Mobility and security are important factors that fintech startups need to prioritise in order to build user trust.
This presentation shares how to build, develop and improve both so that your business can grow.
5. What are we going to cover?
Why mobility and security are important factors
How to find a balanced approach
How businesses can leverage security
And also, how security and developer experience are related.
6. Some Statistics
As of June 2017,
51% of the world's population
has internet access.
That’s close to
4,000,000,000 people
As of October 2018,
there are 31,000,000
developers on GitHub alone.
7. Marc Andreessen
Renowned VC
“Software is eating the world, in all sectors. In the future every company will become a software company.”
“The Wall Street Journal”, 2011
11. Exercise: Impact of Security Breaches?
22%
lost customers
because of attacks
49%
experienced public
scrutiny after a breach
29%
lost revenue as a
result of attacks
https://www.cisco.com/c/m/en_au/products/security/offers/annual-cybersecurity-report-2017.html
https://www.cisco.com/c/dam/m/digital/en_us/Cisco_Annual_Cybersecurity_Report_2017.pdf
12. The Impact of Security Breaches (cont)
Reputational damage
TalkTalk’s high profile
data breach in 2014,
showed the company’s
reputation took
a tremendous hit.
Legal implications
The biggest issue a business
will face following a data
breach. Enormous fines await
companies that fail to protect
their customers’ data.
https://medium.com/fintech-weekly-magazine/counting-the-costs-of-a-data-breach-8ac2327aee0d
13. Fintech Indonesia Regulatory Environment
Self-regulation vs regulation
http://fintechnews.sg/20712/indonesia/fintech-indonesia-report-2018/
20. AWS Security Primer
https://news.ycombinator.com/item?id=14628108
https://cloudonaut.io/aws-security-primer/
I have worked extensively with AWS over the last 4 years,
and I can barely wrap my head around the scope of
managing security in AWS.
We have an entire department dedicated to security in
our company, and none of them are remotely close to
being experts in AWS security either.
I’m starting to get curious if there even is an expert who
could set up and maintain a bulletproof AWS account.
22. The Evolution of Security
Penetration Testing -> Secure SDLC -> DevSecOps
23. Automated Security Defense
Do you know if you are
under attack at this
current moment?
Can you automatically
defend against attacks?
Do you know what the
attackers are going after?
25. Exercise: Where can you add security?
https://gist.github.com/rasheedamir/7da0145ae1b5d9889e4085ded21d1acb
26. Where do these tools live?
Source: https://twitter.com/djschleen
27. Be aware of the vicious cycle
Tools compound
the issue.
There is too much
security debt
Developers “comply”
28. “The first rule of any technology used in a business is that automation applied to an efficient operation will magnify the efficiency. The second is that automation applied to an inefficient operation will magnify the inefficiency.”
Bill Gates
32. Signals vs Noise
Focus on high-impact issues.
Don’t add to the noise.
Ensure the issues have high accuracy.
Security Trivia #213: What is the largest security tool report that has been recorded?
13,000 pages
33. Lost in Translation
Speak the same language
as developers
Issues are useless
until they are fixed
Leverage the right
communication channel
Security Trivia #937: What is the official CWE title for a SQL Injection?
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
34. Make it easy
Tightly integrated.
Allow developers to get started in minutes.
Provide all the needed functionality.
Security Trivia #23: How many of the 12 leading AST (application security testing) companies, according to the Gartner Magic Quadrant, have clear pricing information on their website?
1
36. Exercise: How can businesses leverage security?
Use security to differentiate yourself.
Acknowledge that security is important.
Earn the trust and loyalty of users and investors.
38. Get a curated list of security resources
Consisting of:
• Awesome lists
• Developer trainings
• List of great tools
• Security Page templates
• Free digital copy of my book
• the slides
• … and more
Then send an email to:
iwant@guardrails.io
If you are passionate about ditching traditional security and helping companies in Asia get into the age of DevSecOps, then drop me a line.
At GuardRails we are working on a very different approach to security, one that puts developers first, and I’m excited to announce that we launched last week.
CEO & Founder at GuardRails. Stefan has been focusing on information security since 2003. He has worked at Numisec, integrated security into Agile and DevOps ways of working, and empowered development teams. Stefan is also one of the founders of the Singapore DevSecOps group, a local community meetup that actively organises DevOpsDays Singapore, DevOpsDays Jakarta and DevSecCon Asia.
More on the founder story?
An expert is a man who has made all the mistakes which can be made, in a narrow field.
No matter if you are a one person startup, a heavily growing organization, or a unicorn.
Balanced approach, based on what stage you are in. What are the risks you should care about, what are the measures you can take to improve your confidence.
With security in place, how to leverage marketing/communication to earn the users trust and differentiate the offering.
Origin of Software and Development, how it is tied to the proliferation of computer systems.
How many will not exist in 2 years, and who will be the next unicorn (that may not be on that list).
That’s like when you are preparing for an audit, and then suddenly not just one aspect but all aspects of your business will be reviewed.
So one security slip can put the spotlight on a lot of other problems in a business.
Loss of direct customer revenue
Often, the true fallout of a data breach isn’t immediately visible, but attacks have huge repercussions. Cisco’s 2017 Annual Cybersecurity Report found that 22% of breached organisations lost customers, along with the revenue that entails, and it’s relatively easy to see why a customer would choose to spend their money elsewhere. If a company can’t even see to it that their personal information is kept safe, why should they receive their repeat custom?
Switching to another app is easy.
How important do you think reputation is in a digital economy, where it’s all about reviews and digital branding?
What do you think?
Potential customers shopping for mobile banks or direct lenders won’t click on a company if reviews warn them not to. When public trust in a startup wanes, it directly affects its bottom line.
Reputational damage
Following directly on from the previous point comes damage to one of the most important currencies a business can have: reputation.
Analysis carried out by Deloitte following TalkTalk’s high profile data breach in 2014, showed the company’s reputation took a tremendous hit following the attack, with negative sentiment lingering for more than four months after the incident, and negativity was particularly pronounced on social media, an area in which it can be particularly difficult to attenuate ill feeling.
Ultimately, damage to TalkTalk’s reputation ended up costing the company dearly, including a drop of 11% to its share price.
Legal implications
Legal culpability is undoubtedly the biggest issue a business will face following a data breach. Enormous fines await companies that fail to protect their customers’ data, and on May 25 2018 the EU’s GDPR comes into force, bringing with it fines of up to 4% of worldwide turnover for failure to protect and handle customer data adequately. Fines of this magnitude can quite easily destroy a company where it stands.
Regulations can’t keep up with advancements.
The innovations of the fintech world are happening at lightspeed and few competitors can keep up — including regulating bodies. Part of the fintech platform’s success relies on this rapid pace.
Unlike their slow and laborious counterparts in the country’s biggest banks, startups can adapt and change on a dime to evolve alongside their users’ needs and expectations.
Some fintechs follow a self-regulatory framework
While many champions of fintech believe strict regulations would stifle the innovation powering the industry,
others are already applying a self-regulatory framework to their platforms, so they can ensure risk management and data privacy.
Perhaps not for altruistic reasons
Failure to offer these security measures promises imminent failure for careless fintech companies. The very nature of their convenient, online platforms makes it easy for its customers to leave. And don’t forget these companies service a plugged-in population who, with a few taps of their fingers, can leave an online review. Enough bad reviews can tarnish the company’s reputation.
https://www.information-age.com/cyber-security-challenges-emerging-fintech-startups-123471506/
For some established companies that can be OK, but for startups in fintech that rely on their brand and haven’t diversified yet, it could break them.
What do you think are differences?
E.g. Gojek has a breach, or a small company that nobody knows yet is hacked.
Or a company that is just getting traction, or is trying to raise a round?
What about the ecosystems and partners
PII stuff, credit card data,
Financial stuff, abusing wallets, crypto, etc
Reward systems, Getting vouchers, etc
Abusing the system
Anything related to business logic
Get in small groups and discuss what you think can happen.
(5 minutes)
This is just tools you have to use to get an application from an idea in someones head to code running in production.
There are no security tools in that picture.
Feels a little bit like this, doesn’t it.
When googling security complexity to illustrate this problem, I stumbled over this little gem.
We understand that it’s already too much to understand modern development workflows and tooling. Understanding the security implications is almost impossible.
So what you see on this slide is an AWS expert sitting down to understand the security areas they have to consider for their AWS account.
This gentleman is by no means a security expert, not even a self-proclaimed one.
The response he got on hackernews is a real eye opener.
It used to be infrastructure, open ports, patch management,
Then it was about building security in.
And now it’s all about shifting left.
We are getting closer to the developers and have more automation and give faster feedback.
But I tell you one thing, developers probably liked it better when we only bothered them once at the end of every release, not now when it’s every time they are committing code.
But has the quality improved? Or did we just get better at automating the nagging of developers.
Think Application Performance monitoring for security
Understanding how your app is abused and misused helps with prioritization.
This still looks fairly simple: you have Git as your SCM, Jenkins as your build system, Docker for containers and Kubernetes as the orchestration layer.
That’s not too bad, is it?
Security Debt is huge
Because security wasn’t a part of it and the tooling didn’t make it appealing for the reasons stated earlier.
Tools compound the issue, because they just make devs fix the issues they get, without actually taking ownership.
They point to the debt and show huge amounts of issues, over and over again. They don’t actually fix any issues, at all.
Most of them have been developed for the wrong audience.
And boy does it show. Developers are not proactively doing these things; whatever gets put on their desks, they take care of it.
Security tools should be made for developers. Yet, most of them are designed for security analysts.
And it shows in many areas, such as setup, user experience, and workflow integration.
This may sound mean, but I think realizing this is an important step in the evolution of our industry.
But yeah to continue, with the advance of new technologies and automation the answer was as always more security tools.
The most humbling experience was switching from an advisor/consultant to an implementer and being responsible for the security of a high-profile product (large team).
Fintech doesn’t mean well funded.
Fintech startup sizes can range from 1 founder & 0 funding to unicorns with 1000s of people.
How does security fit in there?
How much money would you spend?
Security champions, ownership etc
Some things are the same
Let’s explore the term developer experience.
Usability can be modeled as the question “Can the user accomplish their goal?” whilst user experience can be phrased as
“Did the user have as delightful an experience as possible?”
Usability is concerned with the “effectiveness, efficiency and satisfaction with which specified users achieve specified goals in particular environments”.
Bring up the Apple example: Apple prides itself on the high level of usability it has created for its devices.
Using the iPhone is supposed to be so simple, nice and effective (your mileage may vary, but let’s just take this as an example and not start an Android vs iOS war). User experience, on the other hand, starts already in the Apple Store, when you look at the device that you fancy, when you open the box for the first time (there are thousands of hours of people unboxing their gadgets on YouTube), and how much joy it brings you in your daily life.
DX describes the experience developers have when they use your product, be it client libraries, SDKs, frameworks, open source code, tools, APIs, technology or services.
Nowadays, there are too many distractions that are fighting for our attention.
That’s by design, product designers know how to addict us in the race to dominate the attention economy.
Security tools only add to these distractions. They find everything that could be a possible issue.
Most of the tools running against your codebase produce thousands of results.
Security is already intimidating enough. Let’s not make it worse by flooding developers with lots of security issues.
Security tools have to report issues that have a high impact if left unfixed. Less is more.
Don’t hand them thousands of “user input is printed in a command” findings. Maybe focus only on dependencies with a CVSS score of 7 or higher, and ignore dev dependencies.
Not valuing the devs’ time: lots of issues, vague descriptions and solutions (sad devs).
Valuing the devs’ time -> relevant results -> actionable feedback (happy devs).
Security experts have developed a very specific and unique language over the years. (XSS, CSRF, SAST)
But if you haven’t spent a good part of your career in application security, these terms are confusing.
Don’t try to sound important.
Especially traditional security tools produce hundreds of pages of PDF reports.
Have you ever been on the receiving end of one of those reports?
Or even worse, the one responsible for fixing those issues?
Imagine looking at hundreds of security issues with lots of cryptic details.
Details about how attackers can abuse your app full of references that don’t make sense.
But the key sections on how to fix the issues are thin.
There is rarely any actionable, framework-specific content — if there is anything at all.
Let us use plain, easy language and give useful instructions on how to fix issues.
Get started in minutes.
Doesn’t matter if they are curious and want to try it out.
Or if they want to deploy it for dozens of their apps.
That means no scheduling of demos with sales reps. That means clear pricing on the website. If SpaceX can do it, so can you.
Typical security tools are clearly targeting enterprise sales, typically as part of the CISO organisation.
If developers can’t easily take security software for a spin, then that’s a red flag already.
No developer is going to click on that book a demo button.
Workflow integration (understand your audience)
Out of workflow (IDE plugins are not enforceable and manageable, plus too many IDEs out there)
I don’t just mean make it part of the
CI/CD pipelines, I’m not talking about IDE plugins.
I’m talking about right there where the review happens in the PR comments.
If you are doing it right, then no developer is ever going to look at your dashboards.
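The two points above, reporting only high-impact findings (the CVSS-7-and-up, no-dev-dependencies rule) and delivering them where the review happens, fit in a few dozen lines. The following is an added example written for this page, not code from GuardRails or from any scanner; the report rows, advisory IDs and package names are constructed, and the shape of one row per (advisory, package, dependency path) is an assumption about how dependency scanners typically report:

```python
"""Triage a dependency-scan report before it reaches a developer.

Added example for this talk, not GuardRails code. The input format is an
assumption: one row per (advisory, package, dependency path), which is why
raw reports run to thousands of rows for a handful of real problems.
"""


# Constructed sample report. ADV-1 appears twice because the vulnerable package
# is reachable through two paths; ADV-2 is dev-only; ADV-5 has one dev path and
# one runtime path, so it is NOT dev-only.
SAMPLE_FINDINGS = [
    {"id": "ADV-1", "package": "padder",      "cvss": 9.8, "dev": False, "path": "app>a>padder"},
    {"id": "ADV-1", "package": "padder",      "cvss": 9.8, "dev": False, "path": "app>b>padder"},
    {"id": "ADV-2", "package": "test-runner", "cvss": 7.5, "dev": True,  "path": "app>test-runner"},
    {"id": "ADV-3", "package": "http-client", "cvss": 5.3, "dev": False, "path": "app>http-client"},
    {"id": "ADV-4", "package": "yaml-parser", "cvss": 7.1, "dev": False, "path": "app>cfg>yaml-parser"},
    {"id": "ADV-5", "package": "templater",   "cvss": 9.1, "dev": True,  "path": "app>lint>templater"},
    {"id": "ADV-5", "package": "templater",   "cvss": 9.1, "dev": False, "path": "app>web>templater"},
]


def severity(score):
    """CVSS v3.x qualitative rating bands."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


def triage(findings, threshold=7.0, include_dev=False):
    """Collapse to one entry per advisory and keep only what is worth fixing now.

    A package counts as dev-only when *every* path to it is a dev path; a single
    runtime path is enough to make the advisory real.
    """
    grouped = {}
    for f in findings:
        key = (f["id"], f["package"])
        g = grouped.setdefault(key, {"id": f["id"], "package": f["package"],
                                     "cvss": f["cvss"], "dev": True, "paths": []})
        g["paths"].append(f["path"])
        g["dev"] = g["dev"] and f["dev"]
        g["cvss"] = max(g["cvss"], f["cvss"])  # keep the worst score seen
    kept = []
    for g in grouped.values():
        if g["cvss"] < threshold:
            continue
        if g["dev"] and not include_dev:
            continue
        g["severity"] = severity(g["cvss"])
        kept.append(g)
    kept.sort(key=lambda g: (-g["cvss"], g["package"]))
    return kept


def pr_comment(kept):
    """Render the triaged list as one short Markdown comment for the pull request."""
    if not kept:
        return "No dependency findings above the threshold. Nothing to do."
    lines = ["%d dependency finding(s) worth fixing before merge:" % len(kept)]
    for g in kept:
        lines.append("- **%s** in `%s` (CVSS %.1f, %s); reachable via %d path(s): %s"
                     % (g["id"], g["package"], g["cvss"], g["severity"],
                        len(g["paths"]), ", ".join(g["paths"])))
    return "\n".join(lines)


if __name__ == "__main__":
    print(pr_comment(triage(SAMPLE_FINDINGS)))
```

Run against the constructed sample, seven rows collapse to three entries the developer actually has to act on; the dev-only ADV-2 is dropped while ADV-5 survives because one of its paths is a runtime path. The threshold and the dev-dependency switch are the two knobs a team tunes per stage; the point of the design is that the output is a single comment in the PR, not a dashboard.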
All in one. Don’t make them look for tool A for this and tool B for that.
If it’s already hard to wrap your head around SAST, DAST, IAST, RASP, next-gen WAFs, secret management and all of these things, then nobody is going to have time for that.
Acknowledge that security is taken seriously.
Have a security page that shows you have a plan (templates).
Make it easy for people to report security issues (security@uni.corn).
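As an added example, not one of the talk’s own templates: the machine-readable counterpart of a security page is a security.txt file (RFC 9116) served at /.well-known/security.txt, which is where researchers and scanners look first for a reporting address. The domain, policy URL and languages below are assumptions; the mailbox is the one used on the slide.

```text
# Served at https://uni.corn/.well-known/security.txt (assumed domain)
Contact: mailto:security@uni.corn
Expires: 2026-12-31T23:59:59.000Z
Policy: https://uni.corn/security
Preferred-Languages: en, id
Canonical: https://uni.corn/.well-known/security.txt
```

Contact and Expires are the two mandatory fields; set Expires less than a year out and regenerate the file on a schedule, because a stale file tells a reporter nobody is watching the mailbox.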
Use security as part of your value proposition and as a differentiator.
The more things you do, the more you can talk about, and the more confidence you can give your users and investors.
And no matter where you are on your journey, reach out to me anytime I can help you make the right decisions no matter if you are a one person startup or a unicorn that’s rocking it already!