Foreword
Security has long been one of the most overlooked priorities for businesses. Before a security problem occurs, security has a low profile; after it occurs, the loss is irreversible.
The event "Soundnet Developer Entrepreneurship Lecture • Phase 4丨How can the entrepreneurial team ensure the safety and compliance of product business?" specially invited Hu Jinyong, director of security research and development of Baishan Cloud, to share practical experience of start-up security from the perspective of attack and defense.
Hu Jinyong has ten years of experience in cloud security product research and development, and has presided over the development of SCDN, anti-DDoS, cloud WAF, SoC, zero trust and other security products, and has rich experience in the field of attack and defense.
This article shares common attacks that may be encountered after the business goes online from the perspective of offense and defense, and shares practical experience such as security research and development specifications, security inspections before going live, and security protection after going live, and gives some security suggestions.
This article is reorganized based on the content shared by Hu Jinyong.
01 Some misunderstandings in safety construction
1. Several typical security mistakes
■Figure 1
First, let me introduce the common misunderstandings of safety construction, as shown in Figure 1.
The first misunderstanding is the common belief that a startup is unlikely to be attacked and that security always costs money, so security construction can be skipped or put aside until the project has launched. In fact, hacker attacks are indiscriminate: the target may be a large enterprise or a small one. I therefore think start-ups should have a minimum awareness of security construction from the beginning.
The second misunderstanding is that many people think that once they have installed a firewall and bought security services, they can sit back and relax. This is wrong. Whether it is a firewall, a WAF, or another security product, its function is relatively limited and it may protect only a single point, while security construction is a very deep and very wide field. Relying on one or two security products to solve all security problems is not realistic.
The third misunderstanding is that some companies believe that, having suffered no loss, they are safe. This is also wrong. Some attacks may already have occurred without our knowing it, such as data leakage or database dumping ("dragging the library"), and we may not perceive these security risks at all.
2. Network security issues determine the ceiling of future development
In fact, many well-known companies have been hit hard because they do not pay attention to network security issues. Zoom, which you may be familiar with, was listed in the United States, and its market value used to be very high, but because of some security issues, the stock price fell sharply. Clubhouse is also a company in the United States. It developed very rapidly at the beginning, but it also declined later due to some network security issues. Weimeng also had problems because its internal security construction was not done well.
This may not only be a normative issue of internal management, but also a lack of security awareness. To some extent, network security issues may determine the ceiling of future development.
3. The importance and necessity of safety construction
Network security incidents have a relatively large impact. In recent years especially, the country has paid more and more attention to network security and has issued a series of security regulations that clarify the legal responsibilities of enterprise practitioners and emphasize the importance and necessity of security construction. Many companies put business ahead of security. There may be no problems at first, and security seems irrelevant; when problems do occur, they feel that security construction has had no effect. However, the consequences are often disastrous.
Therefore, start-ups should pay attention to safety construction from the beginning. Although safety construction requires money, at least some high-priority safety construction can be done first to establish a safety baseline. In addition, policies and regulations such as the Data Security Law, the Personal Information Protection Law, and the Cybersecurity Law also clarify the responsibilities of network operators, and start-ups are no exception.
4. Common security threats
Today I mainly introduce common security threats from two aspects: external security threats and internal security threats. External security threats such as DDoS and CC are relatively common. The industry chain behind these attacks is very mature: from the paying customer to the platform that takes the order, the entire chain is complete, and the attack cost is very low. As networks become more developed, many devices carry many vulnerabilities, IoT devices especially; there are many attacks against them, the attack surface is relatively wide, and the destructive power is very strong. Protection, however, is not so easy: attack and defense are seriously asymmetric.
■Figure 2
Figure 2 shows an online platform on which an attack costs only 100 yuan. This kind of attack is cheap and is a common threat we face. Web security is also a common security threat, such as search injection, XSS, and remote command execution. I pulled some data from a well-known report covering 2017 to 2021; Figure 3 shows how the overall attack types changed and the trend of attacks.
■Figure 3
The third common threat is API security. There is basically no business that does not use APIs, and both the number of APIs and the overall number of API calls keep growing. APIs therefore bring many security problems, such as horizontal unauthorized access, sensitive data exposure, code vulnerabilities, authentication problems, configuration errors, and business logic flaws. The fourth type is business security: for example, when we run promotional activities in the early stage of the business, we face the threat of bonus abuse ("wool-pulling"), in addition to data leakage, App security, host security, information hijacking, crawlers, and so on.
02 Business protection methods and best practices
1. Safe construction of startups
So in the face of these security threats, how should we guard against it? The security construction of start-ups is very different from that of large companies. The resources of start-ups are relatively scarce in all aspects, and it is impossible to carry out large-scale security construction, but it still needs to meet the requirements of the security baseline. I mainly introduce from three directions.
First of all, when developing, we must have a very strong sense of security, and strictly verify all external inputs, and development must be standardized, such as code specifications, release specifications, and code review specifications. Then, after the development and testing, preparations should be made before the launch. At this time, security protection planning should be made, and corresponding security planning should be carried out according to the tool type.
Different business types may face different types of attack. For a game business, the probability of encountering CC and DDoS attacks is very high; for an App business, the probability of being reverse-engineered, cracked, and hacked is higher. Before going online, security inspections are also required, such as checking for weak passwords and for keys placed in the code. Finally, after going online, it is necessary to formulate a protection plan and carry out security operations.
2. Business system development life cycle
From a development perspective, the entire business development cycle starts from requirement analysis, then to solution design, to development, testing, launch, and operation. In fact, each link involves corresponding security specifications, as shown in Figure 4.
■Figure 4
For example, in the requirement analysis stage, security factors should be taken into consideration and the relevant requirements analyzed and researched. In the solution design stage, the corresponding security design should be done, such as modeling the types of attack the business type may face and analyzing the attack surface. In the development phase, the development specification is the more important part; in the testing phase, the relevant security baseline tests are performed; in the launch phase, the relevant security checks, configurations, and corresponding checklists should be carried out; and in the operation phase, we keep paying attention to the latest security vulnerabilities and respond to the ones that affect us. That is the entire business development cycle.
■Figure 5
We need to follow many development specifications in the development stage. As shown in Figure 5, database access specifications, file operations, code specifications, buffers, exception handling, and so on all need our attention.
Figure 6 shows the CI/CD process, and we must introduce relevant security mechanisms throughout the process.
■Figure 6
3. Protection methods and best practices
I have sorted out the security protection methods based on practice. They mainly include program code security, code repository security, password security, communication security, log security, component usage security, App security, and security testing. Because the security field covers a very wide range, only a few points that are easier for start-ups to implement are introduced here.
1) Program code security
Program code security is a very important link. As shown in Figure 8, for common SQL injection and XSS vulnerabilities we must verify that user input is legal. Sometimes we also need to check the input length and content, apply escaping, and so on. In addition, the database specifications include always operating the database with the lowest authority, and never storing confidential information in program code. Special scenarios also need related handling, and a reasonable same-origin policy setting should be taken into account.
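The input checks described above, shown as a vulnerable query beside a hardened one. This is an added example, not code from the talk; the table, function names and the user-name rule are assumptions made for illustration.

```python
import re
import sqlite3

# Allow-list for the input: content (letters, digits, "_", ".", "-") and
# length (3 to 32 characters) are both constrained, as the text recommends.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")


def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return db


def find_user_unsafe(db, name):
    # Vulnerable: the input is pasted into the SQL text, so a quote character
    # in `name` changes the structure of the statement.
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return db.execute(sql).fetchall()


def find_user_safe(db, name):
    # 1) Validate length and content before the value goes anywhere.
    if not isinstance(name, str) or not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid user name")
    # 2) Bind the value as a parameter; it is never parsed as SQL.
    return db.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "nobody' OR '1'='1"          # constructed malicious input
    print(find_user_unsafe(db, crafted))   # every row comes back
    try:
        find_user_safe(db, crafted)
    except ValueError as exc:
        print("rejected:", exc)
    print(find_user_safe(db, "alice"))
```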
2) Code repository security
For start-ups, the process system may not be very standardized in all aspects, and code and working documents get uploaded to the public Internet, for example to GitHub or GitLab, without following good open source practice. In addition, writing sensitive information such as usernames, passwords, and tokens directly in the code is a bad habit that can easily lead to information leakage.
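One way to catch hard-coded credentials before they reach a repository is to scan the lines a commit adds. The following is an added example, not code from the talk; the patterns, function names and the sample diff are constructed for illustration.

```python
import re

# Assignment of a quoted literal to a credential-like name. The names cover
# the items the text lists (password, token) plus common variants.
ASSIGNMENT = re.compile(
    r"""(?ix)
    \b(?P<key>[\w.-]*(?:passw(?:or)?d|pwd|secret|token|api[_-]?key))\b
    \s*[:=]\s*
    (?P<quote>["'])(?P<value>[^"']{4,})(?P=quote)
    """
)
# Template references are not secrets themselves.
PLACEHOLDER = re.compile(r"^(?:\$\{.+\}|\{\{.+\}\}|<.+>)$")
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

SAMPLE_DIFF = """\
diff --git a/app/settings.py b/app/settings.py
--- a/app/settings.py
+++ b/app/settings.py
@@ -10,2 +10,6 @@
 DEBUG = False
+DB_USER = "shop"
+DB_PASSWORD = "S3cr3t-constructed-value"
 ALLOWED_HOSTS = ["example.com"]
+API_TOKEN = os.environ["API_TOKEN"]
+SMTP_PASSWORD = "${SMTP_PASSWORD}"
"""


def redact(value):
    """Keep two characters so the finding is recognisable but not reusable."""
    return value[:2] + "*" * (len(value) - 2)


def scan_diff(diff_text):
    """Return (path, new_line_number, key, redacted_value) for added lines."""
    findings = []
    path, new_line = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            if path.startswith("b/"):
                path = path[2:]
            continue
        if raw.startswith("--- "):
            continue
        header = HUNK.match(raw)
        if header:
            new_line = int(header.group(1))
            continue
        if raw.startswith("+"):
            hit = ASSIGNMENT.search(raw[1:])
            if hit and not PLACEHOLDER.match(hit.group("value")):
                findings.append(
                    (path, new_line, hit.group("key"), redact(hit.group("value")))
                )
            new_line += 1
        elif raw.startswith(" "):
            new_line += 1
        # Removed ("-") lines do not advance the new-file line counter.
    return findings


if __name__ == "__main__":
    for finding in scan_diff(SAMPLE_DIFF):
        print("%s:%d: hard-coded %s = %s" % finding)
```

Run against the staged diff in a pre-commit hook or CI job, a non-empty result blocks the commit; values read from the environment or a template placeholder pass.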
3) Password security
Password security is a very common problem, and programs must be able to take corresponding precautions against brute force cracking. For example, brute force cracking problems can be solved through mechanisms such as verification codes or two-factor authentication. Moreover, an encrypted link is required during the entire transmission process, and weak passwords are not allowed. If these issues are not noticed during development, they can lead to significant risks after going live.
4) Communication security
As mentioned just now, all data transmission should be encrypted end-to-end as far as possible. In particular, data sent over the public Internet must be encrypted with HTTPS, which is the most basic security guarantee. It is recommended that everyone take this measure.
5) Log Security
All system-related access must leave a trace, including operation time, operator, IP, URL, access content, and so on, recorded in as much detail as possible. Of course, the company's own data security also has to be considered, so some information is not recorded, and the records must comply with relevant policies and regulations. The purpose of recording this data is to support fault analysis, the handling of security events, and even security forensics. The basic requirement today is to keep logs for a minimum of six months, especially important log data.
6) Component security
During development, open source components from third parties are widely used. Some time ago, the Log4j vulnerability affected a very wide range of parties, because Log4j is a very basic logging component used by many applications. Technical components such as Redis and MySQL are also widely used. What should we pay attention to when using them?
The first point is port exposure on the public network. Do not expose ports to the public network unless necessary, and keep the visibility range as small as possible. The second is not to use the default ports, such as 6379 for Redis and 3306 for MySQL; use non-standard ports as much as possible to reduce the risk of attack (this only reduces the risk and cannot avoid it completely, but it is a very effective measure). For internal applications such as ES and Grafana, we also need to control the corresponding permissions. Where authentication is used, the password must meet certain conditions, and weak passwords should be avoided as far as possible.
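A host-level check for the two points above: which of these components listen beyond the loopback interface, and which still sit on their default port. This is an added example, not code from the talk; it parses `ss -ltn` output, the sample output is constructed, and the Elasticsearch (9200) and Grafana (3000) defaults are added here alongside the two ports the text names.

```python
import ipaddress

# Components are recognised by default port only, so a service already moved
# to a non-standard port is not listed by this check.
DEFAULT_PORTS = {6379: "Redis", 3306: "MySQL", 9200: "Elasticsearch", 3000: "Grafana"}

# Constructed sample of `ss -ltn` output.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511          0.0.0.0:6379      0.0.0.0:*
LISTEN 0      151        127.0.0.1:3306      0.0.0.0:*
LISTEN 0      4096            [::]:9200         [::]:*
LISTEN 0      4096        10.0.1.5:3000      0.0.0.0:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
"""


def bind_scope(addr):
    """Classify the local address a socket is bound to."""
    addr = addr.strip("[]").split("%")[0]   # drop IPv6 brackets and %iface
    if addr == "*":
        return "all-interfaces"
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:                   # 0.0.0.0 or ::
        return "all-interfaces"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "public"


def audit_listeners(ss_text):
    """Return (component, local_address, level) for listeners needing review."""
    findings = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                        # header or non-listening socket
        addr, _, port = fields[3].rpartition(":")
        component = DEFAULT_PORTS.get(int(port))
        if component is None:
            continue
        scope = bind_scope(addr)
        if scope in ("all-interfaces", "public"):
            # Reachable from outside unless a firewall or security group blocks it.
            findings.append((component, fields[3], "EXPOSED"))
        elif scope == "private":
            # Internal only: still needs authentication and permission control.
            findings.append((component, fields[3], "INTERNAL"))
    return findings


if __name__ == "__main__":
    for component, local, level in audit_listeners(SS_OUTPUT):
        print("%-8s %-14s on default port at %s" % (level, component, local))
```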
7) App Security
Many startups have their own apps. For them, important information such as keys and tokens cannot be hard-coded into the app. This is easy to crack. At the same time, do as much reinforcement as possible. In fact, there are many commercial solutions that can be used. When collecting user data, apps must also maintain the lowest authority and do a good job of data privacy. In fact, there are many relevant policies and regulations in this part, and the state is now very strict in controlling this. We also use a lot of third-party SDKs in our App, and these third-party SDKs may not be so transparent to us, so we should also pay attention to the security of third-party SDKs.
8) Security testing
In the entire security development process, we also need to do security testing. The first is threat modeling. Based on the types of threats faced by projects or products, according to different businesses, it is necessary to do a good job in threat modeling, and sort out the attack surface to introduce relevant security tests.
We have covered the specifications to follow throughout development, so what should we do before going live? As shown in Figure 8, an HTTPS certificate is the minimum requirement, but when using an HTTPS certificate we should monitor its validity period. Certificates expire, and free certificates in particular may be valid for only a few months. Once the certificate expires, business may be disrupted.
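Certificate validity monitoring can be a small scheduled job. The following is an added example, not code from the talk; the host names, dates and the 30-day and 7-day thresholds are assumptions, and the inventory is constructed so the check runs offline.

```python
import socket
import ssl
from datetime import datetime, timezone


def fetch_not_after(host, port=443, timeout=5.0):
    """Return the notAfter field of the certificate a live server presents.

    With the default context an already expired certificate fails the
    handshake with ssl.SSLCertVerificationError, which should alert as well.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def days_left(not_after, now):
    """Whole days between `now` (timezone-aware) and the notAfter timestamp."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(not_after), tz=timezone.utc
    )
    return (expires - now).days


def classify(days, warn_days=30, critical_days=7):
    if days < 0:
        return "EXPIRED"
    if days <= critical_days:
        return "CRITICAL"
    if days <= warn_days:
        return "WARN"
    return "OK"


def report(inventory, now):
    """Return (host, days_left, status) rows, most urgent first."""
    rows = [(host, days_left(na, now)) for host, na in inventory.items()]
    return [(h, d, classify(d)) for h, d in sorted(rows, key=lambda r: r[1])]


# Constructed inventory in the notAfter format returned by getpeercert().
INVENTORY = {
    "www.example.com": "Jun 10 12:00:00 2025 GMT",
    "api.example.com": "Mar 20 12:00:00 2025 GMT",
    "pay.example.com": "Mar 12 12:00:00 2025 GMT",
    "old.example.com": "Mar  1 00:00:00 2025 GMT",
}
NOW = datetime(2025, 3, 10, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample

if __name__ == "__main__":
    for host, days, status in report(INVENTORY, NOW):
        print("%-8s %-16s %4d days" % (status, host, days))
```

In production the inventory would be built by calling `fetch_not_after` for each domain and passing the current UTC time instead of the fixed clock.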
In addition, we also need to do security testing to check program vulnerabilities, web application vulnerabilities, etc. Of course, the coverage of security detection is relatively wide, and there are many commercial solutions, but they may be more expensive. In fact, we can also use some free and open source scanning tools, which can also help us scan for some obvious problems. In fact, we can also use the scanner internally to do regular scans to detect as early as possible to avoid more damage caused by the attack.
4. Attention before going online
Before going online, we also need to make a security protection plan, which may require good communication with the project manager or product owner. Security protection takes time, so we need to confirm with the relevant management in advance whether the project plan and milestones will be delayed. We also define the minimum acceptable level of security and privacy quality involved in safeguarding. These are all preparations to complete before going live.
5. It is recommended to use cloud protection
There is a lot to do to protect against security threats. Start-ups may not have much resource support, nor professional security personnel to do the implementation, so a more feasible method is to use cloud protection. What are the benefits of cloud protection?
First of all, cloud protection is convenient to use and basically works out of the box. You buy the security service on the platform, make the corresponding configuration, and traffic is then steered to the service through DNS. Cloud protection is also generally paid for on demand, so the cost is easy to control for start-ups.
Besides protection, cloud protection products such as WAF and SCDN can generally provide acceleration: static acceleration reduces back-to-source bandwidth and improves access speed. The resources of cloud protection can also be expanded elastically, which is very friendly to startups.
6. How to select products for cloud protection
However, there are many problems to pay attention to when using cloud protection. Many of our customers have not had a good experience in the process of using it. This does not mean that our products are not good, but that they are not used correctly. How should we choose the type of security product? There are many kinds of cloud protection products, and you may need to pay attention to the following aspects when selecting one.
The first is product capability, which is what we value the most. The product must be able to prevent and control common attacks. Capability also depends on the number of nodes: the more nodes there are, the more users can be served from a nearby node, resulting in better network speed. Start-ups are also more sensitive to price, so products with more flexible pricing should be chosen where possible.
The second is protection settings. Although security products, cloud protection especially, are very flexible to use, the protection effect will not be good if they are not used properly. We therefore need to set the relevant policies when using cloud protection. The policies are strongly related to the business: the access policies of an API business and a website business are completely different. Many APIs cannot perform man-machine verification, whereas in a browser the user can simply enter a verification code. We also need to learn the business characteristics. Cloud protection capability is relatively strong, but if the traffic model is analyzed in advance based on the business characteristics, the protection effect may be better.
In the early stage of onboarding a service, it is recommended to use observation mode first. In this mode, behaviour judged to be an attack is recorded but the service is not blocked, whereas protection mode is relatively strict. So in the early stage of launching we still have to observe the business carefully in order to avoid false blocking. During an attack, we can also set up the relevant alarms so that we learn of the attack immediately. We also need to understand the measures cloud vendors take under extreme attacks. Although cloud vendors have strong protection capabilities, these are not unlimited. When we use this protection, we also need to make security plans and secure the bottom line ourselves.
The third is security services. When the business faces an attack, the cloud vendor needs to provide feedback and response in a timely manner. Most cloud vendors now use the work order method, and we also need to understand the specific response speed. Some are manual services, and manual services are also time-limited, which requires some understanding.
The fourth is origin site protection. If we use cloud protection but the origin site is exposed, hackers can bypass the cloud protection completely and attack the origin site directly. This is a point that needs special attention when using cloud protection: the origin must not be exposed. At the same time, for back-to-source traffic we need to set the blacklist and allow only the protection nodes, which ensures security to the greatest extent. Our cloud services are relatively flexible, and care must be taken not to overlook service expiry, which results in loss of protection. These are some small details in the process of using cloud protection.
7. Cloud protection tips: How is my source IP exposed?
We mentioned the origin site just now. Many start-ups connect to cloud protection but, lacking experience, do not actually get the protection effect, because the origin IP is exposed: the hacker has already obtained it, and even if the IP is replaced he can find it again. There are many ways for the IP to be exposed. For example, you may not have used cloud protection in the past. Although you connected to it later, the past DNS records point directly to the origin site, and many platforms can look up historical DNS resolution records.
Therefore, if a DNS resolution record points directly to the origin site, there is a risk of exposure.
The second is subdomain names, which is also very common. There are now many subdomains, including static domain names, dynamic domain names, and API domain names, each of which may be an independent domain name. The dynamic or API domain names may be connected to cloud protection while the static domain names still point to the origin site, which may also lead to the origin site being leaked and attacked.
The third is that some websites are poorly built and reveal origin site information directly, on a page or through an interface. The fourth is that the security products used may go back to the source, which will also expose the IP.
In addition, mailbox MX records, mail services, internal leaks, and cyberspace search engines can also expose the origin IP. The capabilities of cyberspace search engines are now very strong: many business assets can be retrieved, and the origin site can be found through correlation analysis. There are a lot of methods, so we must pay close attention during business development and launch to avoid the origin site being exposed, because once the origin site is exposed, cloud protection basically loses its effect.
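The exposure paths listed above (subdomains, MX records and mail services) can be checked against your own zone export, together with the back-to-source rule from the origin protection point that only protection nodes may reach the origin. This is an added example, not code from the talk; every address, name and range below is constructed, and the provider range is an assumption standing in for the list your vendor publishes.

```python
import ipaddress
import re

# Constructed values (documentation address ranges).
ORIGIN_IPS = {ipaddress.ip_address("203.0.113.10")}
PROTECTION_NODES = [ipaddress.ip_network("198.51.100.0/24")]  # vendor back-to-source range

ZONE = [  # constructed zone export: (name, type, value)
    ("www.example.com", "CNAME", "www.example.com.cdn.example.net"),  # via cloud protection
    ("api.example.com", "A", "198.51.100.8"),
    ("static.example.com", "A", "203.0.113.10"),      # static domain left on the origin
    ("img.example.com", "CNAME", "static.example.com"),
    ("example.com", "MX", "10 mail.example.com"),
    ("mail.example.com", "A", "203.0.113.10"),        # mail runs on the origin host
    ("example.com", "TXT", "v=spf1 ip4:203.0.113.10 -all"),
]


def resolve(name, zone, depth=0):
    """Follow CNAMEs inside the zone and return the A-record addresses."""
    if depth > 8:                       # guard against CNAME loops
        return set()
    ips = set()
    for rname, rtype, value in zone:
        if rname != name:
            continue
        if rtype == "A":
            ips.add(ipaddress.ip_address(value))
        elif rtype == "CNAME":
            ips |= resolve(value, zone, depth + 1)
    return ips


def spf_networks(txt):
    """Networks named by ip4: mechanisms in an SPF record."""
    return [ipaddress.ip_network(n, strict=False)
            for n in re.findall(r"\bip4:([0-9./]+)", txt)]


def audit_zone(zone, origin_ips):
    """Return (name, type, origin_ip, reason) for records that reveal the origin."""
    findings = []
    for name, rtype, value in zone:
        if rtype == "A":
            hits = {ipaddress.ip_address(value)} & origin_ips
            why = "A record is the origin address"
        elif rtype == "CNAME":
            hits = resolve(value, zone) & origin_ips
            why = "CNAME chain ends at the origin"
        elif rtype == "MX":
            hits = resolve(value.split()[-1], zone) & origin_ips
            why = "mail host shares the origin address"
        elif rtype == "TXT":
            nets = spf_networks(value)
            hits = {ip for ip in origin_ips if any(ip in n for n in nets)}
            why = "SPF ip4 mechanism lists the origin"
        else:
            continue
        findings.extend((name, rtype, str(ip), why) for ip in sorted(hits))
    return findings


def back_to_source_allowed(client_ip):
    """Origin firewall rule: accept connections from protection nodes only."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in PROTECTION_NODES)


if __name__ == "__main__":
    for name, rtype, ip, why in audit_zone(ZONE, ORIGIN_IPS):
        print("%-20s %-5s %-13s %s" % (name, rtype, ip, why))
```

Historical DNS records are outside what a zone export shows, so an origin address that was ever published directly still needs the allow-list check on the origin itself.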
8. Concerns after going online
We have covered development and the planning before going online, so what should we pay attention to after going online? The first is the protection situation. If an attack occurs, we need to do data analysis. Afterwards, security inspections must be carried out, and if conditions permit, emergency response and attack drills can be conducted. The last is to follow the security community. As mentioned earlier, many software projects use a lot of third-party components. If you follow information from the security community, you can learn about security vulnerabilities in time, respond promptly, and repair the vulnerabilities.
03 Construction of safety standards for start-ups
The protection against external threats was introduced earlier. In fact, the internal security construction of the enterprise is also very important. Next, I will share the key directions that start-ups should take to establish a security baseline.
1. Construction of safety standards for startups
■Figure 7
The construction of security specifications for startups includes several aspects as shown in Figure 7. The first is to do a good job of safety training. Safety training should be carried out throughout the company from the very beginning. It is necessary for everyone to establish safety awareness and form a safety culture. Specifically, it includes behavioral safety, account security, safety awareness and development norms.
The second is the process system. The process system may not have a direct relationship with security, but it still has a certain impact on it, through change management, authority control, network management, device management, and security auditing. The third is data security, which mainly includes personal privacy, data backup, and data desensitization.
2. Layout Zero Trust
Traditional security still has many problems. As enterprises transform, it has difficulty adapting to the new development trends at this stage, telecommuting especially, so zero trust is likely to be the new trend in the future. It is a very good thing if start-ups deploy zero trust from the very beginning and build their security system on zero trust best practices. So what is the concept of zero trust? The concept is very simple. As shown in Figure 8, the first element is identity authentication and authorization.
■Figure 8
Second, the permissions to access all resources are dynamic, and such related dynamic permission control should be done based on the overall context. Then when assigning access rights, follow the principle of least privilege, and for important applications, you can also do multi-factor authentication. These are several important concepts of zero trust. So if we can deploy zero trust from the beginning, such as establishing a unified identity management, unified rights management, unified application management and control, and follow the concept of zero trust for security construction, I think it is a good start.
There are several tricks to deploying zero trust, as shown in Figure 10. The first is to think holistically, layer by layer. Because zero trust involves a wide range, we must follow best practices and make overall considerations in a layered manner. The second is to use multi-factor authentication as much as possible, and then to do single sign-on. As mentioned above, an enterprise may have many platforms and various systems; if they are connected through single sign-on, using them becomes simpler.
In addition, because the principle of zero trust is not to trust anyone, regardless of whether employees are internal or external, relevant permission control and identity authentication must be done, so there is no distinction between internal and external. At the same time, the implementation of zero trust requires the entire company's top-down promotion, so the top management also needs to cooperate and all employees participate in the transition.
In the end, there are actually some important details in zero trust. The transition from traditional security to zero trust adds a lot of content, and the entire protection concept is completely different. In this process, it is necessary to avoid the impact on work efficiency as much as possible to achieve a smooth transition. So if possible, it is recommended that startups do zero trust design from the beginning, which can solve some long-term problems.
About "Soundnet Developer Entrepreneurship Lecture Hall"
Now is an era where everyone can start a business, and for technical people, it is an era of entrepreneurial friendliness. If you understand technology, it will be easier than others to put your entrepreneurial ideas and dreams into practice.
But entrepreneurship means going from 0 to 1, it means continuous creation and innovation, and it means that entrepreneurs and teams need continuous growth and breakthroughs. Only in this way can we create valuable products that meet market demand, gradually form the advantages and barriers of the enterprise, and grow into a mature enterprise.
Shengwang pays attention to developers with innovation ability, development ability and entrepreneurial intention, and hopes to provide developers with corresponding support and services. To this end, we have launched a series of entrepreneurial sharing of "Soundnet Developer Entrepreneurship Lectures" in order to provide more help for everyone on the road of growth and entrepreneurship.