basic security for digital companies - #marketersunbound (2014)
DESCRIPTION
Speaking about how to go about taking security seriously in a digital company, be it from scratch or fixing a legacy codebase: learn from the Canada Revenue Agency's Heartbleed mess-up and get advice from a white-hat hacker.
TRANSCRIPT
Security for Digital Companies
Observations, lessons, and advice from a hacker
Presented by Justin Bull, September 9th, 2014
Who am I
• Justin Bull
• Software developer at
• Security nutbar
• Ethically curious
• @f3ndot on Twitter
Outline
• Canada Revenue Agency: A Case Study
• Responsible disclosure
• Security 101 for a digital company
• Q & A, time permitting
“Everything is broken.”
–Quinn Norton, 2014
It's all about risk management & incident response
Canada Revenue Agency: A case study
Canada Revenue Agency: A tale of woe
Think of the word “Government”
What comes to mind?
• Slow
• Inefficient
• Lots of red tape
• Bureaucratic
Yeah…
We have a problem
The Heartbleed bug affected 17.5% of all website servers.
–Netcraft, 2014
That’s around half a million websites
–Netcraft, 2014
Who was affected
• My personal servers
• Banks
• Almost every single digital company
• …and the Government of Canada
Was CRA self-aware? Nope. FAIL
Could CRA be notified? Nope, nope, nope! FAIL
Was CRA at least quick when they did know? Sorta, not really. FAIL
We all know about the 900 SINs!
But were there other attacks?
We will never know.
What could CRA have done?
• Have a competent security officer or sysadmin
• Inter-department cooperation with CSEC (they knew 1 day before Heartbleed went public)
• A way for people to report security issues to them
• Be quick!
“We don’t have time or money to think about security right now.”
–Almost any company
Responsible Disclosure: The bare minimum for security
Responsible Disclosure
• Officially allows users/hackers/researchers to contact you about security issues
• Basically just a webpage
• Cheapest security investment you can make*
*depending on who you talk to
Who has an RD policy?
• Microsoft
• GitHub
• Apple
• Tesla Motors… Yes, really
Danger, Will Robinson! It’s surprisingly hard to get right.
You need to set up proper encryption and decide on how to communicate with researchers.
Lessons learned
• It’s pesky and time consuming if you have security debt
• Expect a lot of bullshit, entitlement, and comedy (See @CluelessSec)
• Expect to be humbled
Responsible Disclosure: you should have it
The bare minimum:
• Offer no reward or swag
• Tell people what’s acceptable, what’s not
• Provide a special email or a direct phone number
Security 101 for Digital Companies, aka “How to not get hacked within a year”*
* no promises 😜
Encrypt your passwords! No excuses. None.
Encrypt your passwords! The consequences
• Domino effect with other customers’ accounts
• Permanent black mark on your company record
• You could be sued. Maybe even class-action
• It’s so cheap and easy to do now. Why not?
Encrypt your passwords! But, don’t roll your own crypto
• MD5, SHA1, etc. were not designed for passwords
• Use a password hashing library for your language
• It should use bcrypt, scrypt, PBKDF2, or an algorithm designed for passwords
• You want it to be slow to hash, maybe 1 second
Wat.
You want something to run slowly?!
Why on earth…?
It’s a numbers game: make it expensive for attackers to brute force your passwords.
–Colin Percival (scrypt), 2009
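The "slow on purpose" idea from the last few slides, as an added example (not from the talk): PBKDF2-HMAC-SHA256 from Python's standard library, with a per-password salt, constant-time verification, an iteration count calibrated to roughly one second on the machine it runs on, and a guess-rate comparison against raw SHA-1 to show why the slowness matters. The record layout `algorithm$iterations$salt$digest` is an assumption made for this example.

```python
import hashlib
import hmac
import os
import time

# Stored-record layout assumed for this example: algorithm$iterations$salt_hex$digest_hex
ALGORITHM = "pbkdf2_sha256"
SALT_BYTES = 16
DIGEST_BYTES = 32


def hash_password(password: str, iterations: int) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 hash; a fresh salt per password defeats precomputed tables."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=DIGEST_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: never treat it as a match
    if algorithm != ALGORITHM or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=DIGEST_BYTES)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, current_iterations: int) -> bool:
    """True when a record was hashed under an older, weaker policy (rehash at next successful login)."""
    try:
        return int(stored.split("$")[1]) < current_iterations
    except (IndexError, ValueError):
        return True


def calibrate_iterations(target_seconds: float = 1.0, probe: int = 20_000) -> int:
    """Time a probe run on this machine and scale up to roughly target_seconds per hash."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"calibration", bytes(SALT_BYTES), probe)
    elapsed = max(time.perf_counter() - start, 1e-6)
    return max(probe, int(probe * target_seconds / elapsed))


def guesses_per_second(iterations: int, rounds: int = 20) -> dict:
    """The numbers game: guess rate an attacker gets against raw SHA-1 versus PBKDF2 at `iterations`."""
    start = time.perf_counter()
    for i in range(rounds * 1000):
        hashlib.sha1(b"guess%d" % i).digest()
    sha1_rate = rounds * 1000 / (time.perf_counter() - start)
    start = time.perf_counter()
    for i in range(rounds):
        hashlib.pbkdf2_hmac("sha256", b"guess%d" % i, bytes(SALT_BYTES), iterations)
    pbkdf2_rate = rounds / (time.perf_counter() - start)
    return {"sha1": sha1_rate, "pbkdf2": pbkdf2_rate, "slowdown": sha1_rate / pbkdf2_rate}


if __name__ == "__main__":
    iters = calibrate_iterations(1.0)
    record = hash_password("correct horse battery staple", iters)  # constructed sample password
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("password123", record))
    print(guesses_per_second(iters, rounds=3))
```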
Password Specifics
• You’re gonna encrypt ‘em, right?
• Enforce password minimums (min. 8 chars, etc.)
• Expire a login after 8 hours? a day? 2 months?
• Changing/resetting password patterns
• Beware of bad security questions! See goodsecurityquestions.com
Lock ‘em out. Guessed wrong too many times?
Wait 5 minutes, or longer.
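The lockout slide in code, as an added example (not from the talk): after five wrong guesses an account is locked for 5 minutes, and each further lockout doubles the wait up to a cap; the thresholds, the doubling and the injectable clock are assumptions made for this example.

```python
import time
from dataclasses import dataclass

MAX_FAILURES = 5             # wrong guesses allowed before the account is locked
BASE_LOCKOUT_SECONDS = 300   # first lockout: wait 5 minutes...
MAX_LOCKOUT_SECONDS = 86400  # ...doubling per repeat lockout, capped at a day


@dataclass
class _AccountState:
    failures: int = 0          # wrong guesses since the last lockout or success
    lockouts: int = 0          # lockouts so far; drives the back-off
    locked_until: float = 0.0  # clock time at which logins are accepted again


class LoginThrottle:
    """Per-account lockout with exponential back-off; the clock is injectable for tests."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._accounts = {}

    def seconds_until_unlock(self, account: str) -> float:
        state = self._accounts.get(account)
        if state is None:
            return 0.0
        return max(0.0, state.locked_until - self._clock())

    def is_locked(self, account: str) -> bool:
        return self.seconds_until_unlock(account) > 0

    def record_failure(self, account: str) -> float:
        """Count a wrong guess. Returns the lockout just imposed in seconds, or 0."""
        state = self._accounts.setdefault(account, _AccountState())
        if self.is_locked(account):
            return 0.0  # guesses during a lockout never reach the credential check
        state.failures += 1
        if state.failures < MAX_FAILURES:
            return 0.0
        lockout = min(BASE_LOCKOUT_SECONDS * 2 ** state.lockouts, MAX_LOCKOUT_SECONDS)
        state.lockouts += 1
        state.failures = 0
        state.locked_until = self._clock() + lockout
        return float(lockout)

    def record_success(self, account: str) -> None:
        self._accounts.pop(account, None)  # a real login clears the counters

    def attempt_login(self, account: str, password: str, check) -> str:
        """Gate a login behind the throttle; `check(password)` is the real credential check."""
        if self.is_locked(account):
            return "locked"
        if check(password):
            self.record_success(account)
            return "ok"
        self.record_failure(account)
        return "locked" if self.is_locked(account) else "bad_password"


class FakeClock:
    """Manual clock so the back-off can be exercised without sleeping."""

    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def run_demo() -> list:
    """Walk one account through two lockouts and a recovery; returns the observed events."""
    clock = FakeClock()
    throttle = LoginThrottle(clock)
    check = lambda pw: pw == "correct horse battery staple"  # constructed sample credential
    events = []
    for _ in range(5):
        events.append(throttle.attempt_login("alice", "guess", check))
    events.append(throttle.seconds_until_unlock("alice"))   # 300.0 after the 5th miss
    events.append(throttle.attempt_login("alice", "correct horse battery staple", check))  # still locked
    clock.advance(301)
    for _ in range(5):
        throttle.attempt_login("alice", "guess", check)
    events.append(throttle.seconds_until_unlock("alice"))   # 600.0: second lockout doubles
    clock.advance(601)
    events.append(throttle.attempt_login("alice", "correct horse battery staple", check))  # ok
    events.append(throttle.seconds_until_unlock("alice"))   # 0.0: success clears state
    return events


if __name__ == "__main__":
    for event in run_demo():
        print(event)
```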
SSL/TLS, aka HTTPS
Why SSL/TLS, no matter what?
• Foreign & domestic governments
• Them nasty hackers
• Even that “innocent” person at the café
• Your competitor?
• Users find comfort in green padlocks…
Get Auth & Auth Right!
• Research latest Authorization & Authentication practices or libraries
• The most common languages or frameworks already have libraries available
• A rock solid login mechanism is your foundation
Have multi-level access?
Guest, User, Moderator, Admin?
Research or build ACL into the foundations of your code.
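One way to put the Guest/User/Moderator/Admin hierarchy into the foundations of the code, as an added example (not from the talk): a role ranking, a deny-by-default permission table, an ownership rule for ordinary users, and a decorator so the check sits at the function boundary rather than in each page or URL. The action names, the `Post`/`Principal` types and the ownership rule are assumptions made for this example.

```python
from dataclasses import dataclass
from functools import wraps

# Role hierarchy from the slide: each role inherits everything the lower ones may do.
ROLE_RANK = {"guest": 0, "user": 1, "moderator": 2, "admin": 3}

# Minimum role per action. Anything not listed is denied (deny by default).
PERMISSIONS = {
    "post.read": "guest",
    "post.create": "user",
    "post.edit": "user",          # plain users only on their own posts, see OWN_ONLY
    "post.delete": "moderator",
    "user.ban": "moderator",
    "settings.change": "admin",
}

# Actions a plain user may perform only on resources they own.
OWN_ONLY = {"post.edit"}


@dataclass(frozen=True)
class Principal:
    name: str
    role: str


@dataclass(frozen=True)
class Post:
    id: int
    owner: str


class Forbidden(Exception):
    pass


def is_allowed(principal: Principal, action: str, resource=None) -> bool:
    """Single authorization decision point: unknown action or role is denied."""
    required = PERMISSIONS.get(action)
    if required is None or principal.role not in ROLE_RANK:
        return False
    rank = ROLE_RANK[principal.role]
    if rank < ROLE_RANK[required]:
        return False
    if action in OWN_ONLY and rank < ROLE_RANK["moderator"]:
        return resource is not None and getattr(resource, "owner", None) == principal.name
    return True


def require(action: str):
    """Decorator: the check lives at the function boundary, not in templates or hidden URLs."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(principal: Principal, resource=None, *args, **kwargs):
            if not is_allowed(principal, action, resource):
                raise Forbidden(f"{principal.name} ({principal.role}) may not {action}")
            return fn(principal, resource, *args, **kwargs)
        return wrapper
    return decorator


@require("post.edit")
def edit_post(principal, post, new_text):
    return f"post {post.id} edited by {principal.name}: {new_text}"


@require("post.delete")
def delete_post(principal, post):
    return f"post {post.id} deleted by {principal.name}"


if __name__ == "__main__":
    alice, mod = Principal("alice", "user"), Principal("mod", "moderator")  # constructed sample users
    post = Post(1, "alice")
    print(edit_post(alice, post, "fixed a typo"))
    print(delete_post(mod, post))
    try:
        delete_post(alice, post)
    except Forbidden as exc:
        print("denied:", exc)
```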
Got money, but no time?
Don’t know how screwed you are?
Hire a pen tester!
Beware the snake oil.
OWASP Top 10
• Get every dev into it, until they dream about it
• Covers the most common & most dangerous web app security issues (XSS, CSRF, SQLi, etc.)
• Print out OWASP’s guide books too. (They’re tomes, but good desk references)
Operational Security
• Don’t email passwords
• Don’t email passwords
• Use a password management application
✦ 1Password
✦ KeePass
✦ LastPass
Hell, even use sticky notes.
Just don’t email passwords.
Some security is about good PR…
Public Relations
• Got social? Use it.
• Got blog? Use it.
• Got email base? Use it.
• Got media attention? Use it.
See a pattern?
Public Relations
• Give the facts & truth
• Try not to spin too much
• Transparency & honesty are key
Do it right, and you might escape unscathed
That’s all folks!
This presentation is a Creative Commons Attribution–ShareAlike 4.0 International licensed work.
Questions?
Credits
• “Anonymous Hacker” by Brian Klug (CC BY-NC 2.0) (Slide 1, 43)
• “Heartbleed” by Leena Snidate/Codenomicon (CC0 1.0) (Slide 9)
• “The Secret” by Cedward Brice (CC BY-NC 2.0) (Slide 24)
• “Pure Mathematics” by Ed Brambley (CC BY-SA 2.0) (Slide 31)
• “Widget, confused as ever” by Anna Pickard (CC BY-NC-SA 2.0) (Slide 36, 37)
• “The Big E Day 2 2011” by RustyClark (CC BY 2.0) (Slide 40)
• “EFF version of NSA logo” by EFF (CC BY 2.0) (Slide 43)
• “Bryant Park, Nov 2009 - 52” by Ed Yourdon (CC BY 2.0) (Slide 43)
• “Owasp logo” by OWASP (CC BY-SA 3.0) (Slide 47, 48)
• “Day 342 - Hacker” by Christophe Verdier (CC BY-NC 2.0) (Slide 54)
• “Question Box” by Raymond Bryson (CC BY 2.0) (Slide 55)