In 2018, to support our vision of world-class security, LogMeIn leadership decided to dedicate a full team to taking care of and constantly improving LastPass’ security. Our team was formed to get the most from the company standards and raise the bar of security across LogMeIn by providing a great example for every other product.
Building a Dedicated, Versatile Security Team
The team initially consisted of LastPass engineers who were enthusiastic about security, to guarantee hands-on domain knowledge and to make sure we were able to act on issue resolution and mitigation. As the team grew, we added security experts to bring in the attacker mindset, combining the best of both worlds: the attacker and the defender mindset represented in one team. From the beginning, the team was geographically distributed to cover more working hours across the globe.
The team is built around multiple topics and focuses on satisfaction of both internal and external customers. External customers include LastPass users and the security researchers we engage with on Bugcrowd. We work hard to make them feel more secure, to build trust with us and our product, and to keep them satisfied with the offered services. Our internal customers include engineering, product, sales, marketing, PR, and the customer care organization, all of whom work to support the LastPass service. We are providing services for them to rely on any time security comes into question.
Improving Our Bugcrowd Program
Our first target for improvement was our public bug bounty program. Rather than rotating responsibility for security issues among individuals or teams, we now have a dedicated team. This has allowed us to improve our response time, follow a more standardized process internally, and communicate more openly. We’ve also been able to improve our relationships with security researchers. We are able to be involved in the early stages of submission validations if needed, and are able to more quickly raise awareness internally of any incoming issues in a way that is digestible for stakeholders.
Our security engineers are able to act quickly and start working on fixes or mitigation, and we are also prepared to provide full context, involve engineers from other teams, and coordinate the combined effort where it is needed to fix issues as fast as we can. The dedicated team is also able to identify systemic issues and drive efforts to fix root causes, rather than merely fixing isolated issues.
Last but not least, we recently updated the description and scope of the Bugcrowd program to provide more guidance to researchers, based on lessons learned over the last year and feedback from researchers. We’ve also improved our internal security activities to reduce the attack surface and identify issues before a researcher may find them.
Cultivating a Security-Minded Engineering Organization
In our experience, achieving strong security requires a different mindset, and means spreading knowledge across the engineering organization.
Internally, we started providing more growth opportunities to our engineers, including training on how to acquire an attacker mindset, to learn more about security best practices, and to internalize lessons learned from the field of identity management. With a fast-growing engineering organization, we are also responsible for making sure that everyone, including new hires, is aware of security best practices from the beginning. Our team is dedicated to regularly sharing lessons learned with the entire LastPass and LogMeIn engineering organization in different forums. We not only share our security team’s internal knowledge but also include best practices from all over the world, gathered from researchers via our bug bounty program.
In addition to raising awareness, we also actively help our engineers bring the security focus into every phase of software development, from planning through to release, as part of our standardized security development lifecycle practice. Because our dedicated security engineers share the same domain knowledge and are working on the same code base as all LastPass engineers, security design review sessions are even more fruitful and interesting. Our engineering teams are proactively requesting reviews by our team to see what we can find together.
Threat modelling and security review sessions are kept professional and even spiced up with some fun. We use an escalation-of-privileges card game for threat modelling. We make sure we have a constructive atmosphere in which we tear apart a solution together, including the engineers who originally planned and implemented the code. Everyone is interested in finding issues to win the game.
The human factor is always mentioned as a problem in cybersecurity. I think it is only a problem if you do not allocate enough time and effort into raising awareness and training people. Also, supporting engineers with reasonable and effective processes – and educating them on why – will motivate them to follow those requirements, instead of looking for loopholes that could lead to bigger issues. With a dedicated security engineering team, we are able to constantly work on improving processes and helping people based on their feedback and their needs.
As a result of building a mature engineering organization focused on security, we are much more effective in maintaining our vision of world-class security. It remains our mission to deliver customer satisfaction by delivering secure solutions that our customers can trust to secure the data of their businesses and their families.
Ferenc Kun is the Security Engineering Manager for LastPass at LogMeIn. He focuses on leading a dedicated security team that oversees compliance and penetration testing, security assessments of the product, and integrating the key pillars of core SDL into the development lifecycle. Ferenc has been with LogMeIn for 5 years, with experience as a developer for multiple LogMeIn products.