[Music]

Hello everybody. Hello. We're here to hack you for your benefit. We have here a most amazing hacker in Frans, and a most amazing director of product security in Jesse. And Jesse, a first question to you: if you are a startup, a new startup, maybe of five employees, maybe ten, maybe fifteen, should cybersecurity be a concern for you? Should you do something, or is it okay to ignore it?

Yeah, so I think from the get-go, whether you're a small company or a large company, one founder or five, you need to start thinking about security from the very beginning. So build a culture from day one where everybody in the team knows that security is important. You don't need to be a security person to know that security is important.

We say this, but if you have a startup with ten people, ten good friends who started it, and nobody knows what cybersecurity is or how it is spelled, how do you get going? Where do you start?

Yes, so I think by making security a core value of your company, it's going to encourage people to take that extra thirty minutes to research the best practices about how to build things and how to make things secure. And that will pay dividends; maybe it's a hack three years later that you prevented, but it'll pay off if you take care of that now. So it just takes a lot of research, and reach out to the community. The security community is great; you can reach out and ask people for help. We're all in this together.

Frans, you've hacked every company on this planet, meaning found ways to break in, and then you report the vulnerabilities to them. What do startups look like to you? Do they look secure?

I think what Jesse says regarding thinking about security in the beginning as you're building up the company, there has been a clear sign that not all of the startups have done that from the start. Meaning, basically, you can sometimes find that even down to how they design their app or how they construct it, how it's supposed to work, it's actually wrong from the start. So it's actually developed wrong in the beginning. So I think most of the time when approaching startups you see some of the very simple and easy vulnerabilities being there, and it could be anything from exposing credentials on GitHub, which is a super easy way to expose something internal, or whatever, just because people didn't think of not committing credentials to your source code.

So let's be specific. When you say exposing credentials, you mean somebody wrote software code where they wrote out the password in plain language in the code?

Yeah, exactly. They may have open-sourced it or made it public and then accidentally had those credentials in it. It's a super common thing, and you can see that often in teams where you didn't have a structure around talking about security or the best practices around how to keep stuff safe. So I think that's a common mistake for startups, also when it comes to how to store data or how to actually retrieve data regarding multiple customers. There are a lot of patterns you can see with startups when it's all about building as fast as possible, getting it out there as fast as possible. So I think, as Jesse said, focus on talking about security, make security fun. I think that's a core point. You need to try to figure out, whether it's about sending your developers to a security conference and paying for that, or taking a security person to come talk with your development team, it doesn't matter; it's just about getting them into the discussion, some parts into the sprint, and making it fun, making it a part of the building process.

But don't you now sound like a dentist who will say make it fun to go to the dentist?

I mean, sure, but it is funny. I actually sit in three chairs here, I should say. So I'm partly doing hacking for companies, I also build startups, I've created a bunch of startups without security people at all, and then I'm doing talks together with development teams. So I meet development teams and try to engage them in security, and every time you go and speak with developers and you talk about security, you notice you have two or three people whose eyes light up, and you see the glimmering lights in their eyes, and you realize that there are a lot of people in these companies that actually think of security, read about security, think it's actually super interesting, but they maybe don't have the tools in that company to actually show their capabilities.

That's what you work with, Jesse, because you
are director of product security. So you go and talk to your software engineers and say please, please, please be mindful of security aspects?

Yes, so my goal is to be their asset, to work for them and make sure that they're doing everything that they can, and answer any questions they have, to build these products securely.

So how do you make it fun for them, like Frans said?

Yeah, so you can do it various ways. You can have internal capture-the-flag assessments that you can get people really excited about; have them try to break into things. And then also, when you have penetration assessments and stuff like that as your company grows, work with the developers and show them how the hackers could actually get in. Let them read those reports and be transparent, because that's going to energize them about how to fix these things and be proactive. So when you think of hackers, you think of a very complex set of tools that they've built that could just break into anything, but a lot of times it's the most basic things that you have in your organization that can actually defend against these. So before you start building any kind of product, go to the whiteboard, draw it out, figure out how things are connected together. That's one of the biggest mistakes startups make: they just start deploying and they don't understand what data touches what and what things are on the perimeter. So go to the whiteboard, think through it, have your developers write up RFCs that talk about the features that they're building and how they're going to be used by the customers, and then write security considerations into that. So it's like instant threat modeling by the people that are actually going to be building these features for your product company.

So then, when they make a mistake and you have a security vulnerability or a weakness in your software, how do you avoid it becoming an issue of pride and shame, and how do you avoid the shaming of the one guilty?

Yeah, I think by having that core value of security from the leadership at the top, the developer is going to be okay taking the time and acknowledging that there's an issue, because I know my leadership team would want that fixed. That's going to be a priority over new feature work.

