“Do not IMPROVE information security, CREATE secure network/application/infra”
The earlier blog post was more problem-centric; this one addresses solutions to most of those problems and gives directions on how to build a secure network, secure applications and secure infrastructure.
“Security is a process, not a destination”
Information security is never about going by a checklist; it is about thinking out of the box. But I surely have a few pointers to share:
- Set up “email@example.com” if you have an online identity; it is a must-have on your contact-us page. This will help you in ways you have not imagined [the world still consists of good guys who love breaking things and letting you know about it; make sure you let them know your coordinates].
- Think about and set up security engineering [almost all companies don’t do it, and a few others outsource it]. The reason you need this is that you can’t break things from the same mindset that created them. A software engineer focuses on rolling out features on aggressive timelines in the most efficient way. Do not confuse security folks with regular devs.
- Let the application security engineering leader drive everything related to security. There was a reason you hired a smart guy and handed him the reins [don’t poke around or micro-manage unless you are very sure of how things are done in information security. It is important to understand that security engineering is WAY different from heading an engineering team. This is the biggest mistake companies make: never put security engineering under dev engineering heads unless that leader has good experience in security. Never do it]. Information security is supposed to be horizontal across the organization and has to be empowered.
- Top management needs to understand the importance of information security (security is always top-down) and give a clear mandate to all EMs/DoEs that security must be taken care of. Otherwise, security will never move out of square one. Security engineering should have an override over business need (if required).
- Evaluate the security standard of everything, literally everything [git, VPN, wifi, production engineering, internal apps, and every minuscule thing you can think of], prioritize (there is a high chance you will get lost doing the previous exercise because of way too many low-hanging fruits), plan, decide on action items and get the ball rolling (do things in that priority order).
Example: one of my employers had bugs (IDOR, XSS, CSRF, brute force, etc.) left, right and center, including missing HTTPS support, and I chose to fix the SSL/TLS issue first and made sure the next release had complete SSL/TLS coverage, because we used to accept credit cards.
- Talk to people, especially developers and dev-ops; you have no idea what a friend who appreciates security could do for you, you just need to find one.
- Run an internal bug bounty (developers know the code and the hacks, and can find issues better than anyone).
- Make sure you have a VPN and that everything is accessible only from the office network by default (no matter how small the startup, never let the portals be accessible over the internet just because you do not see the need for a VPN right now. The next thing you know, you expand to 50+ cities and implementing a VPN becomes even harder (technically), which in turn widens the attack surface. Avoid it at all costs!). Example: if you have production phpMyAdmin accessible over the internet and you bank on the fact that no one would know the IP/URL, then my friend, you are going to fall into the deepest hole. A real-world example: the Code Spaces hack. This is what happens when you think about security only after 1M+ downloads or after acquiring X number of users.
“Code Spaces says it won’t be back after an intruder deleted EC2 machines, storage volumes and backup data via the company’s AWS management console. Within 12 hours, Code Spaces went from a viable business to devastation.”
- Get rid of all hardcoded secrets in GitHub repositories and mobile apps (Play Store app signing keys, encryption keys, AWS keys, datastore passwords, etc.).
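As an added illustration of this item (example code, not from the original post or the author's employer), the following Python script shows the kind of check you can run over a repository or an app's source tree before it ever reaches GitHub: a small hardcoded-secret scanner that combines pattern matches for AWS access key IDs, PEM private-key headers and password/secret/api_key/token assignments with a Shannon-entropy heuristic for random-looking strings the patterns miss. The function names, the patterns and the sample source lines are constructed for this example; the AWS values are the placeholder credentials from AWS's own documentation, not real keys.

```python
import math
import re
from collections import Counter

# Hypothetical secret scanner (added example). The AWS access key ID format
# (AKIA + 16 upper-case alphanumerics) and PEM private-key headers are well
# known; the assignment pattern is a generic heuristic for string literals
# assigned to password/secret/api_key/token style names.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)[a-z_]*"
        r"\s*[:=]\s*['\"][^'\"]{6,}['\"]"),
}

# Any run of 20+ base64/hex-ish characters is a candidate for the entropy check.
CANDIDATE_TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")


def shannon_entropy(s: str) -> float:
    """Bits per character: random key material scores high, ordinary words low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_lines(lines, entropy_threshold=3.5):
    """Return (line_no, kind) findings for the given source lines.

    The matched secret itself is deliberately not returned, so the scanner's
    own output does not leak it into CI logs or tickets.
    """
    findings = []
    for line_no, line in enumerate(lines, start=1):
        matched = [kind for kind, pat in SECRET_PATTERNS.items() if pat.search(line)]
        for kind in matched:
            findings.append((line_no, kind))
        if matched:
            continue  # already reported; skip the weaker entropy heuristic
        for token in CANDIDATE_TOKEN.findall(line):
            if shannon_entropy(token) >= entropy_threshold:
                findings.append((line_no, "high_entropy_string"))
                break  # one entropy report per line is enough
    return findings


# Constructed sample "source file". The AWS values are the documented
# placeholder credentials from AWS's documentation, not real keys.
SAMPLE_SOURCE = [
    'import os',
    'DB_HOST = "db.internal"',
    'DB_PASSWORD = "hunter2secret"',                      # hardcoded password
    'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"',        # AWS docs example key ID
    'aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    'api_key = os.environ["API_KEY"]',                   # correct: read from the environment
    'signing_key = "-----BEGIN RSA PRIVATE KEY-----"',   # PEM material pasted into code
    'description = "this is a perfectly ordinary sentence of text"',
    'SESSION_SALT = "Kx9mQ2vT7pL4wR8nZ3bH6cJ1yF5dG0"',   # caught only by the entropy check
]

if __name__ == "__main__":
    for line_no, kind in scan_lines(SAMPLE_SOURCE):
        print(f"line {line_no}: {kind}")
```

Run it as a pre-commit hook or a CI step that fails the build on any finding; the line that reads the key from the environment (line 6 of the sample) is the pattern you want and is not flagged. The entropy threshold is a tuning knob: lower it and you catch shorter keys at the cost of more false positives on things like base64-encoded images, so review what it flags in your own code base before enforcing it.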
- Use two-factor authentication across the board [it applies even to a startup with 3 employees; you have no idea how your trust can be exploited on the internet].
- Monitor each and every thing you possibly can (do not go for the big bang; baby steps are what you have to take). Just don’t get lost in the scale at which you operate. It is really important and will help you in the long term.
- Give as many security sessions to dev engineers/QA/dev-ops as possible. Show them the impact it can have, and do not just walk them through a set of slides, so they understand which mistakes not to make. Going forward, the way you conduct sessions is really important. It should be an interesting one rather than just running through the OWASP Top 10.
- Work on an assumed-breach scenario: think about what you would need to have handy if a breach happened today on your application, DB, server, source code, network, etc., to figure out what went wrong and when it went wrong, for each of those cases. Make a list. Put in place all those alerts, monitoring, checks and balances, tools or other things you need so that you get notified right at the root cause of any issue.
- Make your product team aware of security so that they involve you from the PRD phase and you have a better grasp of what is happening. This is the major gap in all start-ups; fill it and you have won the battle of security evangelization, bingo! This battle will help you win half the war.
- Have an external bug bounty program. This gives security researchers a sense that their work will be appreciated, and they will be super motivated to find the awesome bugs that help both them and you [good news! I will soon be open-sourcing a full-fledged automated bug bounty program].
The most important thing to note is that there should be no ‘chalta hai’ (“it’s fine, let it be”) attitude. Even if it takes time to add proper validation for each and every thing you can think of, take that time in the coding and testing of the platform or app.
When all of the above is set, you can do more things, like a formal Secure SDLC (earlier we did it in bits and pieces), threat modeling, SAST, DAST, a process around security, and tons of other things that can follow. Achieve all of the above, and you are at a fabulous starting point!
[Image: Weakest link in security]
- I have not considered the weakest link in the chain, humans (employees).
- This is not for giant corporates; they already have lots of setups and tons of things in place. Start-ups work completely differently; do not compare them.
With this article, I tried to explain the smallest, independent tasks any CTO/founder could do to have information security in place from the start with the least amount of investment and effort.
“The internet is a public place; do not leave your data/details lying around”
Concluding with some food for thought:
“Information security is just like your medical insurance: you never know what tomorrow has in store for you”
Keep safe. Happy Hacking.
[About the Author: Shadab Siddiqui heads Security Engineering @Olacabs]