Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Security for Startups - ChicagoRuby/1871
Search
John Downey
June 04, 2014
Technology
0
180
Security for Startups - ChicagoRuby/1871
Presented at ChicagoRuby and 1871 on 6/4/2014
John Downey
June 04, 2014
Tweet
Share
More Decks by John Downey
See All by John Downey
Cryptography Pitfalls at CactusCon 2019
jtdowney
0
150
Intro to Cybersecurity Workshop
jtdowney
0
120
Cryptography Pitfalls at BsidesMSP 2017
jtdowney
0
160
Cryptography Pitfalls at THOTCON 0x8
jtdowney
0
160
Cryptography Pitfalls at ConFoo Montreal 2017
jtdowney
1
330
Cryptography Pitfalls at BSidesPhilly 2016
jtdowney
0
140
Cryptography Pitfalls at LASCON 2016
jtdowney
0
190
Debugging TLS/SSL at DevOps Days Detroit 2016
jtdowney
1
210
Debugging TLS/SSL at DevOpsDays Boston
jtdowney
1
300
Other Decks in Technology
See All in Technology
データ分析基盤のためにS3を深堀りする~アーキテクチャ設計の考え方のヒントに~
nrinetcom
PRO
1
760
巨大企業でDX革新を起こすということ BTCONJP 2024
yamaken66
0
210
パートナー企業のテクニカルサポートエンジニアとして気になる、より良い AWS サポートの利活用について
kazzpapa3
1
220
全社を巻き込んだ業務オペレーション改善と、それは事業成長に貢献しているのか?を実感した話
marroooon
0
130
管理画面とユーザー機能の調和を取り戻す!~クエリパフォーマンス改善の成功物語~ / Restore harmony between administrative and user functions!
minisera
1
280
LLMOps : ΔMLOps
shuntaito
12
1.6k
本番のトラフィック量でHudiを検証して見えてきた課題
joker1007
2
260
ReSTIRの数理と実装 (rtcamp10)
yumcyawiz
1
470
From LibreOffice to « La Suite » : providing civil servants with Free Software sovereign tools
bluehats
0
120
SageMaker学習のツボ / The Key Points of Learning SageMaker
cmhiranofumio
0
280
Covariance, Contravariance & Diamond
alexdaubois
1
110
LINE-ChatGPT 倫理問題を整理する全力肯定彼氏くん [LuC4]に訪れたサービス開始以来の最大の危機
o_ob
2
300
Featured
See All Featured
What's new in Ruby 2.0
geeforr
342
31k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
327
21k
Happy Clients
brianwarren
97
6.7k
Large-scale JavaScript Application Architecture
addyosmani
510
110k
GraphQLの誤解/rethinking-graphql
sonatard
66
9.9k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Designing the Hi-DPI Web
ddemaree
280
34k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
5
130
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
131
33k
Making Projects Easy
brettharned
115
5.9k
Imperfection Machines: The Place of Print at Facebook
scottboms
264
13k
Transcript
SECURITY FOR STARTUPS John Downey | @jtdowney
None
None
None
https://flic.kr/p/84VQLx
https://flic.kr/p/78HkxU
OFFICE/IT SECURITY
https://flic.kr/p/K1SRT
http://www.nytimes.com/2010/04/20/technology/companies/20apple.html
PROTECT DEVICES UP FRONT • Password/passcode is an important first
step • Full disk encryption • Imperceptible slowdown on newer devices • FileVault on OS X • BitLocker on Windows
HAVE A PLAN • What is the procedure when a
device is lost? • Who do you email/call? • Spell it specifically • Turn off access to remote services
FIND THE DEVICE • File a police report • Need
the serial number (device inventory) • Sometimes they turn back up • Use remote find/wipe services • Find my iPhone • Prey
https://flic.kr/p/aias1G
http://techcrunch.com/2014/05/21/ebay-alerts-users-to-change-passwords-following-cyberattack/
http://www.bit-tech.net/news/bits/2013/10/04/adobe-breach/1
http://arstechnica.com/security/2012/06/8-million-leaked-passwords-connected-to-linkedin/
http://www.cnn.com/2012/07/12/tech/web/yahoo-users-hacked/
http://www.techradar.com/us/news/software/applications/dropbox-confirms-it-was-hacked-assures-it-s-safe-1090741
• People will reuse passwords • Password managers can help
this • Need to build it into the company culture
KeePass / KeePassX
TEAM SHARED PASSWORDS • No silver bullet • Try not
to do it • Our current solution • KeePassX file on Dropbox • Change them all when someone leaves
TWO-FACTOR AUTH • Turn on two-factor everywhere • Enforce it
