A thing some of your peers actually believe could happen
“Understaffed startup attributes shipping on time releases and steady feature improvements without death-marches, attrition, an FTC injunction, a data breach, or revenue impact to weeks spent implementing:
- an HSM.
- a certificate authority tied to the HSM.
- transport encryption (correctly).
- browser based bcrypt(scrypt(PBKDF2())) password storage.
- a honeynet.
- data classification, retention, and encryption.
- CAPTCHAs.
- secondary questions.
- out of band credential reset via e-mail and SMS.
- authentication rate limiting.
- two factor authentication.
- the latest browser-supported frame-busting, XSS, and CSRF mitigating security controls.
- a custom security library.
- vulnerability management.
- administrative role based access.
- proper logging.
- log monitoring.
- fraud monitoring.
- BGP peering DDoS appliances.
- a web application firewall.
- an intrusion detection system.
- Sender Policy Framework.
- a separate top level domain for every system.
- developer training in: application security, security architecture, cryptography, ecrime, computer and network forensics, and incident response.
- security through obscurity (no NOT security through obscurity!) ((what does that even mean?)) (((well it rhymes!)))
- a vulnerability disclosure bounty program.
- an FTC injunction.
- a SOX, HIPAA, PCI-DSS compliance program.
- server file integrity monitoring.
- and the free pizza lunches the founders provided daily.”
March 4th, 2013 9:32am
