Rootconf 2019

Rootconf 2019

On infrastructure security, DevOps and distributed systems.

About Rootconf 2019:

The seventh edition of Rootconf is a two-track conference with:

  1. Security talks and tutorials in audi 1 and 2 on 21 June.
  2. Talks on DevOps, distributed systems and SRE in audi 1 and audi 2 on 22 June.

Topics and schedule:

View full schedule here: https://hasgeek.com/rootconf/2019/schedule

Rootconf 2019 includes talks and Birds of Feather (BOF) sessions on:

  1. OSINT and its applications
  2. Key management, encryption and its costs
  3. Running a bug bounty programme in your organization
  4. PolarDB architecture as Cloud Native Architecture, developed by Alibaba Cloud
  5. Vitess
  6. SRE and running distributed teams
  7. Routing security
  8. Log analytics
  9. Enabling SRE via automated feedback loops
  10. TOR for DevOps

Who should attend Rootconf?

  1. DevOps programmers
  2. DevOps leads
  3. Systems engineers
  4. Infrastructure security professionals and experts
  5. DevSecOps teams
  6. Cloud service providers
  7. Companies with heavy cloud usage
  8. Providers of the pieces on which an organization’s IT infrastructure runs – monitoring, log management, alerting, etc
  9. Organizations dealing with large network systems where data must be protected
  10. VPs of engineering
  11. Engineering managers looking to optimize infrastructure and teams

For information about Rootconf and bulk ticket purchases, contact info@hasgeek.com or call 7676332020. Only community sponsorships available.

Rootconf 2019 sponsors:

Platinum Sponsor

CRED

Gold Sponsors

Atlassian Endurance Trusting Social

Silver Sponsors

Digital Ocean GO-JEK Paytm

Bronze Sponsors

MySQL sumo logic upcloud
platform sh nilenso CloudSEK

Exhibition Sponsor

FreeBSD Foundation

Community Sponsors

Ansible PlanetScale

Hosted by

Rootconf is a forum for discussions about DevOps, infrastructure management, IT operations, systems engineering, SRE and security (from infrastructure defence perspective). more

Himanshu Kumar Das

@himanshudas

Implementing security from day 1 at a fintech startup

Submitted Jun 6, 2019

In this presentation we want to showcase how we simplified, prioritized and implemented security from day 1 to a product idea going to production at CRED.

Outline

Information security domain has become vast with lots of industry standards, frameworks, tools, etc. However, all business at the end of the day cares about is releasing a product securely with minimal friction and enabling tech to move fast while having security in place.

In this talk, we will touch base on the approaches as well as key decisions we took to ensure we have security in place from day 1 of our product launch. To keep understanding simple, I have segmented security into 3 following buckets

  1. A cloud approach

  2. A compliance approach

  3. A product approach

A cloud approach: Most of our founding team members were well versed with a public cloud (AWS), hence, this was a no brainer decision to adapt an AWS heavy infrastructure.

Challenges(Security):

  1. Due diligence of shared responsibility: All managed workloads would need to have a policy defined. E.g. An IAM role must not have an excess permissions or an admin user should not be able to delete a running ECS cluster.

  2. Lifecycle of workloads/resources: E.g. Security groups for enabling temporary access across AWS resource needs to be revoked asap.

  3. Secret/Key Management: E.g, Because secrets are not meant to be hardcoded.

  4. Incident Response: E.g. Bitcion miner on a hacked EC2.

Approach:

  1. Least Principle - OKTA as SSO on separate AWS accounts(dev,stage,prod,PCI, central) with distinguished user groups.

  2. Continuous AWS Monitoring - https://www.cloudconformity.com/conformity-rules/

  3. AWS Guardduty - Monitors Cloudtrail, VPC Flow logs and Route53 logs - SNS to Email for all alerts.

A Compliance Approach: Fintech is regulated business and industry standards are its consequence. During the first month of our product launch, we were required to become compliant to NPCI guidelines for a UPI launch. Followed by RBI’s data localization requirement(SAR) and then ISO 27001:2013

Challenges:

  1. Onboarding independent auditors to the concept of credit card bill payments.

  2. Onboarding consultants to view product/business from a different angle.

  3. Creating a process oriented culture to adhere to various compliance requirements.

A Product Approach: Our founder wanted our product to be as secure before we launch.

Challenges:

  1. Dealing with rapid code+design changes.

  2. Defensive versus offensive.

  3. Proposing secure solutions for end user application flow.

Approach:

  1. Keeping track of changes in every alpha build. Sit next to developer and start with a simple code review. Need not be a tool based approach, for every API call, check the corresponding codebase and think what could go wrong.

  2. Too many tools and framework to attack. Think on how to make every attack difficult. E.g. SSL Pinning, Code obfuscation( Proguard followed by Dexguard)

  3. Review all application flow, look at application having user inputs. E.g. OTP flow in our app.

Speaker bio

Himanshu is currently repsponsible for overall security at CRED. He has spend most of his career into fintech domain at GrabPay, Flipkart, PayPal in building in-house security platforms and products, hence, his domain expertise. Having started his early career with security consulting for some of the well-known passport-visa processing firm, government organizations, start-ups in Indian e-commerce space. Himanshu has later lead bug bounty programme for PayPal. He participates in CTF with team SegFault, has won Nullcon JailBreak 2012 and been an architect for managing and hosting HackIM CTF. While away from computer, he spends his time playing console and enjoys cooking.

Links

Comments

{{ gettext('Login to leave a comment') }}

{{ gettext('Post a comment…') }}
{{ gettext('New comment') }}
{{ formTitle }}

{{ errorMsg }}

{{ gettext('No comments posted yet') }}

Hosted by

Rootconf is a forum for discussions about DevOps, infrastructure management, IT operations, systems engineering, SRE and security (from infrastructure defence perspective). more