Every company has to deal with the topic of security. Depending on the product/service, security might be more or less important, but it doesn’t matter if the product is moving money or sending disappearing pictures, if the company grows, it will have to deal with security sooner or later. Unfortunately, not all security mistakes are created equal. This talk will go over some security mistakes are several orders of magnitude harder to fix later in the lifecycle of a company, helping people prioritize their decisions when trying to keep the fine balance between security and product.

1. From 0 to 0xDEADBEEF:
The security mistakes that will haunt your startup
@diogomonica

2. Agenda
List of mistakes that are painful to remediate
‣TLS
‣Web Security
‣Passwords
‣Infrastructure
‣Corporate Environment
Not an exhaustive list

3. Target audience
‣Companies just starting up or in their initial growth phase
‣Every company will hit these issues at some point

4. Real Security
Engineers Ship

5. TLS Mistakes

6. Not having TLS
from day 1
‣There is no reason to have HTTP endpoints
•Most TLS performance issues are a myth
‣One HTTP link compromises the security of your whole application (sslstrip)
https://github.com/diogomonica/py-cookieJsInjection

7. SSLv3 enabled
‣There are essentially no legitimate clients without TLS support
•No, IE6 on SP2 is not a legitimate client
‣A lot of pressure from PCI Council to be strict about disabling SSLv3
[ insert favorite POODLE link here ]

8. Crappy certificates
‣Choose a good issuer
•If you have an app you will be pinning to it
‣Make sure you are not using MD5 or SHA1 for the signature
https://github.com/diogomonica/gocert

9. Lack of security
headers
‣Even if you are 100% https, the first connection is still vulnerable
•The HSTS header fixes that
‣Tons of important headers. Start every application by using Twitter’s Secure
headers gem/list.
https://github.com/twitter/secureheaders

10. Not keeping up to
date w/ attacks
https://www.ssllabs.com/ssltest/

11. Web Security Mistakes

12. Everything under
the same domain
‣Use a completely different domain for all trusted activity
•Example: trustedsite.com VS usercontentsite.com
‣Host all of your static files from a different domain
•Scopes the TLS certificates you will have to give to CDNs
‣Host all javascript from yet another different domain
•Allows you to set CSP policies on where Javascript is loaded

13. Cookie scoping as
an afterthought
‣The site blog.diogomonica.com can set cookies with scope diogomonica.com
•Cookie Stealing
•Cookie Eviction
•Session Fixation
‣Make sure you only use Secure and HttpOnly cookies
http://bit.ly/18fet3L

14. Not enabling CSP
in reporting mode
‣The objective is to eventually enable CSP in enforce mode
•Helps track the addition of in-line and foreign Javascript
•On that note: host all of your Javascript
http://mzl.la/1B3GPZT

15. Internal admin
dashboard as part
of the same app
‣Applications usually start off by having admin dashboard built-in
•Accessible from the Internet
‣If something is supposed to be internal, make sure you:
•Make it internal only from day 1
•Deploy it on a different host/vm/container
•Don’t use origin IP for authorization (Header injection issues)

16. Logging blacklists
‣Logging should work in a white-list model
‣Very easy to end up with PII or other sensitive information in logs
•Good luck getting it out of hadoop
•Good luck getting it out of Splunk
•Good luck cleaning all of your backups

17. Password Mistakes

18. Checking-in secrets
‣Build a secret-distribution story early
•People commit AWS credentials to github repositories all the time
‣Check for leaked keys daily (gitrob)
https://github.com/michenriksen/gitrob

19. Sharing passwords
around
‣Laptops get stolen/lost all the time
•Full-disk encryption won’t save you against DMA Attacks
•Laptop compromise means all credentials get leaked
‣Use centralized secret storage applications instead (e.g. Bitium, Onelogin)
•Enable multi-factor authentication to access

20. Hashing passwords
‣Use bcrypt
‣Use bcrypt
‣Use bcrypt
http://codahale.com/how-to-safely-store-a-password/

21. Infrastructure Mistakes

22. Not making your
application
deployment nimble
‣Run all your applications in containers*
•Allows you to update the underlying Operating System easily
‣Use SELinux: helps with some classes of application-level vulnerabilities
https://www.docker.com/
*I’m obviously very biased on this subject

23. Production access
without 2FA
‣Create choke-points for production access
•SSH access should require TOTP token through a Bastion host
•Internal dashboard access should go through a 2FA SSO
SSH Bastion
Host
Datacenter
Front-end
Server
Back-end
Server
Corporate
Network
SSO Portal Internal
Dashboard

24. Trust from the
corporate network
‣Corporate network should have no trust relations with production (or minimal
trust)
SSH Bastion
Host
Datacenter
Front-end
Server
Back-end
Server
Internet
SSO Portal Internal
Dashboard

25. No centralized
logging
‣Create a new service/application check-list for with two items:
•Enable centralized logging
•Ensure NTP is being synced
‣Are you using AWS? Go enable Cloudtrail now!
•Seriously, do it now, I’ll wait.
http://aws.amazon.com/cloudtrail/

26. Not having root
use as an alertable
event
‣#people with the root password should be < #fingers in your hand
‣Log all uses of sudo -s ; sudo -i ; su - ; su root ; etc
•These should not be common events
http://knowyourmeme.com/memes/sad-panda

27. HTTP for your S2S
communication
‣All S2S communication should be HTTPS
Datacenter
Front-end
Server
Back-end
Server
Application
Server

28. Corporate Environment Mistakes

29. Not having a self-
service check-list
‣Create a self-service security check-list with the following items:
•Download, install and set Chrome as the default browser
•Install the Adblock extension
•Java must be disabled
•Flash must be set as click to play
•Full-disk encryption is mandatory
•Enroll the laptop in Find my Mac
•Passwords are generated and stored in 1Password

30. Summary
‣There are security issues that every company will eventually have to deal with
‣Some mistakes will be a lot more costly than others
‣Bring in someone in whose job is to worry about Security early on
•Remember: real security engineers ship!

31. Q&A
@diogomonica