Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Security for Startups - ChicagoRuby/1871
Search
John Downey
June 04, 2014
Technology
0
180
Security for Startups - ChicagoRuby/1871
Presented at ChicagoRuby and 1871 on 6/4/2014
John Downey
June 04, 2014
Tweet
Share
More Decks by John Downey
See All by John Downey
Cryptography Pitfalls at CactusCon 2019
jtdowney
0
160
Intro to Cybersecurity Workshop
jtdowney
0
120
Cryptography Pitfalls at BsidesMSP 2017
jtdowney
0
160
Cryptography Pitfalls at THOTCON 0x8
jtdowney
0
170
Cryptography Pitfalls at ConFoo Montreal 2017
jtdowney
1
340
Cryptography Pitfalls at BSidesPhilly 2016
jtdowney
0
150
Cryptography Pitfalls at LASCON 2016
jtdowney
0
190
Debugging TLS/SSL at DevOps Days Detroit 2016
jtdowney
1
230
Debugging TLS/SSL at DevOpsDays Boston
jtdowney
1
310
Other Decks in Technology
See All in Technology
マーケットプレイス版Oracle WebCenter Content For OCI
oracle4engineer
PRO
3
540
リクルートのエンジニア組織を下支えする 新卒の育成の仕組み
recruitengineers
PRO
2
180
エンジニア主導の企画立案を可能にする組織とは?
recruitengineers
PRO
1
310
Two Blades, One Journey: Engineering While Managing
ohbarye
4
2.6k
Qiita Organizationを導入したら、アウトプッターが爆増して会社がちょっと有名になった件
minorun365
PRO
1
320
困難を「一般解」で解く
fujiwara3
7
2.2k
ABWG2024採択者が語るエンジニアとしての自分自身の見つけ方〜発信して、つながって、世界を広げていく〜
maimyyym
1
210
JAWS DAYS 2025 アーキテクチャ道場 事前説明会 / JAWS DAYS 2025 briefing document
naospon
0
2.8k
x86-64 Assembly Essentials
latte72
3
390
JavaにおけるNull非許容性
skrb
2
2.7k
Exadata Database Service on Cloud@Customer セキュリティ、ネットワーク、および管理について
oracle4engineer
PRO
2
1.6k
MIMEと文字コードの闇
hirachan
2
1.5k
Featured
See All Featured
Making Projects Easy
brettharned
116
6k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
30
4.6k
Navigating Team Friction
lara
183
15k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
129
19k
Writing Fast Ruby
sferik
628
61k
Visualization
eitanlees
146
15k
Keith and Marios Guide to Fast Websites
keithpitt
411
22k
Thoughts on Productivity
jonyablonski
69
4.5k
Building a Scalable Design System with Sketch
lauravandoore
461
33k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
59k
Testing 201, or: Great Expectations
jmmastey
42
7.2k
A Modern Web Designer's Workflow
chriscoyier
693
190k
Transcript
SECURITY FOR STARTUPS John Downey | @jtdowney
None
None
None
https://flic.kr/p/84VQLx
https://flic.kr/p/78HkxU
OFFICE/IT SECURITY
https://flic.kr/p/K1SRT
http://www.nytimes.com/2010/04/20/technology/companies/20apple.html
PROTECT DEVICES UP FRONT • Password/passcode is an important first
step • Full disk encryption • Imperceptible slowdown on newer devices • FileVault on OS X • BitLocker on Windows
HAVE A PLAN • What is the procedure when a
device is lost? • Who do you email/call? • Spell it specifically • Turn off access to remote services
FIND THE DEVICE • File a police report • Need
the serial number (device inventory) • Sometimes they turn back up • Use remote find/wipe services • Find my iPhone • Prey
https://flic.kr/p/aias1G
http://techcrunch.com/2014/05/21/ebay-alerts-users-to-change-passwords-following-cyberattack/
http://www.bit-tech.net/news/bits/2013/10/04/adobe-breach/1
http://arstechnica.com/security/2012/06/8-million-leaked-passwords-connected-to-linkedin/
http://www.cnn.com/2012/07/12/tech/web/yahoo-users-hacked/
http://www.techradar.com/us/news/software/applications/dropbox-confirms-it-was-hacked-assures-it-s-safe-1090741
• People will reuse passwords • Password managers can help
this • Need to build it into the company culture
KeePass / KeePassX
TEAM SHARED PASSWORDS • No silver bullet • Try not
to do it • Our current solution • KeePassX file on Dropbox • Change them all when someone leaves
TWO-FACTOR AUTH • Turn on two-factor everywhere • Enforce it
