Thinking about Secure Design

Talks May 27, 2016

NULL Hyderabad monthly security meet is back! I had to give a talk on short notice and I didn't have enough time to prepare a good demo-driven technical topic. While it is easy for me to do any basic topic, I wanted to take this as a challenge and THINK about what best I could give in the limited time I had. I wanted to be creative (read crazy :D).

Yeah, I wanted to connect two seemingly unrelated dots, both of which I had decent exposure to - Security and the game of 64 squares, Chess. If you look closely, both have several intersection points - Threats, Weaknesses, Attackers, Defenders, Traps, Mitigations (Defenses), Strategies, Tactics, and the list goes on. What else could give me better analogies to explain Secure Design? Surprising that I never had this thought until now. At times, you tend to think better when you have a strong force demanding excellence, and you love the force. Isn't it? :)

Here are the slides from my talk:

If you know basic Chess moves, I would recommend going through the positions. They are damn interesting! In particular, you should not miss the game - The Opera House Massacre. In the slides, you will also see a blindfold Chess trainer. I created it in 2009 just to practice blindfold chess, but I never used it myself. However, I gave the link to a couple of Chess academies so that they could use it to train their students. While I built it for fun, little did I realize that it would go on to help several hundred students. I came to know from a Chess coach (a friend of mine) that several young kids use it in their daily practice. You can find the source code of the tool at this GitHub repo.

While I am not sure if the audience got the Chess-related intricacies in the slides, I think I was able to bring out the analogies and get the message across. At least, the audience stayed glued till the end of the talk, though it was lunch time (1.30 PM already). So I will take the benefit of the doubt ;)

The NULL Hyd team has started covering the OWASP Top 10 as a series. This time it was A2 - Broken Authentication and Session Management, and Mahesh Bheema did a decent job of explaining it from the ground up! We also had security news bytes by Vamsi and a session on attacking OAuth by Prashanth.

We had a surprise visitor at this meet - Bharadwaj Machiraju. The OWTF guy was in full swing and explained how he is attempting to make machines do the job for him (Machine Learning, that is!).

Bharadwaj has always been an inquisitive and energetic guy, and I am glad that he is aiming to do amazing things in security. Watch out for this guy! On the whole, we had yet another fantastic meet. We are growing!

I am a Chess enthusiast and fortunately got trained by brilliant professional Chess coaches during my Engineering days (2003-07). I have played in a few district and inter-zonal tournaments and participated in the All India Inter University championship in 2006. I am not a FIDE-rated player and gave up participating in tournaments after I got into the IT profession. Chess is an addiction - once you learn it properly, you cannot get rid of it. While I don't do serious practice anymore, I enjoy playing blitz almost every day. Check out my Chess blog for some of my little adventures.