Hello everybody. Hello. We're here to hack you for your benefit. We have here a most amazing hacker in Frans, and the most amazing director of product security in Jesse. Jesse, a first question to you: if you are a startup, a new startup, maybe five employees, maybe 10, maybe 15, should cyber security be a concern for you? Should you do something, or is it okay to ignore it?

Yeah, so I think from the get-go, right? Whether you're a small company or a large company, one founder or five, you need to start thinking about security from the very beginning. So build a culture from day one where everybody in the team knows that security is important, right? You don't need to be a security person to know that security is important.

We say this, but if you have a startup with 10 people, 10 good friends who started it, and nobody knows what cyber security is or how it is spelled, how do you get going? Where do you start?

Yeah, so I think by making security a core value of your company, it's going to encourage people to take that extra 30 minutes to research the best practices about how to build things and how to make things secure, and that will pay dividends. You know, the hack may be three years later that you prevented, but it'll pay off if you take care of that now. So it just takes a lot of research, and reach out to the community. The security community is great. You can reach out and ask people for help. We're all in this together.

Frans, you've hacked every company on this planet, meaning found ways to break in and then reported the vulnerabilities to them. What do startups look like to you? Do they look secure?
I think what Jesse says regarding thinking about security in the beginning, as you're building up the company: there has been a clear sign that not all of the startups have done that from the start. Meaning, basically, you can find that sometimes even how they designed their app, or how they constructed how it's supposed to work, is actually wrong from the start. So it's developed wrong in the beginning. So I think most of the time when approaching startups you see some of the very simple and easy vulnerabilities being there, and it could be anything from exposing credentials on GitHub, which is a super easy way to expose some internal app or whatever, just because people didn't think of not committing credentials to your source code.

So let's be specific. When you say exposing credentials, you mean somebody wrote software code where they wrote out the password in the code?

Yeah, exactly, and maybe open-sourced it or made it public and then accidentally have those credentials in there. It's a super common thing, and you can see that often in teams where you didn't have a structure around talking about security or the best practices around how to keep stuff safe. So I think that's a common mistake for startups. Also when it comes to how to store data, or how to actually retrieve data regarding multiple customers, there are a lot of patterns you can see with startups when it's all about building as fast as possible, getting it out there as fast as possible. So, like Jesse said, focus on talking about security, make security fun. I think that's a core point. You need to try to figure out, whether it's about sending your developers to a security conference and paying for that, or taking a security person to come talk with your developing team.
It doesn't matter. It's just about getting it in there into the discussion, some parts into the sprint, and making it fun, making it a part of the building process.

But don't you now sound like a dentist who will say, make it fun to go to the dentist?

I mean, sure, but it is fun. I sit in actually three chairs here. So I'm partly doing hacking for companies. Also, I build startups; I create a bunch of startups, so without security people at all. And then I'm doing talks together with developing teams. So I meet developer teams and try to engage them in security, and every time you go and speak with developers and you talk about security, you notice you have two or three people where you can see their eyes shine up, and you see the glimmering lights in their eyes, and you realize that there are a lot of people in these companies that actually think of security, read about security, think it's actually super interesting, but they maybe don't have the tools in that company to actually show their capabilities.

So that's what you work with, Jesse, because you are director of product security. So you go and talk to your software engineers and say, please, please, please be mindful of security aspects?

Yeah, so my goal is to be their asset, right? To work for them and make sure that they're doing everything that they can, and answer any questions they have to build these products securely.

So how do you make it fun for them, like Frans said?
Yeah, so you can do that in various ways. You can have internal capture-the-flag assessments that you can get people really excited about; have them try to break into things, right? And then also, when you have penetration assessments and stuff like that as your company grows, work with the developers and show them how the hackers could actually get in. Let them read those reports and be transparent, because that's going to energize them about how to fix these things and be proactive. So when you think of hackers, you think of a very complex set of tools that they've built that could just break into anything, but a lot of times it's the most basic things that you have in your organization that can actually defend against these, right? So before you start building any kind of product, go to the whiteboard, draw it out, figure out how things are connected together. That's one of the biggest mistakes startups make: they just start deploying, and they don't understand what data touches what and what things are on the perimeter. So go to the whiteboard, think through it, have your developers write up RFCs that talk about the features that they're building and how they're going to be used by the customers, and then write security considerations into that. So it's like instant threat modeling by the people that are actually going to be building these features for your product company.

So then when they make a mistake and you have a security vulnerability or a weakness in your software, how do you avoid it becoming an issue of pride and shame, and how do you avoid the shaming of the one guilty?

