What Diaspora* can learn about security from Microsoft
Jon Pincus / @jdp23
http://talesfromthe.net
October 15, 2010

Diaspora*: the “privacy-aware, personally-controlled, open-source, do-it-all social network”
A Facebook alternative like Appleseed, OneSocialWeb, …
Founded in May by four NYU students
Raised $200K on Kickstarter
http://joindiaspora.com

September: first source code release
On schedule! Basic functionality in place!
Profiles and aspects
Status updates
Photos
Security: umm …

Does it matter?
“It’s no worse than most web startups …”
Yeah, but:
Privacy is key to their value proposition
A reputation for insecurity will doom them
So while they’ve made the right tradeoff so far, they’ll need to start taking security more seriously

I’m flashing! Remember back in 2001/2002?
Gartner advisor about IIS
MikeHow’s SQL injection demo to Bill
SWI and “the Security Push”
Substantial investment and progress since then - although significant challenges remain
What can we learn?

Reach out to the security community
Add security experts to the team
Review the code
Document security properties and do threat modeling
Use the tools (and develop new ones)
Bake security in at every stage of development
Create a security and privacy advisory board
The longer you wait the tougher it gets