at the system level if possible • Google Apps, Dropbox, GitHub
PRODUCT SECURITY
http://www.digitalattackmap.com/
http://techcrunch.com/2014/05/19/typepad-claims-it-was-hit-by-another-ddos-attack/
• Use botnets and amplifiers to flood traffic • Increasingly
likely as popularity grows • Major launch dates • Often preceded by a ransom note • Digital extortion
• Don’t bother paying the extortion money • Enlist a
DDoS protection company • CloudFlare • Akamai/Prolexic • Put protection in place before attack
None
TOP 10 • Entire presentation in itself • Covers the
top 10 attack vectors for web apps • SQL Injection • Cross-site scripting (XSS) • Cross-site request forgery (CSRF)
WEBGOAT • Intentionally vulnerable app • Guide you through various
common exploits • Java, .NET, Ruby, Python • iOS
https://flic.kr/p/5Y4yqW
None
$ gem install brakeman $ brakeman path/to/project
$ gem install bundler-audit $ cd path/to/project $ bundle-audit
None
https://flic.kr/p/9F2BCv
• Data at rest • Use GPG/PGP • Data in
motion • Use TLS/SSL, SSH, or VPN
http://techcrunch.com/2013/10/29/hosting-service-mongohq-suffers-major-security-breach-that-explains-buffers-hack-over-the-weekend/
http://www.zdnet.com/circleci-temporarily-shuts-doors-amid-mongohq-hack-7000022652/
• Where is your data kept? • Do they publish
their security practices? • What could happen if they were breached?
None
SECURITY PAGE • Put a link in the footer •
Provide a dedicated email address • security@example.com • Welcome researchers to report bugs • Spell out exactly what they will get • Hall of fame is a good start
RESPONSE PLAN • Make it someone’s job to watch and
respond • Respond as soon as you see it • Give an initial timeline for a response (24 hours) • Investigate • Ask for reproduction details
VULNERABILITY WAS FOUND • Respond to reporter with confirmation •
Establish a new timeline for a fix • Confirm with reporter when fixed in production • Expect them to publish their findings
Rewards ≠ Hush money
FALSE POSITIVES • Automated vulnerability scanners produce noise • You
will get bad reports • Respond to every report • Explain why you do not agree it is a vulnerability
None
It’s 2 am, do you know what code is running
on your server?
INVENTORY • What applications are running? • In every environment
• What frameworks/libraries do they use? • What servers are running?
NOTIFICATIONS • Use tools like bundle-audit to watch dependencies •
Sign up for mailing lists • Most Linux distros have a list • oss-security for general announcements • Hook it up to PagerDuty
PATCH PARTY • Someone needs to coordinate/own the process •
Assign owners to each app or server • Google Spreadsheet is great for this • Make sure you cover every environment
None
IDENTITY AND ACCESS MANAGEMENT (IAM) • Each user has an
account • Every account can have API access • Accounts can be protected with two-factor
SECURITY GROUPS • Provide logical separation for servers • Great
first level firewall • Only assignable at instance creation • Think about it up front
• CloudTrail • Trusted Advisor • If you have the
right support contract
None
PCI-DSS • Not intended to be a boogeyman • Every
business that takes credit cards • Self-assesment process until you get large • Quarterly vulnerability scans
Compliant ≠ Secure
http://www.forbes.com/sites/paularosenblum/2014/01/17/the-target-data-breach-is-becoming-a-nightmare/
None
• Assess what happened • Hire a forensics consultant •
Work with authorities • Patch the holes • Determine your legal obligations • Unfortunately may involve lawyers
NOTIFY THE PUBLIC • Might want to hire a PR
firm • Setup a dedicated information site • Email your users as soon as possible • Clear instructions, all the information
QUESTIONS