
What are the best ways for a startup with limited resources to protect customer data?

reetika maheshwari ISTQB Certified Quality Assurance Engineer.

May 22nd, 2017

This week, Zomato, a food guide and delivery service, announced it suffered a hack and that 6.6 million of its users had been compromised. As an entrepreneur, this is horrifying to imagine. As someone with only a modest amount of funds that are earmarked for growth, I’m wondering how you can protect your customers’ data on a budget?

Dave Lemley Consulting Technologist

May 23rd, 2017

You should start by being more selective in your hiring process.


Secure coding practices to address these sorts of attacks are veritably textbook these days (literally, just google "secure coding practices textbook"), yet we still build insecure systems because folks wing it. Secure coding is different than conventional coding in at least one major way:


a) in conventional coding, you can hack on failing code until it eventually works the way you expect, and then call it 'done'. Obviously not a disciplined approach, but folks get by because the failing case is patent (e.g. 'user cannot log in'). In this scenario, you are coding to pass just the positive test cases (e.g. 'feature X works')

a') in secure coding, the 'jiggle the handle' approach does not work, because a system with broken security behaves the same as a system with properly functioning security in the positive cases. In this scenario, you have to test for the negative cases (e.g. 'submitting malformed/excessive data does not cause the system to barf out a stack trace with interesting info', etc.). This is a much more difficult task, and requires some relevant skills and discipline.


There are many other things to consider, of course, so I refer you to existing literature rather than attempting to summarize in this brief message. I do want to share an anecdote that comes from just last week:

*) a client has a system with passwords. The code for that had 'encrypt' in the name, so I was immediately curious. In fact, it was not encrypting (as it never should have been, it was just a poor name choice, which is an issue in itself).

*) it was hashing. With no salt. If you're not familiar, this is a rookie mistake from the 1980's. No salt, no PBKDF2, just sha1.

*) OK, it's one thing for folks to be inexperienced, and make errors. However, there was a lot of pushback from the developer, and a lot of pseudo-theoretical talk about how hashes are irreversible.

*) Logic did not seem to prevail, so I demonstrated how trivial it was to reverse such 'encrypted' passwords by actually reversing their passwords. NOTE: I did this with their development database -- NOT production. That would be rude, and potentially litigious (q.v. Randal Schwartz). Anyway, I was able to:

1) reverse passwords with both numbers and symbols in their name

2) nonsense words

3) even without reversing passwords, it was obvious to the eye who had the same password because the hashes were identical. So about 30k test accounts were easily correlated -- crack one, you crack 'em all

*) all this was done with absolutely no coding on my part; I simply used existing web-based tools. If I were serious about it, I would at a minimum write some JavaScript to automate the webby stuff, but almost certainly just run the tools locally. Almost no skill required!


I would have thought that was indisputable proof of the insecurity of their system, but arguments continued, so I chose to terminate that client as being beyond hope. If I had chosen to keep them, I would have moved to terminate the engineer (I still did recommend considering doing that).


So my point is:

1) forget about OS-related arguments in this particular context. It's YOUR CODE in YOUR PRODUCT that is broken. If the password database was implemented correctly, you could publish it read-only as a text file over plain http and still be secure (OK, no you don't want to actually do this).

2) your first line of defense is the front door where your engineers come in to interview. Resist the temptation to cheap out.


P.S. I guess the breach you mention got worse since your writing; googling, I see it is at 17MM now. Of course, that is in the non-technical press, and they refer to 'encrypted passwords', which I certainly hope is an inaccurate statement.
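The password-storage weakness described in the answer above, as an added example that is not part of the original post: bare SHA-1 beside a per-user salt with PBKDF2, plus an audit check that flags accounts sharing an identical stored hash. The function names, the storage string format, the iteration count and the sample accounts are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def weak_hash(password: str) -> str:
    """The scheme described in the post: bare SHA-1, no salt, no stretching."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt + PBKDF2-HMAC-SHA256, stored as one string."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def shared_hash_groups(table: dict) -> list:
    """Audit check: groups of users whose stored hashes are identical."""
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed sample accounts (not from the post): two users share a password.
ACCOUNTS = {"alice": "Tr0ub4dor&3", "bob": "Tr0ub4dor&3", "carol": "zxqvbl"}
weak_table = {u: weak_hash(p) for u, p in ACCOUNTS.items()}
strong_table = {u: strong_hash(p) for u, p in ACCOUNTS.items()}

if __name__ == "__main__":
    print("unsalted SHA-1 duplicates:", shared_hash_groups(weak_table))
    print("salted PBKDF2 duplicates: ", shared_hash_groups(strong_table))
    print("login still works:", verify("Tr0ub4dor&3", strong_table["alice"]))
```

Running `shared_hash_groups` over a real credentials table is a quick way to spot unsalted storage: with per-user salts, no two rows should ever match.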

Dane Madsen Organizational and Operational Strategy Consultant

May 24th, 2017

@Gabor - I stand corrected; yes, Win 7 was the most affected IF they were not updated when the vulnerability patch was released in March. The technical term for those not auto updating is "idiot".

Anonymous

May 25th, 2017

.

Dane Madsen Organizational and Operational Strategy Consultant

May 23rd, 2017

@Gabor Nagy - I agree with the overall issue, personal and professional. The context of the question was user data for companies. If you are small the value has to be significant to warrant the hack. Hackers are business people also. WannaCry was not about MSFT, it was about MSFT old platforms they no longer supported. With Windows 7 or higher, there was no risk. iOS and Android have similar issues. The legend that iOS was not hackable was not accurate; it was that there were not nearly as many, pre-iPhone, for the cost/benefit for a hacker to spend time.

Gabor Nagy Founder / Chief architect at Skyline Robotics

Last updated on May 23rd, 2017

@Dane Madsen - you are even more wrong this time: Almost all "wannacry" victims were using Windows 7!

https://www.theverge.com/2017/5/19/15665488/wannacry-windows-7-version-xp-patched-victim-statistics

And, hacking is so cheap nowadays, that no small company is safe.

Please, please stop this false security nonsense already.

You may be loose with your own computer security (I'd rather that you weren't, as it makes computing less safe for everyone), but please don't tell other people that it's ok to do that.


JP Harvey Helping Secure Businesses via Virtual Information Security Teams

May 24th, 2017

@reetika the highest value for cheapest cost you can implement to protect against security threats is "security hygiene", security awareness, having a plan for how you're going to secure things, and having a plan for what you're going to do if you get hacked. This still comes at a cost, but it's your biggest bang for buck. As others have commented, it's the norm for startups to adopt a "hope for the best" approach until their MVP is proven. I'm not judging this as good or bad, it's a risk management decision that the leaders make (either explicitly or implicitly). If it's not fixed later though by paying back some security debt, it's only a matter of time until something gets hacked. As an entrepreneur you are familiar with risk, this is simply another risk and you should accept that at some point you are going to have some kind of security incident - deal with this risk the same way as any other that you face.

Dane Madsen Organizational and Operational Strategy Consultant

May 23rd, 2017

Until you are big enough to hack, you will not be. Plan for that day, build the security into your platform plans, and sleep with one eye open. Know what you will do the day you can "afford" it, and at what point (users and data) it is crucial. Saving money on this is not the right thing to do.

Gabor Nagy Founder / Chief architect at Skyline Robotics

May 23rd, 2017

@Dane - that could not be farther from the truth! You don't need to be a big company to be a target for cyber attacks.

Hell, you don't even need to be a company!

Even residential internet connections are constantly under attack. My router firewall log at home shows a break-in attempt every 10 seconds or so!

Thankfully, I'm behind several layers of firewalls, and I use only Linux and Mac OS.

Please, be careful spreading a false sense of security like that!


Dave Lemley Consulting Technologist

May 25th, 2017

minor point not-completely-off-topic: before we get too excited about not using windows, and thinking that Linux/OSX/what-have-you will materially improve things simply by switching platforms, consider Linux Sambacry,

http://hackaday.com/2017/05/25/linux-sambacry/


OS vulnerabilities are a fact of life, and you have to be on top of patches, but none of that is a substitute for secure coding practices in your own creations (and even the WannaCry reference is a little off topic, because that doesn't compromise data. If anything it makes it more secure because no one can access it, haha, only serious).


But the OP did ask about how to do it on the cheap. While I don't recommend taking that approach, one could use consultants to design or at least review the work. They'll be expensive in their hours, but not an FTE, so possibly cheaper in the long run. Just make sure they thoroughly document their work, so staff engineers can understand the critical bits in ongoing maintenance activities.


Gabor Nagy Founder / Chief architect at Skyline Robotics

May 25th, 2017

@Dave - yes, there have been attacks on Linux etc. But, for every Linux attack or malware, there are about 50 thousand Windows attacks / malware.

To say, it's not in the same ballpark, would be a massive understatement.

You are comparing the safety of driving a modern car at a low speed, to skydiving off a cliff.

Sure, things could happen in either case, and sure, both situations allow for safety improvements, but putting them under the same umbrella, is dishonest.