IT security for all. Bootcamp slides
![Page 1: IT security for all. Bootcamp slides](https://reader034.vdocument.in/reader034/viewer/2022042614/55838fe7d8b42a8e0c8b51a3/html5/thumbnails/1.jpg)
IT security for startups all
Bootcamp, MIPT, 21/12/2013
![Page 2: IT security for all. Bootcamp slides](https://reader034.vdocument.in/reader034/viewer/2022042614/55838fe7d8b42a8e0c8b51a3/html5/thumbnails/2.jpg)
BIO
• Whitehat (Facebook, Google, Yandex rewards)
• Security researcher
• CEO
• @d0znpp
![Page 3: IT security for all. Bootcamp slides](https://reader034.vdocument.in/reader034/viewer/2022042614/55838fe7d8b42a8e0c8b51a3/html5/thumbnails/3.jpg)
Security?
• Not for our budget now
• Does not affect revenue
• We are not interesting to hackers
• No one had hacked us before
• Rocket science
• QA job
![Page 4: IT security for all. Bootcamp slides](https://reader034.vdocument.in/reader034/viewer/2022042614/55838fe7d8b42a8e0c8b51a3/html5/thumbnails/4.jpg)
Security!
• We have firewall
• We have admin
• We have antivirus
• All is OK
![Page 5: IT security for all. Bootcamp slides](https://reader034.vdocument.in/reader034/viewer/2022042614/55838fe7d8b42a8e0c8b51a3/html5/thumbnails/5.jpg)
Security!
• External network level
• Application layer
• Internal network layer
• Staff awareness
![Page 6: IT security for all. Bootcamp slides](https://reader034.vdocument.in/reader034/viewer/2022042614/55838fe7d8b42a8e0c8b51a3/html5/thumbnails/6.jpg)
![Page 7: IT security for all. Bootcamp slides](https://reader034.vdocument.in/reader034/viewer/2022042614/55838fe7d8b42a8e0c8b51a3/html5/thumbnails/7.jpg)
Best practice!
![Page 8: IT security for all. Bootcamp slides](https://reader034.vdocument.in/reader034/viewer/2022042614/55838fe7d8b42a8e0c8b51a3/html5/thumbnails/8.jpg)
Security like bookkeeping
• A process
• Nondiscrete
• You cannot start it retroactively
![Page 9: IT security for all. Bootcamp slides](https://reader034.vdocument.in/reader034/viewer/2022042614/55838fe7d8b42a8e0c8b51a3/html5/thumbnails/9.jpg)
Enterprise way
• SDL - Security Development Lifecycle
• Works but hard to implement
![Page 10: IT security for all. Bootcamp slides](https://reader034.vdocument.in/reader034/viewer/2022042614/55838fe7d8b42a8e0c8b51a3/html5/thumbnails/10.jpg)
All in the cloud!
Why do I need security?
![Page 11: IT security for all. Bootcamp slides](https://reader034.vdocument.in/reader034/viewer/2022042614/55838fe7d8b42a8e0c8b51a3/html5/thumbnails/11.jpg)
Typical cases
• Marketing site (almost static content)
• Cloud CRM
• Cloud mail
• Cloud dev (GitHub/Bitbucket private repos)
• And what about DNS?
• What about the integration between them?
• What about client-side security?
![Page 12: IT security for all. Bootcamp slides](https://reader034.vdocument.in/reader034/viewer/2022042614/55838fe7d8b42a8e0c8b51a3/html5/thumbnails/12.jpg)
PCI DSS!
Our payments are protected
![Page 13: IT security for all. Bootcamp slides](https://reader034.vdocument.in/reader034/viewer/2022042614/55838fe7d8b42a8e0c8b51a3/html5/thumbnails/13.jpg)
Typical cases
• «These materials include a framework of specifications, tools, measurements and support resources to help organizations ensure the safe handling of cardholder information at every step»
• And what about other information?
• What about MY data/money?
• Nothing...
![Page 14: IT security for all. Bootcamp slides](https://reader034.vdocument.in/reader034/viewer/2022042614/55838fe7d8b42a8e0c8b51a3/html5/thumbnails/14.jpg)
Platform-based application (CMS, framework, etc.)!
Our security depends on the platform's security
![Page 15: IT security for all. Bootcamp slides](https://reader034.vdocument.in/reader034/viewer/2022042614/55838fe7d8b42a8e0c8b51a3/html5/thumbnails/15.jpg)
Typical cases
• On what basis did you choose the platform?
• Does your platform have a security guide?
• Have you read it?
• Do you understand all of it?
• Can your application run on the newest version of that platform?
![Page 16: IT security for all. Bootcamp slides](https://reader034.vdocument.in/reader034/viewer/2022042614/55838fe7d8b42a8e0c8b51a3/html5/thumbnails/16.jpg)
A little from history
• HTTP - 1991, for linking scientific articles
• PHP - Personal Home Pages
• ...
![Page 17: IT security for all. Bootcamp slides](https://reader034.vdocument.in/reader034/viewer/2022042614/55838fe7d8b42a8e0c8b51a3/html5/thumbnails/17.jpg)
Typical questions after security audit
• Why is it so easy to hack us?
• Why wasn't this done before?
• How do we know whether someone did this earlier?
![Page 18: IT security for all. Bootcamp slides](https://reader034.vdocument.in/reader034/viewer/2022042614/55838fe7d8b42a8e0c8b51a3/html5/thumbnails/18.jpg)
What can I do now?
• Scan your addresses using nmap -p1-65535
• Add nmap scanning to QA tests
• Create «Security basics» page in your Wiki
• http://en.wikipedia.org/wiki/Cross-site_scripting
• http://en.wikipedia.org/wiki/Cross-site_request_forgery
• ...
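As an added example (not from the slides), one way to turn the nmap scan into a QA test: parse nmap's grepable output (`-oG`) and fail the test run when a host exposes a port that is not on its allowlist. The hosts, allowlist and scan output below are constructed for illustration.

```python
"""QA check: compare nmap -oG output against the ports we expect each host to expose."""
import re
from typing import Dict, List, Set, Tuple

PortSet = Set[Tuple[int, str]]

# Expected exposure per host (constructed inventory; replace with your own).
ALLOWED_PORTS: Dict[str, PortSet] = {
    "192.0.2.10": {(22, "tcp"), (80, "tcp"), (443, "tcp")},
    "192.0.2.20": {(443, "tcp")},
}

# Constructed sample of what `nmap -p1-65535 -oG - 192.0.2.10 192.0.2.20` prints.
# Fields are tab-separated; each port entry is port/state/proto/owner/service/rpc/version/.
SAMPLE_NMAP_OG = (
    "# Nmap 6.40 scan initiated as: nmap -p1-65535 -oG - 192.0.2.10 192.0.2.20\n"
    "Host: 192.0.2.10 (web1.example.com)\tStatus: Up\n"
    "Host: 192.0.2.10 (web1.example.com)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/open/tcp//https///, 3306/open/tcp//mysql///\tIgnored State: closed (65531 ports)\n"
    "Host: 192.0.2.20 (api.example.com)\tPorts: 443/open/tcp//https///, "
    "8080/filtered/tcp//http-proxy///\tIgnored State: closed (65533 ports)\n"
    "# Nmap done -- 2 IP addresses (2 hosts up) scanned\n"
)

PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")  # port, state, protocol


def parse_open_ports(grepable: str) -> Dict[str, PortSet]:
    """Return {host: {(port, proto), ...}} for every port nmap reports as open."""
    result: Dict[str, PortSet] = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and Status-only lines carry no port data
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        open_ports = result.setdefault(host, set())
        for port, state, proto in PORT_RE.findall(ports_field):
            if state == "open":  # ignore closed/filtered entries
                open_ports.add((int(port), proto))
    return result


def unexpected_ports(observed: Dict[str, PortSet],
                     allowed: Dict[str, PortSet]) -> Dict[str, List[Tuple[int, str]]]:
    """Open ports not on the host's allowlist; an unlisted host has everything flagged."""
    return {host: sorted(ports - allowed.get(host, set()))
            for host, ports in observed.items() if ports - allowed.get(host, set())}


if __name__ == "__main__":
    findings = unexpected_ports(parse_open_ports(SAMPLE_NMAP_OG), ALLOWED_PORTS)
    for host, ports in findings.items():
        print(f"FAIL {host}: unexpected open ports {ports}")
    raise SystemExit(1 if findings else 0)  # non-zero exit fails the QA job
```

In a real pipeline, feed the script the output of `nmap -p1-65535 -oG -` against your own addresses instead of the constructed sample, and keep the allowlist in version control next to the tests.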