IT security for all. Bootcamp slides
TRANSCRIPT
IT security for startups all
Bootcamp, MIPT, 21/12/2013
BIO
• Whitehat (Facebook, Google, Yandex rewards)
• Security researcher
• CEO
• @d0znpp
Security?
• Not for our budget right now
• Does not affect revenue
• We are not interesting to hackers
• No one has hacked us before
• Rocket science
• A QA job
Security!
• We have a firewall
• We have an admin
• We have an antivirus
• All is OK
Security!
• External network level
• Application layer
• Internal network layer
• Staff awareness
Best practice!
Security is like bookkeeping
• A process
• Continuous, not a one-off
• You cannot start it retroactively
Enterprise way
• SDL - Security Development Lifecycle
• Works, but hard to implement
All in the clouds!
What do I need security for?
Typical cases
• Marketing site (almost static content)
• Cloud CRM
• Cloud mail
• Cloud dev (github/bitbucket private repos)
• And what about DNS?
• What about the integration between them?
• What about client-side security?
PCI DSS!
Our payments are protected
Typical cases
• «These materials include a framework of specifications, tools, measurements and support resources to help organizations ensure the safe handling of cardholder information at every step»
• And what about other information?
• What about MY data/money?
• Nothing...
Platform (CMS, framework, etc.) based application!
Our security depends on platform security
Typical cases
• On what basis did you choose the platform?
• Does your platform have a security guide?
• Have you read it?
• Did you all understand it?
• Can your application run on the new version of the same platform?
A little history
• HTTP - 1991, for linking scientific articles
• PHP - Personal Home Pages
• ...
Typical questions after security audit
• Why was it so easy to hack us?
• Why was this not done before?
• How do we know whether someone did it earlier?
What can I do now?
• Scan your addresses using nmap -p1-65535
• Add nmap scanning to your QA tests
• Create a «Security basics» page in your Wiki
• http://en.wikipedia.org/wiki/Cross-site_scripting
• http://en.wikipedia.org/wiki/Cross-site_request_forgery
• ...
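One way to turn the two nmap bullets above into a repeatable QA check, as an added example that is not part of the original slides: a full-range TCP scan of your own hosts is reduced to "host port" lines and compared against an allowlist of the ports you expect to be exposed, so the job fails the moment something unexpected (a forgotten database port, a debug service) becomes reachable. The hosts, the allowlist and the embedded scan output are constructed placeholders; replace them with your own inventory.

```shell
#!/bin/sh
# Added example, not part of the original slides: turn the "scan your
# addresses with nmap -p1-65535" advice into a repeatable QA check.
# The hosts and the allowlist below are constructed placeholders
# (hypothetical); replace them with your own inventory.

# Expected exposure: "host:port" pairs that should be reachable from outside.
ALLOWED="203.0.113.10:80 203.0.113.10:443 203.0.113.11:22"

# Full TCP port scan of the given hosts, reduced to "host port" lines for
# every open TCP port. Uses nmap's grepable output (-oG -); needs nmap.
scan_open_ports() {
    nmap -p1-65535 -oG - "$@" | parse_nmap_grepable
}

# Parse nmap -oG output (stdin) into "host port" lines (stdout),
# keeping only ports reported as open/tcp (filtered/closed are dropped).
parse_nmap_grepable() {
    awk '/^Host:/ && /Ports:/ {
        host = $2
        sub(/.*Ports: /, "")        # keep the Ports field only
        sub(/\t.*/, "")             # drop the trailing "Ignored State" field
        n = split($0, entries, /, /)
        for (i = 1; i <= n; i++) {
            split(entries[i], f, "/")   # port/state/proto/...
            if (f[2] == "open" && f[3] == "tcp") print host, f[1]
        }
    }'
}

# Read "host port" lines from stdin and report any pair missing from
# ALLOWED. Exit status 0 = only expected ports open, 1 = surprise found.
check_against_allowlist() {
    unexpected=0
    while read -r host port; do
        [ -z "$host" ] && continue
        case " $ALLOWED " in
            *" $host:$port "*) ;;
            *) echo "UNEXPECTED open port: $host:$port"; unexpected=1 ;;
        esac
    done
    return "$unexpected"
}

# Constructed nmap -oG output standing in for a real scan, so the check
# can be exercised offline: 3306 on .11 is open but not in ALLOWED.
sample_scan_output() {
    printf 'Host: 203.0.113.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65532)\n'
    printf 'Host: 203.0.113.11 ()\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///\tIgnored State: closed (65533)\n'
}

# Demo on the constructed sample; in a real QA job replace the first
# command of the pipeline with: scan_open_ports 203.0.113.10 203.0.113.11
if sample_scan_output | parse_nmap_grepable | check_against_allowlist; then
    echo "QA check passed: only expected ports are open"
else
    echo "QA check FAILED: unexpected exposure, see above"
fi
```

Run against your own addresses only, and keep the allowlist in version control next to the test: a change to it is then a reviewed decision to expose a port, rather than something discovered after the fact.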