Rootconf 2019

In this presentation we want to showcase how we simplified, prioritized and implemented security from day 1 to a product idea going to production at CRED.

Outline

Information security domain has become vast with lots of industry standards, frameworks, tools, etc. However, all business at the end of the day cares about is releasing a product securely with minimal friction and enabling tech to move fast while having security in place.

In this talk, we will touch base on the approaches as well as key decisions we took to ensure we have security in place from day 1 of our product launch. To keep understanding simple, I have segmented security into 3 following buckets

1. A cloud approach

2. A compliance approach

3. A product approach

A cloud approach: Most of our founding team members were well versed with a public cloud (AWS), hence, this was a no brainer decision to adapt an AWS heavy infrastructure.

Challenges(Security):

1. Due diligence of shared responsibility: All managed workloads would need to have a policy defined. E.g. An IAM role must not have an excess permissions or an admin user should not be able to delete a running ECS cluster.

2. Lifecycle of workloads/resources: E.g. Security groups for enabling temporary access across AWS resource needs to be revoked asap.

3. Secret/Key Management: E.g, Because secrets are not meant to be hardcoded.

4. Incident Response: E.g. Bitcion miner on a hacked EC2.

Approach:

1. Least Principle - OKTA as SSO on separate AWS accounts(dev,stage,prod,PCI, central) with distinguished user groups.

2. Continuous AWS Monitoring - https://www.cloudconformity.com/conformity-rules/

3. AWS Guardduty - Monitors Cloudtrail, VPC Flow logs and Route53 logs - SNS to Email for all alerts.

A Compliance Approach: Fintech is regulated business and industry standards are its consequence. During the first month of our product launch, we were required to become compliant to NPCI guidelines for a UPI launch. Followed by RBI’s data localization requirement(SAR) and then ISO 27001:2013

Challenges:

1. Onboarding independent auditors to the concept of credit card bill payments.

2. Onboarding consultants to view product/business from a different angle.

3. Creating a process oriented culture to adhere to various compliance requirements.

A Product Approach: Our founder wanted our product to be as secure before we launch.

Challenges:

1. Dealing with rapid code+design changes.

2. Defensive versus offensive.

3. Proposing secure solutions for end user application flow.

Approach:

1. Keeping track of changes in every alpha build. Sit next to developer and start with a simple code review. Need not be a tool based approach, for every API call, check the corresponding codebase and think what could go wrong.

2. Too many tools and framework to attack. Think on how to make every attack difficult. E.g. SSL Pinning, Code obfuscation( Proguard followed by Dexguard)

3. Review all application flow, look at application having user inputs. E.g. OTP flow in our app.

Speaker bio

Himanshu is currently repsponsible for overall security at CRED. He has spend most of his career into fintech domain at GrabPay, Flipkart, PayPal in building in-house security platforms and products, hence, his domain expertise. Having started his early career with security consulting for some of the well-known passport-visa processing firm, government organizations, start-ups in Indian e-commerce space. Himanshu has later lead bug bounty programme for PayPal. He participates in CTF with team SegFault, has won Nullcon JailBreak 2012 and been an architect for managing and hosting HackIM CTF. While away from computer, he spends his time playing console and enjoys cooking.

Links

• https://github.com/himanshudas