Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Security for Startups - ChicagoRuby/1871
Search
John Downey
June 04, 2014
Technology
0
180
Security for Startups - ChicagoRuby/1871
Presented at ChicagoRuby and 1871 on 6/4/2014
John Downey
June 04, 2014
Tweet
Share
More Decks by John Downey
See All by John Downey
Cryptography Pitfalls at CactusCon 2019
jtdowney
0
150
Intro to Cybersecurity Workshop
jtdowney
0
120
Cryptography Pitfalls at BsidesMSP 2017
jtdowney
0
160
Cryptography Pitfalls at THOTCON 0x8
jtdowney
0
160
Cryptography Pitfalls at ConFoo Montreal 2017
jtdowney
1
340
Cryptography Pitfalls at BSidesPhilly 2016
jtdowney
0
140
Cryptography Pitfalls at LASCON 2016
jtdowney
0
190
Debugging TLS/SSL at DevOps Days Detroit 2016
jtdowney
1
230
Debugging TLS/SSL at DevOpsDays Boston
jtdowney
1
310
Other Decks in Technology
See All in Technology
日経のデータベース事業とElasticsearch
hinatades
PRO
0
230
【詳説】コンテンツ配信 システムの複数機能 基盤への拡張
hatena
0
230
組織におけるCCoEの役割とAWS活用事例
nrinetcom
PRO
4
130
クラウド食堂とは?
hiyanger
0
110
実は強い 非ViTな画像認識モデル
tattaka
2
1.2k
クラウド関連のインシデントケースを収集して見えてきたもの
lhazy
3
350
Ruby on Railsで持続可能な開発を行うために取り組んでいること
am1157154
3
140
ESXi で仮想化した ARM 環境で LLM を動作させてみるぞ
unnowataru
0
170
Amazon Q Developerの無料利用枠を使い倒してHello worldを表示させよう!
nrinetcom
PRO
2
110
短縮URLをお手軽に導入しよう
nakasho
0
140
Raycast Favorites × Script Command で実現するお手軽情報チェック
smasato
1
140
AI Agent時代なのでAWSのLLMs.txtが欲しい!
watany
2
220
Featured
See All Featured
Making the Leap to Tech Lead
cromwellryan
133
9.1k
Unsuck your backbone
ammeep
669
57k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
100
18k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
175
52k
GitHub's CSS Performance
jonrohan
1030
460k
Automating Front-end Workflow
addyosmani
1368
200k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
251
21k
Practical Orchestrator
shlominoach
186
10k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
160
15k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
49k
Product Roadmaps are Hard
iamctodd
PRO
50
11k
Transcript
SECURITY FOR STARTUPS John Downey | @jtdowney
None
None
None
https://flic.kr/p/84VQLx
https://flic.kr/p/78HkxU
OFFICE/IT SECURITY
https://flic.kr/p/K1SRT
http://www.nytimes.com/2010/04/20/technology/companies/20apple.html
PROTECT DEVICES UP FRONT • Password/passcode is an important first
step • Full disk encryption • Imperceptible slowdown on newer devices • FileVault on OS X • BitLocker on Windows
HAVE A PLAN • What is the procedure when a
device is lost? • Who do you email/call? • Spell it specifically • Turn off access to remote services
FIND THE DEVICE • File a police report • Need
the serial number (device inventory) • Sometimes they turn back up • Use remote find/wipe services • Find my iPhone • Prey
https://flic.kr/p/aias1G
http://techcrunch.com/2014/05/21/ebay-alerts-users-to-change-passwords-following-cyberattack/
http://www.bit-tech.net/news/bits/2013/10/04/adobe-breach/1
http://arstechnica.com/security/2012/06/8-million-leaked-passwords-connected-to-linkedin/
http://www.cnn.com/2012/07/12/tech/web/yahoo-users-hacked/
http://www.techradar.com/us/news/software/applications/dropbox-confirms-it-was-hacked-assures-it-s-safe-1090741
• People will reuse passwords • Password managers can help
this • Need to build it into the company culture
KeePass / KeePassX
TEAM SHARED PASSWORDS • No silver bullet • Try not
to do it • Our current solution • KeePassX file on Dropbox • Change them all when someone leaves
TWO-FACTOR AUTH • Turn on two-factor everywhere • Enforce it
at the system level if possible • Google Apps, Dropbox, GitHub
PRODUCT SECURITY
http://www.digitalattackmap.com/
