Security for Startups - ChicagoRuby/1871

Transcript

1. SECURITY FOR STARTUPS John Downey | @jtdowney

2. None
3. None
4. None

5. https://flic.kr/p/84VQLx

6. https://flic.kr/p/78HkxU

7. OFFICE/IT SECURITY

8. https://flic.kr/p/K1SRT

9. http://www.nytimes.com/2010/04/20/technology/companies/20apple.html

10. PROTECT DEVICES UP FRONT • Password/passcode is an important first

    step • Full disk encryption • Imperceptible slowdown on newer devices • FileVault on OS X • BitLocker on Windows

11. HAVE A PLAN • What is the procedure when a

    device is lost? • Who do you email/call? • Spell it specifically • Turn off access to remote services

12. FIND THE DEVICE • File a police report • Need

    the serial number (device inventory) • Sometimes they turn back up • Use remote find/wipe services • Find my iPhone • Prey

13. https://flic.kr/p/aias1G

14. http://techcrunch.com/2014/05/21/ebay-alerts-users-to-change-passwords-following-cyberattack/

15. http://www.bit-tech.net/news/bits/2013/10/04/adobe-breach/1

16. http://arstechnica.com/security/2012/06/8-million-leaked-passwords-connected-to-linkedin/

17. http://www.cnn.com/2012/07/12/tech/web/yahoo-users-hacked/

18. http://www.techradar.com/us/news/software/applications/dropbox-confirms-it-was-hacked-assures-it-s-safe-1090741

19. • People will reuse passwords • Password managers can help

    this • Need to build it into the company culture

20. KeePass / KeePassX

21. TEAM SHARED PASSWORDS • No silver bullet • Try not

    to do it • Our current solution • KeePassX file on Dropbox • Change them all when someone leaves

22. TWO-FACTOR AUTH • Turn on two-factor everywhere • Enforce it

    at the system level if possible • Google Apps, Dropbox, GitHub

23. PRODUCT SECURITY

24. http://www.digitalattackmap.com/

25. http://techcrunch.com/2014/05/19/typepad-claims-it-was-hit-by-another-ddos-attack/

26. • Use botnets and amplifiers to flood traffic • Increasingly

    likely as popularity grows • Major launch dates • Often preceded by a ransom note • Digital extortion

27. • Don’t bother paying the extortion money • Enlist a

    DDoS protection company • CloudFlare • Akamai/Prolexic • Put protection in place before attack
28. None

29. TOP 10 • Entire presentation in itself • Covers the

    top 10 attack vectors for web apps • SQL Injection • Cross-site scripting (XSS) • Cross-site request forgery (CSRF)

30. WEBGOAT • Intentionally vulnerable app • Guide you through various

    common exploits • Java, .NET, Ruby, Python • iOS

31. https://flic.kr/p/5Y4yqW

32. None

33. $ gem install brakeman $ brakeman path/to/project

34. $ gem install bundler-audit $ cd path/to/project $ bundle-audit

35. None

36. https://flic.kr/p/9F2BCv

37. • Data at rest • Use GPG/PGP • Data in

    motion • Use TLS/SSL, SSH, or VPN

38. http://techcrunch.com/2013/10/29/hosting-service-mongohq-suffers-major-security-breach-that-explains-buffers-hack-over-the-weekend/

39. http://www.zdnet.com/circleci-temporarily-shuts-doors-amid-mongohq-hack-7000022652/

40. • Where is your data kept? • Do they publish

    their security practices? • What could happen if they were breached?
41. None

42. SECURITY PAGE • Put a link in the footer •

    Provide a dedicated email address • security@example.com • Welcome researchers to report bugs • Spell out exactly what they will get • Hall of fame is a good start

43. RESPONSE PLAN • Make it someone’s job to watch and

    respond • Respond as soon as you see it • Give an initial timeline for a response (24 hours) • Investigate • Ask for reproduction details

44. VULNERABILITY WAS FOUND • Respond to reporter with confirmation •

    Establish a new timeline for a fix • Confirm with reporter when fixed in production • Expect them to publish their findings

45. Rewards ≠ Hush money

46. FALSE POSITIVES • Automated vulnerability scanners produce noise • You

    will get bad reports • Respond to every report • Explain why you do not agree it is a vulnerability
47. None

48. It’s 2 am, do you know what code is running

    on your server?

49. INVENTORY • What applications are running? • In every environment

    • What frameworks/libraries do they use? • What servers are running?

50. NOTIFICATIONS • Use tools like bundle-audit to watch dependencies •

    Sign up for mailing lists • Most Linux distros have a list • oss-security for general announcements • Hook it up to PagerDuty

51. PATCH PARTY • Someone needs to coordinate/own the process •

    Assign owners to each app or server • Google Spreadsheet is great for this • Make sure you cover every environment
52. None

53. IDENTITY AND ACCESS MANAGEMENT (IAM) • Each user has an

    account • Every account can have API access • Accounts can be protected with two-factor

54. SECURITY GROUPS • Provide logical separation for servers • Great

    first level firewall • Only assignable at instance creation • Think about it up front

55. • CloudTrail • Trusted Advisor • If you have the

    right support contract
56. None

57. PCI-DSS • Not intended to be a boogeyman • Every

    business that takes credit cards • Self-assesment process until you get large • Quarterly vulnerability scans

58. Compliant ≠ Secure

59. http://www.forbes.com/sites/paularosenblum/2014/01/17/the-target-data-breach-is-becoming-a-nightmare/

60. None

61. • Assess what happened • Hire a forensics consultant •

    Work with authorities • Patch the holes • Determine your legal obligations • Unfortunately may involve lawyers

62. NOTIFY THE PUBLIC • Might want to hire a PR

    firm • Setup a dedicated information site • Email your users as soon as possible • Clear instructions, all the information

63. QUESTIONS