Startups require some structured security hygiene practices that should be followed. Additionally a few Microsoft Azure services that can be deployed for continuous compliance and security.
laptop that you use for work Use licensed software Keep up with security patches Install anti-virus, anti-malware Don’t use unknown USB flash drives Don’t download and install unknown software from the internet
incremental backups of the software and data • Best defense against ransomware attacks • Allows for business continuity in case of hardware failure • Reduce Mean Time To Recovery in case of laptop theft
domain and email Use reputed domain registrars Use reputed email/office suite providers Ensure 2FA for admin accounts Reminders for renewing accounts and domains
you retain control of the billing and ownership of domain and email accounts management • Best defense against hijacking attempts (insider or external) • Allows for business continuity in case of active phishing attempts
data, files etc. Use secure file sharing solutions Use reputed email/office suite providers Ensure 2FA for admin accounts Create role-based access depending on need of access
sensitive data, as and when required, revoke when not required • Best defense against data breach/leakages • Understand how to revoke access before providing any as employees/contractors can and will leave you
services/banking with paranoia Use secure laptop with secure network (Don’t use open Wi-Fi) Avoid using mobile apps Enable and use 2FA Create a process of alerts on all transactions
a secure network to access bank website and enable 2FA for sensitive transactions • Know how to block bank transactions by calling the bank • Understand that fraud to steal your money can happen to you as well
inventory 2. Always do secure communications 1. Invest in account governance 3. Create and document processes for access and usage of information assets in the company 1. All processes need to have a source of truth 2. As processes evolve, put them under version control 4. Think in terms of service security
before exchanging sensitive information • Ensure email is set to use TLS/SSL • If using messaging applications, use the ones that have end to end encryption • Bonus points if it has ability to delete messages
steps to follow to add a user to corporate email and other accounts (apps inventory) • A clearly defined steps to follow to remove a user from corporate email and other accounts (apps inventory)
Service Security Passwords fail to protect against the following attacks Credential Stuffing Phishing Keystroke Logging Local Discovery (Password Sharing) Password Spraying Extortion Brute-force There are over 4 billion stolen passwords in circulation
about it? Anyone on the internet can try my DNS records Nope People are able to see who my domain registrar is Nope My ISP/Hosting company/Government is insecure Nope My OS/Processor/Hardware company is insecure Nope
the 2FA reset process works ❑ Make a note of what will need to be done, in case 2FA needs to be disabled ❑ Enable 2FA for login ❑ Bonus Points – If authentication logs can be stored No ❑ Change your provider
to enable domain whois privacy ❑ Enable domain whois privacy before configuring the domain to do anything No ❑ Change your provider ❑ If not an option, accept that as a potential risk factor
does the 2FA reset process works ❑ Make a note of what will need to be done, in case 2FA needs to be disabled ❑ Enable 2FA for login ❑ Bonus Points – If authentication logs can be stored No ❑ Change your provider
Ideally not SMS based but app based ❑ Use a reputed 3rd party provider (like Gmail maybe) ❑ Make sure your password is sufficiently random ❑ Put in a process to change it after a fixed duration Don’ts ❑ Use that email address for registering to other sites ❑ Never reuse that password if you have to use the same email ID elsewhere
Useful if you integrate and deploy applications using CI/CD pipeline software • Instead of secrets stored everywhere they can stay safe in Key Vault and requested on demand
minimum-security controls for your source code 2. OWASP Mobile Top 10 Bare minimum-security controls for your mobile apps 3. OWASP ASVS (Application Security Verification Guide) A comprehensive checklist covering many areas on how to build secure web applications 4. OWASP MASVS (Mobile ASVS) A comprehensive checklist covering many areas on how to build secure mobile applications 5. OWASP Security Testing Guide If you require 3rd party VA/PT they should be testing for at least what is mentioned here 6. OWASP Mobile Security Testing Guide If you require 3rd party VA/PT they should be testing for at least what is mentioned here 7. Azure Data Security and Encryption Best Practices If you plan to store or transfer data in or out of Azure 8. Azure best practices for Network Security If you plan to have any kind of service available over the network (website/app backend/API) 9. Azure CIS Benchmark If you plan to host and maintain many virtual machines Key Take Aways – Important Security Checklists
makash
ebarakazuhiro
manarobot
infiniteloop_inc
maimyyym
lycorptech_jp
dahatake
egmc
pamelafox
konifar
ryysud
tomorrowkey
lmi
destraynor
chrislema
moore
sstephenson
eileencodes
erikaheidi
mza
wjessup
zakiyama
mongodb
addyosmani
![Any Questions or thoughts? Akash Mahajan | [email protected] | @makash](https://files.speakerdeck.com/presentations/2c49341520d94290b1d190177d8e6a76/slide_32.jpg){kind=link}