Highlights from the FTC’s Second “Start With Security” Initiative
On November 5, the FTC hosted its second “Start With Security” event in Austin, Texas in an effort to provide companies with practical tips and strategies for implementing effective data security.
FTC Commissioner Terrell McSweeny opened the event by discussing the FTC’s “Start With Security” business initiative and guidance document, which distills the “best practices” (and not-so-best practices) seen in the 50+ data security cases brought by the FTC. A few key takeaways from the Commissioner’s opening remarks – (1) ensure products live up to advertised claims and promised privacy practices; (2) even in the rush to innovate, privacy and security should not be overlooked; and (3) from the FTC’s perspective, the standard is not “perfect” security, but “reasonable” security.
The event continued with a series of panels providing information on security by design, common security vulnerabilities, strategies for secure development, and vulnerability response.
- PANEL 1: Starting up Security -- Building a Security Culture
The first panel included a discussion with founders, executives, and employees at major companies to better understand how information security can be a core value and ways to address and mitigate common security vulnerabilities. A common theme of the panel was that security should be incorporated into the company’s culture from the beginning. While this is often a top-down approach beginning with a push from senior-level executives, it may also require building a security culture from the ground up. Panelists agreed, however, that it is most cost-effective to build in security from the beginning, rather than having to address security vulnerabilities after the fact. This is especially true as more start-ups and companies are moving to cloud-based platforms. Panelists also addressed common vulnerabilities, the importance of having a proper risk management framework, and appropriate security training for employees. Although companies should consider potential threats and vulnerabilities from the start, this should be an ongoing process, and companies should continually evaluate how PII comes in, how it is used, where it is stored, and with whom it is shared.
- PANEL 2: Scaling Security -- Adapting Security Testing for DevOps and Hyper-Growth
The second panel focused on how security testing can be automated and adapted for a world of continuous delivery in a high-growth start-up environment. The discussion began with an overview of a recent study of approximately 35,000 websites which found that once a vulnerability is known, it takes on average nearly 200 days to fix it. Panelists commented that this statistic underscores the importance of a robust security system, particularly in a world where deploying new code multiple times per day is becoming more commonplace. One panelist noted that an easy place to start security monitoring is with maintaining and analyzing internal data logs to determine the most vulnerable places within a system and focus on running security tests in those areas. In addition to highlighting a number of specific security tools that start-ups can utilize to make system testing more efficient, panelists also stressed the need for security personnel to communicate effectively with developers and project managers about known vulnerabilities and threats. For instance, rather than preparing a 50-page security issues report, panelists suggested that security team members should distill any issues that are discovered down to essential threat information so that developers can address these problems quickly. Panelists noted that certain tools that enable automated testing, such as Gauntlt, can be incorporated into a company’s everyday security testing given that they use language and structures that are familiar to developers.
- Fireside Chat: Investing in Security
FTC Commissioner McSweeny led a brief discussion with a co-founder of an early-stage venture capital fund that invests in technology start-ups, primarily in Texas. Throughout the chat, McSweeny asked questions focusing on why it is important for early-stage start-ups to prioritize security and what role security plays when a start-up is looking for investors.
- PANEL 3: Third-Party AppSec -- Dealing with Bugs, Bug Reports, and Third-Party Code
The third panel included a discussion with security executives at major companies explaining how start-ups can manage risks from third-party code and services as well as how start-ups can harness the security community’s work to improve their secure development lifecycle. Panelists provided recommendations to start-ups about how to best manage service providers and how start-ups can vet third-party components. Specifically, start-ups should create channels or processes for addressing vulnerability reports, particularly if the start-up is writing its own code. The panel also introduced a new “Vulnerability Coordination Maturity Model,” which provides start-ups with a baseline assessment of their security programs and provides companies with advice regarding five main principles: (1) organization, (2) engineering, (3) communications, (4) analytics, and (5) incentives.
- PANEL 4: Beyond Bugs -- Embracing Security Features
The fourth panel looked at the benefits of and challenges to embracing multifactor authentication, site-wide encryption, and content security policy. Panelists took turns defining the contours of these proactive security measures that can help eliminate vulnerabilities and protect consumers from threats. Panelists encouraged site-wide encryption, highlighting that browser vendors, such as Google, are incentivizing this practice by making it a factor in ranking and rolling out a feature that will warn users when a site does not have SSL/TLS. Panelists recommended that companies have site-wide encryption by default. The discussion around multifactor authentication suggested that although it is a useful trust indicator, there are still significant challenges with this security measure. Describing biometric information as a fad, panelists also cautioned against its use as part of multifactor authentication because biometric information cannot be reset. The panel concluded by addressing content security policy and free resources available online. The consensus with regard to content security policy was that it should be implemented with new software. Retrofitting a content security policy into an existing website or project, while possible, would not be without significant challenges.
The FTC simultaneously released two videos to illustrate lessons businesses can learn from the FTC’s more than 50 data security settlements. The first, Implementing Strong Password Policies, includes tips on password practices that can help protect businesses. The second, Secure Devices and Paper, talks about the risks posed by a lax approach to securing files and devices, and simple steps to keep them safer. The FTC’s next “Start With Security” event will be held in Seattle on February 9, 2016.