Mobility and Security
Stefan Streichsbier
NUMISEC International Indonesia
Version 1.1
21.02.2019
About me
Stefan Streichsbier
@s_streichsbier
stefan@numisec.com
stefan@guardrails.io
GuardRails.io
Move fast, be safe.
Book and Kindle version now on Amazon!
What are we going to cover?
Why Mobility and Security are important factors
How to find a balanced approach
How businesses can leverage security
And also, how security and developer experience are related.
Some Statistics
As of June 2017,
51% of the world's population
has internet access.
That’s close to
4,000,000,000 people
As of October 2018,
there are 31,000,000
developers on Github alone.
Marc Andreessen
Renowned VC
Software is eating the world, in all sectors.
In the future every company will become a software company.
“The Wall Street Journal”, 2011
https://www.statista.com/statistics/893954/number-fintech-startups-by-region/
The most well funded startups in Asia
http://fintechnews.sg/6612/fintech/well-funded-tech-startups-asia-apac/
http://fintechnews.sg/20712/indonesia/fintech-indonesia-report-2018/
Indonesia Fintech Map
Exercise: Impact of Security Breaches?
22%
lost customers
because of attacks
49%
experienced public
scrutiny after a breach
29%
lost revenue as a
result of attacks
https://www.cisco.com/c/m/en_au/products/security/offers/annual-cybersecurity-report-2017.html
https://www.cisco.com/c/dam/m/digital/en_us/Cisco_Annual_Cybersecurity_Report_2017.pdf
The Impact of Security Breaches (cont)
Reputational damage
TalkTalk’s high profile
data breach in 2014,
showed the company’s
reputation took
a tremendous hit.
Legal implications
The biggest issue a business
will face following a data
breach. Enormous fines await
companies that fail to protect
their customers’ data.
https://medium.com/fintech-weekly-magazine/counting-the-costs-of-a-data-breach-8ac2327aee0d
Fintech Indonesia Regulatory Environment
Self-Regulation
http://fintechnews.sg/20712/indonesia/fintech-indonesia-report-2018/
vs
Fintech – What Security Should Not Be Like
Is Risk Equal For All?
New Ventures | Scaling Startups | Unicorns
Exercise: What security risks do you know?
Business Logic
Wallets, reward systems,
…
Privacy/Data
PII, credit card data,
…
Application
Vulnerabilities in app,
cloud, …
https://devopedia.org/devops
How does security fit into this?
AWS Security Primer
https://news.ycombinator.com/item?id=14628108
https://cloudonaut.io/aws-security-primer/
I have worked extensively with AWS over the last 4 years,
and I can barely wrap my head around the scope of
managing security in AWS.
We have an entire department dedicated to security in
our company, and none of them are remotely close to
being experts in AWS security either.
I’m starting to get curious if there even is an expert who
could set up and maintain a bulletproof AWS account.
https://devopedia.org/devops
The Evolution of Security
Penetration Testing | Secure SDLC | DevSecOps
Automated Security Defense
Do you know if you are
under attack at this
current moment?
Can you automatically
defend against attacks?
Do you know what the
attackers are going after?
Automated Security Testing
SAST | SCA | DAST/IAST | CCA
Commercial | Open Source
60+
Exercise: Where can you add security?
https://gist.github.com/rasheedamir/7da0145ae1b5d9889e4085ded21d1acb
Where do these tools live?
Source: https://twitter.com/djschleen
Be aware of the vicious cycle
Tools compound
the issue.
There is too much
security debt
Developers “comply”
“The first rule of any technology used in a business is that automation applied to an efficient operation will magnify the efficiency. The second is that automation applied to an inefficient operation will magnify the inefficiency.”
Bill Gates
Security
Developers
Exercise: How would you balance Security?
New Ventures | Scaling Startups | Unicorns
Security and Developer Experience!
Usability | User Experience | Developer Experience
Signals vs Noise
Focus on high-impact issues
Don’t add to the noise
Ensure the issues have high accuracy
Security Trivia #213: What is the largest security tool report that has been recorded?
13,000 pages
Lost in Translation
Speak the same language as developers
Issues are useless until they are fixed
Leverage the right communication channel
Security Trivia #937: What is the official CWE title for a SQL Injection?
Improper Neutralization of Special Elements used in an SQL Command
Make it easy
Tightly integrated
Allow developers to get started in minutes
Provide all the needed functionality
Security Trivia #23: How many of the 12 leading AST companies - according to
the Gartner Magic Quadrant – have clear pricing information on their website?
1
Automated Security Testing - What is better?
Option A Option B
Exercise: How can businesses leverage security?
Use Security to
Differentiate
Yourself
Acknowledge
that Security is
Important
Earn the Trust
and Loyalty of
Users and Investors
Get a curated list of security resources
Consisting of:
• Awesome lists
• Developer trainings
• List of great tools
• Security Page templates
• Free digital copy of my book
• the slides
• … and more
Then send an email to:
iwant@guardrails.io
Questions?
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 

Security and Mobility Co Create Week Jakarta

  • 1. Mobility and Security Stefan Streichsbier NUMISEC International Indonesia Version 1.1 21.02.2019
  • 3.
  • 4. Book and Kindle version now on Amazon!
  • 5. What are we going to cover? And also, how security and developer experience are related. How to find a balanced approach Why Mobility and Security are important factors How businesses can leverage security
  • 6. Some Statistics As of June 2017, 51% of the world's population has internet access. That’s close to 4,000,000,000 people As of October 2018, there are 31,000,000 developers on Github alone.
  • 7. Mark Andreessen Renowned VC Software is eating the world, in all sectors. In the future every company will become a software company “The Wall Street Journal” in 2011
  • 9. The most well funded startups in Asia http://fintechnews.sg/6612/fintech/well-funded-tech-startups-asia-apac/
  • 11. Exercise: Impact of Security Breaches? 22% lost customers because of attacks 49% experienced public scrutiny after a breach 29% lost revenue as a result of attacks https://www.cisco.com/c/m/en_au/products/security/offers/annual-cybersecurity-report-2017.html https://www.cisco.com/c/dam/m/digital/en_us/Cisco_Annual_Cybersecurity_Report_2017.pdf
  • 12. The Impact of Security Breaches (cont) Reputational damage TalkTalk’s high profile data breach in 2014, showed the company’s reputation took a tremendous hit. Legal implications The biggest issue a business will face following a data breach. Enormous fines await companies that fail to protect their customers’ data. https://medium.com/fintech-weekly-magazine/counting-the-costs-of-a-data-breach-8ac2327aee0d
  • 13. Fintech Indonesia Regulatory Environment Self-Regulation http://fintechnews.sg/20712/indonesia/fintech-indonesia-report-2018/ vs
  • 14. Fintech – What Security Should Not Be Like
  • 15. Is Risk Equal For All? New Ventures / Scaling Startups / Unicorns
  • 16. Exercise: What security risks do you know? Business Logic Wallets, reward systems, … Privacy/Data PII, credit card data, … Application Vulnerabilities in app, cloud, …
  • 18.
  • 19. How does security fit into this?
  • 20. AWS Security Primer https://news.ycombinator.com/item?id=14628108 https://cloudonaut.io/aws-security-primer/ I have worked extensively with AWS over the last 4 years, and I can barely wrap my head around the scope of managing security in AWS. We have an entire department dedicated to security in our company, and none of them are remotely close to being experts in AWS security either. I’m starting to get curious if there even is an expert who could set up and maintain a bulletproof AWS account.
  • 22. The Evolution of Security: Penetration Testing / Secure SDLC / DevSecOps
  • 23. Automated Security Defense Do you know if you are under attack at this current moment? Can you automatically defend against attacks? Do you know what the attackers are going after?
  • 24. Automated Security Testing: SAST, SCA, DAST/IAST, CCA; Commercial and Open Source; 60+
  • 25. Exercise: Where can you add security? https://gist.github.com/rasheedamir/7da0145ae1b5d9889e4085ded21d1acb
  • 26. Where do these tools live? Source: https://twitter.com/djschleen
  • 27. Be aware of the vicious cycle Tools compound the issue. There is too much security debt Developers “comply”
  • 28. “The first rule of any technology used in a business is that automation applied to an efficient operation will magnify the efficiency. The second is that automation applied to an inefficient operation will magnify the inefficiency.” Bill Gates
  • 30. Exercise: How would you balance Security? New Ventures / Scaling Startups / Unicorns
  • 31. Security and Developer Experience! Usability / User Experience / Developer Experience
  • 32. Signals vs Noise Focus on high-impact issues Don’t add to the noise Ensure the issues have high accuracy Security Trivia #213: What is the largest security tool report that has been recorded? 13,000 pages
  • 33. Lost in Translation Speak the same language as developers Issues are useless until they are fixed Leverage the right communication channel Security Trivia #937: What is the official CWE title for a SQL Injection? Improper Neutralization of Special Elements used in an SQL Command
  • 34. Make it easy: Allow developers to get started in minutes; Tightly integrated; Provide all the needed functionality. Security Trivia #23: How many of the 12 leading AST companies - according to the Gartner Magic Quadrant – have clear pricing information on their website? 1
  • 35. Automated Security Testing - What is better? Option A Option B
  • 36. Exercise: How can businesses leverage security? Use Security to Differentiate Yourself Acknowledge that Security is Important Earn the Trust and Loyalty of Users and Investors
  • 37.
  • 38. Get a curated list of security resources Consisting of: • Awesome lists • Developer trainings • List of great tools • Security Page templates • Free digital copy of my book • the slides • … and more Then send an email to: iwant@guardrails.io

Editor's Notes

  1. Mobility and security are important factors that fintech startups need to prioritize in building user trust. Find out how to build, develop, and improve both so that your business grows.
  2. If you are passionate about ditching traditional security and helping companies in Asia get into the age of DevSecOps, then drop me a line. At GuardRails we are working on a very different approach to security, which puts developers first, and I’m excited to announce that we launched last week. CEO & Founder at GuardRails. Stefan has been focusing on information security since 2003. He has worked at Numisec and integrated security through the Agile and DevOps work methods and empowered the development team. Stefan is also one of the founders of the Singapore DevSecOps group, a local community meetup that actively holds Singapore DevOpsDays events, DevOpsDays Jakarta, and DevSecCon Asia. More on the founder story?
  3. An expert is a man who has made all the mistakes which can be made, in a narrow field.
  4. No matter if you are a one-person startup, a fast-growing organization, or a unicorn: a balanced approach, based on what stage you are in. What are the risks you should care about, and what are the measures you can take to improve your confidence? With security in place, how to leverage marketing/communication to earn the users’ trust and differentiate the offering.
  5. Origin of Software and Development, how it is tied to the proliferation of computer systems.
  6. How many will not exist in 2 years, and who will be the next unicorn (that may not be on that list).
  7. That’s like when you are preparing for an audit, and then suddenly not just one aspect but all aspects of your business will be reviewed. So one security slip can put the spotlight on a lot of other problems in a business. Loss of direct customer revenue Often, the true fallout of a data breach isn’t immediately visible, but attacks have huge repercussions. Cisco predicts that a company can expect to lose more than 20% of its customer base and all the revenue that this entails, following an attack, and it’s relatively easy to see why a customer would choose to spend their money elsewhere. If a company can’t even see to it that their personal information is kept safe, why should they receive their repeat custom? Easy to change app.
  8. How important do you think reputation is in a digital economy, where it’s all about reviews and digital branding? What do you think? Potential customers shopping for mobile banks or direct lenders won’t click on a company if reviews warn them not to. When public trust in a startup wanes, it directly affects its bottom line. Reputational damage Following directly on from the previous point comes damage to one of the most important currencies a business can have: reputation. Analysis carried out by Deloitte following TalkTalk’s high profile data breach in 2014, showed the company’s reputation took a tremendous hit following the attack, with negative sentiment lingering for more than four months after the incident, and negativity was particularly pronounced on social media, an area in which it can be particularly difficult to attenuate ill feeling. Ultimately, damage to TalkTalk’s reputation ended up costing the company dearly, including a drop of 11% to its share price. Legal implications Legal culpability is undoubtedly the biggest issue a business will face following a data breach. Enormous fines await companies that fail to protect their customers’ data, and on May 25 2018 the EU’s GDPR comes into force, bringing with it fines of up to 4% of worldwide turnover for failure to protect and handle customer data adequately. Fines of this magnitude can quite easily destroy a company where it stands.
  9. Regulations can’t keep up with advancements. The innovations of the fintech world are happening at lightspeed and few competitors can keep up — including regulating bodies. Part of the fintech platform’s success relies on this rapid pace. Unlike their slow and laborious counterpart in the country’s biggest banks, startups can adapt and change on a dime to evolve alongside its users’ needs and expectations. Some fintechs follow a self-regulatory framework While many champions of fintech believe strict regulations would stifle the innovation powering the industry, others are already employing a self-regulatory framework to their platforms, so they can ensure risk-management and data privacy. Perhaps not for altruistic reasons Failure to offer these security measures promises imminent failure for careless fintech companies. The very nature of their convenient, online platforms makes it easy for its customers to leave. And don’t forget these companies service a plugged-in population who, with a few taps of their fingers, can leave an online review. Enough bad reviews can tarnish the company’s reputation. https://www.information-age.com/cyber-security-challenges-emerging-fintech-startups-123471506/
  10. For some established companies that can be OK, but for startups in fintech that rely on their brand and haven’t diversified yet, it could break them. What do you think the differences are? E.g. Gojek has a breach, or a small company that no one knows yet is hacked. Or a company that is just getting traction, or is trying to raise a round? What about the ecosystems and partners?
  11. PII, credit card data, financial data, abusing wallets, crypto, etc. Reward systems, getting vouchers, etc. Abusing the system: anything related to business logic. Get in small groups and discuss what you think can happen. (5 minutes)
  12. This is just the tools you have to use to get an application from an idea in someone’s head to code running in production. There are no security tools in that picture.
  13. Feels a little bit like this, doesn’t it.
  14. When googling “security complexity” to illustrate this problem, I stumbled over this little gem. We understand that it’s already too much to understand modern development workflows and tooling. Understanding the security implications is almost impossible. So what you see on this slide is an AWS expert sitting down to understand the security areas they have to consider for their AWS account. This gentleman is by no means a security expert, not even a self-proclaimed one. The response he got on Hacker News is a real eye opener.
  15. This is just the tools you have to use to get an application from an idea in someone’s head to code running in production. There are no security tools in that picture.
  16. It used to be infrastructure, open ports, patch management. Then it was about building security in. And now it’s all about shifting left. We are getting closer to the developers, have more automation, and give faster feedback. But I tell you one thing: developers probably liked it better when we only bothered them once at the end of every release, not now when it’s every time they are committing code. But has the quality improved? Or did we just get better at automating the nagging of developers?
  17. Think application performance monitoring, but for security. Understanding how your app is abused and misused helps with prioritization.
  18. This still looks fairly simple: you have Git as your SCM, Jenkins as your build system, Docker for containers, and Kubernetes as the orchestration layer. That’s not too bad, is it?
  19. Security debt is huge, because security wasn’t a part of it and the tooling didn’t make it appealing, for the reasons stated earlier. Tools compound the issue, because they just make devs fix the issues they get, without actually taking ownership. They point to the debt and show huge amounts of issues, over and over again. They don’t actually fix any issues, at all. Most of them have been developed for the wrong audience, and boy does it show. Developers are not proactively doing these things; whatever gets put on their desks, they take care of it. Security tools should be made for developers. Yet, most of them are designed for security analysts. And it shows in many areas, such as setup, user experience, and workflow integration.
  20. This may sound mean, but I think realizing this is an important step in the evolution of our industry. But yeah to continue, with the advance of new technologies and automation the answer was as always more security tools. The most humbling experience was switching from an advisor/consultant to an implementer and being responsible for the Security of a high profile product (large team).
  21. Fintech doesn’t mean well funded. Fintech startup sizes can range from 1 founder and 0 funding to unicorns with 1000s of people. How does security fit in there? How much money would you spend? Security champions, ownership, etc. Some things are the same.
  22. Let’s explore the term developer experience. Usability can be modeled as the question “Can the user accomplish their goal?” whilst user experience can be phrased as “Did the user have as delightful an experience as possible?” Usability is concerned with the “effectiveness, efficiency and satisfaction with which specified users achieve specified goals in particular environments”. Bring up the Apple example: Apple prides itself on the high level of usability it has created for its devices. Using the iPhone is supposed to be so simple and nice, and effective (your mileage may vary, but let’s just take this as an example, and not start an Android vs iOS war). User experience, on the other hand, starts already in the Apple store, when you look at the device that you fancy, when you open the box for the first time (there are thousands of hours of people unboxing their gadgets on YouTube), and how much joy it brings you in your daily life. DX describes the experience developers have when they use your product, be it client libraries, SDKs, frameworks, open source code, tools, APIs, technology or services.
  23. Nowadays, there are too many distractions that are fighting for our attention. That’s by design: product designers know how to addict us in the race to dominate the attention economy. Security tools only add to these distractions. They find everything that could be a possible issue. Most of the tools running against your codebase produce thousands of results. Security is already intimidating enough. Let’s not make it worse by flooding developers with lots of security issues. Security tools have to report issues that have a high impact if left unfixed. Less is more. Don’t give them 1000s of “user input is printed in command” findings. Maybe focus only on dependencies with a CVSS score of 7 or higher. Ignore dev dependencies. Don’t value the devs’ time: lots of issues, vague descriptions and solutions (sad devs). Value the devs’ time -> relevant results -> actionable feedback (happy devs).
  24. Security experts have developed a very specific and unique language over the years (XSS, CSRF, SAST). But if you haven’t spent a good part of your career in application security, these terms are confusing. Don’t try to sound important. Especially traditional security tools produce hundreds of pages of PDF reports. Have you ever been on the receiving end of one of those reports? Or even worse, the one responsible for fixing those issues? Imagine looking at hundreds of security issues with lots of cryptic details. Details about how attackers can abuse your app, full of references that don’t make sense. But the key sections on how to fix the issues are thin. There is rarely any actionable, framework-specific content — if there is anything at all. Let us use plain, easy language and give useful instructions on how to fix issues.
  25. Get started in minutes. It doesn’t matter if they are curious and want to try it out, or if they want to deploy it for dozens of their apps. That means no scheduling of demos with sales reps. That means clear pricing on the website. If SpaceX can do it, so can you. (This includes clear pricing.) Typical security tools are clearly targeting enterprise sales, typically as part of the CISO organisation. If developers can’t easily take security software for a spin, then that’s a red flag already. No developer is going to click on that “book a demo” button. Workflow integration (understand your audience): out of workflow (IDE plugins are not enforceable and manageable, plus there are too many IDEs out there). I don’t just mean make it part of the CI/CD pipelines, and I’m not talking about IDE plugins. I’m talking about right there where the review happens, in the PR comments. If you are doing it right, then no developer is ever going to look at your dashboards. All in one: don’t make them look for tool A for this, tool B for that. If it’s already hard to wrap your head around SAST, DAST, IAST, RASP, NGWAF, secret management and all of these things, then nobody is going to have time for that.
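The three notes above (report only high-impact findings, translate CWE jargon into plain language, deliver the result where the review happens) can be turned into a small triage step. The code below is an added example written for this page, not GuardRails’ product; the finding format, the CVSS 7.0 threshold, the dev-dependency rule and the fix hints are assumptions constructed for the illustration, while CWE-89, CWE-79 and CWE-798 are real CWE identifiers.

```python
"""Noise-reducing triage of security-tool findings (added example, not the
presentation's or GuardRails' code). Finding format, threshold and fix hints
are constructed assumptions."""
from dataclasses import dataclass

CVSS_THRESHOLD = 7.0  # assumed cut-off: "high" and "critical" in CVSS v3 terms

# Plain-language names for CWE titles developers rarely recognise.
# The CWE ids are real; the short fix hints are constructed for the example.
PLAIN_LANGUAGE = {
    "CWE-89": ("SQL Injection", "Use parameterised queries / prepared statements."),
    "CWE-79": ("Cross-Site Scripting", "HTML-encode output with the framework's escaping helper."),
    "CWE-798": ("Hard-coded credential", "Move the secret to a secrets manager and rotate it."),
}


@dataclass(frozen=True)
class Finding:
    tool: str               # "sast" or "sca" (assumed tool families)
    cwe: str                # e.g. "CWE-89"
    cvss: float             # severity as reported by the tool
    location: str           # file path (SAST) or package name (SCA)
    dev_only: bool = False  # SCA: dependency only used at build/test time


def triage(findings):
    """Keep only actionable findings: CVSS at or above the threshold, not a
    dev-only dependency, no duplicate (cwe, location) pairs, most severe first."""
    seen = set()
    kept = []
    for f in sorted(findings, key=lambda f: f.cvss, reverse=True):
        if f.cvss < CVSS_THRESHOLD:
            continue  # low-impact noise: don't add to the distractions
        if f.tool == "sca" and f.dev_only:
            continue  # never shipped to production: ignore dev dependencies
        key = (f.cwe, f.location)
        if key in seen:
            continue  # same issue reported twice by overlapping rules
        seen.add(key)
        kept.append(f)
    return kept


def pr_comment(findings):
    """Format triaged findings as one short pull-request comment in plain language."""
    if not findings:
        return "No high-impact security issues found."
    lines = [f"{len(findings)} security issue(s) worth fixing before merge:"]
    for f in findings:
        name, fix = PLAIN_LANGUAGE.get(f.cwe, (f.cwe, "See the tool's reference."))
        lines.append(f"- {name} in {f.location} (CVSS {f.cvss:.1f}): {fix}")
    return "\n".join(lines)


# Constructed sample output of a SAST and an SCA tool on one pull request.
SAMPLE = [
    Finding("sast", "CWE-89", 9.8, "app/users.py"),
    Finding("sast", "CWE-89", 9.8, "app/users.py"),          # duplicate report
    Finding("sast", "CWE-79", 6.1, "templates/home.html"),   # below threshold
    Finding("sca", "CWE-798", 7.5, "some-dev-linter", dev_only=True),
    Finding("sca", "CWE-79", 8.2, "old-markdown-lib"),
]

if __name__ == "__main__":
    print(pr_comment(triage(SAMPLE)))
```

Running the sample reduces five raw findings to the two a developer should act on, and the comment names them as "SQL Injection" and "Cross-Site Scripting" rather than by their CWE titles.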
  26. Acknowledge that security is taken seriously. Have a security page. Make it easy for people to report security issues (security@uni.corn); that shows you have a plan (templates). Use security as part of your value proposition and as a differentiator. The more things you do, the more you can talk about, and the more confidence you can give your users and investors.
  27. And no matter where you are on your journey, reach out to me anytime I can help you make the right decisions no matter if you are a one person startup or a unicorn that’s rocking it already!