Profile picture
, 19 tweets, 4 min read
My Authors
Read all threads
1/ Practically every startup ends up writing code, even if technology wouldn't be the main focus of the company. Here’s a checklist I made to help you and your hot new startup avoid the most common infosec pitfalls. [thread]
2/ Speed is the enemy of security.
The faster you move, the faster you develop, the faster you deploy — the less time you have for bug checking, quality assurance and testing. Security is not something you can add to a ready product, it has to be built in from the design phase.
3/ Do not invent stuff which has been invented already. There are trusted and tested principals that will save you time and make you safer. Definitely do not develop things such as encryption or hashing algorithms by yourself. Just don’t.
4/ Most startups today choose to go for cloud services such as AWS, Azure and GCE. Amazon, Microsoft and Google are investing hundreds of millions of dollars into their security. Breaking into the servers that run the largest cloud providers is hard...
5/ …but you need to use the cloud right. The easiest way to screw up with cloud servers or cloud storage is to lose credentials. Make sure your developers use strong, unique passwords on all cloud services.
6/ Actually, forget that. Just make sure all your developers use a password manager. Also, make sure everybody understands the risks of posting Private API keys to GitHub or pasting AWS Access keys to Pastebin.
7/ At the end of your next all-hands dev meeting, open shhgit.darkport.co.uk on the projector and let everybody watch for five minutes. That should do it.
8/ Make sure everybody has their mobile devices locked by default (Face ID / Touch ID is fine). Make sure your people enable two-factor authentication where possible, with an Authenticator app. And do not force regular password changes on your users for no reason.
9/ When I walk around startup events, everybody seems to be rocking a MacBook. Macs are great for security, but probably not for the reason most people think. As Mac market share hovers only around 10% , criminals keep focusing only on Windows with their attacks.
10/ Do note that Mac users fall for phishing just as easily as Windows users — and iPhone and Android users fall even better, as there are fewer safeguards on those, and detecting a fraudulent lookalike URL is harder on a smaller screen.
11/ Ransomware continues to be one of the biggest problems we see. Recovering from ransomware attacks would be easy if you’d always have an up-to-date backup of your data. Surprisingly, many companies cannot restore their data when they are attacked.
12/ This happens often because online backups are deleted or encrypted by the attacker. This is why cloud backup and Time Machine systems alone are not good enough for backup. Have regular off-line backups that will survive even if your office building burns down.
13/ Update prompts are annoying, but almost always the reason for the update is security. So update your OS. Update your applications. Update your apps. This seems obvious, but updating can fail for surprising reasons.
14/ In the fast-moving environment of a startup, people come and go all the time. Make sure your people do not take their access rights with them. Make sure you can lock people out of your repositories and cloud systems.
15/ Make sure you can change passwords and access rights as needed. It’s especially easy to get burned with shared passwords you use for your corporate social media accounts. Force a password change on public company accounts whenever someone who had access leaves the company.
16/ Make sure you exactly know who can move money in the company, and make sure they know how modern Business Email Compromise attacks work. These attacks are way more complex than traditional fake billing scams.
17/
Make sure your developers can identify and fix the common security vulnerabilities. Then have your app security tested. Have your network pentested. Have your code audited.
18/ And when you know your stuff is safe, your next challenge is to convince your customers that you can be trusted, even though you’re just a startup. One tip there is to get experienced advisors to join you, validating your security process and vouching for you. Good luck! /end
19/ PS. This thread was based on a blog post I made for the Maki.vc (@MakiVentures) blog: medium.com/maki-vc/the-te…
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with @mikko

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @mikko see all

Profile picture
@mikko
@mikko
A new search engine from NSA, apparently. captcha.nsa.gov
Aaand now it’s offline. It redirects to their front page. Hi NSA.
Read 4 tweets
Profile picture
@mikko
@mikko
Small thread on our our website, which was started on this day in 1994:
In 1994, there were 3 million people online. Today, there are 4353 million people online (according to IWS)
The Internet Archive did not yet exist in 1994, so the oldest copy of our site that they have is from 1996: web.archive.org/web/1996122214…
Read 11 tweets
Profile picture
@mikko
@mikko
#GPSrollover
GPS satellites transmit highly accurate date and time to navigation systems and smartphones. When the GPS system first began to keep track of time in the 1980s, they decided to count the number of weeks elapsed with a 10-bit counter.
A 10-bit counter can only count forward to a maximum of 1024 weeks, or about 19.7 years. After the first 1024 weeks had elapsed, this counter rolled over to zero, causing some date-related issues. After this, GPS systems started counting werks again from zero.
This first GPS rollover occurred in August 1999. The second GPS rollover will occur tomorrow.

