7. Availability
● Pingdom
● Where’s it Up?
● StatusPage.io
○ status.myservice.com: ~ 10%
● Hosting & Infrastructure
○ CDNs like CloudFlare - test with Blitz etc.
○ DaaS like AWS RDS, MongoHQ etc.
○ deployment, e.g. NPM
○ third party JS, tag management e.g. GTM
○ DDoS with botnets, HTTPX
9. Reliability
● Funding or lack thereof, business model
○ or corporate strategy, think Google Reader, G+
● PEBKAC
○ Google Docs, Yammer
● API availability ~ data backup an option
○ programmableweb.com
○ Kimono
● Backupify, Import2
10. Privacy
● Third party JS, GA has 20M accounts
○ BuiltWith
● Retargeting cookies
● Email/IP to user info on social media
○ Rapleaf, Rapportive
○ Intercom
○ FOAF
● FastMail, Minerva Fabric
○ PGP
11. Attack Vectors
● Social engineering, war driving, sniping, drones?
○ Apple Amazon hack
● Rootkits, keyloggers
○ Vodafone Greece example (pre NSA)
● Packet sniffing, port scanning
● 0 day exploits, exploit marketplaces
○ WebGL, Java, Rails, OpenSSL/Heartbleed
● DNS, SSL intercept
○ compromised root certs
○ Arab Spring example
16. Attack Vectors
● Infrastructure providers
○ HDDs reused
○ Internal sniffing, e.g. MongoDB
○ OSS clients libs not audited, Nodetime example
● Phishing mails
● Cross site attacks: XSS, CSRF
● Malicious extensions: e.g. Window Resizer
● OAuth, third party app access
○ ~60% use Google for login
● etc. etc.
19. Countermeasures
● Encrypted laptop drives
● Secure passwords
○ LastPass or PwdHash
● Two Factor Authentication 2FA
○ Not enforced by most
● Suspicious activity detection
● Access logs
○ per user audit trail?
22. Politics: NSA, etc.
● Hosting outside of US by a non-US legal entity is a competitive advantage
○ e.g. Upcloud, younited
○ caveat: traffic goes via Sweden
● How many SaaS companies from Estonia?
○ Sportlyzer
○ Weekdone
○ GoWorkaBit
○ InventoryAPI
24. Shadow IT
● Bring Your Own Device (BYOD)
● Bring Your Own Service (BYOS)
● Most companies don’t know what software their employees use
○ … and don’t want to know
● Shared accounts
○ Bitium, Meldium
26. Case Study: StartHQ
● first contact:
○ password reset mails
○ access log monitoring
○ break in
○ disable /admin
○ apply fix
● two weeks later:
○ second break in
○ mail sent to all @starthq.com
○ apply second fix, more attempts, no more breakins
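The "suspicious activity detection" and "access logs" countermeasures above, and the access-log monitoring that gave StartHQ its first warning in the case study, as an added example that is not code from the talk or from StartHQ: it scans combined-format access log lines for bursts of password-reset requests from one IP and for any hit on the admin area. The endpoint paths /password/reset and /admin, the thresholds, and the log lines themselves are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx combined log format; captures client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
RESET_PATH = "/password/reset"  # assumed reset endpoint
ADMIN_PATH = "/admin"           # assumed admin area (the one StartHQ disabled)


def parse(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_alerts(lines, reset_threshold=5, window=timedelta(minutes=10)):
    """Flag (a) any request into /admin and (b) >= reset_threshold password-reset
    POSTs from one IP inside a sliding window. Returns a list of alert tuples."""
    alerts, resets = [], defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["path"].startswith(ADMIN_PATH):
            alerts.append(("admin_access", rec["ip"], rec["path"], rec["status"]))
        if rec["method"] == "POST" and rec["path"].startswith(RESET_PATH):
            resets[rec["ip"]].append(rec["ts"])
    for ip, times in resets.items():
        times.sort()
        for i, start in enumerate(times):          # sliding window over sorted times
            end = i
            while end < len(times) and times[end] - start <= window:
                end += 1
            if end - i >= reset_threshold:
                alerts.append(("reset_burst", ip, end - i, start.isoformat()))
                break                               # one alert per IP is enough
    return alerts


SAMPLE_LOG = [  # constructed sample; RFC 5737 documentation addresses
    '198.51.100.4 - - [10/Apr/2014:09:00:01 +0000] "GET / HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/Apr/2014:09:00:05 +0000] "POST /password/reset HTTP/1.1" 302 0',
] + [
    f'203.0.113.7 - - [10/Apr/2014:09:{i:02d}:00 +0000] "POST /password/reset HTTP/1.1" 302 0'
    for i in range(1, 8)
] + ['203.0.113.7 - - [10/Apr/2014:09:09:30 +0000] "GET /admin HTTP/1.1" 200 2048']
```

Run `find_alerts(SAMPLE_LOG)` to see one `admin_access` and one `reset_burst` alert for 203.0.113.7; the single reset from 198.51.100.4 stays below the threshold.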