At Dwolla, we recognize that security is never done, but rather, it is a process. We are proud of our information security program and our continual focus on learning from and contributing to the Information Security community. There are many companies pushing the envelope and continuing to improve and share their approach to InfoSec, so we wanted to share some of the companies we follow and admire for their contributions to Information Security and beyond…
I’ve seen CloudFlare called—via Twitter—a world-class blogging corporation that does some CDN work on the side. A company with the ambitious goal, “to help build a better Internet”, CloudFlare helps protect the Dwolla platform as well as many other customers including MIT, OkCupid, international customers, and Fortune 500 companies. Some fascinating features we love include the Web Application Firewall, strong TLS edge, DNS security and of course their amazing volumetric DDoS protection.
In addition to their tech, they share their knowledge through a prolific blogging operation that keeps pace with their innovation. Their focus on cryptography is as strong as I’ve seen anywhere, including implementing and testing new techniques such as TLS 1.3 and ChaCha20-Poly1305 as an additional performant TLS cipher suite option. CloudFlare has also demonstrated the power of moving to Go for security and performance, as well as demonstrating how to build and run your own public key infrastructure (PKI) via the CloudFlare cfssl open source project. Through the blog posts, we can see that CloudFlare manages and pushes the secure boundary of the Internet.
Facebook has introduced a new tool, and it is a welcome addition for organizations looking to perform secure and performant operating system monitoring. This tool, OSQuery, has not only been enhanced for use on Linux, OSX and FreeBSD, but at the request of Facebook, it has also been audited by NCC Group. Teams can securely query remote systems for key security and performance information, and the tool can even perform File Integrity Monitoring. OSQuery can serve as a replacement for legacy tools like auditd or AIDE, and, better yet, a developer kit has been released for Windows. Sharing this technology with the community fills a much-needed gap for robust, safe and secure monitoring of trusted systems.
Coinbase has demonstrated a commitment to building a secure infrastructure in the cloud. Just as a rising tide lifts all boats, Coinbase’s sharing of security principles lifts the whole community. They serve as a reference for other cloud deployments of highly secure workloads. Using Medium, Coinbase has shared what they’ve learned in their AWS environment and brings awareness and caution to the risk of SMS-based multi-factor authentication.
The principles for building their secure AWS environment are transferable: Layered Security & No Single Point of Failure, Lock Down Production Access, Cold Storage, Log All The Things, Anomaly Detection and Consensus-Based Deploys. The September 27th post, “On Phone Numbers and Identity”, gives us a play-by-play rundown of a cell phone account takeover including a number port. This post helps to remind us that while the phone is quickly becoming a strong second factor in authentication, the phone number itself must be protected.
Slack is not only a top-notch messaging application, but is also a top-notch example of a company demonstrating the desire to keep both its users and the Internet safe. ImageMagick is a widely deployed library used by web applications to manipulate graphics, resize images, etc. Unfortunately, ImageMagick also had a remote code execution bug, which is about as bad as they get. The Slack team helped with the creation of the ImageTragick.com website to draw attention to the issue and get facts and helpful guidance out to the masses. Through creative marketing and persistence, the Slack security team helped get the word out on the ImageMagick code execution vulnerability.
Along with the vulnerability insight, Slack has shared some of the intelligent log analysis they are performing, and, when paired with push notifications, the powerful ability to watch, acknowledge and train their users on secure practices.
Ryan Huber, a security engineer at Slack, outlined in a blog post the centralization of logs, the correlation and processing of events and the requested acknowledgments from users when something doesn’t look right. For example, if a user who, according to historical data, had never run a given command (such as dtrace, which is run very rarely if at all) suddenly ran dtrace on 5 production servers at 0400, this event would require acknowledgment. By programmatically sending a push notification, Slack is showing the power of devaluing credentials, the power of out-of-band push notifications and the need for all of us to continue to increase the value of our logs, both to detect security events and to coach our users on better ways of working.
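As an added illustration (our own sketch, not Slack’s code), here is a small Python version of the rare-command check described above: build a per-user baseline of commands from historical logs, flag a command the user has never run before, and weight it by how many hosts it touched and whether it ran off-hours. The log format, the quiet-hours window, the host threshold and the acknowledgment text are all assumptions, and the log lines are constructed for the example.

```python
"""Rare-command detection with out-of-band acknowledgment.
Added example in the spirit of the Slack approach; the log format,
thresholds and notification text are assumptions, not Slack's."""
from collections import defaultdict
from datetime import datetime

# Constructed sample logs. Assumed format: "<iso timestamp> <user> <host> <command>"
HISTORY = """\
2016-10-01T10:12:00 alice web1 ls
2016-10-01T10:13:00 alice web1 tail
2016-10-02T11:00:00 alice web2 tail
2016-10-02T14:30:00 bob db1 dtrace
2016-10-03T09:00:00 bob db1 ls
""".splitlines()

NEW_EVENTS = """\
2016-10-05T04:00:00 alice web1 dtrace
2016-10-05T04:00:05 alice web2 dtrace
2016-10-05T04:00:10 alice web3 dtrace
2016-10-05T04:00:15 alice web4 dtrace
2016-10-05T04:00:20 alice web5 dtrace
2016-10-05T10:00:00 bob db1 dtrace
2016-10-05T10:05:00 alice web1 tail
""".splitlines()


def parse(line):
    """Split one log line into (timestamp, user, host, command)."""
    ts, user, host, cmd = line.split()
    return datetime.fromisoformat(ts), user, host, cmd


def build_baseline(lines):
    """Per-user set of commands seen in historical data."""
    seen = defaultdict(set)
    for line in lines:
        _, user, _, cmd = parse(line)
        seen[user].add(cmd)
    return seen


def off_hours(ts, start=22, end=6):
    """Assumed quiet window: 22:00 through 06:00."""
    return ts.hour >= start or ts.hour < end


def find_anomalies(baseline, lines, host_threshold=3):
    """Group new events by (user, command) and keep only commands the user
    has never run before. Host spread and off-hours raise the severity."""
    groups = defaultdict(lambda: {"hosts": set(), "off_hours": False})
    for line in lines:
        ts, user, host, cmd = parse(line)
        if cmd in baseline.get(user, set()):
            continue  # normal for this user, nothing to ask about
        group = groups[(user, cmd)]
        group["hosts"].add(host)
        group["off_hours"] |= off_hours(ts)
    findings = {}
    for key, group in groups.items():
        hosts = sorted(group["hosts"])
        high = group["off_hours"] or len(hosts) >= host_threshold
        findings[key] = {"hosts": hosts, "off_hours": group["off_hours"],
                         "severity": "high" if high else "low"}
    return findings


def build_notification(user, cmd, finding):
    """Text for the out-of-band (push) acknowledgment request.
    The transport itself is a placeholder in this example."""
    when = " outside normal hours" if finding["off_hours"] else ""
    return (f"Hi {user}: we saw '{cmd}' run on {len(finding['hosts'])} host(s) "
            f"({', '.join(finding['hosts'])}){when}. Was this you? "
            "Reply YES to acknowledge or NO to page the security team.")


def run(history=HISTORY, new_events=NEW_EVENTS):
    """Return {(user, cmd): notification text} for every event needing an ack."""
    baseline = build_baseline(history)
    findings = find_anomalies(baseline, new_events)
    return {key: build_notification(key[0], key[1], finding)
            for key, finding in findings.items()}


if __name__ == "__main__":
    for (user, cmd), message in run().items():
        print(f"[{user}/{cmd}] {message}")
```

With the constructed data, bob’s dtrace is ignored because it is in his history, alice’s tail is ignored for the same reason, and only alice’s dtrace across five hosts at 04:00 produces a high-severity acknowledgment request. In a real deployment the baseline would come from the centralized log store and the notification would go through a push service rather than being returned as a string.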
Principal Financial Group & Workiva
Two local companies contributing to the Information Security community include Principal Financial Group in Des Moines and our friends at Workiva in Ames, IA. While these companies have great InfoSec teams, they walk the walk by leading local community meetups to further spread the word. Principal Financial Group spearheaded the creation of SecDSM: an open forum for short technical talks and a partner of the SecKC group in Kansas City, Mo. Workiva created and leads the Ames OWASP chapter covering mobile and web application threats and emerging design patterns for secure application development. Dwolla participates in both groups as we too believe growing a community of trusted InfoSec professionals and sharing best practices makes all of us stronger.
Last but not least, Etsy is one of our favorites and has inspired some of the strategy here at Dwolla. From embedding InfoSec within the Engineering team, vs. being in a corner and unavailable, to ruthless measuring/monitoring and the security-focused use of feature flags, and the great work on Web Application Security, this company has given back to the Information Security community tremendously. Etsy’s security team rolls up their sleeves and helps the development team get things done. Their willingness to share is clearly demonstrated by their speaking engagements and detailed blog, Code As Craft.
Dwolla recognizes that security is never done, but rather, it is a process. The sharing of the Information Security community is part of this process and we are grateful to these companies and others for sharing and inspiring the process of continual security improvement.