We Hack Purple Podcast

We Hack Purple Podcast Episode 68 with guest Gagandeep Singh

March 28, 2023 Tanya Janca / Gagandeep Singh Season 3 Episode 68

In episode 68 of the We Hack Purple Podcast, host Tanya Janca dives into Domain Driven Design (and development) with Gagandeep Singh. Gagandeep is an avid blogger, and Tanya read his article on DDD and just had to interview him. We discussed whether domain driven design and domain driven development are the same thing (they aren't!), the security advantages of DDD, and how Trusted Types and the Content Security Policy header come into play. We discussed the concept of having the security of a feature be part of the design and the feature itself, and the huge security advantages we can expect to see. To hear more, you need to see the episode!


Gagandeep’s Bio:

Gagandeep Juneja is an experienced Information Security professional working in the Information Technology and Services industry. He works in the Application Security domain: security assessment, threat modeling, architecture review, DevSecOps, and guidelines for security technologies to develop effective secure solutions. In his opinion, focusing on securing code results in fewer vulnerabilities in the solution. Domain Driven Design sets the bar higher for software development, providing an efficient way to design and develop a more secure IT solution.

His blog: https://securityintelligence.com/posts/secure-coding-domain-driven-design/


Very special thanks to our sponsor: The Diana Initiative

A conference committed to helping all those underrepresented in Information Security: Monday, August 7, 2023, in person at The Westin Las Vegas Hotel & Spa.



Join We Hack Purple!

We have new courses in the We Hack Purple Academy! Join us in the We Hack Purple Community: a fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find us, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more!




Welcome to the We Hack Purple podcast, where each episode we meet a new person who works in information security, but ideally someone who helps to secure software as part of their work. This episode is sponsored by the Diana Initiative. They are an amazing conference that focuses on getting people from underrepresented groups to start working in information security. We want more of you, and that means every single person, to join our field, and this is what they do with their conference, which is August 7th in Las Vegas, Nevada, United States, also known as Vegas, and it happens just before DEF CON and Black Hat. So if you're going down there anyway, you could go one day early and attend this amazing, amazing, amazing event. But you're not here to hear about our sponsor, usually; you're here to hear about our guests, and our guest this week is Gagandeep Singh, and he's awesome. So I was reading his stuff and reading his blog on the internet, and I thought, okay, so maybe if I invite him on the show he'll say yes; the worst he could do is say no. And I asked him, and he said yes. Will you tell our audience a little bit more about you?

Yeah, thanks Tanya for having me and sharing my experience here. About me: this is Gagandeep, and I have 11 years of IT experience. I started working as a developer, and very soon in my career I realized the importance of writing secure code and building secure products, so I started practicing writing secure code, and from there my interest in security grew. I do security testing as my key skill, and I did perform vulnerability assessments, code review, pen tests and offensive security at different stages of my career. Now I am working more on the defensive side and application security side, so I perform threat modeling, design review and DevSecOps, and help developers with their security needs.


The main reason that I was like, I have to talk to him, was: I am writing my next book, which is called Alice and Bob Learn Secure Coding, and there is a section where I wanted to talk about domain driven development and how, so it's sort of like a fancier, newer, more organized way to write software, and it has all these awesome security benefits. So then when I was looking up all of the stuff, I just kept finding you. So I felt like you had a blog post that, to me, explained it in the most clear way; you went over a lot of the reasons why it's good. And so I was hoping, can we talk? First of all, could you just give sort of an overview of what the heck is design driven development?

Before we get into domain driven design, I would like to share that when a software is built, the teams mostly focus on just making things work, and that is the main goal of the development teams. When developing a product, quality assurance, time to market and cost are the more driving principles, and when security vulnerabilities are identified, we follow a more reactive approach in remediating them. But with domain driven design the bar is a little bit higher with regards to most software development, and domain driven design does not just focus on how the system should work but on having a deeper understanding of what we are ... and there is a significant emphasis on understanding the problem domain and what we are building rather than just focusing on the solutions. And with domain driven design we take active decisions throughout the different phases of the development life cycle, and eventually the focus is on the design, which is zeroed down from the code to the architecture level, so that the end solution is more secure.

That's what I liked about it. When I was, so I had put on the internet, like, I'm thinking of covering these things, and someone said you should cover domain-driven design and development, and I was like, oh, I actually hadn't heard of this before. And then when I was reading about it, the idea of, you know, naming things and organizing things based on what the product is about, so let's say it builds cars, like having the car object or whatever and all the things inside of it, the idea is to make it really readable and easily understandable. And I feel, from a security perspective, sometimes we come in and we look at an app and we're like, what's this thing supposed to do? Oh my gosh. And with domain driven design it makes so much more sense, like right out of the box, from the first time you look at it, it's like, oh, this does this and this does that. Thanks, guys. So in your blog article, and we've discussed, just what are some of the security advantages that might happen?

For domain driven design and understanding the security advantages, I will take a step back and highlight the issues which we are facing right now in our traditional approach. So when the developers are asked to build the product and there is a security vulnerability, during development they have to have an explicit knowledge about security vulnerabilities, and their focus is on vulnerabilities rather than solving the business problem and building the business functionality. And with that, developers need to have a good knowledge about security, and we consider them to be a security expert also, along with a developer. With domain driven design, where the organizations are now focusing more is, with the shift left approach, we can incorporate security early in the development life cycle, which will make the development life cycle more effortless, and security is integrated into it.

So to explain the advantages I will use an example. For example, we have a simple application which we are using for uploading images. So for that application we will need a login page, and the login page eventually becomes a feature of an ... yeah, but as an end user I would like my images on the application to be more confidential, and not going into an unauthorized hand. So I wanted my images to be more confidential. So security is the concern of a user, so eventually it becomes a security concern with domain driven design, not just a feature. So eventually, even if we are building an application, we should not just focus on security features; we should take security as a concern of an end user, like in this case confidentiality, and a login mechanism gives confidentiality in an application. And understanding that concern, security concerns, we will say that the CIA is the main concern of security basically. So the four pillars of domain driven design are confidentiality, integrity, availability and traceability, and those things are eventually integrated into the life cycle, and when the user stories are defined on those principles, this will eventually lead to fewer security vulnerabilities and having a positive impact in the development life cycle.


I feel like having security be a part of the feature itself, like built in from the beginning rather than being added on later, that sounds great. I remember you were saying, so for instance if we have a file upload feature, we would want to create a secure file upload feature, and security is outlined in what the feature does, like it's part of the description of what will be performed. So it's not that we're doing a file upload and we're smashing a security control on top of it; it's that the feature that we are offering to our users is to securely upload files, and this is how we accomplish that whole thing, and a bunch of the things in it are security. Does that make sense?

Yes, yes. Eventually, if we are building a good design and taking all the things into consideration, then this becomes a natural process rather than, I would say, an interest of that, and we need an expert for it. Defining the user stories in a more structured way will eventually have natural benefits to the development life cycle. So yeah.

Okay, so one of the things when I was reading up on domain driven development was ... so I went to go see a talk in September of 2020, no, 2022, in Vienna at this conference called Sec4Dev, and there was this guy who gave a talk, his name's Michael Copeland, and he talked about, so, content security policy headers growing and growing and growing; it does more and more stuff. And so there was a guy named Lucas that works at Google and he talked about that, but then Michael talked about specifically part of it, with trusted ... is a way that we could enforce the domain-driven development. So you implement a CSP, and one of the things you would say is, these are specific trusted types and you can only use these types. So instead of having, let's say, you know, you have an object and it collects an email address, but it's not a validated email address, it's just something we got from the user; we don't know if this is good or not. And then rather than us running it through a validation function of some sort, we pass it to another object that's called validated email address, and then what it does is it validates it, and then it returns either the email address or fails, because it's not validated, right, and it throws an error, and it says to the original email address thing, hey, go out and get that email address again because it's no good. And so from then on, in all the rest of your application, you just access the validated email address. And so this solves the problem of, I'm sure you've seen this before, where a developer takes something from the user and there is a validation feature somewhere in the app, but sometimes they use it first to make a business decision: they take the user input from the user and make a business decision before they validated it, or they forgot to do the input validation, like just this one time, and then it gets used somewhere to make a business decision, like, you know, something we should send to the SQL server or something like that, and then disaster ensues. So with domain-driven development, if we're planning these domains and we're using trusted types, CSP can say, you know, we don't use the email address, we only use the validated email address type from now on, and so that means you can't put that to the screen or you can't do these other things with it, and CSP helps. So while you're coding it may seem annoying, where it's like, you can't use that, and I'm like, why? It's like, because it's the email address, not the validated email address, Tanya, that's why; you're supposed to use them. Like, oh, CSP, you're right. And so that was one of the ways that was suggested that we would be able to kind of force some of the domain-driven development, because the idea of domain driven development is awesome but enforcing it seems like it can be complex. Did you want to add any other things on ...


Yes, I would like to add one more feature about a key principle of domain driven design: failing fast. As you were saying about validating the email address, when a user input is ingested into an application, based on the user input we validate it, like based on what the design, the contract of the design, says, and if the email address, for example, is invalid, that request, before it is processed by the method, is discarded. So it eventually helps in sanitizing the input, and only a correct structure of input is ingested into the application. So yeah, this is one of the key principles of domain driven design. And apart from that, I would say validation is always a very critical aspect of all the applications, and if the user input is not validated properly it can lead into various types of attacks like cross-site scripting or code injection, and it's an attacker's playground to exploit, to the level of extent they want to go. And I would say that when interacting with developers, validation is not properly understood, and with domain driven design, with this particular concept, we can define at various stages where we can validate a user input, and ideally there are five stages we can validate a user input in to ensure that no malicious input is ingested into the application. So the first one is to check the origin from where the data is coming, then the size of the user input, and the lexical content of the user input, and we can do it through regex or other ways, other open source libraries for it, and the syntax which is there in the user input, and eventually the semantics of the user input, to ensure that all the user input makes sense for an application to process it. So if we implement validation at these levels, then I would say a very high number, I would say 90 percent, of security issues are resolved if we are validating user input properly.

Literally, that was the exact question I was going to ask you: how many security problems would just be eliminated if we all did perfect input validation? Yes, yes. So if everyone could just listen to what he said, especially every software developer on the planet, just follow his advice, I'd appreciate it, because seriously, you and I, we wouldn't need jobs, or we would need to get other jobs, because everything would be, no, might be, so much better. If input validation, input validation and proper hardening and keeping up with patches, the world would be a very secure place.

So true. And I think domain driven development, and actually I have one more ... I mean, I have a thousand questions, but I want to respect your time. So domain driven design and domain driven development, are those kind of the same thing, or are they sort of different?

Basically, the design, I would say, I will explain to you in terms of the SDLC. So before we actually develop anything we design it, and the terms, they are, I would say, one and the same thing, and it is used at different stages. So when we are designing a solution, what we mean is to model basically an application and a problem statement, where, I would say, modeling requires collaboration between domain and software practitioners, where the requirements are being fetched and understood and then written into user stories. And once we understand what we need to build, then we design our solution, and eventually that leads to development. So having a strong design will make sure that the development is more secure and well understood by the developers when they are writing code. So I would say there is a definite, I would say, mapping between them, and they go in sync together.

Okay, so I'm going to ask a super sensitive question. So when I was a software developer, I was never handed a good design doc. They'd be like, it's going to do this stuff, good luck, Janca. I never got, like, you know, this is the domain it's in, these are the objects we want, this is that. I never ever received something like that when I was a developer. Is this something that's in wide practice? Is this something that organizations could implement? Like, how could we take advantage of this cool methodology?

Yes, I would say that this is a very advanced, I would say, principle, and if we follow and if we understand domain driven design, then developing a very complex solution will eventually become very easy for us to implement. And so for that we have to understand the building blocks of domain driven design, and I will go through them, like on a high level, on the building blocks. So the first is entities. So what are entities? Entities are, I would say, a primary key or a key identity of an individual or a product which is consistent throughout the entire life cycle, and we should emphasize that once we are defining an entity it should be always consistent and well coordinated throughout the life cycle, which will make sure that we can control the behavior of an object in an application, and then it will help us in resolving a lot of security issues later in the ...


Oh, sorry, please. Yeah, sorry, sorry. I feel like if we could hand to a software developer or a team of software ... an entire design modeled upon this methodology, I feel like it would be a dream as a dev. It's like, oh, I know, like I just like feeling like, so right, I got this. Like, have you ever had a chance to work with this where you got to get feedback from the developers as to if they liked having this level of guidance?

I would say that I have not so far been able to pitch this idea for most of our customers, because it is still relatively new for people to understand and start implementing. But it is, I would say, a very powerful principle, and through this I would like people to be aware and adopt this new methodology, in which we can eventually build more secure products, and eventually reading through code will make sense for the people in the longer run, and the maintainability of our solution will be very beneficial.

It will be very beneficial for us.

No, I agree completely. I mean, like, when I was a software developer the design doc would be like ... the idea of being passed something that's so organized and just being able to look over it, because I remember being a dev and like talking about the things and saying, like, yo, this won't work because of this, or this can work because of that, and offering feedback on designs, but actually getting one that was good and getting to work with it, I ... It might speed up the entire development process because they have clear guidance for the first time, and from a security perspective, being able to just look at the design and having literally the words explain what it does, that sounds ... Okay, so we are coming to the end of our time, and so I'm going to ask the thing I always ask: if people want more of you, where could they perhaps follow you on social media, or maybe you might have a blog that they might want to read?

Yes, I have a blog which we can share with this platform, and people who are interested in understanding and like diving in deep with me, I will be very happy to collaborate with them. And I'm active on LinkedIn, and I can share the link with you and will be happy to connect with people who have similar interests.

That would be awesome. So if you are listening or watching, so if you're watching, you're on YouTube, you just go down the page and there will be links to all of the things that we talked about so that you can follow him and you can read his blog. If you are listening, it's audio only, chances are you're on a podcast episode; if you go to the show notes you should be able to see this link, but some of the podcast platforms don't allow that, so for you folks I would say that you should cruise on over to wehackpurple.com, podcast, and then you will see this gentleman's face and hear his voice and go to his page. So this, I believe, is going to be number 68, podcast episode 68, and so if you scroll down we have a whole bunch and you will find this one and it will say design driven development. I want to thank our sponsor one more time, the Diana Initiative. This is a conference that is focused specifically on helping people from underrepresented groups get into information security, so working in our field. Their event is held August 7th in Las Vegas in the United States. It's gonna be hot there, it's going to be very warm. Their tickets are super reasonably priced compared to basically everything else that ever happens in Las Vegas. There's going to be tons of friendly faces, including mine. We Hack Purple is a proud sponsor of the Diana Initiative and I'm looking forward to seeing lots of you there. But now that I've thanked my sponsor, I want to say thank you to my guest. I really appreciate you being on our podcast, and I know that it's not like you do 100 podcasts all the time, so I appreciate you taking a chance on We Hack Purple ...


Yep, thanks Tanya for having me and giving me the opportunity to express this. Awesome, okay, bye everyone.
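The conversation above describes two related ideas without code: Tanya's "validated email address" object that the rest of the application must use instead of raw input, and Gagandeep's fail-fast validation in five stages (origin, size, lexical content, syntax, semantics). The following Python is an added example written for this page by the editor; it is not code from the podcast, from Gagandeep's article, or from any project the episode mentions. The class and function names, the trusted-origin list, the allowed-domain list and the sample requests are all constructed assumptions made to show the pattern.

```python
"""Fail-fast input validation as a domain value object (constructed example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed policy for this example; a real application defines its own.
TRUSTED_ORIGINS = {"signup-form", "profile-form"}
MAX_EMAIL_LENGTH = 254                              # RFC 5321 limit on a mailbox path
ALLOWED_DOMAINS = {"example.com", "example.org"}    # hypothetical semantic rule

# Stage 3, lexical content: only characters an address may contain here.
_LEXICAL = re.compile(r"[A-Za-z0-9._%+@-]+")
# Stage 4, syntax: one local part, one '@', a dotted domain with a 2+ letter TLD.
_SYNTAX = re.compile(r"[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")


class InvalidEmailAddress(ValueError):
    """Raised at the trust boundary; the request is discarded before any business method runs."""


@dataclass(frozen=True)
class ValidatedEmailAddress:
    """Immutable value object. Constructing one is the validation: no instance can exist
    unless the input passed the size, lexical and syntax stages, so downstream code
    that receives this type never re-checks the string."""

    value: str

    def __post_init__(self) -> None:
        raw = self.value
        if not raw or len(raw) > MAX_EMAIL_LENGTH:                 # stage 2: size
            raise InvalidEmailAddress(f"size: empty or longer than {MAX_EMAIL_LENGTH} chars")
        if not _LEXICAL.fullmatch(raw):                            # stage 3: lexical content
            raise InvalidEmailAddress("lexical: characters outside the allowed set")
        if not _SYNTAX.fullmatch(raw):                             # stage 4: syntax
            raise InvalidEmailAddress("syntax: not shaped like local@domain.tld")

    @property
    def domain(self) -> str:
        return self.value.rsplit("@", 1)[1].lower()

    @classmethod
    def from_user_input(cls, raw: str, origin: str) -> "ValidatedEmailAddress":
        """Fail-fast entry point for untrusted input. Checks run in the order origin,
        size, lexical content, syntax, semantics; the first failure rejects the request."""
        if origin not in TRUSTED_ORIGINS:                          # stage 1: origin
            raise InvalidEmailAddress(f"origin: {origin!r} is not a trusted source")
        email = cls(raw)                                           # stages 2-4 in __post_init__
        if email.domain not in ALLOWED_DOMAINS:                    # stage 5: semantics
            raise InvalidEmailAddress(f"semantics: domain {email.domain!r} not served here")
        return email


def register_user(email: ValidatedEmailAddress) -> str:
    """Business logic accepts only the validated type. A plain str does not satisfy this
    signature, which is the type-level form of "we only use validated email address from
    now on" (enforced by a type checker such as mypy, not at runtime)."""
    return f"registered {email.value}"


def handle_signup(raw: str, origin: str) -> dict:
    """Boundary handler: the request either yields a ValidatedEmailAddress and reaches the
    business method, or is discarded together with the stage that rejected it."""
    try:
        email = ValidatedEmailAddress.from_user_input(raw, origin)
    except InvalidEmailAddress as exc:
        return {"accepted": False, "reason": str(exc)}
    return {"accepted": True, "result": register_user(email)}


# Constructed sample requests: one that passes, then one failure per stage.
SAMPLE_REQUESTS = [
    ("alice@example.com", "signup-form"),          # passes every stage
    ("alice@example.com", "debug-endpoint"),       # stage 1: untrusted origin
    ("a" * 300 + "@example.com", "signup-form"),   # stage 2: too long
    ("alice<script>@example.com", "signup-form"),  # stage 3: lexical content
    ("alice@@example..com", "signup-form"),        # stage 4: syntax
    ("alice@attacker.test", "signup-form"),        # stage 5: semantics
]


def run_samples() -> list[dict]:
    """Run every sample request through the boundary handler and collect the outcomes."""
    return [handle_signup(raw, origin) for raw, origin in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (raw, origin), outcome in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{origin:15} {raw[:30]:32} -> {outcome}")
```

The design choice worth noticing is that the checks live in the value object's constructor rather than in a helper that callers are expected to remember: the "forgot to validate just this one time" failure Tanya describes cannot happen, because a function typed to take `ValidatedEmailAddress` has no way to receive an unchecked string. The stage order also matters for robustness: the cheap size check runs before any regular expression touches the input, and the semantic check runs last because it needs a syntactically well-formed domain to inspect.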