Yeah, I think by having that core value of security from the leadership at the top, the developer is going to be okay taking the time and acknowledging there's an issue, because I know my leadership team would want that fixed, right? That's going to be a priority over new feature work.
I think you can also put the point on what was actually fixed and how you will make sure this will never happen again. If you put the focus more on not who to blame, but on this is what we actually did: how did you figure it out, and how did you follow the process of identifying what, if something was leaked, was leaked? How did it happen? When did it occur? And then how can we build something that actually prevents this from happening ever again? If you, as the leadership in the company, put your focus more towards those things than towards who to blame, I think that will also create a better environment to get people to raise the flag and say, I found a vulnerability. If you can get your team to actually go to you and say, I found a vulnerability, this is what I did, and this is what we need to do, that's the perfect case. Then you know you have a pretty good environment when it comes to being transparent internally about issues.

Yeah, make it fun. I mean, if somebody finds a vulnerability, have them do a show-and-tell, get up in front of the company, show them the cool hack that they found.

It's all sharing.

Yeah, exactly.

So now people are getting excited about this. They're going to do all this security stuff, but you said you must have the top management to approve and bless and endorse it. How do you do that if you are an engineering manager here? How do you get your CEO to take security seriously when it is a cost item and not a revenue opportunity?

Yeah, I mean, one hack can ruin a company, right? And I think that's powerful enough that a CEO should recognize that this is important. This should be top priority, even in a startup.
Yeah, and your developers, your engineering team, your infrastructure, they're all going to need your support going through this.

So how would you go to a CEO and say, dear CEO, I would like to influence you on this topic? What would you say?

I mean, it's hard to put an ROI on security, right? It's an interesting topic, because a vulnerability that's introduced today may not impact you for ten years from now, right? When you realize that you left some dev instance or database exposed on the internet from when the company was founded. So it's really hard to wrap a number around that. So I think you need to show them examples of other companies and breaches that have happened, show them evidence. And then CEOs are thinking about compliance too, and that plays a piece of it, right? We're all in charge of keeping the company responsible for other people's data, so compliance plays a big piece in it.

Yeah, but when you look at the breaches, most breaches are with big companies. We had Equifax and others, and it's not startups. So maybe a startup here will think, oh, we are not at risk.

So that's interesting, and this is something that's becoming more popular, right?
Because yeah, you may be a startup and you have the small product, but you're more than likely leaning on these other large companies that are having these breaches. Whether it's a Facebook or Google, whatever it may be, you've probably implemented some third-party feature within your code base to make your product more robust, and now you've got to worry about not only your company, but that other company as well.

Absolutely. I think I actually dropped there. No, but what I was thinking around how to convince your CEO: it's more like we had the discussion before, outside, about being more secure than your peers and your competitors. I think that's also one of the arguments, because nowadays I see it when companies approach us trying to buy our service, not only Detectify but the other startups I'm involved in. Security comes up as an argument, or a question at least: how do you work with security? How do you implement? How do you do patching? How do you announce if you had a vulnerability? Customers tend to be more and more interested in how you're actually working with security. And I see it myself whenever I am going to use third parties. I ask them: do you have a responsible disclosure policy? Are people from the outside able to actually contact your security team and tell you about vulnerabilities in your product? And if they say no, I'm more reluctant to pick them as a vendor. And I think also, trying to communicate, the CEO might have seen those things when customers approach them, seen the questions around security. So coming from the CTO perspective to the CEO, telling them that we can actually be better at this than our competitors, and we have an option here to actually make a stance in terms of security.
I think that's a valid argument towards the CEO as well.

Okay, I'll have another objection for you to deal with. Somebody might say, okay, we're talking software vulnerabilities and putting the systems in shape, and then say, but the weak link is always the human being: the criminal, or the gullible employee who clicks on a phishing link, or maybe even a person inside who is intentionally doing harm. So why would you care about software vulnerabilities if humans still are the biggest risk?

They are always going to take the easiest path. It's all about that. So if the easiest path is through software, they will take that path. It doesn't necessarily mean that humans are one of the easy paths nowadays, because there's so much noise in that channel anyway. But a lot of people are trying; there are free tools today to make fake phishing emails to your employees, to at least make the discussion start internally around why are you giving out your Google credentials to a third party, and all these kinds of things. And multi-factor authentication is one step in the proper direction, I think. But I mean, I kind of feel the same way: every time I sit in the hack I'm like, okay, the easiest way to hack this company is probably to send an email to customer support, and I'm like, why am I doing this? So if someone has an answer to the question, I'm happy to listen as well. But I think it's all about trying to eliminate your threats, basically.

And how do you deal with it, Jesse?

I mean, at LifeOmic we kind of take a layered approach, right? So we make sure that we have multiple layers of security controls in place, like two-factor authentication, right? So if a password is breached or a laptop is stolen, right?
We don't have to worry about it, because there are multiple layers protecting that data. And those are usually as easy as flipping a switch, or paying a small monthly fee to add an extra service, and it's worth the cost up front, especially for a small startup, right? Because then you're going to prevent things that can impact you down the road.

