From 1c61cfcddff1bde5061a668c9b55f41259aafeb2 Mon Sep 17 00:00:00 2001 From: Itai Frenkel Date: Tue, 7 Mar 2017 21:56:22 -0600 Subject: [PATCH 1/8] move OWASP up, and a more broader link. prefer thrid party products though --- security.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/security.md b/security.md index 82e5655..384f184 100644 --- a/security.md +++ b/security.md 
@@ -69,13 +69,17 @@ Remember that SSL encrypts network traffic, but does not supply authentication. ### Hash your customer's passwords with a proper password hashing function -This might seem to technical and for your developers eyes mostly but you need to be prepared for that data breach and this is low effort - high reward! If your database was breahed and published it's much worse when your customers' passwords are included and easily cracked - folks reuse passwords. [It's true](http://mashable.com/2017/02/28/passwords-reuse-study-keeper-security). + +If you can afford it, use a [third party authentication service](#idaas_customers) to handle password storage, password management and password recovery. + +However, if you decide to develop your own password implementation, try doing it according to the [OWASP authentication guidelines](https://www.owasp.org/index.php/Authentication_Cheat_Sheet) . + +* If your database was breached and published it's much worse when your customers' passwords are included and easily cracked - folks reuse passwords. [It's true](http://mashable.com/2017/02/28/passwords-reuse-study-keeper-security). * Use a well known hashing algorithm to store customers passwords in your database: bcrypt, PBKDF2 or scrypt with a work factor that takes [about 1 second for the password hash](http://security.stackexchange.com/a/3993/69959). * Do not use MD5, SHA1 or other hashes that are *not specifically designed for passwords*. Passwords stored like this are cracked in seconds usually. -* [Follow the OWASP guidance](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) and demand your developers hash passwords using one of the above. ### Picking a SaaS vendor 
@@ -234,7 +238,7 @@ Using git would allow you to add outsource/freelance developers for a limited ti ## Phase 4: Signing a large customer, or rapid market growth -### Customer user's management +### Customer user's management There are a number of Identity as a Service vendors that supply login and customer's password management services. If such a vendor is SOC2 Compliant they probably do a better job than you saving the customer's password in your database. From b16558d7579a93b50265bfc721a2615a4a15dedf Mon Sep 17 00:00:00 2001 From: Itai Frenkel Date: Tue, 7 Mar 2017 22:01:44 -0600 Subject: [PATCH 2/8] fix link --- security.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security.md b/security.md index 384f184..363d486 100644 --- a/security.md +++ b/security.md @@ -70,7 +70,7 @@ Remember that SSL encrypts network traffic, but does not supply authentication. ### Hash your customer's passwords with a proper password hashing function -If you can afford it, use a [third party authentication service](#idaas_customers) to handle password storage, password management and password recovery. +If you can afford it, use a [third party authentication service](#Customer user's management) to handle password storage, password management and password recovery. However, if you decide to develop your own password implementation, try doing it according to the [OWASP authentication guidelines](https://www.owasp.org/index.php/Authentication_Cheat_Sheet) . @@ -238,7 +238,7 @@ Using git would allow you to add outsource/freelance developers for a limited ti ## Phase 4: Signing a large customer, or rapid market growth -### Customer user's management +### Customer user's management There are a number of Identity as a Service vendors that supply login and customer's password management services. If such a vendor is SOC2 Compliant they probably do a better job than you saving the customer's password in your database. 
From a2fe0b77de8fbe1a9fe9d13fe1e13c434fb9effb Mon Sep 17 00:00:00 2001 From: Itai Frenkel Date: Tue, 7 Mar 2017 22:03:38 -0600 Subject: [PATCH 3/8] fix link again --- security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security.md b/security.md index 363d486..6710a93 100644 --- a/security.md +++ b/security.md @@ -70,7 +70,7 @@ Remember that SSL encrypts network traffic, but does not supply authentication. ### Hash your customer's passwords with a proper password hashing function -If you can afford it, use a [third party authentication service](#Customer user's management) to handle password storage, password management and password recovery. +If you can afford it, use a [third party authentication service](#customer-users-management) to handle password storage, password management and password recovery. However, if you decide to develop your own password implementation, try doing it according to the [OWASP authentication guidelines](https://www.owasp.org/index.php/Authentication_Cheat_Sheet) . From 20fe5f3567a7dc4514795fbe5c64f0611080c2f0 Mon Sep 17 00:00:00 2001 From: Itai Frenkel Date: Tue, 7 Mar 2017 22:05:41 -0600 Subject: [PATCH 4/8] added more info to the idaas --- security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security.md b/security.md index 6710a93..1d02cf3 100644 --- a/security.md +++ b/security.md 
@@ -242,7 +242,7 @@ Using git would allow you to add outsource/freelance developers for a limited ti There are a number of Identity as a Service vendors that supply login and customer's password management services. If such a vendor is SOC2 Compliant they probably do a better job than you saving the customer's password in your database. -They also provide self service and apis to provision and de-provision users. Although, large customers might want integration with their own Identity management solution. +They also provide self service and apis to provision and de-provision users, enforce password policies, and recover lost passwords. Although, large customers might want integration with their own Identity management solution. ### Sensitive Data Leaks From 336a95d956970b016092ab7f7d3fe6169294322a Mon Sep 17 00:00:00 2001 From: Itai Frenkel Date: Tue, 7 Mar 2017 22:46:24 -0600 Subject: [PATCH 5/8] Update security.md --- security.md | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/security.md b/security.md index 1d02cf3..b6e80b5 100644 --- a/security.md +++ b/security.md 
@@ -74,11 +74,7 @@ If you can afford it, use a [third party authentication service](#customer-users However, if you decide to develop your own password implementation, try doing it according to the [OWASP authentication guidelines](https://www.owasp.org/index.php/Authentication_Cheat_Sheet) . -* If your database was breached and published it's much worse when your customers' passwords are included and easily cracked - folks reuse passwords. [It's true](http://mashable.com/2017/02/28/passwords-reuse-study-keeper-security). - -* Use a well known hashing algorithm to store customers passwords in your database: bcrypt, PBKDF2 or scrypt with a work factor that takes [about 1 second for the password hash](http://security.stackexchange.com/a/3993/69959). - -* Do not use MD5, SHA1 or other hashes that are *not specifically designed for passwords*. Passwords stored like this are cracked in seconds usually. +* If your database was breached and published it's much worse when your customers' passwords are included and easily cracked - folks reuse passwords. [It's true](http://mashable.com/2017/02/28/passwords-reuse-study-keeper-security). Therefore, always use a well known hashing algorithm to store customers passwords in your database: bcrypt, PBKDF2 or scrypt with a work factor that takes [about 1 second for the password hash](http://security.stackexchange.com/a/3993/69959). Do not use MD5, SHA1 or other hashes that are *not specifically designed for passwords*. Passwords stored like this are cracked in seconds usually. ### Picking a SaaS vendor From ca7d186afbd2d7878da3ecd73cf1fee857305a5a Mon Sep 17 00:00:00 2001 From: Itai Frenkel Date: Wed, 8 Mar 2017 21:17:40 -0600 Subject: [PATCH 6/8] move hash passwords to second pahse --- security.md | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/security.md b/security.md index 434dee8..ae71c00 100644 --- a/security.md +++ b/security.md 
@@ -67,15 +67,6 @@ Monitor your endpoint's public certificate expiration date, to detect prevent ce Remember that SSL encrypts network traffic, but does not supply authentication. SSL is also not a replacement for 2FA. -### Hash your customer's passwords with a proper password hashing function - - -If you can afford it, use a [third party authentication service](#customer-users-management) to handle password storage, password management and password recovery. - -However, if you decide to develop your own password implementation, try doing it according to the [OWASP authentication guidelines](https://www.owasp.org/index.php/Authentication_Cheat_Sheet) . - -* If your database was breached and published it's much worse when your customers' passwords are included and easily cracked - folks reuse passwords. [It's true](http://mashable.com/2017/02/28/passwords-reuse-study-keeper-security). Therefore, always use a well known hashing algorithm to store customers passwords in your database: bcrypt, PBKDF2 or scrypt with a work factor that takes [about 1 second for the password hash](http://security.stackexchange.com/a/3993/69959). Do not use MD5, SHA1 or other hashes that are *not specifically designed for passwords*. Passwords stored like this are cracked in seconds usually. - ### Picking a SaaS vendor 
@@ -149,6 +140,16 @@ Using git would allow you to add outsource/freelance developers for a limited ti * There are extra protection products on top of an antivirus called EDR (Cyberreason, BlackCobalt) but these are usually costly. +### Hash your customer's passwords with a proper password hashing function + + +If you can afford it, use a [third party authentication service](#customer-users-management) to handle password storage, password management and password recovery. + +However, if you decide to develop your own password implementation, try doing it according to the [OWASP authentication guidelines](https://www.owasp.org/index.php/Authentication_Cheat_Sheet) . + +* If your database was breached and published it's much worse when your customers' passwords are included and easily cracked - folks reuse passwords. [It's true](http://mashable.com/2017/02/28/passwords-reuse-study-keeper-security). Therefore, always use a well known hashing algorithm to store customers passwords in your database: bcrypt, PBKDF2 or scrypt with a work factor that takes [about 1 second for the password hash](http://security.stackexchange.com/a/3993/69959). Do not use MD5, SHA1 or other hashes that are *not specifically designed for passwords*. Passwords stored like this are cracked in seconds usually. + + ### Physical Security * Configure laptops to sleep after (at most) 5 minutes you are away from your desk, and require a password to re-open it. Ask employees to lock their laptops manually when they leave their desks, for example using [hot corners on macOS](https://support.apple.com/kb/PH18796), or by pressing logo key + L on Windows. From 87278c501857c2199374a48f9e211daaca26db52 Mon Sep 17 00:00:00 2001 From: Itai Frenkel Date: Wed, 8 Mar 2017 21:38:05 -0600 Subject: [PATCH 7/8] Update security.md --- security.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/security.md b/security.md index ae71c00..5d602f0 100644 --- a/security.md +++ b/security.md 
@@ -143,11 +143,11 @@ Using git would allow you to add outsource/freelance developers for a limited ti ### Hash your customer's passwords with a proper password hashing function -If you can afford it, use a [third party authentication service](#customer-users-management) to handle password storage, password management and password recovery. +If you can afford it, use a [third party authentication service](#customer-users-management) to handle password storage, password management and password recovery. Some vendors offer Monthly Active Users pricing which can fit your budget. -However, if you decide to develop your own password implementation, try doing it according to the [OWASP authentication guidelines](https://www.owasp.org/index.php/Authentication_Cheat_Sheet) . +However, if you decide to develop your own authentication implementation, follow the [OWASP authentication guidelines](https://www.owasp.org/index.php/Authentication_Cheat_Sheet) . -* If your database was breached and published it's much worse when your customers' passwords are included and easily cracked - folks reuse passwords. [It's true](http://mashable.com/2017/02/28/passwords-reuse-study-keeper-security). Therefore, always use a well known hashing algorithm to store customers passwords in your database: bcrypt, PBKDF2 or scrypt with a work factor that takes [about 1 second for the password hash](http://security.stackexchange.com/a/3993/69959). Do not use MD5, SHA1 or other hashes that are *not specifically designed for passwords*. Passwords stored like this are cracked in seconds usually. +* If your database was breached and published it's much worse when your customers' passwords are included and easily cracked - folks reuse passwords. [It's true](http://mashable.com/2017/02/28/passwords-reuse-study-keeper-security). 
Therefore, always use hashing function *specifically designed for password storage* to store customers passwords in your database: bcrypt, PBKDF2 or scrypt with a work factor that takes [about 1 second for the password hash](http://security.stackexchange.com/a/3993/69959). Do not use MD5, SHA1 or other hashes that are *not specifically designed for passwords*. Passwords stored like this are cracked in seconds usually. ### Physical Security From db5d9afb59089fdb492079e44a0d832cff8e5f7f Mon Sep 17 00:00:00 2001 From: Itai Frenkel Date: Wed, 8 Mar 2017 21:39:24 -0600 Subject: [PATCH 8/8] Update security.md --- security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security.md b/security.md index 5d602f0..f583a40 100644 --- a/security.md +++ b/security.md @@ -143,7 +143,7 @@ Using git would allow you to add outsource/freelance developers for a limited ti ### Hash your customer's passwords with a proper password hashing function -If you can afford it, use a [third party authentication service](#customer-users-management) to handle password storage, password management and password recovery. Some vendors offer Monthly Active Users pricing which can fit your budget. +If you can afford it, use a [third party authentication service](#customer-users-management) to handle password storage, password management, password recovery, two factor auth and more. Some vendors offer Monthly Active Users pricing which can fit your budget. However, if you decide to develop your own authentication implementation, follow the [OWASP authentication guidelines](https://www.owasp.org/index.php/Authentication_Cheat_Sheet) .
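Review bot: in the first hunk of 1/8 the new cross-reference `[third party authentication service](#idaas_customers)` points at an anchor no heading in `security.md` produces (the target is `### Customer user's management`, whose generated slug is `#customer-users-management`), so the link is dead as committed; 2/8 and 3/8 then spend two more commits repairing it, and all three should be squashed into one. The same hunk also drops the only pointer to the storage-specific OWASP page (`-* [Follow the OWASP guidance](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) ...`) in favour of the broader Authentication Cheat Sheet; since the remaining bullets are about hashing, keep the Password Storage link alongside the new one. Unrelated to the change but visible in the hunk context: "SSL encrypts network traffic, but does not supply authentication" is inaccurate, because TLS does authenticate the server via its certificate; what it does not do is authenticate the user, which is presumably what was meant.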
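Review bot: the `-### Customer user's management` / `+### Customer user's management` pair in the second hunk of 1/8 and again in 2/8 is a whitespace-only change (the removed and added lines are otherwise identical), flipped one way and then back; drop both to keep the series free of noise. While that heading is being touched, `### Customer user management` (or `users'`) would read better than the singular possessive, but note that 3/8 hard-codes the slug `#customer-users-management`, so the link text must change together with the heading.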
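Review bot: in 4/8 the added sentence `Although, large customers might want integration with their own Identity management solution.` opens with a subordinating conjunction and a comma, which leaves it without a main clause; suggest "Large customers, however, may still require integration with their own identity management solution." In the same line, `apis` should be `APIs` and `self service` hyphenated as an adjective (`self-service provisioning`).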
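Review bot: collapsing the three bullets into one in 5/8 buries the one hard rule in the section ("Do not use MD5, SHA1 or other hashes that are *not specifically designed for passwords*") inside a long paragraph, and 7/8 then half-reverses it by breaking the text after `[It's true](...)` onto an unindented continuation line starting `Therefore, always use hashing function`, which relies on lazy continuation to stay inside the bullet and also drops the article ("always use a hashing function"). Keep the three separate bullets from 1/8: the breach rationale, the algorithm recommendation, and the do-not-use list each stand better on their own line. On the recommendation itself, a work factor tuned to "about 1 second for the password hash" is at the top of the usual range and is per-login CPU time on the server, so a login endpoint configured this way needs rate limiting or it becomes a cheap denial-of-service target; the text should say the factor is benchmarked on production hardware and revisited as hardware changes, not set once.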
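Review bot: 6/8 is based on `index 434dee8..ae71c00` while 5/8 left `security.md` at `b6e80b5`, so at least one intervening commit is missing from this series and applying 1/8 through 8/8 in order will not go cleanly; rebase so the blob hashes chain, or include the missing commit. On the move itself, the section now lands between the antivirus/EDR bullets and `### Physical Security`, both employee-device topics, while password hashing is an application-layer control; the Phase 1 TLS material it was lifted from was the closer neighbour. More importantly, deferring password storage to a later phase has a cost the text should state: a weak scheme used for the first customers cannot be silently swapped later, because the server never sees the plaintext again, so the fix means either waiting for each user to log in again or wrapping every old hash inside the new function. The hashing choice therefore belongs before the first customer record exists even if the IDaaS decision waits. Minor: the two blank lines after the moved heading (`+` followed by `+`) should be one.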
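Review bot: in 8/8 the added `two factor auth` should read `two-factor authentication (2FA)` to match the `2FA` already used in the Phase 1 paragraph this section was moved from, and `Monthly Active Users pricing` from 7/8 on the same line should be `monthly active user (MAU) pricing`; "password storage, password management, password recovery" also repeats "password" three times where "storage, management and recovery of passwords" would do.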