Cloud-based Data Validation patterns… We need a new approach! (presented at DeepSec 2014)

by Geoffrey Hill

Summary: The current methodology in nearly every organisation is to create data-validation gates at fixed points in the processing path. When an organisation moves to a cloud-based strategy, these security-quality gates may inadvertently be bypassed or suppressed, because data can reach a component by a route that never passed through them. This talk discusses a methodology that encapsulates validation at the object level, so that each object holds validated or sanitised data at any given point in time.
Two kinds of patterns will be discussed: a validated object pattern and a tokenised object pattern. Example use-cases will be detailed for the delegates.
Advantages and possible pitfalls of these patterns in security design will also be reviewed.
Examples will be given in several main programming languages.
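As an added illustration of the two patterns named in the summary (example code written for this page, not material from Geoffrey Hill's talk), here is one way to realise them in Python. The reading of the patterns is an assumption: a "validated object" is one whose constructor is the only place validation happens, so an instance cannot exist while holding unvalidated data; a "tokenised object" carries an opaque token plus a display fragment in place of the sensitive value, which is held in a vault under separate control. The TokenVault class, the tok_ token prefix, the accepts() helper and the Luhn-valid test card number 4111 1111 1111 1111 are all constructed for the example.

```python
import re
import secrets
from dataclasses import dataclass


class ValidationError(ValueError):
    """Raised by a validated object's constructor: the instance is never created."""


# ---- Validated object pattern -------------------------------------------------
# Validation lives in the constructor, not in a gateway in front of the service.
# Any code holding an Email or CardNumber instance therefore holds data that has
# already passed the check, whichever route it took into the system.

_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}")


@dataclass(frozen=True)
class Email:
    value: str

    def __post_init__(self) -> None:
        normalised = self.value.strip().lower()
        if not _EMAIL_RE.fullmatch(normalised):
            raise ValidationError("not a syntactically valid e-mail address")
        # frozen dataclass: store the normalised form via object.__setattr__
        object.__setattr__(self, "value", normalised)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class CardNumber:
    value: str

    def __post_init__(self) -> None:
        digits = re.sub(r"[ -]", "", self.value)  # tolerate display formatting
        if not digits.isdigit() or not 12 <= len(digits) <= 19:
            raise ValidationError("card number must be 12 to 19 digits")
        if not luhn_ok(digits):
            raise ValidationError("card number fails the Luhn check")
        object.__setattr__(self, "value", digits)

    def __repr__(self) -> str:
        # never let the full PAN leak into logs or tracebacks via repr()
        return f"CardNumber(****{self.value[-4:]})"


# ---- Tokenised object pattern -------------------------------------------------
# The object that travels through the (cloud) system carries only an opaque token
# and a display fragment; the real value lives in a vault (in-memory here, an
# assumption for the example; in practice a separately secured service).

@dataclass(frozen=True)
class TokenisedCard:
    token: str
    last4: str

    def __post_init__(self) -> None:
        # the tokenised object is itself a validated object
        if not self.token.startswith("tok_") or not (len(self.last4) == 4 and self.last4.isdigit()):
            raise ValidationError("malformed tokenised card")


class TokenVault:
    def __init__(self) -> None:
        self._store = {}  # token -> full card number; the only copy of the PAN

    def tokenise(self, card: CardNumber) -> TokenisedCard:
        token = "tok_" + secrets.token_urlsafe(16)  # 128 random bits, unguessable
        self._store[token] = card.value
        return TokenisedCard(token=token, last4=card.value[-4:])

    def detokenise(self, tc: TokenisedCard) -> CardNumber:
        try:
            return CardNumber(self._store[tc.token])  # re-validated on the way out
        except KeyError:
            raise ValidationError("unknown token") from None


def charge(vault: TokenVault, tc: TokenisedCard) -> str:
    """A consumer that only ever receives the tokenised object and detokenises at the last moment."""
    pan = vault.detokenise(tc).value
    return f"charged card ending {pan[-4:]}"


def accepts(cls, raw: str) -> bool:
    """True if cls(raw) constructs, i.e. the input passed that object's validation."""
    try:
        cls(raw)
        return True
    except ValidationError:
        return False


if __name__ == "__main__":
    vault = TokenVault()
    tc = vault.tokenise(CardNumber("4111 1111 1111 1111"))  # constructed test PAN
    print(tc)  # only the token and the last four digits are visible
    print(charge(vault, tc))
    print("rejects bad checksum:", not accepts(CardNumber, "4111 1111 1111 1112"))
```

Two caveats a practitioner should keep in mind with this approach. The guarantee holds only as long as the constructor cannot be bypassed: in Python, unpickling and object.__new__() skip __post_init__, so a CardNumber deserialised from an untrusted source has not been validated, and the same applies to any ORM or serialisation framework in other languages that builds instances without running the constructor. Tokenisation also does not remove the sensitive value, it relocates it; the vault and its detokenise path become the control point, so access to them needs the same scrutiny the original gate had.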
Geoffrey Hill has been in the IT industry since 1990, when he developed and sold a C++ application to measure risk in the commodities markets in New York City. Since then he has worked as a senior developer of quantitative finance applications in Nomura Finance (New York), Mitsukoshi Finance (Japan), Macquarie Finance (Australia) and NatWest Bank (UK).
From 2007 - 2011, Geoffrey was the custodian of the Security Development Lifecycle (SDL) initiative in the Services organization at Microsoft, with endorsement by the Microsoft Trustworthy Computing Initiative Group. He was responsible for the Security Engineering of several high-profile Microsoft Services projects, including the British Telecom pay-per-view Vision service and the United Nations World Economic Forum Collaboration Service.
Geoffrey was recently employed by Cigital Inc., a company that specialises in incorporating secure engineering development frameworks into the software development lifecycles of client organisations. Over the last three years he led the software security initiative at a major phone manufacturer and at a major central European bank.
He is currently starting up his own security consulting company called Artis-Secure. It is focused on making security development frameworks better integrated with business processes.
As for hobbies… he's currently planning a massive fancy-dress gathering next year in an Irish castle.