Building Secure & Reliable Systems (O'Reilly) - book notes

passwords & power drills
reliability & security - design
confidentiality, integrity & availability
reliability & security - commonalities
motivations
profiles
methods
risk assessment factors
production environments
google tool proxy
design objectives & requirements
balancing requirements
managing tensions & aligning goals
initial vs sustained velocity
concepts & terminology
risk-based access classification
best practices
example - configuration distribution
authentication & authorization policy framework
advanced controls
tradeoffs & tensions
why is this important?
understandable system design
system architecture
software design
types of security changes
designing your change
architecture decisions & change velocity
different speeds & timelines
complications
example - heartbleed
design principles
defense in depth
controlling degradation
controlling the blast radius
failure domains & redundancies
continuous validation
practical advice
attack & defense strategies
defensive design
mitigating attacks
self-inflicted attacks
background
why needed?
build or buy?
design, implementation & maintenance factors
frameworks to enforce security & reliability
common vulnerabilities
lessons learned
simplicity is your friend
security & reliability by default
unit testing
integration testing
dynamic program analysis
fuzz testing
static program analysis
concepts & terms
threat models
best practices
securing against a threat model
advanced mitigation
practical advice
securing against a threat model, pt 2
debugging to investigation
logging
debugging access
definitions
response strategies
risk analysis
incident response team - setup
pre-staging systems & people
testing systems & response plans
google examples
is this a crisis or not?
taking command
keeping control
communications
putting it together
logistics
timeline
planning a recovery
initiating a recovery
after the recovery
examples
background
security = team responsibility
help users safely navigate
speed matters
design for defense in depth
transparency
who is responsible?
integrating security into an organization
definition
culture via good practices
convincing leadership