And do you do phishing training for your employees? Do you send out those?

Yeah, we do some internal testing. Yeah. But we also use Okta to help prevent any kind of secondary attack to that.

So how do you deal, both of you, with people who are not from the security or the technical space? There are a lot of marketing people, sales people, administrative people who need to have a security understanding, but they don't have the technical background that you guys have.

Yeah, so I think it's an especially important point for them to understand, right? Because they're the ones that are going out there and talking to customers, and they're going to get asked these hard questions way before the security team does, right? So they need to have a good understanding of how the system works and how we're preventing things. So your security team, or your core engineers, need to tell them the things we've done to protect data, so they can go out and tell their customers how it works. And the customers are going to show them that that's important, and hopefully they'll bring that back in-house and realize that it's important for them as well.

I think it comes down to what Jesse says: the knowledge sharing is super important. We also made security cheat sheets internally, so we can answer the most common FAQ for security issues. And then also try to get feedback: if the sales team are out and they got the question around this, how are we solving this? We try to keep that document updated.
So it's always relevant to the things that we're doing and currently are working on.

Yeah, and one interesting thing that we do at LifeOmic is all of our security policies that all employees must follow, we put those right in Bitbucket, right? So the employees themselves can collaborate and communicate on those. It's not some random PDF shoved in a drive somewhere. It's something that everybody can chime in on and say, hey, this doesn't make sense, or yeah, I really like this, and give feedback, so they're going to be more apt to actually follow those policies.

I agree. So now we have endpoint protection, we have encryption, we have vulnerability management, we have a lot of security technologies that people need to use. If you're a startup and you're just shipping product, and you can afford just one thing in security, what's the minimum you can do? What can you postpone? Because you can't do it all at once.

I think two-factor authentication out of the box. You start there.

Yeah, and also, if you're a startup, you're also thinking about scaling. And I think when it comes to scaling you also need to think about what your investments will be today and what your investments are going to be in two or three years. So finding a person that actually is dedicated internally around security, it could be your developer, it could be your CTO, it could be the CEO for all I know, having someone that actually has that in mind from the start, I think it's really valuable. There was a discussion before around creating a startup without having any tech people in the company, and people were like, yeah, don't do that. I'm not saying you should have that on the board, or have it from the initial start. It helps, but I think you could probably find that skill or that interest in people in your team, even though you're only four or five people.

Yeah, excellent answer.
This was actually a question from the audience, so please submit your questions through Slido. I will ask them here, and while you do that, I'll ask you to share some amazing cyber security story, either a horror story or a joyful story of something you experienced. We'll start with Jesse and then go to Frans.

Okay. Yeah, so I was working with a small team doing a security assessment, and it was a startup. They had had a lot of turnover within their product; a lot of engineers had left, they had tried outsourcing, that kind of thing. And I was doing an assessment and I actually found that they had chained together a bunch of EC2 instances and databases in the back end, and things were all over the place and they didn't realize it. And I was able to text in a malicious payload and get it to execute against the administrator on their portal and steal their credentials.

So it was using a text message?

Yes, all via a text message, something you would definitely not expect, right? You don't really think about that whenever you're thinking about attacks, but these are the things that you've got to think about whenever you're designing your architecture.

Did they love you or hate you for it?

They were pretty impressed.

That's a good reaction, I think. Frans?

So I thought of a scenario that was actually one of my startups I was involved in, like seven years ago. This was pre bug bounty, so it was pre HackerOne even. We knew that we had a bunch of SQL injection problems in our app. We knew that from the start. So what we did was not to try to find all the SQL injections; instead, we knew that as soon as someone would try to make a SQL injection, they will at some point trigger a SQL error. So what we did was we made sure that all the errors that were triggered by the app when someone tried to hack it would escalate into a channel in our chat software.
It was pre Slack even, and it alerted a few of us. So we knew that someone was actually successfully exploiting a SQL injection, and this happened on a Saturday. I saw it on my cell phone, and I went in and patched it in less than 10 minutes, and I could see the person was trying it again, but it couldn't work. He was like, what the hell, why isn't this working? And I was like, okay, someone is trying to hack us. Who can this be? And we had two employees in the company that I knew were a bit hackery. They were also the people starting Detectify after that. But they had a friend that was in Amsterdam, and I saw the IP was in Amsterdam. So I told them, do you know if this is your friend? It seems suspicious. So they went to him the day after: did you look for vulnerabilities here? And he was like, yeah, but it disappeared on a Saturday, what is this? So then we knew who it was. So we bought him a plane ticket and flew him to Sweden, and he spent Christmas with us, and he's now a really close friend. So that was a good-ending story of hacking, and a plane ticket bug bounty, pre bug bounties ever.

