How can a startup bring itself to par with contemporary cyber-security measures and standards? It is true that a startup cannot afford bug bounty programs or the cost of conducting pen-testing. At the recent Techfestival Copenhagen Cyber Security & Information Warfare Summit organized by Sven Weizenegger & Marisa Hinrichs, I had the opportunity to speak about the good old DREAD framework, with which a startup can begin assessing and start itself on the journey of meeting cyber-security standards, protecting itself from vulnerabilities, and answering those tough questions coming from integration partners and investors at the same time.
2. GOOD OLD DREAD FOR A STARTUP - ERNIT APS
WHAT IS YOUR WHY?
▸ Why are you here?
▸ Why do you care about security?
▸ After all, what is there to secure?
▸ What is all the fuss about?
▸ Is it really needed?
▸ What is the net yield of my security efforts?
DREAD
▸ Damage Potential
▸ Reproducibility
▸ Exploitability
▸ Affected Users
▸ Discoverability
Risk = (Reproducibility + Exploitability) x (Damage Potential + Affected Users + Discoverability)
INTRODUCTION TO ERNIT (Q2, ’17 OFFERING)
▸ Physical IoT PiggyBank connected to the Internet
▸ App available on the App Store, with the Parent Profile as the primary user and the Child login as a sub-account accessible with a PIN
▸ App user profile optionally connected to a Bank Account
6. APPLYING DREAD AT ERNIT
▸ Application Threat Modelling
▸ Entry Points i.e. each HTTP / HTTPS endpoint
▸ Assets i.e. Kid, Adult, Goal images
▸ Trust Levels i.e. Parent, Patron, Kid
▸ External Dependencies
1. THREAT RANKING
▸ Threat Ranking
Type                    Security Aspect
Spoofing                Authentication
Tampering               Data Integrity
Repudiation             Non-repudiation
Information Disclosure  Confidentiality
Denial of Service       Availability
Elevation of Privilege  Authorization
2. AUTHENTICATION & CORRECTIVE ACTIONS
▸ Log every attempt
▸ Log every 401
▸ Implement a lockout strategy
3. ACCESS CONTROL - CORRECTIVE ACTIONS
▸ All POST / PUT / PATCH API calls to the server must define the span of control of such operations, limited to the user's own data graph (and no more: never the users and kids they are not associated with)
4. COMMAND INJECTION CORRECTIVE ACTIONS
▸ Mostly, the cloud service provider claims to prevent this
▸ Use an appropriate ORM and avoid raw SQL as much as possible
▸ Define your “Known bad inputs”
5. SESSION MANAGEMENT & CORRECTIVE ACTIONS
▸ Alert: expect the most UX-versus-security fights here
▸ Define
    ▸ when to invalidate the app user session
    ▸ when to block user access
    ▸ checks to detect a token abuse attempt
    ▸ when forced token invalidation should happen
6. SECURE DATA TRANSMISSION & CORRECTIVE ACTIONS
▸ Identify Data to Encrypt
▸ Proper Encryption Implementation
▸ Pig-Server Communication
▸ App-Server Communication
▸ Server-GW-Bank Communication
SOME OTHER COUNTER MEASURES
▸ TAMPERING
    ▸ All PUT/PATCH API call implementations must check that the action is valid on the set of data before performing the action
    ▸ Goes hand-in-hand with the “Elevation of Privilege” threat
▸ INFORMATION DISCLOSURE
    ▸ Have your invitation module not send out excessive information about the inviting user, and have the invitee begin from “apply to access”
▸ DENIAL OF SERVICE
    ▸ Appropriate rate limiting of your backend APIs as part of the implementation
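One way to implement the span-of-control check from the access control slide together with the tampering check above (a PUT/PATCH target must actually belong to the set of data being acted on), as an added example in Python that is not ERNIT's code. The roles Parent, Patron and Kid come from the trust levels slide; the data model (kids owned by a parent, goals owned by a kid, patrons with read-only visibility) and all identifiers are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed sample data graph (assumption, not ERNIT's real model): a parent profile
# owns child sub-accounts, each child owns goals, and a patron is an invited adult
# who may view a kid's goals but never mutate them.

@dataclass
class Kid:
    kid_id: str
    parent_id: str
    goal_ids: Set[str]

@dataclass
class Principal:
    user_id: str
    role: str                        # trust level: "parent", "patron" or "kid"
    kid_id: Optional[str] = None     # set for a kid PIN login (sub-account)

KIDS: Dict[str, Kid] = {
    "kid-1": Kid("kid-1", "parent-A", {"goal-1", "goal-2"}),
    "kid-2": Kid("kid-2", "parent-B", {"goal-3"}),
}
PATRON_VISIBILITY: Dict[str, Set[str]] = {"patron-X": {"kid-1"}}
WRITE_METHODS = {"POST", "PUT", "PATCH"}

def span_of_control(p: Principal) -> Set[str]:
    """Kid ids inside the caller's own data graph; everything else is out of scope."""
    if p.role == "parent":
        return {k.kid_id for k in KIDS.values() if k.parent_id == p.user_id}
    if p.role == "patron":
        return set(PATRON_VISIBILITY.get(p.user_id, set()))
    if p.role == "kid" and p.kid_id in KIDS:
        return {p.kid_id}
    return set()                            # unknown role: deny by default

def authorize_write(p: Principal, method: str, kid_id: str,
                    goal_id: Optional[str] = None) -> bool:
    """Allow a write on a kid (or one of its goals) only inside the caller's span of control."""
    if method not in WRITE_METHODS:
        raise ValueError("authorize_write only covers POST/PUT/PATCH")
    if p.role == "patron":                  # patrons are read-only by trust level
        return False
    if kid_id not in span_of_control(p):    # access control: kid not in caller's data graph
        return False
    if goal_id is not None and goal_id not in KIDS[kid_id].goal_ids:
        return False                        # tampering: target must belong to that kid's set
    return True
```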
ERNIT Q3, 2017
AES
COPPA Compliant
Image store
ERNIT SECURITY - ROAD AHEAD
▸ UL 2900-1 being studied by a consortium of ERNIT, Delta Systems, Eficode, and Alexandra Institute
▸ Vulnerability assessment & port scanning completed
▸ Auditability of each PI item as a digital audit of GET endpoints (GDPR compliance)
▸ More details by Q4, 2017