I think you can also put the point on what was actually fixed and how you will make sure this will never happen again. If you put the focus not on who to blame but more on what we actually did: how did you figure it out, how did you follow the process of identifying, if something was leaked, how it happened, when it occurred, and then how we can build something that actually prevents this from happening ever again. If you, as the leadership in the company, put your focus more towards those things than on who to blame, I think that will also create a better environment for getting people to raise the flag and say "I found a vulnerability." If you can get your team to actually go to you and say "I found a vulnerability, this is what I did and this is what we need to do," that's the perfect case. Then you know you have a pretty good environment when it comes to being transparent internally about issues.

Yeah, make it fun. If somebody finds a vulnerability, have them do a show-and-tell: get up in front of the company, show them the cool hack that they found.

Yeah, so now people are getting excited about this; they're going to do all the security stuff. But you said you must have the top management approve and bless and endorse it. How do you do that? If you are an engineering manager here, how do you get your CEO to take security seriously when it is a cost item, not a revenue opportunity?

Yeah, I mean, one hack can ruin a company, and I think that's powerful enough that a CEO should recognize that this is important; this should be top priority even in a startup. And your developers, your engineering team, your infrastructure, they're all going to need your support going through this.

How would you go to a CEO and say, dear CEO, I would
like to influence you on this topic. What would you say?

I mean, it's hard to put an ROI on security. It's an interesting topic, because a vulnerability that's introduced today may not impact you for ten years from now, when you realize that you left some dev instance, their database, exposed on the internet from when the company was founded. So it's really hard to wrap a number around that. So I think you need to show them examples of other companies and breaches that have happened, to show them evidence. And then CEOs are thinking about compliance too, and that plays a piece of it. We're all in charge of keeping the company responsible for other people's data, so compliance plays a big piece in it.

But when you look at, sorry Frans, when you look at the breaches, most breaches are with big companies, like we had Equifax and others, and it's not startups. So how many startups here will think, oh, we are not at risk?

So that's interesting, and this is something that's becoming more popular, because yeah, you may be a startup and you have a small product, but you're more than likely leaning on these other large companies that are having these breaches, whether it's a Facebook or whatever it may be. You've probably implemented some third-party feature within your codebase to make your product more robust, and now you've got to worry about not only your company but that other company as well.

Absolutely. I think what I actually dropped around how to convince your CEO, it's more about, as we had the discussion before outside, being more secure than your peers and your competitors. I think that's also one of the arguments, because nowadays I see it when companies approach us trying to buy our service, not only Detectify but the other startups I'm involved in, security comes up as an argument or a question at least: how do you work with security, how do you implement, how do you do patching, how do you announce if you had a vulnerability? Customers tend to be more and more interested in how you're actually working with security. And I see it myself: whenever I am going to use third parties, I ask them, do you have a responsible disclosure policy? Are people from the outside able to actually contact your security team and tell you about vulnerabilities in your product? And if they say no, I'm more reluctant to pick them as a vendor. And I think also, trying to communicate, I think the CEO might have seen those things when customers approached them, seen the questions around security. So coming from the CTO perspective to the CEO, telling them that we can actually be better at this than our competitors and we have an option here to actually make a stance in terms of security, I think that's a valid argument towards the CEO as well.

Okay, I'll have another objection for you to deal with. Somebody might say, okay, we're talking software vulnerabilities and putting the systems in shape, and I say, but the weak link is always the human being: the criminal, or the gullible employee who clicks on a phishing link, or maybe even a person inside who is intentionally doing harm. So why would you care about vulnerabilities if humans still are the biggest risk?

They're always going to take the easiest path; it's all about that. So if the easiest path is through software, they will take that path. It doesn't necessarily mean that humans are one of these paths nowadays, because there's so much noise in that channel anyway. But a lot of people are trying; there are free tools today to make fake phishing emails to your employees, to at least make the discussion start internally around why are you giving out your Google credentials to a third party, and all these 2FA things; and multi-factor authentication is one step in the proper direction, I think. But I mean, I kind of feel the same way. Every time I sit back, I'm like, okay, the easiest way to hack this company is probably to send an email to customer support, and I'm like, why am I doing this? So if someone asks that direct question, I'm happy to listen as well, but I think it's all about trying to eliminate your threats basically and deal with it.

Jesse?

Yeah, well, I feel like we take a layered approach. So we make sure that we have multiple layers of security controls in place, like two-factor authentication, so if a password is breached or a laptop is stolen, we don't have to worry about it because there are multiple layers protecting that data. And those are usually as easy as flipping a switch, or paying a small monthly fee to
add an extra service. And it's worth the cost upfront, especially for a small startup, because then you're going to prevent things that can impact you down the road.