That's a beautiful story. We have somebody asking here: could you please share some tips on, sorry, what's the best way to hack a company? How do you normally proceed? So Frans, you hack companies. How do I?

Yeah, I start off by looking at all the disposable assets from my perspective. Often I don't get internal access or credentials or anything; I get the same thing as, I don't know, a Russian hacker would get. Not to say that they'd hack more. But so I would look at what's exposed. Do they have any internal assets exposed? Maybe they have company.com, maybe they have company.net with all their internal infrastructure, looking at their DNS, how it's structured. Maybe they have...

Now when you say look, what do you mean by look?
I search, yeah. I search, use a tool. There are a bunch of tools, a bunch of services that actually try to create a recon process out of figuring out where the company is exposed: what kind of services they use, do they have any open source, just trying to collect all the assets out there to try to see how much I can get, and then go into detail.

Yeah, I have a similar process, right? I use open source tools to go out and just see what's there, look for any potentially vulnerable software that's running on these services, any open ports, that kind of thing, and just start poking around. A lot of times too, I'll go out and, let's say it's a website, right, a banking website, I'll go out and pretend like I'm a standard user and start thinking about where that sensitive data is, right? And then I know that's probably where I want to try to get to first. I'm not going to waste my time looking at the other areas.

And what's the most typical first bug you find, first vulnerability, when you find that goodness?

I think it depends on the asset. There's no typical one.

Yeah, well, so one thing that I really like to do is to see if they've exposed their git repository at the root of the site, because that has their source code, and if you can get to their source code a lot of times you can find credentials. You can also see how the site's operating even if it doesn't have credentials, and you can look for deeper vulnerabilities that you can exploit.

I tend to look a lot around infrastructure. Where are they hosting it? Are they running it on AWS or GCP or Azure or similar? Because if you know that, you might also know where to look, what to look for next.

And how do you know?
So basically, let's say they use AWS for stuff. Then you can probably think, okay, they're probably using one service in AWS called S3, which is the storage, bucket storage or object storage; you can basically store as much as you want in one place. So you would probably assume that they're using that as well in their service, and look more into what kind of infrastructure. How did they create this app? Do they have load balancers in the way, and how's that load balancer configured? And I mostly don't look at how the app actually works until later on, when I know how the app was constructed and put online from the start. I want to know that first, because that helps me a lot in moving forward.

So we talk about security hackers who break into systems, and we talk about software developers who build systems, and then some people say that the best developers also know how to break it, and the best breakers, the best hackers, also know how to build it. Is that true?

I think it's absolutely a benefit. I come from the developer perspective. I was a developer from the start, so me approaching security with a developer perspective was really valuable for me, because both I could be a better software engineer and build stuff better, because I knew why I was building security mitigations, but also I knew where to look in other applications, because I was like, this is a hard thing to solve, I will see how they solved it, and sometimes it turned out they did not solve it at all, and that was the vulnerability I found. So I really think it's a valuable asset.
Yeah, yeah. If you're a developer you obviously know how to build, you know where the risks are and what things can be skipped over, what corners can be cut, and those developers that know that can make some of the very best security team members. So when you're looking to start building out a security team, you could recruit some of your own internal engineers that are really passionate about security along the way.

Yeah, that leads to the question of: should the startup have a dedicated security manager, like you are director of product security, or at what stage should you have a dedicated person?

Yeah, so I think that if you do a good job from the beginning of layering security and getting everybody to understand that security is their responsibility regardless of your role, you don't necessarily need a security person right off the bat, right? But you do need a security person eventually. And I would hire somebody that's more of a senior-level person that has good product security experience from external, and bring them in, and then start using your internal resources, your engineers that are passionate; bring them over to help support that product security team. And then it's kind of like a three-tier process, right? Build out your internal security team, then you can start with a vulnerability disclosure program, roll that into a paid bug bounty program, because with that you get a team of security researchers, hackers, that are essentially supplementing your product security team, and then you pay them for their findings. And then the third part of that, the very last component, is to bring in an external team to do a pen test, maybe annually, and this is to help you with your compliance checkboxes and coverage.

Cool. My final question to you: what have you seen in the world that is the best initiative to make cyber security a topic for everybody in the world? Has it been done yet?

Exactly, no, I think it's a really hard question.
Do you have any?

I mean, I feel like we're getting there slowly but surely. Could there be more? Of course.

I think there are a lot of things happening, like getting vulnerabilities into the mass media. It's a really good thing to actually get it up into the discussion. And also looking at frameworks popping up, being secure from the start, is a way of that happening. But we're not there yet, I think.

Not yet.

Wonderful. Thank you, Jesse. Thank you, Frans. Thank you, audience. Thank you.