No, the developers hadn’t gone on strike (unlike some of the transport companies they use to commute to work)! We had booked application security expert Troy Hunt to deliver a developer-focused security workshop…and it was awesome.
Most companies will say they take security very seriously, and of course we are no different. We have dedicated Security and Privacy teams, and are constantly investing resources to do what we can to ensure systems and data are kept safe. However, it is widely accepted that throwing money at technology solutions – and services such as penetration testing – will only get you so far, and that the bit that is often missing is the human element; namely awareness training and education.
We have already developed an internal awareness session that is delivered to our staff on matters such as password security, phishing, security updates, data protection, etc. However, as a SaaS company with a large tech team developing our product in-house, our risk profile differs somewhat from that of a company that simply consumes products and services. Our clients trust us to provide them with a secure and stable platform, so we must do what we can to ensure things are done the right way, right from the outset: when the code is written. Or, for those of you in the industry, we wanted to make sure we were moving security further to the left.
So, developer-specific security training was top of our agenda, and for both myself and our Head of Development there was only one person we wanted to bring in, a great thought leader: Troy Hunt with his ‘Hack yourself first’ workshop. Sure, there are off-the-shelf modules you can buy for this sort of thing, which would have been more convenient, and cheaper, but I personally am not a great fan of canned online training, and I really don’t like death by PowerPoint. I believe you only get real value when things are hands-on and interactive – which is exactly what this workshop was.
With minimal setup, we were off and running, looking at risks such as Cross-Site Scripting (XSS), SQL injection, Cross-Site Request Forgery (CSRF), information disclosure, session hijacking, password cracking, account enumeration, and so on. These were all things that we knew about, or had at least heard of, but not really things most of the team had had a chance to get their hands on before. We worked our way through finding vulnerabilities and exploiting them, and then went on to understand what had caused these weaknesses and what should be done to protect against them. Looking at some real-world examples of #securityfails was eye-opening, too!
This was a big investment for us. Taking two days out of our development sprints is a huge deal, and we also flew in 20 of our international development colleagues to join us in Croydon. Thankfully the management team were totally supportive, and it was all extremely worthwhile. We learnt a lot, we had fun, and we were fed pizza!
If you’d like to find out more about the lengths we go to to protect our customers’ data, visit our trust center.

Reblogged 11 months ago from blog.dotmailer.com