items.  

Even a theoretically 100% secure application (which does not exist!) can end up getting breached as:

By taking the assume breach perspective we ask questions such as:

“If an attacker was able to circumvent protections such as firewall rules what they could do?”

“What if an attacker gained database access could they read the sensitive information?”

We can then look at the defenses (controls) we can put in place to prevent or limit the damage that can be done.

Additional protections provide value outside of security and can protect us from mistakes such as accidental deletion or corruption of data.  

Of course, adding additional defenses can be expensive and have other implications so it’s important to balance these with the value of assets they are protecting.

Defenses take many forms from restrictive firewall rules to providing minimal database permissions limiting an attacker's options if a SQL injection issue was discovered to key system functions requiring multiple approvers to making sure data is encrypted at rest.  

Adding multiple protections provides defense in depth if one defense was to fail.

By assuming the worst, we can put in place additional defenses to prevent or mitigate the damage attackers can do and create more secure and resilient applications.

Interested in hearing more?
Lets connect.
January 17, 2024
AWS re:Invent 2023 (Part 02) Compute / Container / Serverless and Storage Major Announcements

At the re:Invent 2023 conference, AI became a major focus, with AWS introducing exciting updates in Compute, Container, Serverless technologies, and Storage. These advancements highlight AWS's commitment to pushing the limits of cloud computing, showcasing their dedication to innovation.

learn more
December 20, 2023
AWS re:Invent 2023 (Part 01) Generative AI / Machine Learning Major Announcements

The recently concluded AWS re:Invent 2023 in Las Vegas highlighted artificial intelligence as a central theme, with special attention given to Amazon Bedrock and Amazon Q. These cutting-edge technologies, particularly Amazon Q a new generative AI-powered assistant, took center stage during the keynote presentations. AWS re:Invent serves as a premier learning conference for the global cloud-computing community, providing an in-person platform for keynote revelations, extensive training and certification opportunities, over 2,000 technical sessions, the Expo, engaging after-hours events, and more.

learn more
November 16, 2023
Unlocking Remote Software Engineering Team Productivity

learn more
SERVICES
INSIGHTS
WHO WE ARE
CONTACT