at the system level if possible • Google Apps, Dropbox, GitHub
PRODUCT SECURITY
http://www.digitalattackmap.com/
http://techcrunch.com/2014/05/19/typepad-claims-it-was-hit-by-another-ddos-attack/
• Use botnets and amplifiers to flood traffic • Increasingly
likely as popularity grows • Major launch dates • Often preceded by a ransom note • Digital extortion
• Don’t bother paying the extortion money • Enlist a
DDoS protection company • CloudFlare • Akamai/Prolexic • Put protection in place before attack
None
TOP 10 • Entire presentation in itself • Covers the
top 10 attack vectors for web apps • SQL Injection • Cross-site scripting (XSS) • Cross-site request forgery (CSRF)
WEBGOAT • Intentionally vulnerable app • Guide you through various
common exploits • Java, .NET, Ruby, Python • iOS
https://flic.kr/p/5Y4yqW
None
$ gem install brakeman $ brakeman path/to/project
$ gem install bundler-audit $ cd path/to/project $ bundle-audit
None
https://flic.kr/p/9F2BCv
• Data at rest • Use GPG/PGP • Data in
motion • Use TLS/SSL, SSH, or VPN
http://techcrunch.com/2013/10/29/hosting-service-mongohq-suffers-major-security-breach-that-explains-buffers-hack-over-the-weekend/
http://www.zdnet.com/circleci-temporarily-shuts-doors-amid-mongohq-hack-7000022652/
• Where is your data kept? • Do they publish
their security practices? • What could happen if they were breached?
None
SECURITY PAGE • Put a link in the footer •
Provide a dedicated email address •
[email protected]
• Welcome researchers to report bugs • Spell out exactly what they will get • Hall of fame is a good start
RESPONSE PLAN • Make it someone’s job to watch and
respond • Respond as soon as you see it • Give an initial timeline for a response (24 hours) • Investigate • Ask for reproduction details
VULNERABILITY WAS FOUND • Respond to reporter with confirmation •
Establish a new timeline for a fix • Confirm with reporter when fixed in production • Expect them to publish their findings
Rewards ≠ Hush money
FALSE POSITIVES • Automated vulnerability scanners produce noise • You
will get bad reports • Respond to every report • Explain why you do not agree it is a vulnerability
None
It’s 2 am, do you know what code is running
on your server?
INVENTORY • What applications are running? • In every environment
• What frameworks/libraries do they use? • What servers are running?
NOTIFICATIONS • Use tools like bundle-audit to watch dependencies •
Sign up for mailing lists • Most Linux distros have a list • oss-security for general announcements • Hook it up to PagerDuty
PATCH PARTY • Someone needs to coordinate/own the process •
Assign owners to each app or server • Google Spreadsheet is great for this • Make sure you cover every environment
None
IDENTITY AND ACCESS MANAGEMENT (IAM) • Each user has an
account • Every account can have API access • Accounts can be protected with two-factor
SECURITY GROUPS • Provide logical separation for servers • Great
first level firewall • Only assignable at instance creation • Think about it up front
• CloudTrail • Trusted Advisor • If you have the
right support contract
None
PCI-DSS • Not intended to be a boogeyman • Every
business that takes credit cards • Self-assesment process until you get large • Quarterly vulnerability scans
Compliant ≠ Secure
http://www.forbes.com/sites/paularosenblum/2014/01/17/the-target-data-breach-is-becoming-a-nightmare/
None
• Assess what happened • Hire a forensics consultant •
Work with authorities • Patch the holes • Determine your legal obligations • Unfortunately may involve lawyers
NOTIFY THE PUBLIC • Might want to hire a PR
firm • Setup a dedicated information site • Email your users as soon as possible • Clear instructions, all the information
QUESTIONS