A session by Mr. Kannan Srinivasan at the NASSCOM Event
When you think of startups the first things that come to your mind are Uber, Airbnb, Lyft, Paytm, etc. They all had a unique idea supported by an application that is simple to use, reliable, and most of all secure. There are other startups that started with great ideas but failed miserably due to poor information security practices.
Startups have very limited or no time to focus on information security, usually because they lack skilled people and the additional funds to invest in security tools. At a high level their reasons for not following an information security process are understandable; however, regulations such as GDPR, HIPAA, PDPA, etc. are very stringent on data security requirements and levy huge penalties for not adhering to security and privacy principles.
Larger companies are no exception: a single lapse in the security process can lead to a major breach, followed by penalties and a dent in reputation. British Airways recently paid a hefty 183 million penalty for a breach of client data. A SQL injection vulnerability in Starbucks code resulted in the loss of one million financial data records. The list goes on and on, but the attack vector is mostly similar. Increased adoption of microservices, cloud, and DevOps has widened the attack surface of applications.
We recently conducted a session at the NASSCOM Centre of Excellence IoT & AI to guide startups on how to build and deploy secure products. We recommended the following structure for the security process.
Threat modeling: Think ahead about what can go wrong, weigh the risks, and act accordingly. Threat modelling covers the following aspects:
- Structured process to identify and enumerate potential threats
- Help the security team analyze which security controls need to be put in place
- Collaboration between Security Architects, Security Operations, Network Defenders and the SOC
- Threat modeling helps threat intelligence analysts identify, classify, and prioritize threats
Coding and Testing: Define secure coding practices and require developers to follow them. Secure coding practices should address the following areas:
- Input validation
- Logging and Auditing
- Output Encoding
- Session Management
Static Application Security Testing (SAST) software inspects and analyzes an application’s code to discover security vulnerabilities without executing code. These tools are frequently used by companies with continuous delivery practices to identify flaws prior to deployment.
Dynamic application security testing (DAST) is a method of AppSec testing that examines an application while it is running, without knowledge of the application's internal interactions or design at the system level, and with no access to or visibility into the source code.
Testing should cover the following vulnerabilities from the OWASP Top 10:
- Broken authentication
- Sensitive data exposure
- XML external entities (XXE)
- Broken access control
- Security misconfigurations
- Cross site scripting (XSS)
- Insecure deserialization
- Using components with known vulnerabilities
- Insufficient logging and monitoring
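The secure coding areas listed above (input validation, logging and auditing, output encoding, session management) and the injection and XSS entries of the OWASP list map directly onto a handful of code habits. The following Python example is added here to illustrate them; it is not code from the session or from any project it mentions. It shows a lookup built by string concatenation (the pattern behind the SQL injection incident cited earlier) beside a parameterized version, an allow-list validator that logs rejected input, HTML output encoding, and session tokens generated from a CSPRNG and compared in constant time. The users table and all sample values are constructed for the demo.

```python
import hmac
import html
import logging
import re
import secrets
import sqlite3

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("secure_coding_demo")


def make_db():
    """Constructed sample data: a tiny in-memory users table (not real records)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


# --- Input validation: allow-list the shape of a username before it reaches any sink.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def validate_username(value):
    if not USERNAME_RE.fullmatch(value):
        # Logging and auditing: record the rejection so abuse is visible to the SOC.
        log.warning("rejected username %r", value)
        raise ValueError("invalid username")
    return value


# --- Vulnerable lookup: the query is assembled by string concatenation, so user
# input becomes part of the SQL grammar (the injection pattern cited in the post).
def lookup_email_vulnerable(conn, name):
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


# --- Parameterized lookup: the driver binds the value, so it is only ever data.
def lookup_email_parameterized(conn, name):
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# --- Defense in depth: validate first, then use the parameterized query.
def lookup_email_safe(conn, name):
    return lookup_email_parameterized(conn, validate_username(name))


# --- Output encoding: escape untrusted values before embedding them in HTML (XSS).
def render_profile(name, email):
    return "<p>{} &lt;{}&gt;</p>".format(html.escape(name), html.escape(email))


# --- Session management: unpredictable token, constant-time comparison.
def new_session_token():
    return secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG


def session_matches(stored_token, presented_token):
    # hmac.compare_digest avoids leaking the position of the first mismatch.
    return hmac.compare_digest(stored_token, presented_token)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"  # constructed demonstration input
    print("vulnerable :", lookup_email_vulnerable(db, payload))   # both rows leak
    print("parameter. :", lookup_email_parameterized(db, payload))  # []
    print("rendered   :", render_profile("<script>x</script>", "a@example.com"))
```

Running the module prints the two query results side by side: the concatenated query returns every row for the demonstration input, while the parameterized query treats the same string as an ordinary (non-existent) username. The validator adds a second, independent layer and produces the audit log line a monitoring team would alert on.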
Deploy & Monitor: Perform Vulnerability Assessment of the infrastructure and Penetration Testing to ensure that there are no vulnerabilities in the production environment that can be exploited.
The best part is that multiple open-source tools are available to support each step of the process described above.
A few pictures from the recent Nasscom event: