Minimum Viable Security Akash Mahajan Co-Founder Appsecco

Founder Bootcamp - Goa #MSFT4Startups

Akash Mahajan - Author | Speaker | Trainer | Community Started & Nurtured Author Speaker & Trainer Technical Reviewer Ex Co-Founder

Click to add text

A simplified depiction of the start-up’s journey Great Idea Documented Idea in laptop Idea shared with co-founder Potential team formed Domain & Email • Website • Source Code • Processes • Shared files • Presentations • Strategy Documents • SuperSecret Sauce • List of potential clients • Clients • Financial Details $$$ Exit $$$

A start-up’s journey in becoming secure - Great Idea Documented Idea in laptop Idea shared with co-founder Potential team formed Domain & Email • Website • Source Code • Processes • Shared files • Presentations • Strategy Documents • SuperSecret Sauce • List of potential clients • Clients • Financial Details $$$ Exit $$$

Laptop Security – Becoming and Staying Secure • Securing a laptop that you use for work Use licensed software Keep up with security patches Install anti-virus, anti-malware Don’t use unknown USB flash drives Don’t download and install unknown software from the internet

Laptop Security – Resilience against security threats Take continuous, encrypted, incremental backups of the software and data • Best defense against ransomware attacks • Allows for business continuity in case of hardware failure • Reduce Mean Time To Recovery in case of laptop theft

Domain & Email – Becoming and Staying Secure • Securing domain and email Use reputed domain registrars Use reputed email/office suite providers Ensure 2FA for admin accounts Reminders for renewing accounts and domains

Domain and Email – Resilience against security threats Ensure that you retain control of the billing and ownership of domain and email accounts management • Best defense against hijacking attempts (insider or external) • Allows for business continuity in case of active phishing attempts

Sensitive Data – Becoming and Staying Secure • Securing sensitive data, files etc. Use secure file sharing solutions Use reputed email/office suite providers Ensure 2FA for admin accounts Create role-based access depending on need of access

Sensitive Data – Resilience against security threats Provide access to sensitive data, as and when required, revoke when not required • Best defense against data breach/leakages • Understand how to revoke access before providing any as employees/contractors can and will leave you

Finance/Banking – Becoming and Staying Secure • Access your finance services/banking with paranoia Use secure laptop with secure network (Don’t use open Wi-Fi) Avoid using mobile apps Enable and use 2FA Create a process of alerts on all transactions

Finance/Banking – Resilience against security threats Use secure laptop, over a secure network to access bank website and enable 2FA for sensitive transactions • Know how to block bank transactions by calling the bank • Understand that fraud to steal your money can happen to you as well

Four pillars of abstract thoughts on Security 1. Create an inventory 2. Always do secure communications 1. Invest in account governance 3. Create and document processes for access and usage of information assets in the company 1. All processes need to have a source of truth 2. As processes evolve, put them under version control 4. Think in terms of service security

Create Inventory • Of users for email • Of users for file sharing • Of various websites and apps being used by the start-up • Of users who are also admins

Doing Secure Communications • Add team members to domain/corporate email before exchanging sensitive information • Ensure email is set to use TLS/SSL • If using messaging applications, use the ones that have end to end encryption • Bonus points if it has ability to delete messages

Document processes around onboarding and exits • A clearly defined steps to follow to add a user to corporate email and other accounts (apps inventory) • A clearly defined steps to follow to remove a user from corporate email and other accounts (apps inventory)

Who needs access? Can you avoid giving access to everyone? Thinking in terms of Service Security

Can you enforce a password policy? Thinking in terms of Service Security Top 10 weakest passwords for 2019 so far

Can you enforce a 2FA policy? Thinking in terms of Service Security Passwords fail to protect against the following attacks Credential Stuffing Phishing Keystroke Logging Local Discovery (Password Sharing) Password Spraying Extortion Brute-force There are over 4 billion stolen passwords in circulation

Self evaluation checklist • Protect your personal email account (used to register to everything else initially with 2FA) • Make sure email is setup with proper SPF, DKIM, DMARC • Don’t lose control of your mobile number

Understand risks with examples Potential risk Can you do anything about it? Anyone on the internet can try my DNS records Nope People are able to see who my domain registrar is Nope My ISP/Hosting company/Government is insecure Nope My OS/Processor/Hardware company is insecure Nope

Does my registrar support 2FA? Yes ❑ Understand how does the 2FA reset process works ❑ Make a note of what will need to be done, in case 2FA needs to be disabled ❑ Enable 2FA for login ❑ Bonus Points – If authentication logs can be stored No ❑ Change your provider

Does my registrar support whois privacy? Yes ❑ Understand how to enable domain whois privacy ❑ Enable domain whois privacy before configuring the domain to do anything No ❑ Change your provider ❑ If not an option, accept that as a potential risk factor

Does my domain email support 2FA? Yes ❑ Understand how does the 2FA reset process works ❑ Make a note of what will need to be done, in case 2FA needs to be disabled ❑ Enable 2FA for login ❑ Bonus Points – If authentication logs can be stored No ❑ Change your provider

Protecting the domain admin email Dos ❑ Enable 2FA ❑ Ideally not SMS based but app based ❑ Use a reputed 3rd party provider (like Gmail maybe) ❑ Make sure your password is sufficiently random ❑ Put in a process to change it after a fixed duration Don’ts ❑ Use that email address for registering to other sites ❑ Never reuse that password if you have to use the same email ID elsewhere

Using Azure Services for Security A quick tour to give you some ideas

Azure Security Centre – Security for your platform use • Useful if you have virtual machine servers in Azure • Also useful if you want a visibility on your Azure resources

Azure Enterprise Applications – Secure apps with SSO • If you have internal facing applications which require Role Based Access Control • If you have O365, adding or removing users is seamless

Azure Key Vault – Secrets Management for your Pipeline • Useful if you integrate and deploy applications using CI/CD pipeline software • Instead of secrets stored everywhere they can stay safe in Key Vault and requested on demand

Checklist Why is it useful 1. OWASP Top 10 Bare minimum-security controls for your source code 2. OWASP Mobile Top 10 Bare minimum-security controls for your mobile apps 3. OWASP ASVS (Application Security Verification Guide) A comprehensive checklist covering many areas on how to build secure web applications 4. OWASP MASVS (Mobile ASVS) A comprehensive checklist covering many areas on how to build secure mobile applications 5. OWASP Security Testing Guide If you require 3rd party VA/PT they should be testing for at least what is mentioned here 6. OWASP Mobile Security Testing Guide If you require 3rd party VA/PT they should be testing for at least what is mentioned here 7. Azure Data Security and Encryption Best Practices If you plan to store or transfer data in or out of Azure 8. Azure best practices for Network Security If you plan to have any kind of service available over the network (website/app backend/API) 9. Azure CIS Benchmark If you plan to host and maintain many virtual machines Key Take Aways – Important Security Checklists

Any Questions or thoughts? Akash Mahajan | akash@appsecco.com | @makash