Rationalizing Security

Matt Konda
November 12, 2015

Discussion around security for startups.

  1. Introduction
     Timeline: 1997, 2006, 2014. Consultant, Engineer, Software Architect, Director of Engineering, Rabble Rouser.
     Perl, Java Applet, C++, J2EE, J2EE Spring, Analytics, Certificate Authority, Vulnerability Scanner, Penetration Test Manager, Pricing.
     Retail Banking, Manufacturing, Pharma, Healthcare, Research, Ruby, Rails.
     Chicago BSides 2011, 2012; Defcon Skytalk; OWASP Chicago, MSP 2013; AppSec USA 2012, 2013; ChicagoRuby 2013; Secure 360; Lone Star Ruby 2013; WindyCityRails 2013; Chicago JUG 2014; RailsConf 2014; Converge 2014; ChicagoCoderConference 2015.
     MS in CS. Founder, Consultant. Agile, Clojure, Graph Database, Big Data.
     Trying to hack a business model that succeeds while helping developers.
     Domains: Projects: DevOps / Automation, Training, Coaching, Code Review, Plugged in to SDLC, Consulting, Assessments.
     @mkonda [email protected]
     Secure DevOps, Growing OWASP Board, Agile Security
  2. “This year, organized crime became the most frequently seen threat actor for Web App Attacks.” Verizon 2015 DBIR
  3. See
     • Botnets
     • Widespread use of harvested credentials
     • Account takeover
     • Credit card fraud
     • Dumps of passwords and sensitive data with SQLi
     • User pwnage with XSS
  4. Cyber-Espionage: “Two thirds of the incidents in this pattern had no attacker-attribution information whatsoever.” Verizon 2015 DBIR
  5. How long does it take for your host to get scanned / attacked on the open internet?
  6. Serious
     • Active monitoring, log collection
     • Incident response
     • Security in SDLC (static analysis, code review, training, automation)
     • Have a security team and an app security team (network, desktop, server controls)
  7. Use Services Provided
     • Use IAM to define groups and users. Use MFA.
     • Limit network access; use Trusted Advisor
     • CloudTrail
     • Use encryption for S3, EBS, RDS, etc.
     • New: Inspector, WAF, Config Rules
  8. Cross-site Scripting
     • XSS is really code injection.
     • The distinction is that the code is running in your user’s browser.
     • This can have crippling significance, because it bypasses network and other typical controls.
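The injection point the slide describes, as an added example that is not from the deck: one untrusted value rendered by string concatenation (the vulnerable form) and by HTML entity encoding (the hardened form), plus a small check that flags markup which did not come from the template. The function names and the sample display name are constructed for this example.

```javascript
// Characters that change meaning inside an HTML element body or a quoted
// attribute. '&' is included so that output is never re-interpreted as an
// entity the template did not write.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Entity-encode an untrusted string for the HTML body / attribute context.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the user-controlled value is pasted straight into the page, so a
// value that contains markup becomes code that runs in the visitor's browser.
function renderGreetingVulnerable(name) {
  return '<p>Hello, ' + name + '</p>';
}

// Hardened: every interpolation of untrusted data goes through escapeHtml, so
// the browser renders the value as text, never as markup or script.
function renderGreetingSafe(name) {
  return '<p>Hello, ' + escapeHtml(name) + '</p>';
}

// Review / test helper: does the rendered HTML contain any tag that is not one
// of the tags the template itself emits? A naive tag scan is enough here
// because the template's own tags are known exactly.
function containsInjectedMarkup(html, templateTags) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((tag) => !templateTags.includes(tag));
}

// Constructed sample input: a "display name" that is really a script element.
const hostileName = '<script>alert("xss")</script>';
const TEMPLATE_TAGS = ['<p>', '</p>'];

console.log('vulnerable:', renderGreetingVulnerable(hostileName));
console.log('  injected markup?', containsInjectedMarkup(renderGreetingVulnerable(hostileName), TEMPLATE_TAGS));
console.log('hardened:  ', renderGreetingSafe(hostileName));
console.log('  injected markup?', containsInjectedMarkup(renderGreetingSafe(hostileName), TEMPLATE_TAGS));
```

Encoding for the HTML body context is not enough when the value lands inside a JavaScript block, a URL, or a CSS rule; each of those contexts needs its own encoder.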
  9. Flagship Projects
     Tools
     • ZAP
     • OWASP Dependency Check
     • Web Testing Environment Project
     • OWTF
     Code
     • ModSecurity
     • CSRFGuard
     • AppSensor
     Documentation
     • ASVS
     • SAMM
     • Top 10
     • Testing Guide
     • Benchmark
  10. Tiers
     • 0 – Cursory – You have done something. You define.
     • 1 – Opportunistic – Adequately defends against easily discoverable items.
     • 2 – Standard – Adequately defends against items of moderate to serious risk.
     • 3 – Advanced – Defends against even advanced attacks and demonstrates good security design.