The document discusses the security challenges faced by the social network diaspora*, emphasizing the importance of privacy for its value proposition. It highlights lessons from Microsoft's experience, such as engaging the security community, integrating security throughout development, and forming an advisory board. The author warns that neglecting security could jeopardize the platform's success.

1. What Diaspora* can learn about security from Microsoft Jon Pincus / @jdp23 http://talesfromthe.net October 15, 2010

2. Diaspora* the “privacy-aware, personally-controlled, open-source, do-it-all social network” A Facebook alternative like Appleseed, OneSocialWeb, … founded in May by four NYU students Raised $200K on Kickstarter http: //joindiaspora .com

3. September: first source code release On schedule! Basic functionality in place! Profiles and aspects Status updates Photos Security: umm …

4. Does it matter? “ It’s no worse than most web startups …” Yeah, but: Privacy is key to their value proposition A reputation for insecurity will doom them So while they’ve made the right tradeoff so far, they’ll need to start taking security more seriously

5. I’m flashing! Remember back in 2001/2002? Gartner advisor about IIS MikeHow’s SQL injection demo to Bill SWI and “the Security Push” Substantial investment and progress since then - although significant challenges remain

6. What can we learn?

7. Reach out to the security community

8. Add security experts to the team

9. Review the code

10. Document security properties and do threat modeling

11. Use the tools (and develop new ones)

12. Bake security in at every stage of development

13. Create a security and privacy advisory board.

14. The longer you wait the tougher it gets

15. What Diaspora* can learn about security from Microsoft Jon Pincus / @jdp23 http://talesfromthe.net October 15, 2010