
Hello everybody, thank you for coming to BSides. I'd like to remind you all that there are t-shirts on sale; all the proceeds go to charity, a charity of your choice, so this is great. Also there's a raffle, that's tomorrow at 12:30. Make sure to go and see the sponsors, and thanks to the sponsors for enabling us to do this. I'd like, sorry, help me welcome Rob and Jared.

All right, thank you. Welcome everyone, thank you for being here with us today. Real quickly before we get started: how many of you are spending six hundred million dollars this year on security? Lots of hands, all right, cool. Know that this talk is not for people that are spending six hundred million dollars this year on security. In fact it's not for people that are even spending six hundred thousand, maybe not even six thousand dollars on security, right? We're talking about day one, when you get your security program started. You might not even have received funding for your startup yet; you just want to get that security program off the ground.

I'm Jared Kesner, I run engineering at CNote. I'm Rob Shaw and I'm a principal engineer. CNote is an impact investing platform where you can invest in women- and minority-owned businesses, low-income housing, and community development initiatives across the U.S. We are a fintech. We do care about security, we care about privacy. We're dealing with money, we're dealing with a lot of PII, so we had to start up that security program on day one, even before we had funding. We had to have some way of protecting our customers, protecting our data, and protecting your money. So today we're going to talk about security tools and ideas for a big impact with a small budget.

All right, we did ask that they hand out popcorn on the way in so you guys could throw it at us. It looks like that didn't happen, so that's going to make this a lot more pleasant for us, so thank you to whoever didn't pass out the popcorn.

Some caveats here. We're going to talk about a lot of tools today. These are things that we used several years ago when we first got started. That does not mean (a) that we are still using them, although in many cases we are. It also does not mean that they are the only tools available, right? We're going to talk just about what we used, and the idea is that what worked for us really is a means of springboarding a conversation, so that we can get things out in the open and talk about things that worked, and ideally continue that conversation afterwards with everybody here about things that have worked for you, so we can help other people as they start their companies. Move forward with that. Thank you, Terry.

So as a software startup it's easy to focus solely on security within the engineering part of your organization. However, from day one I really believe that the rest of the organization should also be focused on security. As engineers, you know, security happens to be a byproduct of doing our work, but the things that we build are used by others within the company and by our users, and without the proper policies and focus on security it can be hard to truly protect yourself. If you think back to the opening keynote, Flea discussed that engineering and security can feel outnumbered and outgunned, and one thing that we have done is started security from day one for everybody in our organization. When you do that on day one it makes it a lot easier to have it continually be done; if you try to wait till year three or four it's going to be a bit hard.

So as a part of this, you know, we have made it a priority that everyone at CNote has an understanding of security, the areas in which their jobs could be affected, and added this as additional expectations via job descriptions. We don't just say it's everyone's job, it is everyone's job. And just a quick caveat related to their role: we're not going to ask a marketer to, you know, parse nginx query logs and try to find the attacker.

Real quick before we go forward: we're pretty sure we've heard this job description idea from BSides before. We could not find the presentation; if any of you happen to have given it or know who gave it, please let us know, we'd love to give the proper attribution.

So by putting security in the job description it really helps us scale with our culture. Jared talked about it, you know, we're talking about it from day one, right? And so giving that opportunity for people to understand what that means, it means from our side everyone from an engineer to a customer service representative to the CEO partakes in practicing security. And so some of the things that we do: we discuss training, which I have a pretty funny story about later; we also discuss maybe recent articles that are happening in our industry, for example the Ring security measures and some of the articles that came out about that. And by doing that we are educating everyone within the company, and as a byproduct we're hoping not only are they understanding security internally and what they can do for CNote, but also maybe their own security at home, and thinking about privacy.

So I'll make a quick assumption that most people in this room understand security from an engineering and kind of QA perspective, so I'm going to jump over that. But if we were to take a quick look at marketing: let's say they're out there, they find a brand new tool that they want to use, and it's a third-party tool. They go ahead and they hook it up to your email system, you know, they put their email in it and now it's able to read all of their emails, but it's going to make their workflows great. Then they decide, hey, you know what, let's throw that on the CEO's email as well because that's going to really improve their job. Well, now you have a shadow IT problem. And if you add security in the job description there are things that you can do that make them maybe not do that right away. So, you know, that's a marketing example, but that can happen in engineering as well, so I don't want to just pick on marketing. I like to peruse Reddit, Product Hunt, Hacker News; there are a lot of great tools that I just want to sign up for and play around with, but I need to be more careful about that. So, you know, we've been having a process for those kinds of things and we're going to talk a little bit about it on the next slide. But I just want to leave you with the fact that by putting it in the job description it ensures that every single member of our company does their part in understanding security, and by that it becomes the cost of doing business. Everyone must hold each other accountable and reinforce security. And I think one more thing: we haven't had to hire a full-time security professional yet. In our three years we've been bootstrapped, and, you know, Jared and I have been running it from the engineering side, but by having the entire company doing it, it's made us more protected as a whole.

So building on job descriptions, with security being a core component, you can expect everyone to be able to discuss threats and risks as a company and make the right decisions, hopefully. This is security by design. These are broad enough that they can be used while working on new feature development, updating an existing process in customer service, or really any other piece of work that your business faces.

So here's what helped us from day one. We adopted a very simple one-page RFC process that anybody has to fill out to get something implemented, and because it is a one-page document we make sure that everyone does that. And yes, it seems a little anti-agile, it might seem like a little bit of extra work, but this small extra amount of planning allows us to start thinking about the solution from a higher level. Within this RFC document we have a section focused on risks and security that we use to define things that could go wrong, how we will handle it, finding the level of acceptable risk, and measuring whether we did well or need to rethink it the next time around. And once this document is built, and I want to preface real quick, we really ask to time-box it to less than two hours because we really don't want a lot of time to be spent on it, we then share that with the entire company, and then anybody, from a founder down to customer service, can read about it and throw in their two cents. It gives us a wider breadth of potential threats. Now we are a small team of less than 20 people, so you might question, if you were 5,000, whether you could send that document out to everybody. I would say yes, because at the very least you're getting people outside of your, you know, small team or your area to potentially be able to give you thoughts. Basically, at the end of the day, what do I want to get from that? Everyone should review everything if possible, because, you know, at a company it's important to understand what's going on.

A quick anecdote that we ran into: so, you know, the marketing team decided that they wanted to add Google Tag Manager, and if you're not too familiar with that, it's basically script injection inside of your website. And so after that RFC was posted, Jared and I kind of went back and, you know, showed the trade-offs, and we ended up going a different direction. And, you know, one last thing: opening up this process has not only been great for security but it's also allowed us as a distributed team to have documentation, and that has been vital, especially down the line when something goes wrong or something needs to be changed; we can all go back and look at how we got here.

So keeping up to date with the best security practices is challenging even for most engineering teams. We're not Bank of America; it sounds like nobody else in here really has six hundred million dollars to spend or twelve thousand employees. So since that's not an option, here's kind of what's worked for us. What we have up behind us on the slide are some of the tools that we've used that are free or have some type of freemium option, sorry, not freemium, a free option and a paid option, to be able to access the content. So PagerDuty publishes slide decks of security training materials, not just for the technical side but also for the functional side. And then on YouTube you can obviously get videos of past BSides talks, DEF CON talks, tutorials; there's a lot of great content if you're looking to, you know, make sure you're building a secure server or if you want to teach somebody about privacy and security. And then obviously BSides, of course, thanks for having us here and helping us keep our costs low. The reason we wanted to give a talk is we got to where we are today by some of the stuff that we've learned here.

And with those adopted security practices from day one we were able to educate our staff during onboarding, but we also were able to do it continually. And so as I mentioned before, we recently were discussing as a company the Ring stuff that has recently been going about, and kind of explaining what we do to mitigate some of those concerns, but also to help educate everybody on the team about what they should be thinking about when they log in and create accounts on different platforms outside of our own.

Lastly, I'm going to tell a kind of slightly embarrassing story. PhishMe Free is a great tool that you can use to do phishing training in your email system. So a couple of months in, when I joined CNote, I saw an email that looked suspicious. My immediate thought: I'm going to look into this and report back to Jared. As soon as I clicked it, you can probably imagine my horror when it said "this has been a test, Jared has been notified of your grave misjudgment." You're still employed, right? So that is true, I'm still employed, for now. But it's super embarrassing, mainly because I was the only person in that round to have opened the email, and maybe the only one that's ever done that. It's, you know... But just to speak on top of phishing real quick, it is a great opportunity for those outside of the technical realm to get tested as well. And Jared's pretty cunning; he did it around the holidays, so he made sure that it was something about "hey, your package was shipped," you know, so it was very timely as well.

So there's obviously tons of content within each of the resources that we've just talked about. If you guys have suggestions that we could add to the slide to help others, please pull us aside after the talk, tomorrow, or on Twitter; we'd love to add them, because we really want to help companies that are, you know, bootstrapping their security.

So to this point we have discussed how you and your entire company can make changes to your job descriptions and think through attacks that could occur, and then improve upon that with education about security. Well, let's discuss building a little bit more of a defense-in-depth security stack. There are lots of free tools out there, and here are some of them that we recommend that are free from day one and have a freemium model to help you grow. So for detecting vulnerabilities we use Snyk, we use SonarQube. Antivirus: we have ClamAV for Linux, we use Cylance on our employees' laptops. And then for development we're using OWASP ZAP to be able to manually test, you know, our responses and handling them between the browser. We also use security tools so that we're checking that everything that we return is being protected from clickjacking and cross-site scripting. And if you're a team, or if you happen to know JavaScript or are working on JavaScript, I'm sure you're familiar with npm audit, but if you're not, and you're protecting teams that are, this is a great tool to be running constantly on your codebase and checking your dependencies to make sure anything that's out of date or has open vulnerabilities that have been patched, it'll let you know what those are. So one recommendation is constantly be running that, because once you get behind, especially with the way the JavaScript ecosystem is, you might have to spend a lot more time to catch up.

I'll take over here to talk a little bit about kind of the next level of this defense in depth, right: logging and reporting, the forensics, the ability to understand what's going on in your system. As the slide says, it's "just do it," right? Having that central logging system is going to be a critical component. You know, it's great to have ephemeral boxes, which is something that we designed from day one, but if you don't have that centralized logging system you're not going to be able to do anything with those logs as soon as that box disappears, right? So choosing tools, whether it's Loggly or one of the other ones that has a freemium model, or one of the more expensive ones like Splunk, having that centralized logging system is great. We actually put some redundancy into the system by also logging things to CloudWatch. Likewise, just having the logs there doesn't do you a lot of good unless you can actually report on that and understand what's going on in your system, right? So we effectively built a DIY SIEM on top of Loggly in the early days to give ourselves some additional security logging and some additional reporting tools. We pipe that into Slack, into PagerDuty. We've also got our CSP reports going into Sentry.

And, you know, actually speaking of CSP: getting that content security policy in on day one of your organization will save you a huge amount of headaches later on. Probably over the last few years I've heard many talks at BSides from people saying how difficult it is to implement a content security policy after the fact. If you start it on day one, it's much easier. But again, unless you're reporting on that through something like Sentry or Report URI, which was on the last slide, you're not really doing yourself any good, so having that reporting feedback loop is critical. And that feedback loop also goes into things like DMARC, right? It's again more than just the application security. How do you make sure that your customers are protected and that they're not getting spoofed emails allegedly from your organization? Putting DMARC into place, again on day one, making sure that as you add those additional third-party email providers, whether it's Zendesk or anything like that, you're actually thinking about that from the very beginning and making sure that you've got that configuration set up and then reporting on it.

In addition to the logging and reporting, we really need to have some forensic tools, right? So the first thing I did when I joined CNote, I called a buddy of mine, one of my fraternity brothers who happens to be in the cyber task force at the FBI, and I said, "Hey Dave, how do I stop myself from getting hacked?" And he laughed, because as we all know in cybersecurity there's the adage that you've either been hacked already or you haven't been hacked yet, right? So he just kind of laughed at me and I said, "Okay, so let's assume I'm calling you because I had been hacked." He said, "Okay, great, the first thing I'm going to ask you for is your DNS query log." So I immediately jumped down to my box and looked for DNS query logs, and lo and behold there were none. So I wrote a very simple DNS query logger; it's just a simple wrapper around tcpdump. It's actually available on our GitHub page, for those of you again getting started. If you're using something like Elastic Beanstalk it's really easy; we've got the .ebextensions so you can go ahead and get that tcpdump query logger in place right away. It's a critical piece of forensics that you're going to need to have.

But then we also needed to have things like data provenance, right? We, again, we're a fintech company, so we've got regulatory reasons why we need to have data provenance. We've got, just from a forensic standpoint, if we ever get hacked, or when we get hacked I should say, how do we know what data was accessed, who accessed it, when it was accessed, where it was accessed from? So we built a full data provenance and audit log using tools like SNS and AWS Lambda, which allow us to give guaranteed deliverability as long as you're invoking your Lambda function asynchronously. It also gives you a dead-letter queue through SQS, which means not only are you getting that guaranteed deliverability, but you're also getting effectively built-in error handling, because then in the early days, before you have a chance to automate that error handling, at least you're getting notified and have the ability to go and take action on that, automatically. It's a very simple way of building out that audit logging from day one.

Let's talk about some other tools, right? Again, if you're playing in the AWS ecosystem there are some excellent tools through the AWS Marketplace. Trend Micro Deep Security as a Service was one we started using very early on. That gave us host-based IDS and IPS right from the very beginning at a very low cost; I think it's one cent to six cents an hour per server depending on the size of the server, so super, super low cost. But even better than that, they provided effectively enterprise-level customer service on day one, even though we were paying one cent an hour for the service, and I was able to have them come in, look at my configuration, teach me how to use the system, make sure it was configured properly, and even more importantly show me how to test it and get value out of it, to make sure that what was being monitored was finding things, that we were getting alerted on it properly, and that we weren't getting too many false positives.

Also within the AWS ecosystem, Security Hub is relatively new, but it's a huge resource and a huge place for you to be able to get additional information. GuardDuty, for example, gives you actionable information about when your IAM tokens are being used in a different way than normal, right? So it has some level of anomaly detection built into it, which is great. But there are a ton of tools in there; if you get into Amazon Macie it can get a little bit pricey, or piping all of your logs into CloudWatch like we were, so we had to do some additional configuration around that to keep our costs constrained in the early days. But on the whole, Security Hub is a great place to get started; it's very low cost and gives you a lot of value. Also relatively new to the AWS ecosystem is Systems Manager. If you're not familiar with that, one of the best things about that tool is you can now go completely key-free for your SSH access and have everything be driven through IAM roles and IAM permissions, where you can actually grant access to one of your developers for a very limited amount of time, just to be able to do one specific action on a box, and then, more importantly, revoke that very quickly afterwards. And every keystroke that they do while they're in there is logged, so you have a complete audit trail of what they were doing.

And then again, thinking broader than just engineering and QA, having tools like Google Authenticator, or LastPass, which has a freemium model, from a password management standpoint: using those, getting two-factor authentication and password management, that notion, built into your culture early on is a huge and critical component. And then for those of you who are starting a company, there's a good chance you're doing it out of coffee shops and co-working spaces and places that notoriously do not have great and secure Wi-Fi. Tools like Algo VPN that give you free VPN service, where all you're paying for is the cost of the server, allow you to scale that pretty significantly.

So now we're going to talk about some cost-saving techniques. I'm going to give you two ideas that are not terribly intuitive, right? So the first one is go to RSA. And you're probably all laughing because that's a $2,500 ticket, it's super expensive. However, a quick Google search will help you find that free expo hall pass that gets you onto the expo hall floor, and you can often find ones that include keynote speeches, so you can actually go to the keynote talks as well. But getting out onto the expo hall floor is going to give you access to a huge number of vendors. Now you can see what the trends are in security, you can understand the new lingo that comes out, because it changes from year to year, but you can also get to see what people are selling. And then you can go up and, you know, Rob talked about Cylance as an antivirus solution earlier, or endpoint protection. That is not a free service, and in fact if you talk to their salespeople they'll tell you it's a hundred-endpoint minimum. Well, we were four people when we first got endpoint protection, so how do we get something like that? That gets to counter-intuitive point number two, which is find an MSSP. And again, we think about MSSPs oftentimes as these large organizations trying to take over your entire security program. There are a lot of specialty MSSPs, however, that focus just on reselling a single tool like Cylance. That allowed us to buy four licenses, four seats, and expand that over time to our user base today, really with the idea that we're going to continue to save money and only pay for the services that we need.

And then the last piece of advice here is negotiate. You'd be surprised at how many companies will talk to you when you're an early-stage startup and say, "Oh, you're pre-seed, you're seed? Great, we'd love to have you as a customer." The automated vulnerability scanning tool that we're using, we actually kind of have gotten grandfathered into a contract with them, but they're giving us something like 80% off of their rack rate just by having a simple phone call with their sales team, right? So you'd be surprised at how much you can get out of negotiating, which is a very obvious and intuitive thing, but it's also surprising just how well that can work for you.

And finally, the money shot, right? So let's talk real quickly about how you get that initial startup security. So Rob talked about job descriptions as piece number one, which helps build that security culture in from day one. So culture is something that happens no matter what at an organization. You can either be intentional about that culture or you can be unintentional about that culture, but you are going to have a culture one way or the other. And so by putting security into the culture from day one, by putting that into everybody's job description, you can go an awfully long way without hiring that first security professional, and making sure that everybody is thinking about the security of your organization, the security of your customers, the security of your data, everything along the way. Understanding the threat modeling is, in large part, a time-based exercise, and making that part of your security culture also, and making that part of the organizational culture, where everybody is doing threat modeling on every business practice that they develop, on every tool that they purchase, understanding that threat modeling. Well, if we put security into your job description, and I'm not an accountant here so bear with me on the math, but as far as I'm concerned if it's part of your job the cost is free, so what it's going to cost you is the time to do that threat modeling, and it's a critical piece. Likewise with the free tools, the implementation time is the cost, but those free tools will eventually potentially turn into freemium or paid tools. Then we get into education: hey, 50 bucks each for BSides, that's a great deal. Logging and reporting, call it $120 a month. IDS and IPS, again if you're using that Trend Micro service through AWS Marketplace, up to six cents an hour per machine. Antivirus, call it fifty dollars a year per employee. Security Hub is going to be relatively low cost. And then the servers for things like SonarQube and Algo VPN, call it 20 bucks a month, because you don't need beefy machines for those. And so really, if you assume less than 10 employees and less than 10 machines, that first year's start-up cost is less than $5,000 for your security program.

And with that I think we are right on time, so we may or may not have time for questions, but this is how to get a hold of us. We'd be happy to have a conversation with you out in the hallway afterwards if you do have questions, or feel free to tweet at us, and we'd love to continue the conversation. Thanks so much. [Applause]
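The talk describes a DNS query logger that is just a wrapper around tcpdump, kept so that an investigator's first question ("show me your DNS query log") can be answered after a box has gone away. The block below is an added example, not the speakers' tool and not code from CNote's GitHub page: it takes the text that `tcpdump -nn -l udp port 53` prints (the sample lines are constructed here, and the line format is assumed from tcpdump's DNS printer; other versions or flags such as `-i any` may add columns that this regex does not handle), turns the query lines into structured records, and answers the questions a responder asks: which names were looked up, by which hosts, and when a given name was first resolved. It also flags queries that went to a resolver other than the one you expect, which is a cheap sanity check for a misconfigured or tampered host.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Matches a DNS *query* line as tcpdump prints it with -nn (numeric hosts/ports).
# Assumed format, e.g.:
#   16:01:02.123456 IP 10.0.1.12.51234 > 10.0.0.2.53: 41235+ A? api.example.com. (33)
# Response lines carry an answer count like "1/0/0" instead of "A?" and so do not match.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+IP6?\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"(?P<txid>\d+)\+?\s+(?:\[\S+\]\s+)?(?P<qtype>[A-Z0-9]+)\?\s+(?P<qname>\S+)\s+\((?P<length>\d+)\)$"
)

# Constructed sample output; not a real capture.
SAMPLE_LOG = """\
16:01:02.123456 IP 10.0.1.12.51234 > 10.0.0.2.53: 41235+ A? api.example.com. (33)
16:01:02.125001 IP 10.0.0.2.53 > 10.0.1.12.51234: 41235 1/0/0 A 93.184.216.34 (49)
16:01:05.000010 IP 10.0.1.12.51235 > 10.0.0.2.53: 41236+ AAAA? api.example.com. (33)
16:01:09.400000 IP 10.0.1.40.40001 > 10.0.0.2.53: 7+ A? updates.example.net. (37)
16:02:11.000000 IP 10.0.1.40.40002 > 198.51.100.9.53: 8+ TXT? example.org. (29)
""".splitlines()


@dataclass(frozen=True)
class DnsQuery:
    timestamp: str   # wall-clock time as printed by tcpdump
    client: str      # host that asked
    resolver: str    # host that was asked
    qtype: str       # A, AAAA, TXT, ...
    qname: str       # queried name without the trailing dot


def parse_query_line(line: str) -> Optional[DnsQuery]:
    """Return a DnsQuery for a query line, or None for responses and unrelated lines."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    return DnsQuery(
        timestamp=m.group("ts"),
        client=m.group("src"),
        resolver=m.group("dst"),
        qtype=m.group("qtype"),
        qname=m.group("qname").rstrip("."),
    )


def parse_log(lines: Iterable[str]) -> List[DnsQuery]:
    """Keep only the lines that are DNS queries, in capture order."""
    return [q for q in (parse_query_line(l) for l in lines) if q is not None]


def summarize(queries: List[DnsQuery]) -> Dict[str, object]:
    """Query count per name (most frequent first) and the set of clients behind each name."""
    counts = Counter(q.qname for q in queries)
    clients: Dict[str, Set[str]] = defaultdict(set)
    for q in queries:
        clients[q.qname].add(q.client)
    return {
        "top_names": counts.most_common(),
        "clients_per_name": {name: sorted(hosts) for name, hosts in clients.items()},
    }


def find_first_query(queries: List[DnsQuery], name: str) -> Optional[DnsQuery]:
    """Earliest lookup of `name`: the 'when did this start, and from where' question."""
    for q in queries:
        if q.qname == name:
            return q
    return None


def queries_to_unexpected_resolvers(queries: List[DnsQuery], expected: Set[str]) -> List[DnsQuery]:
    """Queries sent somewhere other than the resolvers you configured."""
    return [q for q in queries if q.resolver not in expected]


if __name__ == "__main__":
    qs = parse_log(SAMPLE_LOG)
    report = summarize(qs)
    print("queries parsed:", len(qs))
    for name, n in report["top_names"]:
        print(f"  {name}: {n} lookups from {report['clients_per_name'][name]}")
    for q in queries_to_unexpected_resolvers(qs, {"10.0.0.2"}):
        print("unexpected resolver:", q.client, "->", q.resolver, q.qtype, q.qname, "at", q.timestamp)
```

The functions are written to take any iterable of lines, so the same code can be pointed at a file that the tcpdump wrapper writes on the box and ships to central logging, which is the point the talk makes about ephemeral hosts: the record has to exist somewhere that outlives the instance.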