About Rootconf 2019:
The seventh edition of Rootconf is a two-track conference with:
- Security talks and tutorials in audi 1 and 2 on 21 June.
- Talks on DevOps, distributed systems and SRE in audi 1 and audi 2 on 22 June.
Topics and schedule:
View full schedule here: https://hasgeek.com/rootconf/2019/schedule
Rootconf 2019 includes talks and Birds of Feather (BOF) sessions on:
- OSINT and its applications
- Key management, encryption and its costs
- Running a bug bounty programme in your organization
- PolarDB architecture as Cloud Native Architecture, developed by Alibaba Cloud
- SRE and running distributed teams
- Routing security
- Log analytics
- Enabling SRE via automated feedback loops
- TOR for DevOps
Who should attend Rootconf?
- DevOps programmers
- DevOps leads
- Systems engineers
- Infrastructure security professionals and experts
- DevSecOps teams
- Cloud service providers
- Companies with heavy cloud usage
- Providers of the pieces on which an organization’s IT infrastructure runs – monitoring, log management, alerting, etc
- Organizations dealing with large network systems where data must be protected
- VPs of engineering
- Engineering managers looking to optimize infrastructure and teams
For information about Rootconf and bulk ticket purchases, contact firstname.lastname@example.org or call 7676332020. Only community sponsorships available.
Rootconf 2019 sponsors:
Implementing security from day 1 at a fintech startup
In this presentation we want to showcase how we simplified, prioritized and implemented security from day 1 to a product idea going to production at CRED.
Information security domain has become vast with lots of industry standards, frameworks, tools, etc. However, all business at the end of the day cares about is releasing a product securely with minimal friction and enabling tech to move fast while having security in place.
In this talk, we will touch base on the approaches as well as key decisions we took to ensure we have security in place from day 1 of our product launch. To keep understanding simple, I have segmented security into 3 following buckets
A cloud approach
A compliance approach
A product approach
A cloud approach: Most of our founding team members were well versed with a public cloud (AWS), hence, this was a no brainer decision to adapt an AWS heavy infrastructure.
Due diligence of shared responsibility: All managed workloads would need to have a policy defined. E.g. An IAM role must not have an excess permissions or an admin user should not be able to delete a running ECS cluster.
Lifecycle of workloads/resources: E.g. Security groups for enabling temporary access across AWS resource needs to be revoked asap.
Secret/Key Management: E.g, Because secrets are not meant to be hardcoded.
Incident Response: E.g. Bitcion miner on a hacked EC2.
Least Principle - OKTA as SSO on separate AWS accounts(dev,stage,prod,PCI, central) with distinguished user groups.
Continuous AWS Monitoring - https://www.cloudconformity.com/conformity-rules/
AWS Guardduty - Monitors Cloudtrail, VPC Flow logs and Route53 logs - SNS to Email for all alerts.
A Compliance Approach: Fintech is regulated business and industry standards are its consequence. During the first month of our product launch, we were required to become compliant to NPCI guidelines for a UPI launch. Followed by RBI’s data localization requirement(SAR) and then ISO 27001:2013
Onboarding independent auditors to the concept of credit card bill payments.
Onboarding consultants to view product/business from a different angle.
Creating a process oriented culture to adhere to various compliance requirements.
A Product Approach: Our founder wanted our product to be as secure before we launch.
Dealing with rapid code+design changes.
Defensive versus offensive.
Proposing secure solutions for end user application flow.
Keeping track of changes in every alpha build. Sit next to developer and start with a simple code review. Need not be a tool based approach, for every API call, check the corresponding codebase and think what could go wrong.
Too many tools and framework to attack. Think on how to make every attack difficult. E.g. SSL Pinning, Code obfuscation( Proguard followed by Dexguard)
Review all application flow, look at application having user inputs. E.g. OTP flow in our app.
Himanshu is currently repsponsible for overall security at CRED. He has spend most of his career into fintech domain at GrabPay, Flipkart, PayPal in building in-house security platforms and products, hence, his domain expertise. Having started his early career with security consulting for some of the well-known passport-visa processing firm, government organizations, start-ups in Indian e-commerce space. Himanshu has later lead bug bounty programme for PayPal. He participates in CTF with team SegFault, has won Nullcon JailBreak 2012 and been an architect for managing and hosting HackIM CTF. While away from computer, he spends his time playing console and enjoys cooking.