Category Archives: SDLC

How to secure your startup

Starting a new venture can be both hectic and rewarding. After being around startups since 2000, I know how you feel. While it can be overwhelming, you need to understand how security and privacy contribute to your success.

First of all, you should not ignore security, no matter what many venture capital groups preach; that advice is pure BS. By designing security and privacy into your solution you will be miles ahead of your competition.

Here is how to approach this complex problem (which is not actually complex, but people feel better when you tell them how complex it is).

1. Conduct a risk assessment against both your product and your small company to determine what data you collect and the means of collecting, processing, storing and destroying that data. I recommend ISO 27005 as the framework for this. As you step through the process, consider every aspect of your solution, including but not limited to hosting, OS, plugins, modules, binaries, daemons, services, programming languages, authentication, logging, encryption, databases, etc. You get the point. Focus on how each of these elements will be integrated, and test each to confirm that the integration did not introduce any vulnerabilities.

2. Threat model your solution to determine how it can be attacked, because it will be. There are several published frameworks for this. Pick one, use it, and make it part of a simple but efficient SDLC.

3. Know the laws and regulations that affect your product, not just where you operate today but in every geographic region where you plan to do business. These become requirements for your product.

4. Unit testing: for each risk that you identify, create unit tests that validate the mitigation, so you can show that each risk has been identified and reduced to a minimum.
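The four steps above come together as a risk register with one unit test per entry: the risk assessment and threat model name the risk, the regulatory review sets parameters such as retention, and the test proves the mitigation holds. The following is an added example and is not code from the original post; the risk IDs, the Customer record, the retention period and the three mitigations are constructed for illustration, and the PBKDF2 iteration count is an assumption to be tuned to your own hardware.

```python
"""Tie each entry in a risk register to a unit test that proves its mitigation.

Added example, not from the original post: the register, the Customer record,
the retention period and the mitigations are constructed for illustration.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed risk register: what the risk assessment / threat model found.
RISK_REGISTER = {
    "R-01": "credentials stored in plaintext; a DB compromise exposes every password",
    "R-02": "PII retained indefinitely; a breach exposes customers we no longer serve",
    "R-03": "application logs leak PII to the third-party log host",
}

# Assumption: tune the iteration count to your hardware; see the OWASP
# Password Storage Cheat Sheet for current guidance.
PBKDF2_ITERATIONS = 210_000

def hash_password(password: str) -> str:
    """R-01 mitigation: store a salted PBKDF2-HMAC-SHA256 hash, never the plaintext."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))  # constant time

# Assumption: the retention period comes from the laws identified in step 3.
RETENTION = timedelta(days=365)

@dataclass
class Customer:
    email: str
    last_active: datetime

def purge_inactive(customers: list, now: datetime) -> list:
    """R-02 mitigation: destroy records that are past the retention period."""
    return [c for c in customers if now - c.last_active <= RETENTION]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def redact(line: str) -> str:
    """R-03 mitigation: scrub email addresses before a line reaches the log sink."""
    return EMAIL_RE.sub("[email redacted]", line)

# One test per register entry; each asserts the behaviour the mitigation promises.
def test_r01_password_not_recoverable():
    stored = hash_password("correct horse battery staple")
    assert "correct horse" not in stored
    assert verify_password("correct horse battery staple", stored)
    assert not verify_password("wrong password", stored)
    # Two hashes of the same password differ, so a per-user salt is in use.
    assert stored != hash_password("correct horse battery staple")

def test_r02_inactive_records_destroyed():
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    active = Customer("a@example.com", now - timedelta(days=30))
    stale = Customer("b@example.com", now - timedelta(days=400))
    assert purge_inactive([active, stale], now) == [active]

def test_r03_logs_contain_no_pii():
    out = redact("login failed for user=jane.doe@example.com from 203.0.113.7")
    assert "@" not in out
    assert "203.0.113.7" in out  # the source IP stays: incident response needs it

TESTS = {
    "R-01": test_r01_password_not_recoverable,
    "R-02": test_r02_inactive_records_destroyed,
    "R-03": test_r03_logs_contain_no_pii,
}

def run_all() -> dict:
    """Run every risk's test. A register entry with no test is itself a failure."""
    untested = set(RISK_REGISTER) - set(TESTS)
    if untested:
        raise RuntimeError(f"risks with no test: {sorted(untested)}")
    results = {}
    for risk_id, test in TESTS.items():
        try:
            test()
            results[risk_id] = True
        except AssertionError:
            results[risk_id] = False
    return results

if __name__ == "__main__":
    for risk_id, ok in run_all().items():
        print(f"{risk_id} {'PASS' if ok else 'FAIL'}: {RISK_REGISTER[risk_id]}")
```

The point of `run_all` is the coverage check: a risk that appears in the register with no test fails the build, which is what keeps the register and the test suite from drifting apart as the product changes. The same structure carries over to whatever test runner you already use.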

Here is the secret formula for security success (Sssshhh, don't tell anyone):

TRA (threat and risk assessment) + Regulatory + Threat Modeling + Testing/Verification = Security Success

Some keys to success:

1. Keep it simple, but create an SDLC that drives security into your solution now. This will save you money down the road. If you have to completely redesign your software two years from now to deal with security, the costs will be prohibitive. Trust me, you will learn this the hard way.

2. Not all risks can or need to be eliminated. You need to bring them down to a level that you and the other founders are willing to accept. Keep in mind that some privacy laws and regulations cannot be ignored; those risks you must mitigate to a bare minimum.

3. Keep documentation of all your activities. It will be needed when a partner or customer sends in their auditors, because they will.

4. Once your company is about 6-12 months old, consider drafting policies and procedures so that new employees understand the culture of security you are building.

Good luck, and realize that you can simplify the security process, but do it now! It will save you time and money down the road. I will also point out that 68% of SMBs that experience a data breach are usually out of business within two years. Hopefully that is motivation enough.


Three ‘Mission Critical’ Practices for any Development Team

Your company could (and should) be coding like NASA. That’s right – space-surfing, rocket-propelling, humanity-advancing, NASA. Whether you’re developing software to go to Mars or to order pizza with your sneakers, coding should follow a standard that ensures safety and security.

Nowadays, you're likely developing a product or service that handles Personally Identifiable Information (PII) or credit card data, or that controls an IoT device. These are all sensitive, and mishandling them could harm a person or a place. There are three practices to consider to make sure they stay protected.

Keep humanity in mind.

If Michael Bay's 1998 blockbuster Armageddon is any indication, apocalyptic asteroids are NASA's greatest concern. This is not true: NASA spends far more time protecting astronauts from its own technology than it does training boisterous oil rig workers to save the world.

Specific to coding, NASA has 10 base principles (the "Power of Ten" rules) that should be considered for every product or service your organization develops. They were established by Gerard J. Holzmann, lead scientist at NASA's Jet Propulsion Laboratory (JPL), and written with the C language in mind. Holzmann chose C because of its long history and extensive tool support, but the rules can be generalized to coding in any programming language.

NASA's rules are strict and add time to development if followed properly. That said, NASA can't afford to botch a project, and these days neither can tech companies. It's this 'measure twice, cut once' mentality that lets Houston breathe a sigh of relief and will spare your company future hiccups.

Highlight secure design.

Secure products are created by placing importance on secure design. Secure design is one step in a larger context which includes:

  1. Threat modelling.
  2. A Software Development Lifecycle (SDLC) including:
    1. Secure design.
    2. Secure coding.
    3. Secure testing and evaluation.
  3. Third party assessment of your product or service.
  4. Creation and implementation of a vulnerability disclosure and management process.
  5. Creation and implementation of an incident management process.
  6. Creation and implementation of a data breach process.

There are organizations out there that can support your company's efforts in secure design. The International Organization for Standardization (ISO) provides world-class specifications for products, services and systems to ensure quality, safety and efficiency. With over twenty thousand international standards and related documents published, ISO spans almost every industry, including technology.

Another example is the Open Web Application Security Project (OWASP), a not-for-profit organization dedicated to helping organizations conceive, develop, acquire, operate and maintain trusted applications.

OWASP maintains a number of tools that support secure development, such as Dependency-Check and the Zed Attack Proxy (ZAP). Dependency-Check identifies a project's third-party dependencies and reports any known, publicly disclosed vulnerabilities (CVEs) in them; ZAP is an intercepting proxy and dynamic scanner that finds vulnerabilities in a running web application.

Keep in mind that adding security at the front end of the product life cycle saves money at the back end, when you would otherwise be calling your lawyer to deal with a lawsuit.

Teach safe ‘sets’.

Teaching an old developer new protocols is a bit like teaching an old dog new tricks: difficult. Many senior developers are set in their ways and find it hard to code to strict (but secure) guidelines. The same can be said of junior developers who graduate with great coding skills but poor security knowledge. Whether your development team is made up of seniors, juniors or both, training them to code securely is necessary to produce secure products and services.

Secure coding training is most effective when it is part of the onboarding process. Your training should establish guiding principles and follow a secure design process. Giving your developers a baseline and a training ground for testing is a surefire way to teach them to code securely.

OWASP also maintains WebGoat, a deliberately insecure web application built to teach web application security lessons. It's through these war games and hands-on lessons that your developers will truly grasp secure coding.

Coding for the benefit of all.

When developing software for a product or service, think big and small. As you prepare your team for launch, make sure they're equipped with the proper tools and protocols before all systems are go. Establish a proper baseline, training program and development plan before your developers start coding; time, money and sensitive information will be saved. From there, highlight secure coding as 'mission critical' once a project is in flight.

This is easier said than done, as the pace at which tech companies are expected to operate continues to accelerate. Set timelines on the rationale that when your organization does something, it does it right. Inform your clients that there is more on the line than an unsuccessful project: human lives are often at stake.

Remember: whether it’s a rupture in a shuttle’s oxygen tank or a security breach in a piece of software, failure is not an option.

Written by: DarkKnight


What does the WikiLeaks announcement mean to you?

I doubt you missed it, but this week WikiLeaks published some very serious allegations about how government agencies use vulnerabilities to compromise devices, then use those devices to listen to conversations and capture all the data on them. Do I have your attention now?

If you have one of the following, pay attention:

a. An iPhone
b. An Android phone and/or based device (this category is very wide)
c. Windows
d. Smart TV
e. Home IoT devices
f. Fake versions of security software from McAfee, Kaspersky, and Sophos

The list goes on and on. This truly sets a significant precedent: an intelligence organization has infiltrated systems and built a platform to compromise them for spying. I for one am not surprised. Why?

1. Many companies do not have SDLCs that include security testing, and those that do only do the minimum their particular industry requires.

2. Many do not threat model or conduct the aggressive pen-testing that these products require.

3. Executives are more inclined to release an insecure product to get revenue than to do the right thing and secure it from the start. Go to many startup incubators: they only think about security and privacy when they reach several thousand users or larger companies start asking about their security posture. Many of the folks who fund these start-ups consider security a "patching" problem. They want their money, so the plan is to get the product to the point where someone will pay big dollars for it and then walk away.

4. Vendors are not required to provide any assurance for their products. This is why IoT in the consumer and business markets is a bounty of compromised, or soon to be compromised, devices that are used in pivot attacks.

So how do you protect yourself and your organization in this wild west of vulnerable software? Consider the data you collect, store and process, then how it is touched by the vulnerable products listed above. Start removing your critical data from those platforms until patches and fixes are available. And start asking vendors and service providers the uncomfortable questions:

a. How do you securely test and design your software or solution? Prove it!
b. Do you provide free upgrades and patches for your products?
c. When was the last time you experienced a data breach?
d. How is your source code protected and evaluated against backdoors and compromises?
e. What security training do you provide your staff on a regular basis?
f. What 3rd party evaluations have you had conducted against your products?
g. What is your vulnerability disclosure policy?

The answers to these questions will give you a good sense of the vendor's security posture. If they cannot answer immediately, or have to go and check, walk away. A company that has instilled a culture of security will have the answers at hand across its staff.

Additionally, I recommend that you stay off public WiFi networks, as these are used to hunt for victims. Stop making it easy for governments to gain access to your devices; this includes corporate confidential and IP data, because they take that too. Harden your device as much as you can and use an IPsec VPN to protect your data in transit. Finally, encrypt all your stored data. If your systems are compromised, you need that additional level of protection.


Cyber Canucks EP8 – Cyber Assurance Programs

We hope you enjoy episode 8 in our series of podcasts on cybersecurity.

Hosts: Cid Parato and Faud Khan

Topics of this episode include how we at TwelveDot help organizations implement a cyber assurance program. These steps are key to getting your company or organization to start thinking about security in everything it does.

  • GAP Analysis – a benchmark of current policies, partnerships and employees. We focus on ISO and the 27K family of standards and recommend that a gap analysis be conducted against ISO 27001. If you are in an industry such as finance or telecom there are sector-specific supplements in the 27K family that address controls for those sectors, but the overarching approach is based on ISO 27001.
  • Assessment – an initial assessment identifies and validates risks to produce the risk assessment document and then an action plan. Get your risk management practice jump-started with ISO 27005 and ISO 31000; these provide the foundation on which to build your practice.
  • ISMS – Information Security Management System. This takes the previous two steps and formally initiates the processes and policies needed to implement security and to keep developing and maturing it as your organization grows.
  • SDLC – a System Development Life Cycle should be formalized by any company that produces a product or service. As part of your ISMS implementation it creates the checks and balances that ensure cyber risks and privacy elements are identified, assessed and mitigated as required, before you ever release your solution.
  • Evaluation – internal and external evaluations (certification) will be required on an ongoing basis. Many can be completed internally as part of your ISMS implementation, but you will need to bring in external auditors for certification of your ISMS.

Keep in mind that you do not have to go the certification route to start. You can begin by standing up your ISMS and getting it operational; that is the toughest part. Once started, it is just a matter of making it better as you go. No two companies are alike, so your implementation considerations will differ. However, the goal is always the same: creating a company culture of security.

For more details please follow us on Twitter @TwelveDotSec and if you have any questions or comments please reach out to us at

A big Thx goes out to Jack Wiles for sound editing.



Cyber Canucks EP5: Considerations for IoT

We hope you enjoy episode 5 in our series of podcasts on cybersecurity.

Hosts: Cid Parato and Faud Khan

Topics of this episode:

– Threat Modelling – how is your device going to be attacked?
– Code Assessment and Third Party Libraries – risk and security aspects of application code, and checking third-party libraries against known vulnerabilities
– In-field Patching and Support – often overlooked when thinking about cybersecurity
– Manufacturers and SDLC – all organizations need to consider security by implementing an SDLC and a formal evaluation process around the device
– Field Monitoring – guidelines and standards need to be addressed, but so does monitoring for suspicious activity in the field.
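The third-party library check in the list above, and the OWASP Dependency-Check tool mentioned in "Three 'Mission Critical' Practices" earlier on this page, both come down to the same operation: match each pinned library version against the affected range in a vulnerability advisory. The following is an added example and is not code from the original posts or from OWASP's tool; the requirements file, the package names and the advisory feed are constructed for the demo, and a real check would load advisories from a database such as the NVD instead. It also shows the one detail that trips up home-grown checks: versions must be compared numerically, because as strings "1.10.0" sorts before "1.9.0".

```python
"""Check pinned third-party dependencies against a list of known vulnerabilities.

Added example, not from the original posts or from OWASP Dependency-Check.
The advisory feed and requirements file below are constructed; the package
names and advisory IDs are made up for illustration.
"""
import re

def parse_version(text: str) -> tuple:
    """'1.2.10' -> (1, 2, 10). Tuples compare numerically, so 1.2.10 > 1.2.9."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def parse_requirements(text: str) -> dict:
    """Minimal parser for pinned 'name==version' lines; comments and blanks are skipped.

    Anything that is not an exact pin is rejected: a floating '>=' requirement
    cannot be checked, because the version actually deployed is unknown."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)", line)
        if not m:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        deps[m.group(1).lower()] = m.group(2)
    return deps

# Constructed advisory feed: (package, introduced, fixed, advisory id).
# The affected range is introduced <= version < fixed; fixed=None means no fix yet.
ADVISORIES = [
    ("examplelib", "1.0.0", "1.4.2", "ADV-0001"),
    ("examplelib", "2.0.0", "2.1.0", "ADV-0002"),
    ("widgetkit", "0.9.0", None, "ADV-0003"),
]

def is_affected(version: str, introduced: str, fixed) -> bool:
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)

def find_vulnerable(deps: dict, advisories=ADVISORIES) -> dict:
    """Map each vulnerable dependency to the advisory IDs that apply to its pinned version."""
    hits = {}
    for package, introduced, fixed, adv_id in advisories:
        version = deps.get(package.lower())
        if version is not None and is_affected(version, introduced, fixed):
            hits.setdefault(package, []).append(adv_id)
    return hits

# Constructed requirements.txt for the demo.
SAMPLE_REQUIREMENTS = """\
examplelib==1.2.10   # 1.2.10 is above 1.2.9 numerically but still below the 1.4.2 fix
widgetkit==1.3.0     # no fix released: affected whatever the version
safepkg==3.0.0       # no advisory: clean
"""

def check(text: str = SAMPLE_REQUIREMENTS) -> dict:
    return find_vulnerable(parse_requirements(text))

if __name__ == "__main__":
    for package, ids in sorted(check().items()):
        print(f"{package}: {', '.join(ids)}")
```

Run it and the two flagged packages come back with their advisory IDs while `safepkg` stays silent. In a build pipeline the equivalent is to fail the build when `check()` returns anything, and to refuse unpinned requirements outright, since a check that does not know which version ships cannot tell you whether it is vulnerable.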

For more details please follow us on Twitter @TwelveDotSec and if you have any questions or comments please reach out to us at

A big Thx goes out to Jack Wiles for sound editing.



Devs stop the “bolt-on” syndrome

We believe that companies who develop products and services need a cyber assurance program to ensure their solutions do not lead to "bolt-ons". Yeah, you heard me: bolt-ons. Let me explain. We use insecure communications and then use a VPN as a bolt-on to secure them; we use insecure OSes and applications and then use AV as a bolt-on to protect our desktops and PCs; and we do not patch and service our operational systems and instead use IPS/IDS as a bolt-on to protect them. Get the point?

We have been using this outmoded approach to security for a long time, and it does not seem to be getting better, but worse. Worse because the organizations that don't even use the bolt-ons make it ugly for the rest of us when their systems are compromised and used to attack ours.

How do we fix this mess? At the core of all things computerized is software. We need to become obsessed with safe and usable software and applications. We have to stop accepting licences for products built to make people lots of money with little regard for users' well-being. Stop expecting your software to fail and expose your business and your children. Think of it this way: if your car failed as often as your OS or applications, would you buy that car again? Probably not, and you would light up the social media channels with the reasons. So why give money back to the same developers who exposed your data in the first place? Or why pay someone who did not perform basic security or privacy testing on an application?

Help stop the bolt-on effect. Be selective about your software providers. Ask them the tough questions about how they perform security testing and ensure that vulnerabilities are reduced to a minimum. Then have them prove it! Take a peek at how many CVEs have been reported against them. This includes your mobile apps. You might be surprised to learn that the folks who develop these apps have little to no formal software training, yet collect and store your confidential and proprietary data. How safe do you feel now?