5 min read

Data Security and Privacy for your Remote Product Teams

Hello Readers! We have been doing a bunch of interviews with company CXOs to unravel experiences to help us thrive in the #thenewnormal.

About Appescco

Its leader provider of security software & services used Fortune 100 companies in SEO

About the Founders

Remote working is adopted today unprecedentedly despite it being around for a while. While there is a lot spoken about reducing the emotional distance, another critical conversation around data security is gaining ground. To gain more insights into the data security aspects, we caught up with Akash Mahajan, Co-Founder Appsecco, experts in Application Security and Consulting & Training.

 

Co-founders of Appsecco
Gwilym Lewis & Akash Mahajan— Co-founders of Appsecco. 

Enlighten us about Appsecco and how it started?

Akash: Appsecco is a specialist cloud and application security company, founded in 2015, with a presence in London, Bangalore, and Boston. Our clients range from some of the world’s largest financial institutions and professional services firms to leading international retailers and retail brands and from large-scale, heavy engineering companies to cutting-edge technology companies across the globe.

We focus on testing products and applications (web and mobile) hosted in cloud environments such as AWS, Azure, GCP, Kubernetes. Wherever applications and products can be installed and run, we can test them for security issues.

We work with teams who are using DevOps and help them embed security best practices in their CI/CD pipelines and cover various aspects of strategy and implementation around secrets management, automating compliance activities, vulnerability management, and more.

Let me take you through our interesting story. I have known Gwil for over a decade. I was a security consultant at his previous company on client security matters.  As a business owner, Gwil saw several challenges regarding data security. One of them was that the buying security market was loaded against the buyers.  Even after paying for the services, there was no way to understand if the buyer got value or not. Lastly, Gwil was unsure if the buyer was protected against the specific threats that the service was meant to mitigate.

While working together, we tackled the communication around explaining the benefits of security testing and helping people understand risk in a manner that businesses needed to. Additionally, we figured out that the world has moved towards primarily using self-service cloud solutions. Thereby, it made us realize that there are not enough trained people to ensure web applications and mobile applications were configured and coded securely. Consequently, we decided on a good place for us to start.

When it comes to security, what is your view on what Product teams should focus on?

Akash: Your product team must build things by considering the important criterion. Here are some of the security concerns that one should be aware of:

  1. Data Security
  2. Access Control
  3. Account Takeover
  4. Data Leakage

Data security is of paramount importance. Any team which collaborates to build a product may work on all the blueprints, mind-maps, design documents. Normally these would exist on physical whiteboards inside office premises but now are digital documents. These need to be kept safe from external attackers, insider threats, and unintentional publishing. The main reason for the protection of digital documents is because these are available for collaboration amongst the employees.

The moment we start thinking of tiered access, we need security to control such access. For instance, a product roadmap may be available for everyone to view but can be edited by the product manager only. Some of the collaboration tools may not support granular access and might require everyone to download the digital files onto their laptops.

What are some of the vulnerabilities you find as a Security expert?

Akash: Good question. Once the information has reached the laptops of the team members, everything that can be connected to the Internet is a potential threat.

Right from the web browser (hopefully patched and not containing any privacy infringing browser extensions) to the wireless ISP broadband router (hopefully not using the default username and password).

To take over accounts, attackers can misuse trust to steal usernames and passwords. They can steal sensitive information even if it is 'logged in' in their session information. Here are some quick tips to help you:

  1. Do everything over HTTPS (TLS/SSL).
  2. Make sure the software used is patched.
  3. Ensure broadband routers have secure passwords.
  4. Enable 2-factor authentication (2FA).

We are currently sharing our workspaces and the blur of family and professional lives are invisible, do you see any issues arising with this?

Akash: A very real problem indeed. While we worry about sophisticated network hacking attacks, in a lot of cases, family members may just share computers that may inadvertently be privy to sensitive corporate information. One area that most of us overlook is the prevalence of smart speakers recording everything.

When working from home, keep a note of the following things:

  • Source Code
  • Design Documents
  • Raw video/audio
  • Shared accounts
  • Corporate Email
  • Server Credentials and Passwords
  • Product Roadmaps
  • Confidential Discussions
  • Access to AWS/Azure cloud as Admins
  • Customer Lists/CRM Exports
  • Financial reports and access to bank websites

OKRs are fast being adopted by Remote Teams to drive outcomes. What would be your OKR picks for product teams?

Akash: Yes, OKRs are a great way to drive the culture of security. Here are my top picks, in the context I picked a dev-ops team.

Objective: Create an unbreakable software platform for end-users users to trust.

KR 1: Centralized Console with automated threat Response for 99.9% of threat vectors

KR 2: Cyber Defence Shield for employees to reduce internal threats from 20% to less than 2%

KR 3: Secure by design with 4 independent design reviews

KR 4: 95% automated security scan coverage on code & platform

Fitbots Team: Awesome! Thanks, Akash. What would you want to leave teams with?

Akash: One thing that anyone who cares for security should do is remember this mantra — It is okay to trust as long as you verify