Stuart Hirst, IT Security Manager of Edinburgh-based flight and hotel comparison site Skyscanner shared his approach to IT security this morning, explaining how he does DevSecOps for the company.
Hirst, father to a newborn, who amused everyone by asking for a coffee when going on stage at Cloud Security Expo, got up to share what he's learned in leading the two-year journey of setting up the security function for the company.
“We have a logo, so we must be important,” said Hirst who said his team created their own logo. The team wasn't there when he joined to one person and they are now a strong group of seven, and are also after a CISO.
So how do they strategise and ensure they don't miss things? “Do I follow ISO27001, BSIMM? Or one of the many others?”, no, said Hirst, “I spoke to people.” He took time to understand the business, its goals and where it could improve.
Hirst split his team into two. One part concentrates on SecOps, taking care of endpoint security and the users, and the other concentrates on product, to ensure any code which is pushed out “hundreds of times a day” to customers is the most secure it can be.
A big believer in Amazon's AWS cloud infrastructure, Hirst shared that Skyscanner is looking to follow in the steps of Netflix and entirely migrate their IT infrastructure over to the cloud. The scotsman said in the next 18 months the transition should be completed and the company is currently teaching it developers to code for AWS.
When Hirst joined Skyscanner, he said the company was not participating in any kind of bug bounty programmes. Skyscanner is now hosting its own 365 day bug bounty through Bugcrowd, however it wasn't always that easy. Hirst said his team does a lot of work with developers to ensure their code is secure, too.
Hirst said there are lots of developers who want a quick and easy reward and move on after that. When they get paid, some developers do simply move on to other bug bounties, and some are only interested in finding a particular kind of bug, like XSS bugs, and so Hirst suggests stamping out all XSS bugs at once, then moving onto the next type for a more fruitful experience.
Skyscanner's team has led the implementation of two-factor authentication throughout the organisation. “Despite it being a pain to implement,” Hirst said, he argues that having it on VPNs, on both Windows and Mac logins, on all web portals, on apps and SSOs, it significantly reduces the attack surface a criminal might have when snooping around a specific company.
Hirst said Skyscanner is big on data protection of personally identifiable information (PII), claiming a leak of it could you get lots of press coverage for all the wrong reasons. “We can't afford not to protect it, and I find the amount of companies who don't astonishing.”
Hirst then warned of the dangers of credentials in code, which are often pushed out to public websites like Github and aren't hashed and left in plain-text.
“On the topic of passwords,” said Hirst, “do feel free to come up to me after this talk and tell me why any one of these password manager brands are littered with vulnerabilities.” Hirst explains that despite those, he still advocates for their use to reduce password reuse and its associated dangers.
A big believer in automation, Hirst detailed Skyscanner's use of a SIEM and Slack to give real-time security updates to both his team and users to let them know something has gone wrong.
Skyscanner do carry out user education, but try and make it as fun as possible. For example, a member of Hirst's team said he found an excel spreadsheet with all of the company's social media login details, and to train employees on what the consequences could have been if it has gotten into the wrong hands, Skyscanner's security team chose to post fake stories on the company intranet from the BBC about a leak in the company, leaving a small note at the bottom which said, “this isn't a real story, but one which could be if we aren't more careful about security.”
However, Hirst argues that he will “never be able to change the behaviour of 900 people”, and so looks to remove humans from the equation.
Concluding, Hirst shared some lessons on what hadn't gone so well: code scanning. “We spent lots of money on some very expensive tools, and it didn't support out version of Python, and didn't work very well for our setup.”
Hirst said he had learned to take a step back claiming, “despite what the press tells you, not everything is critical.” Referring to the Cloudbleed vulnerability, Hirst quoted Cisco in saying there was a one in 3.3 million chance of an HTTP request containing login information.
Hirst claimed, “we need to learn to focus on the important stuff, and shout about our successes more often.”