logging my thoughts on technology, security & management

Category: Security

Learnings from 5 years of tech startup code audits

82044
Views
Points
Comments

While I was at PKC, our team did upwards of twenty code audits, many of them for startups that were just around their Series A or B (that was usually when they had cash and realized that it’d be good to take a deeper look at their security, after the do-or-die focus on product market fit).

It was fascinating work – we dove deep on a great cross-section of stacks and architectures, across a wide variety of domains. We found all sorts of security issues, ranging from catastrophic to just plain interesting. And we also had a chance to chat with senior engineering leadership and CTOs more generally about the engineering and product challenges they were facing as they were just starting to scale.

It’s also been fascinating to see which of those startups have done well and which have faded, now that some of those audits are 7-8 years ago.

Continue reading

The Unreasonable Effectiveness of Secure-by-default

This is one in a series of deeper-dives into various Learnings from 5 years of tech startup code audits. In that article, I list several observations I had during the course of doing code audits fro 20-30 tech startups at or around the Series A / B mark.

Security seems to be on the up-and-up, despite all the bad news you hear in the media. What’s driven this improvement? Well, frameworks, cloud infrastructure, and the big cloud platforms have been hard at work creating the ”pit of success” — places where users just fall into being secure rather than having to fight to be secure — as a way to discourage the most severe security practices has by and large been an enormous success. This article is about our on-the-ground observations of these success stories.

We started doing code audits in 2014.

Continue reading

Core Control #6: Log Everything

The core principle is this: fish nets over fishing lines. In the case of security monitoring, fish nets are alerting on anomalies, where anomalies are defined as universal constants that have been broken. Fishing lines are manual search procedures. Phrase this principle like this addresses the two seemingly intractable problems with security monitoring:

Continue reading

Core Principle #2: Know Your Software

The same Golden Rule that applies to hardware applies to software: know what you have. No user on your systems should be able to install an executable onto a company device without the approval of security. This may seem like a draconian policy (and a short-circuit process does have to be in place for certain technology-heavy teams like R&D or the dev team), but it’s necessary.

Continue reading

Core Principle #1: Know Your Hardware

There are only six controls in the Top 20 list that are designated “Basic,” and an inventory of your hardware is number one. I actually would like to rephrase this control slightly, so it better fits the core principle I wanted to highlight: if there was ever a Golden Rule in enterprise security, it’s this: know what you have.

Continue reading

© 2024 Ken Kantzer's Blog

Theme by Anders NorenUp ↑