I've spent over 2 years at Skyscanner 'doing security stuff'. There have been lots of successes, but also some failures - here's a whistle-stop run-down!
2. Skyscanner 2017
@StuHirstinfosec
A bit about me:
Former RBS mainframe procrastinator, turned excited internet security bloke
Head of Security
Squad Lead
Product Owner
PCI Manager
Security Manager
SecOps Lead
“Doing Security things at Skyscanner”
15. Skyscanner 2017
2-week scheme – glut!
365 scheme – needs constant researcher rotation, refuse to pay for crap bugs, weed out the XSS guys!
16. Skyscanner 2017
Ideal outcomes:
• Weed out certain types of bug in your code altogether
• Make researchers work harder for their cash!
• Scale the scheme & make it more valuable over time
38. Skyscanner 2017
• Get rid of credentials in code; GitHub/GitLab etc
• Credstash
• Git Secrets
• GitLeaks (have fun!)
Q. What’s the best way to protect credentials in code?
A. Don’t have any
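As an added illustration of what the tools named on this slide look for (example code written for this page, not Skyscanner's, git-secrets' or gitleaks' own), here is a small stdlib-only Python scanner that flags the classic leaked-credential patterns: AWS access key IDs, private-key headers, hard-coded password assignments and long high-entropy tokens. The sample file content, the rule names and the entropy threshold are all constructed for the example.

```python
import math
import re
from collections import Counter

# Constructed sample file content; every value below is a placeholder, not a real credential.
SAMPLE_FILE = """\
# constructed config file used only to exercise the scanner
aws_access_key_id = "AKIAEXAMPLE000000000"
aws_secret_access_key = "ABCDEFGHIJKLMNOPQRSTUVWXYZ012345abcd"
db_password = "hunter2hunter2"
api_base = "https://www.skyscanner.net/transport/flights"
-----BEGIN RSA PRIVATE KEY-----
timeout_seconds = 30
"""

# Pattern rules of the kind git-secrets / gitleaks ship with (illustrative subset, names are ours).
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "password-assignment": re.compile(r"(?i)(password|passwd|secret)\s*[:=]\s*['\"][^'\"]{6,}['\"]"),
}
# Entropy rule: long runs of base64-like characters with high Shannon entropy look like keys.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=]{32,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; a constructed, tunable example value


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_lines(lines):
    """Return (line_no, rule, redacted_match) findings; only the first 4 chars of a hit are kept."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                findings.append((line_no, rule, m.group(0)[:4] + "..."))
        for m in TOKEN_RE.finditer(line):
            if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
                findings.append((line_no, "high-entropy-token", m.group(0)[:4] + "..."))
    return findings


def scan_text(text: str):
    return scan_lines(text.splitlines())


if __name__ == "__main__":
    for line_no, rule, snippet in scan_text(SAMPLE_FILE):
        print(f"line {line_no}: {rule} ({snippet})")
```

Wired into a pre-commit hook, a non-empty result from scan_text is what blocks the commit; the redaction keeps the offending value out of the hook's own output.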
I like memes – here is my obligatory I've Just Had A Baby meme.
(like I’m the only guy who has ever had a baby!)
I don’t really know what I’m doing.
I don’t say that flippantly or because I have a bad dose of imposter syndrome, but rather because I work at a company which does things a bit differently, and I include Security in that.
There aren’t too many companies I can look to in order to understand the right thing to do.
Major global travel brand – meta search engine for flights, hotels and car hire, inc. mobile app.
Security shouldn’t exist merely to clean up the unicorn sh*t from DevOps engineers
I deal with enough of that at home at the moment!
Today I’m going to talk a little bit about DATA
I made this meme especially and I’m particularly proud of it, which probably doesn’t say much for my current social life.
We all work for companies that are essentially data-driven.
The two main questions you should concern yourself with are:
What data do you store?
How valuable is it to you?
By valuable, I mean, how does it define your business, but also from a security point of view, what would be the implications of it not being available, or it being breached in some way?
We’re obviously very data-driven at Skyscanner.
All manner of data (this isn’t an exhaustive list):
User
Employee
Financial
Flights, hotel, car data
And then code and credentials, which is just data, right?
We use data for all manner of reasons – including metrics across the business
One of the drivers for tightening up on data security, and Skyscanner is no different, is GDPR.
Now I know it’s a pretty dry subject and you’ll have heard lots already, but the consequences of breaches are about to increase massively and a lot of businesses are simply unprepared.
So perhaps I can help with a few ideas today.
2nd disclaimer:
I will talk about some cryptographic principles.
But I am not a cryptography expert! Mr Buchanan is!
Most engineers are not cryptography experts either, so when I hear people talk about creating ‘custom crypto’...
...custom crypto...
Please don’t.
We have some wonderful, well-established cryptographic protocols in the industry today; we don’t really need individuals creating their own.
So let’s have a look at two of the simple ones, which are still not yet widely explored:
This will be old news to many of you, but sadly not all!
You really should be designing systems to use TLS and not SSL.
I’ve seen companies implement TLS but then not get rid of their old ciphers – you can check using SSLLabs for websites.
Google now flag websites which either don’t use HTTPS as standard, or have weak ciphers.
Data At Rest
There’s only really one standard – AES256 – that’s the recognised industry standard for encryption at rest.
SOMEWHERE ELSE!
And rotate keys; 90 days is good practice.