Try it for free

How to turn a credentials breach in a development opportunity

Valerio Barbera

Hi, I’m Valerio founder and CTO at Inspector.

Recently my personal account on one of our company’s tool was cracked. My credentials have been stolen so the attackers have had access to this service with our credit card attached.

There were no risks for our users security, but only for our bank account, because attackers could use up our credits or use our account for public spam activities.

This experience has made us much more aware of the value of using (and develop) safe tools. We have therefore decided to bring some new features into Inspector that allow our customers to keep their account more secure, avoiding being victims of these violations as we have.

Regaining control

As soon as we realized that something was wrong with our tool, we’ve immediately disabled the credit card and removed the tool from our stack.

There were no risks for our users security, but only for our bank account.

Compromised credentials will always present a risk, but there are policies that can mitigate that risk.

The first step is to establish policies for the strength and management of passwords. Not all credentials are created equal.

For accessing sensitive information and for administrative access to internal working tools, stronger, more complex passwords and additional factors such as biometrics, cryptographic keys or 2FA confirmation codes are now required by default in our company.

This includes also all social media accounts of the entire team.

Now it’s time to bring what we have learned on Inspector. Below I present you the next security features we have decided to implement in Inspector.

Feature 1 — Control Logged-in devices

It is an essential feature to allow users to view the logged-in devices and easily log-out from a specific device with a simple click.

Below the detail of what we want to develop:

  • Displays currently logged in devices for a user in the profile section.
  • Log out from any specific device from the list of currently logged-in devices.
  • An option to log out from all other devices except the currently logged-in device.
  • An option to disable multiple device logins altogether. This means that a user can only be logged in from one device at a time.

If you will log in Inspector from your smartphone, you will see this new device in the logged-in devices list. This will allow you to identify unknown devices in the list, disconnect them with a simple click, and change your password to protect your account from unexpected authentications.

Feature 2–2FA Authentication

Are you using the same password for multiple websites including Inspector? Are you accessing Inspector from public or shared computers?

Such action weaken your password and make it easier to steal.

That’s why we’ll implement two step verification. An optional security feature that helps protect your account even if your password is stolen or cracked.

This feature will improve security because signing in requires two things:

  • Something you know: Your Password
  • Something you have: Your Phone

If an attacker crack your credentials he cannot authenticate into your Inspecotr account because he doesn’t have your phone to provide us the security code.

Conclusion

While a startup grows fast some incident can happen, but the most important thing is to learn from mistakes and put our experience at the disposal of our customers.

I hope you appreciate our work to make Inspector a safer and more efficient product with the aim of helping you reach your goals quickly and easily.

Related Posts

How to deploy a NodeJs server using Laravel Forge

Hi, I’m Valerio, software engineer from Italy, and C.T.O. at Inspector. We recently worked to replace the http handler behind our ingestion endpoint (ingestion.inspector.dev) with a new implementation in pure NodeJs. This endpoint receives monitoring data sent from all applications connected to our Code Execution Monitoring engine, and it treats more than 5 million http

February 7, 2021

Twilio SMS Notification Channel

Hi, I’m Valerio software engineer from Italy, and CTO at Inspector. I am really happy to announce the general availability of our brand new “Twilio – SMS” notification channel. If you are a busy developer you now have one more option to intelligently forward your application monitoring notificiations directly in your smartphone, stay informed about

January 20, 2021
Laravel Vapor implementation

How to make Inspector work on Laravel Vapor – Verifarma.com case study

In this article I’ll show you the code implementation to make Inspector work when your Laravel application is deployed on the AWS serverless environment using Vapor. The launch of Vapor was a big news for the whole PHP/Laravel ecosystem. It allows developers to deploy Laravel applications on AWS Lambda environment, the serverless infrastructure of AWS,

December 16, 2020

Stop losing customers and money
due to technical problems in your applications

Monitor performance of your code execution in real-time and identify bugs and bottlenecks before your users do.
Getting started for FREE
Simple Code Execution Monitoring, built for developers
Company
Company
2020 © Inspector S.R.L - VAT: 09552901218
Facebook
Twitter
Linkedin
Medium