On September 9, 2015, the Federal Trade Commission (FTC) held its first “Start with Security” conference at the University of California Hastings College of the Law in San Francisco. The conference was the first in a series of events hosted by the agency intended to provide additional guidance to businesses regarding how to keep consumers’ information secure.

The FTC’s San Francisco event was aimed primarily at start-ups and software developers, with panels focusing on building a culture of security, scaling security during periods of rapid growth, investing in security, vulnerability disclosure and response, and implementing security features. The panels were each moderated by a staff attorney from the FTC’s Division of Privacy and Identity Protection, with panelists hailing primarily from Silicon Valley tech companies. Each panel is summarized below.

Panel One: Starting Up Security

The first panel of the day featured Devdatta Akhawe from Dropbox, Jonathan Carter from OWASP, Frank Kim from SANS Institute, and Window Snyder from Fastly. The panel discussed how start-ups can build a culture of security and develop security expertise. Specifically, the panel examined: (1) the importance of start-up founders and executives championing security at their companies; (2) how start-ups can build internal security expertise by seeking out engineers with an interest in security and enabling them to become security evangelists; (3) how start-ups can leverage existing free and proprietary security resources such as OWASP, BSides, and SANS; (4) how to integrate threat modeling into development and to consider potential threats early in the development cycle; and (5) leveraging existing secure software frameworks and building secure abstractions for developers.

The panel also discussed cross-site scripting (XSS) attacks as a case study. XSS attacks typically involve an attacker injecting malicious code into a webpage on a target organization’s website. When users visit the page, their browsers execute the malicious code, which may then steal information from the users, do other things the users did not authorize, or otherwise inject malware into the users’ machines. To mitigate XSS attacks, the panel discussed verifying all data coming from a user’s web browser before trusting it and HTML encoding data before sending it to a user’s web browser. The panel also recommended consulting the OWASP XSS Prevention Cheat Sheet for additional mitigation methods. Finally, the panel discussed using training to help prevent XSS attacks, specifically through training developers to think like attackers and eliminate software flaws before they make it to production environments.

Panel Two: Scaling Security

The panelists for the second panel were Michael Coates from Twitter, Zane Lackey from Signal Sciences, and Jeff Williams from Contrast Security. The panel focused on how to integrate security into modern agile software development methods and how to make security scalable. The panel discussed providing security training to all developers, doing security in small chunks throughout the development process, and having a company’s security team create tools for developers to build secure code.

The panel also discussed how to leverage existing internal resources to improve security. For example, the panel discussed using existing performance and outage logs to monitor for unusual activity and potential security issues. Additionally, the panel provided examples of using existing development dashboards and code check-in tools to also scan for security issues, such as XSS vulnerabilities. Finally, the panel discussed methods of verifying that security protections are in place, including through implementing continuous alerts to provide feedback after code has been deployed.

A “Fireside Chat” Between Ashkan Soltani and Arun Mathew

Midway through the conference, FTC Chief Technologist Ashkan Soltani engaged in a “fireside chat” with Arun Mathew of Accel Partners to discuss how venture capital firms perceive security risks relating to start-ups and other emerging companies. Soltani and Mathew both emphasized that emerging companies should invest in security, as their potential investors in the venture capital and private markets increasingly perceive data security as a requisite component of any data-intensive business. Soltani and Mathew explained their view that appropriately addressing security is necessary to avoid the fallout from a data security incident, which could lead to negative press, soured customer relationships, government inquiries and litigation, and investor skepticism. Mathew suggested that many venture capital firms are now evaluating emerging companies’ approaches to security when reviewing their businesses for investment, with an eye toward understanding whether the companies have adequately invested in security and appropriately built security safeguards into their operations and products. Specifically, he said they consider whether start-ups have a culture of security, a budget set aside for security, and an internal process to consider security.

Panel Three: Bugs and Bounties

The third panel of the day featured Raymond Forbes from Mozilla, Paul Moreno from Pinterest, and Katie Moussouris from HackerOne. The panel focused on vulnerability response and how companies can set up processes for receiving and responding to bug reports. Panelists pointed to existing vulnerability disclosure and handling frameworks such as ISO 29147 and ISO 30111 as processes that companies should follow. At a basic level, these involve establishing a method for securely receiving vulnerability reports, verifying and investigating reports received, communicating with bug reporters, developing security updates, and using the knowledge gained in this process to improve the software development lifecycle.

The panel also discussed whether and when it makes sense for a company to offer compensation for vulnerability reports. Specifically, the panel recommended that companies consider what scope they want to put on a bounty program (i.e., the domains, apps, versions, and types of bugs to which the program should apply), what incentives they want to offer (e.g., cash, publicity), and whether they have the time and resources to devote to a bounty program. The panel also covered the history of bounty programs, noting that although they are still relatively rare, more companies have been adopting them in recent years.

Panel Four: Beyond Bugs

The panelists for the final panel of the day were Pierre Far from Google, Jon Oberheide from Duo Security, and Yan Zhu from Yahoo. The panel discussed how to implement several technologies designed to mitigate large categories of attacks. For example, the panel discussed deploying HTTPS across an organization’s entire website, rather than just sensitive areas, to protect against unsecured HTTP sniffing attacks. The panel also discussed the costs of implementing transport layer security (TLS) and projects in development that are designed to reduce those costs, such as Let’s Encrypt. Additionally, the panel discussed the tradeoffs of implementing multifactor authentication, including balancing the additional protection it can provide against the additional friction it adds for users. Finally, the panel discussed different methods for implementing content security policies to mitigate the risk of XSS attacks.

Conclusion

Organizations should pay close attention to the FTC’s Start with Security initiative, as guidance the FTC promulgates provides valuable insight into the agency’s thinking on security issues. Moreover, FTC staff may seek to use guidance provided as a basis for what constitutes “reasonable security” in future enforcement actions. For example, the focus of several panels on XSS attacks may signal that the FTC will continue to look critically at organizations that have not taken steps to mitigate such attacks going forward. Also, given FTC staff’s interest in vulnerability reporting and bounty programs, organizations should, at a minimum, ensure they have processes in place to receive vulnerability reports and may want to evaluate whether additionally creating a bounty program makes sense for the organization. Indeed, both failures to protect against XSS attacks and to implement processes for receiving and addressing third-party vulnerability reports have been cited in prior FTC complaints.1 Thus, while there is certainly no one-size-fits-all solution to data security, organizations should prioritize evaluating issues that the FTC has flagged as important in its guidance and prior enforcement actions.

1 E.g., Complaint, United States v. RockYou, Inc., No. CV 12-1487 (N.D. Cal. March 26, 2012), https://www.ftc.gov/sites/default/files/documents/cases/2012/03/120327rockyoucmpt.pdf; Complaint, In re Fandango, LLC, FTC No. 132 3089 (August 13, 2014), https://www.ftc.gov/system/files/documents/cases/140819fandangocmpt.pdf.