http://techcrunch.com/2014/05/19/typepad-claims-it-was-hit-by-another-ddos-attack/
• Use botnets and amplifiers to flood traffic • Increasingly
likely as popularity grows • Major launch dates • Often preceded by a ransom note • Digital extortion
• Don’t bother paying the extortion money • Enlist a
DDoS protection company • CloudFlare • Akamai/Prolexic • Put protection in place before attack
None
TOP 10 • Entire presentation in itself • Covers the
top 10 attack vectors for web apps • SQL Injection • Cross-site scripting (XSS) • Cross-site request forgery (CSRF)
WEBGOAT • Intentionally vulnerable app • Guide you through various
common exploits • Java, .NET, Ruby, Python • iOS
https://flic.kr/p/5Y4yqW
None
$ gem install brakeman $ brakeman path/to/project
$ gem install bundler-audit $ cd path/to/project $ bundle-audit
None
https://flic.kr/p/9F2BCv
• Data at rest • Use GPG/PGP • Data in
motion • Use TLS/SSL, SSH, or VPN
http://techcrunch.com/2013/10/29/hosting-service-mongohq-suffers-major-security-breach-that-explains-buffers-hack-over-the-weekend/
http://www.zdnet.com/circleci-temporarily-shuts-doors-amid-mongohq-hack-7000022652/
• Where is your data kept? • Do they publish
their security practices? • What could happen if they were breached?
None
SECURITY PAGE • Put a link in the footer •
Provide a dedicated email address •
[email protected]
• Welcome researchers to report bugs • Spell out exactly what they will get • Hall of fame is a good start
RESPONSE PLAN • Make it someone’s job to watch and
respond • Respond as soon as you see it • Give an initial timeline for a response (24 hours) • Investigate • Ask for reproduction details
VULNERABILITY WAS FOUND • Respond to reporter with confirmation •
Establish a new timeline for a fix • Confirm with reporter when fixed in production • Expect them to publish their findings
Rewards ≠ Hush money
FALSE POSITIVES • Automated vulnerability scanners produce noise • You
will get bad reports • Respond to every report • Explain why you do not agree it is a vulnerability
None
It’s 2 am, do you know what code is running
on your server?
INVENTORY • What applications are running? • In every environment
• What frameworks/libraries do they use? • What servers are running?
NOTIFICATIONS • Use tools like bundle-audit to watch dependencies •
Sign up for mailing lists • Most Linux distros have a list • oss-security for general announcements • Hook it up to PagerDuty
PATCH PARTY • Someone needs to coordinate/own the process •
Assign owners to each app or server • Google Spreadsheet is great for this • Make sure you cover every environment
None
IDENTITY AND ACCESS MANAGEMENT (IAM) • Each user has an
account • Every account can have API access • Accounts can be protected with two-factor
SECURITY GROUPS • Provide logical separation for servers • Great
first level firewall • Only assignable at instance creation • Think about it up front
• CloudTrail • Trusted Advisor • If you have the
right support contract
None
PCI-DSS • Not intended to be a boogeyman • Every
business that takes credit cards • Self-assesment process until you get large • Quarterly vulnerability scans
Compliant ≠ Secure
http://www.forbes.com/sites/paularosenblum/2014/01/17/the-target-data-breach-is-becoming-a-nightmare/
None
• Assess what happened • Hire a forensics consultant •
Work with authorities • Patch the holes • Determine your legal obligations • Unfortunately may involve lawyers
NOTIFY THE PUBLIC • Might want to hire a PR
firm • Setup a dedicated information site • Email your users as soon as possible • Clear instructions, all the information
QUESTIONS