And do you do phishing training for your employees? Do you send out those?

Yeah, we do some internal testing, but we also use Okta to help prevent any kind of secondary attack to that.

So how do you both deal with people who are not from the security or the technical space, the sort of marketing people, sales people, admittedly people who need to have a security understanding but who don't have the technical background that you guys have?

So I think it's especially important for them to understand, because they're the ones that are going out there and talking to customers, and they're going to get asked these hard questions way before the security team does. So they need to have a good understanding of how the system works and how we're preventing things. So your security team or your core engineers need to tell them: here are the things we've done to protect data, so they can go out and tell their customers how it works. And the customers are going to show them that that's important, and hopefully they'll bring that back in-house and realize that it's important for them as well.

I think it comes down to what Jesse says: knowledge sharing is super important. We also made security cheat sheets internally, so we can answer the most common FAQ for security issues, and then also try to get feedback: if the sales team are out and they get the question around this, how are we solving this? We try to keep that document updated so it's always relevant to the things that we're doing and currently are working on.

Yeah, and one interesting thing that we do at Filmic is all of our security policies that all employees must follow, we put those right in Bitbucket, so the employees themselves can collaborate and communicate on those. It's not some random PDF shoved in a drive somewhere; it's something that everybody can chime in on and say, hey, this doesn't make sense, or yeah, I really like this, and give feedback, so they're going to be more apt to actually follow those policies.

So now we have web endpoint protection, we have encryption, we have vulnerability management, we have a lot of security technologies that people need to use. If you're a startup and you're just shipping product and you can afford just one thing in security, what's the minimum you can do? What can you postpone, because you can't do it all at once?

I think two-factor authentication out of the box; you start there.

Yeah, and also, if you're a startup, you're also thinking about scaling, and I think when it comes to scaling you also need to think about what your investments will be today and what your investments are going to be in two or three years. So, finding a person that actually is dedicated internally around security, it could be your developer, it could be your CTO, it could be the CEO for all I know, having someone that actually has that in mind from the start, I think it's really valuable. There was a discussion before around creating a startup without having any tech people in the company, and people are like, yeah, don't do that. I'm not saying you should have that on the board or have it from the initial start, it helps, but I think you could probably find that skill or that interest in people in your team even though you're only four or five people.

Excellent answer. This was actually a question from the audience, so please submit your questions through Slido; I will ask them here. And while you do that, I'll ask you to share some amazing cybersecurity story, either a horror story or a joyful story of something you experienced, and we'll start with Jesse and then go to Frans.

Okay, yeah, so I was working with a small team doing a security assessment, and it was a startup. They had had a lot of turnover within their product, a lot of engineers had left, they had tried outsourcing, that kind of thing. And I was doing an assessment, and I actually found that they had chained together a bunch of EC2 instances and databases in the back end, and things were all over the place and they didn't realize it. And I was able to text in a malicious payload and get it to execute against the administrator on their portal and steal their credentials.

So it was just a text message?

Yes, all via text message. Something you would definitely not expect; you don't really think about that whenever you're thinking about attacks, but these are the things that you've got to think about whenever you're designing your architecture.

Did they love you or hate you for it?

They were pretty
impressed.

That's a good reaction, I think. Frans?

So I thought of a scenario that was actually at one of my startups I was involved in, like seven years ago. This was pre bug bounties, so it was pre HackerOne even. We knew that we had a bunch of SQL injection problems in our app; we knew that from the start. So what we did was not to try to find all the SQL injections; instead, we knew that as soon as someone tried to make a SQL injection, they would at some point trigger a SQL error. So what we did was we made sure that all the errors that were triggered by the app when someone tried to hack it would escalate into a channel in our chat software (it was pre Slack even) and alert a few of us, so we knew that someone was actually successfully exploiting a SQL injection. And this happened on a Saturday, and I saw it on my cell phone, and I patched it in less than ten minutes. And I could see the person was trying to try it again, but it couldn't work; he was like, what the hell, why is this not working? And I was like, okay, someone is trying to hack us, who can this be? And we had two employees in the company that I knew were a bit hacker-y, and they were also the people starting Detectify after that, but they had a friend that was in Amsterdam, and I saw the IP was in Amsterdam. So I told them, do you know if this is your friend? It seems suspicious. So they went to him the day after: did you look for vulnerabilities here? And he was like, yeah, but it disappeared on a Saturday, what is this? So then we knew who it was, so we bought him a plane ticket and flew him into Sweden, and he spent Christmas with us, and he's now a really close friend. So that was a fun, good ending of a story of hacking.

