In this episode, I interview Anastasiia Voitova about mobile security and the trade-offs it involves (cost, user experience, team collaboration). She has some great advice about how much to invest in your project. We talk about early start-up and try to give a good rule about how much to invest in security.
=============Bio===============
Anastasiia Voitova, Head of customer solutions, security software engineer at Cossack Labs, is a software engineer with 10+ experience years. She builds security tools for protecting data during the whole lifecycle (encrypt everything!). Anastasiia shares a lot about "boring cryptography", end-to-end encryption, data security, zero-knowledge & zero trust systems, software security architecture. She speaks at international conferences, conducts workshops and training for developers, and co-organizes cybersec events.
Twitter: https://twitter.com/vixentael
=============Quotes============
"Security is a process and this is a very long process. And there is not this and like table and ribbon, finish ribbon that says, yeah, you're done. Sorry, you're not done. You can do it all the time like month after month, year after year. So the question with security engineering is a question of tradeoff. How to put just enough money into security to have a secure application not to get into, you know, super paranoia mode, not to create applications that is very secure, but no one will use it. At the same time still invest money, because if you don't invest money and in security, it won't happen magically right now. So it's like a game with trade-offs."
"However, really scary things happen when it's not only about money, but it's more related to our physical life. For example, those mobile applications that can control automobiles, controlled cars. And now, especially electric or hybrid car. They have a mobile app that controls this car. And there were cases with Nissan Leaf, for example, where you can just get the application check the network connection from the app to the backend. Go to the Nissan Leaf parking lot and enumerate, like find a Nissan Leaf car ID, just by enumeration and you might be lucky. And there is this car in this parking lot with this ID and suddenly you can control someone else's car."
"Well, you know, like no one really aims to create insecure applications. So I don't know a lot of people whose goal was to create bad applications. OK, so it's not something that happens intentionally and it's not something that we can fix. And that's something that we can say to someone else, just like some person on our team, "Hey stop doing that". To do more secure applications, we need some kind of process that will integrate security into the life of our team, basically like day by day, week by week, as in a process that they can't run away from."
=============Links==============
Themis crypto lib: https://github.com/cossacklabs/themis
Cossack Labs blog: https://www.cossacklabs.com/blog
Security Workshop for devs: https://github.com/vixentael/security-data-management-for-app-devs-workshop
OWASP (Open Web Application Security Project) MASVS (Mobile Application Security Verification Standard): https://github.com/OWASP/owasp-masvs
NIST guidelines for passwords: https://pages.nist.gov/800-63-3/sp800-63-3.html
