The Welcome Email wherein I try to get the Whole Team thinking about Security.

Evan Arnold
3 min read · Nov 8, 2016


We recently hired our 23rd employee (!!!). Part of the standard on-boarding process is for me to send along an email explaining that we take security seriously, and encourage the person to use unique, complex passwords (or better yet, join our 1Password account), and to avoid phishing attacks, and to use 2-factor auth literally everywhere, and et cetera and so on.

As I was sending this email, I realized that even I found it boring. Important, sure. Full of great tips, fine. But boring.

I think part of the problem is that when you arrive at an office full of people, it feels like security has just been… Taken care of? The lights are on, your laptop automatically needs a password to unlock the screensaver, you got a fancy key fob to get through the front door.

But security is a process. It is a collection of actions you’ve taken in the past (like using a secure password) combined with a disposition (such as not sending around flat files full of sensitive information).

And this should be exciting, because the internet is terrifying.

All images brought to you by me playing around in Balsamiq

So this post, then, is an attempt to explain to everyone, from a new DevOps engineer to a new Sales rep, how to get nervous about security.

So… what is security?

The key to security (as I understand it) is to become increasingly paranoid. You have to assume that at every point of access for your app, there is a way for it to be compromised.

Can you hit the cloud with an arrow?

And for each paranoia you come up with, you have to come up with an anti-paranoia.

Is there a chance that user will get sloppy with their passwords? Then you need to add two-factor authentication.

Is there a chance of a cloud barbarian stealing your database? Then keep your database encrypted at rest.

Is there a chance of someone sniffing traffic? Then everything has to happen over SSL.

Getting more paranoid — hiring a villain

So you ask yourself, or you ask the company, “What else could go wrong? Where else could information leak? Where else could we be vulnerable?”

To answer that, we hired (the truly excellent) Cobalt.io to run penetration testing.

This found a few legitimate (although small) ways to improve our app. I look forward to doing more of these in the future.

But how do big companies do it?

We’ve also passed a SOC2 Type 1 audit.

This showed me how process could keep a company secure, but it also showed how security turns into a baffling piece of theatre that serves only to flatter itself.

Imagine you were trying to secure a liquor store using only Excel. You could have sensible questions like, “Are the doors locked?” but that’s meaningless if you never verify that you haven’t left the doors totally open. That’s a SOC2.

So I guess you can’t rely on other people to do it for you?

And that brings me back to my email. I spent some time editing it today. I kept in my tips. But I tried to make it more of a series of questions.

What data do you have access to?

What would happen if that data was insecure?

How do I know I’m secure?

Can I honestly say I’ve taken reasonable precautions?

What about my coworkers?

So you can get really worried about just about anything and that’s a good thing.

We have a smart team. I want the full force of our combined intelligence and curiosity to be relentlessly improving security.

Evan Arnold

Co-founder & Head of Software at Yard Stick PBC. Typing and typos, often in that order.