And a bug bounty: a plane ticket bug bounty, pre bug bounties, ever.

That's a beautiful story. We have somebody asking here: could you please share some tips on, sorry, what's the best way to hack a company, how do you normally proceed? So Frans, you hack companies, how do you...

I start off by looking at all exposed assets. From my perspective, often I don't get internal access or credentials or anything; I get the same thing as, I don't know, a Russian hacker would get, not to say that they hack more. So I would look at what's exposed. Do they have any internal assets exposed? Do they maybe have company.com, maybe they have company.net with all their internal infrastructure? Looking at their DNS, how it's structured. Maybe they have a search tool. There are a bunch of tools, there are a bunch of services that actually try to create a recon process out of figuring out where the company is exposed, what kind of services they use, do they have any open source, and just trying to collect all the assets out there to try to see how much I can get, and then go into detail.

Yeah, it's a similar process. I use open source tools to go out and just see what's there, look for any potentially vulnerable software that's running on these services, any open ports, that kind of thing, and just start poking around. A lot of times I'll go out, and let's say it's a website or a banking website, I'll go out and pretend like I'm a standard user and start thinking about where that sensitive data is, and then I know that's probably where I want to try to get to first; I'm not going to waste my time looking at the other areas.

And what's the most typical first bug you find, the first vulnerability, when you find one?

I think it depends on the asset; there's no typical one.

Yeah, well, so one thing that I really like to do is to see if they've exposed their git repository on the root of the site, because it has their source code, and if you can get to their source code a lot of times you can find credentials. You can also see how the site's operating, even if it doesn't have credentials, and you can look for deeper vulnerabilities that you can exploit.

I tend to look a lot around infrastructure: where are they hosting it, are they running it on AWS or GCP or Azure or similar, because if you know that you might also know where to look, what to look for next.

How do you know?

So basically, let's say they use AWS for stuff. Then you can probably think, okay, they're probably using one service in AWS called S3, which is storage, bucket storage, object storage; you can basically store as much as you want in one place. So you would probably assume
that they're using that as well in their service, and look more into what kind of infrastructure, how did they create this app, how was this app built, do they have load balancers in the way, and how is that load balancer configured. And I mostly don't look at how the app actually works until later on, when I know how the app was constructed and put online from the start. I want to know that first, because that helps me a lot in moving forward.

So we talked about security hackers who break into systems, and we talked about software developers who build systems, and then some people say that the best developers also know how to break it, and the best breakers, the best hackers, also know how to build it. Is that true?

I think it's absolutely a benefit. I come from the developer perspective; I was a developer from the start, so me approaching security with the developer perspective was really valuable for me, because I could both be a better software engineer and build stuff better, because I knew why I was building security mitigations, but also I knew where to look in other applications, because I was like, this is a hard thing to solve, I will see how they solved it, and sometimes it turned out they didn't solve it at all, and that was the vulnerability I found. So I really think it's a valuable asset.

Yeah, if you're a developer you obviously know how to build, you know where the risks are at and what things can be skipped over, what corners can be cut, and those developers that know that can make some of the very best security team members. So when you're looking to start building out a security team, you could recruit some of your own internal engineers that are really passionate about security along the way.

Yeah, that leads to the question of: should a startup have a dedicated security manager, like you are director of product security? At what stage should you have a dedicated person?

Yes, so I think that if you do a good job from the beginning of layering security and getting everybody to understand that security is their responsibility regardless of your role, you don't necessarily need a security person right off the bat, but you do need a security person eventually. And I would hire somebody that's more of a senior-level person that has good product security experience from external, and bring them in, and then start using your internal resources, your engineers that are passionate, bring them over to help support that product security team. And then you can do, it's kind of like a three-tier process: build out your internal security team, then you can start with a vulnerability disclosure program, roll that into a paid bug bounty program, because with that you get a team of security researchers, hackers, that are essentially supplementing your product security team, and then you pay them for their findings. And then the third part of that, the very last component, is to bring in an external team to do a pen test, maybe annually, and this is to help you with your compliance checkboxes and coverage.

Yeah, cool. My final question to you: what have you seen in the world as the best initiative to make cybersecurity a topic for everybody in the world? Has it been done yet?

Exactly. No, I'd say it's a really hard question. Do you have any...

I mean, I feel like we're getting there, slowly but surely. Could there be more? Of course.

I think there are a lot of things happening, like getting vulnerabilities into the mass media is a really good thing to actually get it up into the discussion, and also looking at frameworks popping up, being secure from start, is a way of that happening. But we're not there yet, I think. Not yet.

Wonderful. Thank you, Jesse. Thank you, Frans. Thank you, audience. Thank you.

[Applause]