It’s not going to be a big deal. We hope.
Read 5 tweets

Related threads

Profile picture
G. Elliott Morris
@gelliottmorris
#NEW from me: What would happen if the Democrats instituted a national primary using ranked-choice voting? I got the data from @YouGovUS and crunched the numbers:

economist.com/graphic-detail…
@YouGovUS We had YouGov ask over 2,000 Democratic voters to rank all the 2020 candidates over the past month. We used those responses to simulate ranked-choice voting in the primary.

How does RCV work, you ask? Just a reminder....
@YouGovUS 0. Count up all the ballots
1. Did someone win a majority of the vote? If yes, they win. If not....
2. Anyone who listed the last-place candidate gets their votes redistributed to their next-ranked option.
3. Re-tally the votes and repeat 1-2 until someone gets a majority.
Read 10 tweets
Profile picture
Jonny Geller
@JonnyGeller
Here is a thread about What Literary Agents are looking for in New Writers:

1/ A clear idea. However complex the story, a debut novel must offer a simple proposition of author, pitch and market.
#writing
#publishing
#literaryagent
2/ the pitch must promise the potential of moving the readership to a new place, but not by completely ditching what has been proven already to have worked.
I call it a bridge from somewhere familiar to somewhere new and unexpected.
3/ a debut novel must showcase talent and voice, but not at the expense of story. Self- confidence in the voice, editorial discipline and a certain degree of risk taking must all be evident.
Read 6 tweets
Profile picture
Mango_Lioncat
@MLioncat
AU idea I've been toying with writing, kinda blurry on the details. Might take me a while to type it all out since I'm kind of preoccupied atm

NurseConnor gets hired by Hank because he needs extra help taking care of Cole.
Being Lieutenant and on the homicide division leaves him with unpredictable hours, and he feels bad having to call his neighbors at 2 or 4 in the morning if he gets called in, especially with Coles unpredictable condition and with the type of care he requires.
Cole is epileptic, has been since he was a baby, and Hank's ex-wife is less than helpful when it comes to helping her husband and caring for her son. Hank just wants someone to be with Cole when he can't, in case there's an emergency.
Read 1196 tweets
Profile picture
Jeffrey Peterson🇺🇸
@realJeffreyP
Does AUSA Moira Kim Penza, prosecutor in the fed. #NXIVM #RICO criminal racketeering case, realize that her indictments of #NXIVM leader, Keith Raniere aka "Vanguard," last March, may have affected the outcome of the 2018 Mexican Presidential Election? #ArizonaMafia #Democrats
Moira Kim Penza is 1 of the main prosecutors in the federal #NXIVM #RICO criminal case. A #RICO case is very serious; it is 1 of the most complex types of prosecutions the U.S. Government can initiate. Moira's boss is Richard P. Donoghue, U.S. Atty for the Eastern District of NY.
Penza is a smart lawyer. According to publicly available information, she studied at Cornell Law School, a private Ivy League University located in Ithaca, New York. Cornell was ranked the #13 law school in America, out of 203 law schools, by U.S. News & World Report, in 2018.
Read 117 tweets
Profile picture
Tessa
@ClacesShadow
Shane is fangirling about meeting Rebekah and Kol, the Original vampires, and bragging about not being able to be compelled. Then Bex tells Kol to beat the location of the cure out of him. Lol. Imagine meeting your idols and they beat the shit out of you.
Back to this. "Truth or dare, Elena?"
"Dare." Damn that's brave.
"I dare you to tell Stefan the truth about Damon."
Sweetie, that's truth not dare, but I am here for this.
"Seriously?!" Caroline being there for Stefan again.
Bex is being really childish though
"Being with Damon makes me happy." HSHDFLK YES IT DOES.
"Makes you happy? Clowns make you happy Elena. Dig a little deeper."
Actually, clowns do quite the opposite of making me happy, but to each their own Rebekah. 🙈
Read 1801 tweets
Profile picture
Rob Spectre
@dN0t
#mylastpc

Ever since I was a kid, I've always built my main rig myself.

The time when that was practical or necessary passed a long while ago, but it was an eccentricity I couldn't ever let go.
Some of it was borne out of the DIY punk rock impulse, some of it out of a sense of craftsmanship, some of it out of overindulgence of a control complex, I always preferred writing code on something that I built myself.
My main rig right now has lasted since 2009 and its retirement is nigh. While Sandy Bridge proved to be a durable platform, the models are finally getting too big to train in a timely fashion.

And this was the first time I paused before starting to look at components.
Read 178 tweets

Trending hashtags

#ICYMI #Constitution #Leeds #SiliconValley #HitPiece #Censorship #mps #dla #rights #debt #Abundance #entrepreneurs #REDFLAG #wowcampaign #ERA #KAGA #OOPS #Corruption #Disney #Startups #toriesout #dreams #FanEngagement #Phoenix #assessments
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!