Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
C days2015
1. Este documento é propriedade intelectual da PT e fica proibida a sua utilização ou propagação sem expressa autorização escrita
Building a Secure Startup
Nuno Loureiro
SAPO Security Team
07.10.2015
C-Days 2015
nuno@co.sapo.pt
2. 2
Who am I? Timeline
•Dez 2009: Got a dual Masters degree: MSIT-IS from CMU and MSI
from FCUL
• Jan 2010-now(): Founded and lead SAPO’s Security Team
•2012-now(): Head of Security and Fraud at PT Pay (Meo Wallet)
•1997-2002: System and Network administrator,
Programmer, a little of Security, Student, Entrepreneur …
•2002-2008: Web Programmer at SAPO,Technical Lead
of SAPO’s Email Platform
3. 3
Summary
• Security
Awareness
• Steps
to
improve
Security
within
your
organization
• Security
Culture
• Risk
Analysis
• Secure
Infrastructure
• Application
Security
4. 4
Context
Let’s
imagine
John
co-‐founded
a
small
Startup.
Between
founders
and
employees
there’re
10
people.
They’re
focused
on
a
single
product:
A
collaborative
and
integrated
project
management
platform
Their
Business
Model
is
SaaS.
They’re
on
a
tight
budget.
5. 5
Invest in Security?
We’re
too
small
to
be
an
attractive
target…
Why
should
I
care?
Should
I
invest
in
Security
from
the
beginning?
14. 14
Invest in Security?
You
can
argue
about
the
probability
of
a
successful
attack
but
the
impact
of
just
one
attack
can
put
you
out
of
business…
Conclusion
18. 18
Security
should
be
part
of
your
culture
• Starts
at
the
C-‐level
• 2nd-‐factor
for
VPN,
email
(from
new
devices)
and
critical
operations/
accounts
Steps to improve Security
19. 19
Security
should
be
part
of
your
culture
• Setup
VPN
(e.g.
OpenVPN)
for
remote
accessing
your
infrastructure
• Adopt
“corporate
network
=
home
network”
model,
no
privileged
access
from
corporate
network
to
your
infrastructure
Steps to improve Security
20. 20
Security
should
be
part
of
your
culture
• Use
Full
Disk
Encryption
on
your
laptops
• Use
password
managers
Steps to improve Security
FileVault
21. 21
Security
should
be
part
of
your
culture
• Give
periodic
security-‐awareness
sessions
(phishing,
do’s
and
don’ts,
…)
• Invest
on
E-‐mail
security
(to
prevent
malware,
phishing,
etc)
• Don’t
forget
Periodic
updates,
AV,
Firewall,
Screensaver
with
password
• Use
strong
cryptography
on
your
wifi,
VPN,
HTTPS
sites
Steps to improve Security
22. 22
Access your risk
Risk
Analysis
• There
are
many
frameworks
to
perform
Risk
Management:
• ISO27005
• OCTAVE
• NIST
SP
800-‐37
• There
are
many
frameworks
to
perform
Threat
Modeling:
• Stride
• Dread
• For
the
purpose
of
this
talk
we’ll
do
a
very
basic
approach
23. 23
Risk
Analysis
• What
are
your
main
assets?
• Customer’s
data:
code,
project
ideas,
status
of
development,
business
plan,
employee’s
information,
confidential
information
• Business
Information:
Sales,
business
plan,
list
of
customers,
etc
• Availability
of
the
service
• What
are
the
main
threats
you
want
to
prevent?
• (account,
customer,
business)
Data
breach:
could
lead
to
bankruptcy
• DDoS
attacks:
Availability
is
core
to
our
business;
customer
churn
• What
vehicles
(vulnerabilities)
could
be
used
to
turn
threats
into
successful
attacks?
• Vulnerabilities
in
the
Web
Application
• Vulnerabilities
in
the
systems
• Public
IP
addresses
• Employee
PC
• Employee
• Email
• Physical
access
to
systems
•
(…)
Access your risk
25. 25
Infrastructure
Security:
On-‐Premises
or
In
the
cloud
• Setup
different
subnets
for
each
one
of
the
layers
of
your
infrastructure
(at
least
one
for
Web
frontend
servers
and
one
for
backend
servers)
• Control
all
traffic
between
the
subnets
with
firewall
ACLs
(also
inbound/outbound)
• If
there’s
traffic
that’s
not
allowed
between
a
frontend
and
a
backend
server
then
have
your
Intrusion
Detection
System
raise
an
alarm
• Use
GRSecurity
if
you
run
Linux,
use
EMET
if
you
run
Windows
• Update
all
your
systems
periodically
• Install
a
Host
Intrusion
Detection
(HIDS),
e.g.
OSSEC
Secure your Infrastructure
26. 26
Infrastructure
Security:
On-‐Premises
or
In
the
cloud
• If
you
decide
to
go
to
the
cloud:
• Be
careful
with
the
account
with
admin
privileges,
choose
a
strong
and
unique
password
plus
2-‐FA
or
if
possible
require
VPN
to
access
the
management
console.
• Choose
one
of
the
top
cloud
providers,
where
security
has
been
scrutinized
• Cloud
providers
offer
some
sort
of
network
DDoS
protection
• Can
offer
email
protection
(malware,
spam,
phishing)
too
• You
can
have
a
mixed
solution
(cloud
and
on-‐premises)
• Weigh
the
Pros
and
Cons
of
each
Secure your Infrastructure
27. 2
Build Secure Software
Adopt
SSDLC
My
advice
from
almost
6
years
of
experience
in
this
area:
• If
you
have
a
security
team,
they
should
be
close
to
developers.
When
developers
go
to
the
security
team
ask
for
advice
on
a
regular
basis
you
know
you
got
it
right.
• Training
developers
on
Secure
Programming
really
works
• Introducing
security
early
in
the
project
saves
everyone
time
at
the
end
• Do
Pentesting
before
going
live
and
periodically
(at
least
1x
year)
30. 30
Build Secure Software
• A
significant
part
of
Data
Leaks
today
are
due
to
SQLi
vulnerabilities
• If
you
use
Prepared
Statements
when
writing
your
SQL
queries,
say
bye-‐bye
to
SQLi
• Encrypt
your
sensitive
data
before
storing
it
in
the
database
(do
not
store
the
encryption
key
there!)
• There’s
no
excuse
these
days
for
introducing
new
SQLi
vulnerabilities
in
code
32. 32
Build Secure Software
Some
advice:
• Use
HTTPS
• Hash
the
password
before
storage
(hint:
HMAC)
• If
authentication
fails
don’t
say
that
it’s
the
username
that
does
not
exist
or
that
it’s
the
password
that
is
wrong,
give
a
generic
message
instead
• Re-‐authentication
should
be
required
before
any
application-‐
specific
sensitive
operations
are
permitted,
such
as
for
changing
the
password
Authentication
et
al.
33. 33
Build Secure Software
Some
advice:
• Do
you
allow
“a
single
account
tested
against
all
possible
passwords”?
(vertical
bruteforcing)
• What
about
“all
accounts
tested
with
the
same
password
e.g.
123456”?
(horizontal
bruteforcing)
• Use
an
outbound
channel
for
account
recovery
and
apply
the
same
security
controls
as
for
authentication
(like
when
storing
the
recovery
token,
throttling,
re-‐authentication
for
changing
the
recovery
elements,
etc)
• Avoid
using
security
questions
for
account
recovery
Authentication
et
al.
36. Este documento é propriedade intelectual da PT e fica proibida
a sua utilização ou propagação sem expressa autorização escrita.
SAPO Security Team
The
END
Nuno
Loureiro
nuno@co.sapo.pt