Uncertain Times: Securing Rails Apps and User Data


Formal metadata

Title
Uncertain Times: Securing Rails Apps and User Data
Series title
Part
3
Number of parts
86
Author
License
CC Attribution - Share Alike 3.0 Unported:
You may use, modify, reproduce, distribute and make publicly available the work or its content, in unmodified or modified form, for any legal and non-commercial purpose, provided that you credit the author/rights holder in the manner they specify and pass on the work or this content, including in modified form, only under the terms of this license.
Identifiers
Publisher
Year of publication
Language

Content metadata

Subject area
Genre
Abstract
It's what everyone is talking about: cyber security, hacking and the safety of our data. Many of us are anxiously asking what can we do? We can implement security best practices to protect our users' personally identifiable information from harm. We each have the power and duty to be a force for good. Security is a moving target and a full team effort, so whether you are a beginner or senior level Rails developer, this talk will cover important measures and resources to make sure your Rails app is best secured.
Transcript: English (automatically generated)
Protecting your Rails app and user data. How many of you here were at DHH's keynote this morning? Cool, almost, I think, all of you. So I was also there, sitting in the audience, and I noticed that a lot of the themes he had in his keynote are actually similar to what we're going to be talking about today, so I'm excited for that. I'm super excited to be here. This is my first ever conference talk; I can't believe it's here at RailsConf amongst this awesome community. So just one note: if you're looking for a chore list of what to do for putting in security measures, it's not going to be exactly that, but I'm hoping to start a conversation here and really start talking about security in a new light. So let's get started.

So originally, when I was creating this talk many months ago, the title was "Uncertain Times Ahead", but in those couple of months a lot has happened. It's been some untrying times. Yeah, another connection to DHH's talk, the juice arrow, what was up with that? I don't know. But it's not uncertain times ahead, it's uncertain times now. Uncertainty has always been here, and especially now.

I am Krista. You can find me on Twitter, Krista A Nelson. A bit about my background: went to a big university, studied math, went to a big corporation, spent a lot of years making rich people richer, got sick of it. I went to the Turing School out in Denver; it's an awesome seven-month Rails program. If you haven't heard of them, check them out. And then after that I was looking for my next career and my next job. I really wanted to make sure that I found something that I was passionate about, you know, I'm not just making other rich people richer, and if I'm going to wake up and work hard every day, I'm doing something good. So I found Glassbreakers, which is an enterprise platform that connects employees on personal identifications, so things that are really sensitive like your race, gender, sexual orientation, also some more fun things too, like foodie or hiker. But why we are there is to again connect people, to build a platform to empower them, and so we want to make sure that we're not putting them at more harm by having them trust us with their sensitive data and not treating it well.

So when people ask me what I do at Glassbreakers, it's hard for me to come up with an answer, because, you know, I'm a back-end developer, but I do more than that. I really focus on the security and making sure that we're doing everything that we can do. Unfortunately, when you say you work on security, people's minds think security, network security, firewalls, and they start asking me all these really complicated questions that I actually don't focus on day by day. So I was trying to come up with a new way of explaining what I did, and I really had to think: why do I go to work? What am I doing? I'm trying to build something that's going to help people, and I'm trying to protect them from harm's way, or bad. Then I came up with "I'm a protection advocate", but then I thought that might sound like I'm advocating for a different type of protection, which I advocate for all protection, so I landed on developer user protection advocate. So that's what I'm going to go on for from now on. I hope there's some more of you in the crowd, and I hope after this talk you'll all want to become user protection advocates, because I think we need a lot more in our community.

So this has been me pretty much the last year, digging into security ever since I've taken over the focus. I've just been reading blogs and blogs and blogs. If you google "software security", oh my goodness, the outcome that you get from that, there's just so much to dig through, and the more and more I read, instead of becoming more clear on what I needed to do, I was getting more clouded, kind of more confused, like, what do I focus on? This? Do I focus on that? You know, where do I go? So then I started talking to everyone I could, anyone I could talk to about it. I would try talking to my co-workers, my parents (they're so sick of me talking about this), my Lyft drivers, my mailman, you name it, I was talking to them about security. And I noticed two things. Everybody loves talking about security. Everyone has their favorite breach story, you know, like the Ashley Madison, the LinkedIn, the Yahoos. Everyone knows it's a problem; they have a favorite story. And then the other thing I noticed was everybody had an excuse why they didn't have to worry about it, like, "oh, it's a good thing that at my company we have a security team, so I don't even know what they do, but they handle it, I don't have to worry about it," or, I hear this a lot, "oh, our company is too small, it's lucky we don't have to worry about it, we don't have any information that's sensitive, we don't have to be, you know, HIPAA compliant, so we're good, we don't have to worry about it," or, "yeah, I know we have to worry about it, but we just have to get out our MVP; once we get out our MVP then we're going to have all this time." I'm sure a lot of you have heard that before, like, we'll have time in the future, but that never comes. So I know there's this big disconnect: everybody knows it's a problem, everyone knows the
stories, but nobody's taking action on it. So why is there that disconnect?

At the same time as doing all the security research, I was also getting ready to go on my next hut trip. So every year I go to Colorado, and our friends and I get together and we hike seven miles out into the middle of nowhere on top of a mountain, with no cell phone, no Wi-Fi, hike through avalanche zones, to completely disconnect. And as I was preparing for this I was also talking to people about it, and everyone didn't get it, like, why would you do that? Why would you spend your time off and want to put all that effort into doing something that is so dangerous? You know, there's so many risks: you could have a blizzard, you could get lost, there could be an avalanche. But to me it was in my heart; I knew why. It wasn't a question, I knew why I would want to do that. It's worth it, the journey is worth it, it's this beautiful atmosphere, and there are risks, but you just handle it. You know, you do your training, you get your gear list, it's just kind of built into the process where you're kind of always thinking about it but never realizing how much you are thinking about it; it's just part of the process.

So then I kind of had this aha moment: they're kind of similar, right? There's a lot of risks in security, there's a lot of risks in backcountry. Basically you need to figure out how you can best protect yourself. But what was the difference between me handling our security research and this avalanche safety research? And it was the passion. So here again, risks. Out of all of the research I've done on security or on avalanche training, every tip and trick and recommendation, when you really do look down to what they're suggesting that you do, it's just understanding your risk: understand what is the probability that this is going to happen, what are the consequences if it does happen, and then how can I minimize my vulnerability to that and how can I limit my exposure. So if it's so clear that all we need to do is, you know, look at our risks, always be assessing our risks and figuring out how we can limit our vulnerabilities and exposure, why is this a 350 billion dollar industry, right? And I think this is the problem here. So it says, "One cannot be prepared for something while secretly believing it will not happen." And I think, going back to all the talks that I had done, there was one common theme: it won't happen to me. It's not going to happen to me; it sucks for the people it does happen to, I hope they're doing something to protect themselves, but it's not going to happen to me. Also, when I was doing those talks, I realized some of these companies, I'm actually a user of; I use their product, and I hear, "oh, do you do security training?" "Nah, like, we don't do it." And then I realize I am trusting in these companies just as the users at my company trust in me, and I want to make sure that they're preparing for me just as I'm preparing for our users.

So to help try to get through this "it won't happen to me" mentality, here are some stats. 43% of cyber attacks target small business. So I think a lot of companies think, oh, they're only after the big dogs, they're only after enterprises, but no, 43% of attacks attack small businesses. You might think, okay, still won't happen to me, like, there's a ton of small businesses, but out of all small and medium-sized businesses, 55% reported that they had a cyber attack and 50% reported they had a data breach. Again, that's just the percentage that reported it; a lot of companies will go an entire year without even knowing they were attacked. So it's now obvious there is a good chance you are going to get breached or cyber attacked. But then oftentimes you hear, well, how bad can that be? If this is happening to everyone, you know, they get through it, we'll be fine. But 60% of small companies that suffer a cyber attack are out of business within six months. This is what my brain felt like when I heard that stat. We work so hard to try to get our companies to flourish and thrive, and yet 60% of small companies that suffer a cyber attack are out of business within six months, and 55% report a cyber attack. So often people say, okay, well, we'll buy a product. "You're right, we get it, we'll buy a product, we'll throw money at it, that'll fix it." 48% show root causes from a negligent employee or contractor, and 41% show root cause from a third party. So again, even if you throw as much money at all the products that you want, how are you going to get control of your employees and third parties? 63% of companies have confirmed a data breach leveraged from a weak, default or stolen password. So I already had to change the title once; I'm changing it again, now to "Change Your Passwords and Enable Two-Factor Authentication". If there's one thing I can get out of this talk, I hope all of you have secure passwords and two-factor enabled. So also, 63% of businesses don't have a fully mature method to track and control sensitive data. So most of us are going to get hacked, we know it's a problem, yet the majority of us don't have a system in place. So let's hit the road and see what we can do. I'm going to talk about three things: how to get everyone involved, mapping your sensitive data, and securing your software development lifecycle. All
right, so get everyone involved. So back to those conversations that I was having, and again, so many people were saying, "I don't have to be involved, we have a security team, they handle it." When you are out in backcountry, even if you have the best expert with you guiding your group, if you have one person that's having an off day, not paying attention, if they make one wrong turn, they can trigger an avalanche and put your entire group in danger. If they're not prepared to know how to use the tools that they have, how to use their beacon, their transceiver, the skills it takes to locate a person and probe them and where to dig them out, again, you're putting your trust in them that they're here to also protect you. So again, it doesn't matter if you are an expert, if you have an expert; if you have one person in that group that's not prepared, it can be really costly.

So one issue I found is you have to talk to leadership. So how do you get everyone involved? Again, everybody's busy. Usually now everyone's wearing multiple hats, there's deadlines, you have to get your project done, you don't want to get in trouble, so you just need to do what you need to do in order to get your work done, and if you have time later on to learn some security things, cool, but you need to focus on what you need to focus on. I noticed too that if leadership is not on board with this, they're not going to understand that they're the ones that need to lead by example and do what they can do to make sure that they're protecting the company, and then also understanding and allowing time, budgeting time, you know, if something didn't hit its deadline, understanding, was it because they were just trying to be secure and be careful and make sure the product was safe. So how do you get leadership to buy in? So again, show them the stats: 60% of small companies that suffer a cyber attack are out of business in six months. So again, when you're getting pressure from leadership to, you know, focus on other things, just remind them that if they want to make money, 60% of small businesses are out of business. Also remind them of what the bottom line is. Regardless of what your bottom line is, if you're there to make money, if you're there to help people, or if you're there to help the planet, you're not going to be able to do those things unless you are fully bought in on the team. Like, this is why we're here, we are waking up and working our butts off in order to do one of these things, or maybe all three. And so again, when you're budgeting time and getting efforts, make sure that they understand that if you want to make money, I think for the small and medium-sized businesses it was almost a hundred K cost for each breach that they had. So again, putting some time up front can save the company lots of money.

Again, if you're here to do good: I just saw on the news there's this awesome new app that made me really excited. I can't remember what it's called, but it's basically a panic button for those that are in fear of getting attacked last minute by immigration, and it's this really great concept. You have your contacts and a message to each contact, where if something happened you can hit the button and it will send messages to those contacts. I was excited to hear about this project, I thought it was great. I went to their site and I noticed they did not have the certificate, the SSL certificate, up in the browser. Broke my heart. And on the page there was a form where you put in your phone number, and so, you know, that's what I'm thinking about now, is security. If you're putting in your phone number, again, you can identify someone by their phone number, and providing all of this very sensitive and secure information, if it's not at a trustworthy company, you can end up doing way more harm, if that information got breached, than it would have done good. Luckily I went in and I checked the form where they got the phone number and they had the encryption at the form level, but again, if you were unknowing and you went to the site, it'd be really easy to have a phisher where they made a site replicating this other site and you can put in your phone number and they would know who's in fear of getting into that situation. So again, make sure you can continuously kind of give this message back to the company of why are we here, what are we passionate about, what are we protecting.

All right, so how do we get everyone involved? So make sure that everyone at the company is included in this program. So that includes employees; it also includes contractors, anyone with access to sensitive data and code. One of the great things about the Rails community is mentorship is really big here, so if you have a mentor or an advisor that can see your code or can see your sensitive data, make sure that they are also on board. So every single person, anyone that has access to any part of your information, make sure that they understand what is considered sensitive. And I think most people assume we know, okay, a social security number is sensitive information, but talking to the full team it was surprising to see how many people didn't realize a name, that's sensitive; an email is sensitive; even just knowing that you're a part of an organization, if you're signed up for an application, could again, if someone got it in the wrong hands, be harmful. Why? So protect yourself, users and the company. I read a blog on the onboarding for startup security, and it broke down what it really meant when you signed your documents, and it included: so these companies do get breached, and what happens when you get breached? You could be sued, they could take an image of your computer, knowing what information they're going to have. I'm sure a few of you maybe sometimes have once or twice done a personal thing on your professional laptop, maybe you checked your email or your bank statement. Understanding, when you're signing those docs, what you're putting yourself up for, and again your users and your company. Make sure that everybody knows when to say something. I think a lot of people can be afraid of security, so maybe they did click a link that they shouldn't have clicked, and they think, oh, should I, I probably should tell someone, but let them know when they should step up and say something. And then where: have a repository for all your policies and make sure that all of your employees can have access to that and easily pull it up if they ever have a question.

All right, so now, password managers. Who here uses a password manager? Nice.
This is so great. So most of the room is using a password manager. I think also we need to step a little bit outside our bubble. It's so great that we all are using password managers, but as I've been doing these talks and really talking to everyone, most people don't actually know what a password manager is yet. So a password manager is just a way that you memorize one password and it'll generate random passwords for all your logins, so that way you can have different logins for every system. You can go to, I think it's www.haveibeenpwned.com, you can put in your email and it'll show you if your email and password has already been hacked. And I have a guess that most people have two-factor authentication. And this is another common thing that I heard when talking to people: everybody knows they should use two-factor authentication, but then you hear, "but it's so annoying, I have to get up and get my phone, and I don't have time for that." But again, it's important, so is it worth getting up to get your phone to protect your users?

Secure your devices. So I live in San Francisco and it cracks me up. I'll often work in coffee shops or go to meetups, and it blows my mind how many times I see someone with their laptop just wide open, and they'll just go more than five minutes without a password screen popping up. Again, most people, you get stickers on your computer, you're wearing shirts, they know who you are, so please put a password lock on your computer. Again, these are not new topics or new subjects or new insights, but how many people are actually practicing that? When in doubt, delete. So if you have spreadsheets of user information or anything on your computer, you don't know if your computer is going to get stolen, so keep as little information on your computer as possible. Be careful what you email. And I think we work so hard to protect our application and our databases, but then we'll blank out and we'll send an email with user information in it to one of our coworkers. And so also make sure that your full team understands that, you know, emailing is not safe, so make sure that you have a way set up where you can pass information through, you know, encryption using a GPG key, or up on Box, but definitely don't email. And also I've heard of so many companies that use Google Docs for everything, and also I see they put user information in their Google Docs, so be careful.

"A good developer is a secure developer." Krista Nelson. So there's a quote by me also. So again, when I say that I work on security, everyone assumes I'm a security engineer, but really this isn't just a task that I should worry about. Like, every developer should be a secure developer, just like this Rails community, right? Like, we all want to write clean code, we want it to be readable, we want it, you know, well-tested. Why do we not put an emphasis on something that is so costly to our programming? So relating it back to DHH's talk: he talked a lot about how you have to have roots. If you don't have roots you're not going to understand why you're doing what you're doing, and if you don't understand why you're doing what you're doing, you're not going to care. You're just going to keep doing the motions, be miserable, and this applies to security as well. So again, there's so many chores that you could have to do, and they can seem annoying, but if you really figure out why you're doing it and what the fundamentals are, I think it'll help make it less painful.

So the fundamentals are CIA. So confidentiality: making sure only those who should be able to see the information can see it. Integrity: making sure that that information is what it should be. So again, are people logging in and changing information, are they mimicking, are they trying to, like, duplicate a certificate? How do you make sure that this is what it should be? And accountability: I think we see this a lot with the DDoS attacks, of, you know, if someone needs information, can they trust that it's going to be there?

OWASP. How many people here have read through all the OWASP docs? Okay, a few hands. So this is probably the first thing that I would recommend for developers: go to the OWASP site. It's the Open Web Application Security Project, and it is an open source project with just a ton of awesome tools. They have a fake app setup that you can test and play around with. They have the OWASP Top 10; they just came out with a new release and they're looking for feedback on it, and they're going to do the final release later this summer. But they have these awesome resources. So these are the top critical vulnerabilities that are most likely going to hit your application, so if you can focus on these top 10 you're going to get the majority of the vulnerabilities that you're going to be put at risk by. Again, it's not going to be 100%, but this is a great place to start. Understanding encryption types and hashing algorithms, understanding why it's important: again, I've seen apps where they still have the SHA-1 password. So again, you don't have to know the full details of all the different hashing algorithms, but know what you can trust about them and what you need to know about them.

All right, next: mapping your
sensitive data so when you are going through avalanche zone it is critical to 100% make sure before you go into the zone that you know exactly where your danger zones are because again when you're out there it's very hard to see okay if I step here I'm safe if I step here I'm not safe so you need to
have it well mapped out and know, okay, if I walk through this area I need to put extra caution. You can do things where you send one person through at a time to limit your exposure, you can talk quieter, you don't shout. There are all these kinds of tactics to limit the chance that something's going to happen when you're in one of those zones.

So how do we do that with our applications? If you start thinking about, okay, we have the sensitive data, or we collect all this data from our users, what do we need to keep safe? So personal identifiable information can be so much: again, a name, a phone number, their LinkedIn URL, an image. All those things could tie a user back to the application. If you have any protected health information, that has a whole other set of laws and compliance that you need to enact if you hold any of that information. Payment card information, social security numbers, messaging communications, logs: all these things can have sensitive information, and you need to keep track of all those things.

And if you think about the journey of that information, right, so if you have someone's email address, you know they use it to log in, it comes to the application, it gets saved in the database, it goes out to SendGrid or MailChimp, we send them emails, we have a third-party tool that tracks analytics on that user, maybe there are spreadsheets. Again, so many places that this information could go. Adding in third parties, knowing what information gets sent to what place and who has access to all that information, so again you can be aware of "we need to be safe in this place", or if someone leaves the company you can know exactly where you need to go and check to make sure that they no longer have access to that information.

So 41% show the root cause of a data breach from a third-party mistake, and I think this is one of the things that was really shocking to me too. I think we put so much trust in other third companies. Again, we just assume that they've done their diligence, that it'll actually be safer instead of us having to do our work, we'll make sure that they go and do their work, or we just assume that they went and did their work. But again, a huge percentage of data breaches happen because of your use of third parties.

So before you use a third party, make sure you do a security audit on them. What are their security policies? Who has access to their information? What information are you giving them? Have they done penetration testing? Do they have vulnerabilities? Have they had any recent attacks? You can get there, there's a SOC 2 report, and it'll show all of the security measures that they've been through. So every time that you're sending any of your information from your platform to another company, you need to make sure that they are trusted and legit, and again make sure that that is ongoing too: you know, maybe they were secure but then there is a vulnerability, so you need to keep that line clear.

Also, I think another big thing with third parties is you assume the defaults are secure. So I know there are all these different tools out there that you can plug into for security, and I know one where they were tracking exceptions, but the default was, so it tracks an exception, it grabs the params of the request body and it captures that in time so that it can help you determine what caused the exception. There were no filters. They had all these filter options, but the filters were not default. So again, what information is getting trapped in those params? Raw passwords, social security numbers. So make sure that if you're trying to do good by adding a third party, make sure you read the docs and make sure you're setting it up in a secure way.

Also, the reverse: if you're a product and you're offering a service, if you have security measures, a lot of times you'll go to the site and be like, oh, we offer authentication and all these things. If your users have to take a step to enable that, make sure it is like red and clear so that they know to set it up. The simplest things are often the truest. So again, when you're doing analytics, do you need to send all of the user data to your analytics tool? Can you completely anonymize it? Again, the less that you send, the less chance there is that it's going to get compromised.
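What a parameter filter in front of an exception tracker or log pipeline looks like in plain Ruby, as an added example that is not part of the talk and not any vendor's SDK: it mimics the idea behind Rails' config.filter_parameters with a hand-written recursive filter, and the key patterns, the exception_payload helper and the sample sign-up params are constructed for illustration.

```ruby
# Added example (not from the talk or any vendor SDK). Rails ships a richer
# ActiveSupport::ParameterFilter; this stand-alone version shows the idea:
# scrub sensitive keys from request params before they leave the app.

# Constructed key patterns: anything matching these is never sent onward.
SENSITIVE_KEYS = [
  /passw/i, /secret/i, /token/i, /_key\z/i,
  /ssn/i, /social_security/i, /card_number/i, /cvv/i
].freeze

FILTERED = "[FILTERED]".freeze

def sensitive_key?(key)
  SENSITIVE_KEYS.any? { |pattern| key.to_s.match?(pattern) }
end

# Recursively replace the values of sensitive keys, so nested params
# (user: { password: ... }) and arrays of hashes are covered too.
# Returns a new structure; the original params are left untouched.
def filter_params(params)
  case params
  when Hash
    params.each_with_object({}) do |(key, value), out|
      out[key] = sensitive_key?(key) ? FILTERED : filter_params(value)
    end
  when Array
    params.map { |value| filter_params(value) }
  else
    params
  end
end

# Hypothetical hook: what an exception tracker would receive from us.
def exception_payload(error, request_params)
  { message: error.message, params: filter_params(request_params) }
end

# Constructed sample request body, as captured on a failed sign-up.
SAMPLE_PARAMS = {
  "user" => {
    "email" => "alice@example.com",
    "password" => "hunter2",
    "ssn" => "123-45-6789",
    "profile" => { "linkedin_url" => "https://linkedin.com/in/alice" }
  },
  "api_token" => "abcdef",
  "items" => [{ "card_number" => "4111111111111111", "qty" => 2 }]
}.freeze

puts exception_payload(RuntimeError.new("boom"), SAMPLE_PARAMS).inspect if __FILE__ == $PROGRAM_NAME
```

Identifying but non-secret fields such as the email and LinkedIn URL pass through unchanged, which is exactly the kind of data the talk says still needs tracking across every third party that receives it.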
All right, and last, securing your SDLC. How many people here have heard of the SDLC before today? Okay, about half of you. So the SDLC stands for the software development lifecycle, and again, even if you didn't realize what the SDLC was, you're probably doing it. Again, it's just the fundamentals of how you get a project from the very conception of an idea to deployment.

So you start by speccing, right? What are we building? What's required? Why are we building this? Really think of the high level: what needs to get done, what do we need to think about, like do we have privacy laws that we need to withhold, what are the terms and conditions, what have we promised our users, are there any ethical and moral requirements, do we need to make sure it's encrypted, how available does it need to be? Features: so again, when you're budgeting time and building out your products, think about what features we need to, can include in this, should be included in this, to make sure that our users are as safe as possible. So user privacy settings, you know, what do they want to choose to be public and to be private. Strong password requirements: again, if you make your password requirements, I mean this would be extreme, but basically 30 characters in length, people are going to start having to use a password manager just because it's unreasonable to try to come up with one. Do you offer two-factor authentication? So again, we expect the platforms that we use to have two-factor authentication, but are you yourself providing that as well? Email authentication: so again, did you set up your SPF and your DKIM on your… Secure sensitive data deletion: so what does it look like when you delete the user, is it really getting rid of all their information from all your tools? A masked staging environment, a place you can test your product to make sure it's not going to have vulnerabilities, yet at the same time not putting that information out for another place to get breached. Anonymized analytics.

So once you get your main features kind of specced out, the next part is design. So this is where you go and really dig into what these features are going to look like. So in avalanche safety, avalanches happen when, every time it snows there's a new layer of snow, and there's always a weakest link, and once it gets triggered, that weakest-link layer is what lets go, and that's where the slide happens. So again, what are your weakest links in these features? Is it your input, you know, is it your authentication? How likely do you think these things are going to happen, and how consequential will it be if it does happen? And then also, once you figure out all of kind of the risks that you can think of, really like ranking them: what are the ones that are kind of the most likely to happen, the worst that's going to happen, and are there measures that you can take to mitigate those risks? And if not, maybe the feature's not worth it. Again, you have to think, is this feature going to add to the product, or will it do more harm?

Peer code review. So one thing that I've read over and over and over again is, even with all of these tools, one of the most effective ways of catching a security breach is through peer code review. We are human, we're tired, we're overworked, there's a lot to think about, so having an extra set of eyes can really make a difference. So I recommend making a security code review checklist and just checking these things: you know, is it authenticated, is the authorization set up correctly, are we encrypting sensitive data, how's the error handling? Again, if we give errors that could give hackers clues into how our database is set up, it could lead them into harm's way. Is there any add-on configuration? So again, if you're pulling in a library or you're plugging in a third party, double check to make sure that that's a secure source and that you have the configurations set up in a secure way. And complex code: give an extra look to complex code, again, that's usually where the breaches can happen.

Static analysis. So again, there should be two types of code review, the manual human code review and then a static analysis, and there are a ton of programs out there. It doesn't matter to me which program you use as long as it works for you, but these go through and catch a ton of things. So Brakeman is just phenomenal, I'm so glad, thank you for doing all the work that they do, but everybody should have at least Brakeman, if not all of these, in their code or practice. So again you can set up, if you have CircleCI, you can set it up where every time it runs it does these checks, and it can check for top vulnerabilities, again those OWASP top tens, can check all of your gem dependencies. There's bundler-audit, which makes sure that you're not having any dependencies in your Gemfile that have vulnerabilities.

So manual testing, this is one of my favorites. If you can't see it, he's shooting in his code product and then a QA Gumby shuts it down. But again, if you spent all that time writing your code, building a feature, test it, also try to break it, and make sure too that it's not just you, you have some co-workers going in and purposely putting in incorrect input and seeing what happens. Dogfood your own product: our CEO is famous for it, she's the best at dogfooding our own product, I don't know how she finds all of the bugs that she finds, but it's usually in a demo. But make sure again you are using your own products. Set up a secure staging environment, again, if you want to make sure that what you're testing is going to be true to what's going to happen on production. And test on different account types: so again, it might work for you, but maybe you have a different authentication level than what your users have. So when you're going through and testing, make sure you log in as a user, log in as an admin, log in as all the different roles, and make sure that only the things that should be happening are available to that access level.

Dynamic analysis. So this is where it'll actually go in and try to hack into your code. Qualys has this great SSL test, and you can just type in your website and it'll test your certs. So again, I'd set up a weekly calendar reminder to every week put your website into Qualys and just make sure your certificates are set up. Tinfoil and Burp Suite and OWASP, again, there are a ton of products out there and they are in a range of price points, but I would figure out a way of not just doing the static analysis but dynamic analysis too.

So deploy: be on high alert. So once you've deployed your code, usually you just want to celebrate, go have a beer, you did it, you hit your deadline, but you're not quite done yet. So again, as soon as you push your code, go to the logs, figure out what's going to happen, have a way to revert the code if it crashes, right? Check your logs, check your page load times, check HTTP errors, what does your database performance look like, are there any weird database queries?

Logging. So again, make sure that you're familiar with logging. I know when I started, I knew it existed, but I just kind of thought it was there just in case for emergencies, didn't really want to go into it. But again, really get familiar with it now, the more practice that you have the better you're going to get. So just as with avalanche training and being in the backcountry, every trip that I take I learn more and more things, and every time something happens I'm quicker to being able to respond. So get friendly with your logs now. There are also a hundred different products out there where you can help filter out noise, you can consolidate all into one centralized location, you can have it where it's structured: Lograge will condense it from multiple lines down into one line. So take the time now to clean up your logs, get them set up so that you're comfortable with them, so that if something did happen you'd be able to tell, and you'd be comfortable.

Monitoring and alerts. So again, make sure that you know what the norm is so that you can see what those spikes are, and then set up the alerts for, you know, how critical is it: if it happens once do you need to be alerted, or is it where if it's happening many, many times over five minutes you need to get alerted? Also know how severe is it, should we wake up the engineering team, or is it more just of an annoyance? So again, this will be kind of constant refactoring.
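An added example, not from the talk, of the kind of alert rule just described: a few constructed Lograge-style single-line request logs are parsed, and the count of 5xx responses in a five-minute window is mapped to a severity, so one error stays quiet while a burst pages someone. The key=value log format, the time values, the thresholds and the severity names are all assumptions of this example.

```ruby
# Added example (not from the talk). Assumes single-line logs of the form
# "time=... method=GET path=/x status=500 duration=12.3", as Lograge emits.
require "time"

WINDOW_SECONDS = 5 * 60

# Constructed sample log lines: a login endpoint starts throwing 500s.
SAMPLE_LOG = <<~LOG
  time=2017-04-25T10:00:05Z method=GET path=/users/1 status=200 duration=35.1
  time=2017-04-25T10:00:09Z method=POST path=/login status=500 duration=8.2
  time=2017-04-25T10:01:40Z method=POST path=/login status=500 duration=7.9
  time=2017-04-25T10:02:12Z method=GET path=/admin status=403 duration=3.0
  time=2017-04-25T10:03:58Z method=POST path=/login status=500 duration=9.1
  time=2017-04-25T10:04:30Z method=POST path=/login status=500 duration=8.8
  time=2017-04-25T10:12:00Z method=GET path=/users/2 status=200 duration=30.0
LOG

# Parse one key=value line into a Hash with a Time and an Integer status.
def parse_log_line(line)
  fields = line.split.map { |kv| kv.split("=", 2) }.to_h
  { time: Time.iso8601(fields["time"]), path: fields["path"],
    status: fields["status"].to_i }
end

# Count events matching the block inside the WINDOW_SECONDS ending at `now`.
def count_in_window(events, now)
  events.count do |e|
    e[:time] > now - WINDOW_SECONDS && e[:time] <= now && yield(e)
  end
end

# Alert rule: a single 5xx is noise (:ok), a few in five minutes is worth a
# look (:warn), a burst is worth waking someone up (:page). Thresholds are
# constructed here; set them from your own baseline traffic.
def evaluate_alert(events, now, warn_at: 2, page_at: 4)
  errors = count_in_window(events, now) { |e| e[:status] >= 500 }
  severity = if errors >= page_at then :page
             elsif errors >= warn_at then :warn
             else :ok
             end
  { errors_in_window: errors, severity: severity }
end

if __FILE__ == $PROGRAM_NAME
  events = SAMPLE_LOG.lines.map { |line| parse_log_line(line.strip) }
  puts evaluate_alert(events, Time.iso8601("2017-04-25T10:05:00Z")).inspect
end
```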
You may have to always kind of be updating what those alerts will look like for you.

So "uncertainty is the only certainty there is, and knowing how to live with insecurity is the only security." So uncertainty is definitely here now, it's definitely not going away, and it's not helpful to just be afraid of it. I mean, it's really the most certain thing there is, and knowing how to live with insecurity is the only secure way. So again, we just need to build these into our core, we need to be passionate about it. Why, you know, why are we here, why do we care if our systems are secure or not, and figure out how to, you know, update our daily processes.

So again, I am Krista Nelson, I'm working at Glassbreakers. Glassbreakers is hiring, so if you're interested, it's an awesome organization, come find me. And I hope that after today's talk we have more user protection advocates in the crowd. Let's spread the movement. All right, thank you.