For example, you should run vulnerability scans on your infrastructure, but don't. Perhaps your company doesn't have vulnerability disclosure policy, but should.
I no longer work at the company, but I used to work at a startup doing IoT devices. Our cloud server didn't stay up to date with security vunerabilities as we should have. Basically letting Mysql get behind in versions. There was also the issue of SSL being forgone in the name of time saving since I was the only one working on infrastructure. The development platform we were using broke on older versions with SSL enabled, so it was thrown into the wind before I had the time to deal with it.
This was due to being inexperienced with the work, too many duties, and a time line that didn't give me the time that I needed to fully understand some topics.
TLDR;
-Security vulnerabilities from version updates
-SSL on some platforms
-Not having a dedicated / experienced individual on staff for dev ops in general
Thanks, this is super helpful! I'm curious what other startups go through and how they juggle the business pressure with building something that is secure... or don't.
I'm not surprised to see that the first thing you listed was patching known vulnerabilities. Staying up to date with known vulnerabilities is the baseline of a security policy, but patch management is needlessly hard, especially if you don't have dedicated staff to scour security mailinglists.
We built a product to make this easier: https://appcanary.com . Maybe it would have helped your old employer.
Absolutely. I think many companies don't have DDoS protection on their online infrastructure.
Patching, changing admin and default passwords, periodically changing passwords are all practices that fall behind.
With the rise of IoT and more and more devices that can be infected with malware, these connected devices get ignored. We protect our PC and maybe our mobile phones, but what about our IP-connected cameras and office phones. You can use the Mirai scanner to see what devices are vulnerable: https://www.incapsula.com/mirai-scanner/
From a sysadmin/devops PoV boils down to flexibility. Security comes at the expense of flexibility and flexibility is more important for the survival and well-being of many/most IT companies and its especially crucial to startups.
5 comments
[ 4.1 ms ] story [ 20.1 ms ] threadThis was due to being inexperienced with the work, too many duties, and a time line that didn't give me the time that I needed to fully understand some topics.
TLDR; -Security vulnerabilities from version updates -SSL on some platforms -Not having a dedicated / experienced individual on staff for dev ops in general
I'm not surprised to see that the first thing you listed was patching known vulnerabilities. Staying up to date with known vulnerabilities is the baseline of a security policy, but patch management is needlessly hard, especially if you don't have dedicated staff to scour security mailinglists.
We built a product to make this easier: https://appcanary.com . Maybe it would have helped your old employer.
</self promotion>
Patching, changing admin and default passwords, periodically changing passwords are all practices that fall behind.
With the rise of IoT and more and more devices that can be infected with malware, these connected devices get ignored. We protect our PC and maybe our mobile phones, but what about our IP-connected cameras and office phones. You can use the Mirai scanner to see what devices are vulnerable: https://www.incapsula.com/mirai-scanner/
From a sysadmin/devops PoV boils down to flexibility. Security comes at the expense of flexibility and flexibility is more important for the survival and well-being of many/most IT companies and its especially crucial to startups.