
Uncertain Times: Securing Rails Apps and User Data

Video in TIB AV-Portal: Uncertain Times: Securing Rails Apps and User Data

Formal Metadata

CC Attribution - ShareAlike 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this license.

Content Metadata

It’s what everyone is talking about: cyber security, hacking and the safety of our data. Many of us are anxiously asking: what can we do? We can implement security best practices to protect our users' personally identifiable information from harm. We each have the power and the duty to be a force for good. Security is a moving target and a full team effort, so whether you are a beginner or a senior-level Rails developer, this talk will cover important measures and resources to make sure your Rails app is as secure as possible.
2 and here and so welcome to uncertain times protecting your Rails and use the data and how many of you here were added keynote this morning on this thing going and so I was also there's and the audience and and I noticed that a lot of but that Dean's he had in his you know actually similar to what we're gonna be talking about today so an excited for that super excited to be here the 1st ever conference type begin with its here at rails complements is awesome communities so an just 1 out of you're looking bird Troy less of what to do for print and security measures the 2nd be exactly that and to mobile to start a conversation here and in really start talking about security in new light closed that started and so originally when was creating this talk many months ago the title of uncertain times ahead the and but in those couple months around a lot has happened since then found I'm trying times in other connection to did you start with you 0 who it was of then number and it's not uncertain times ahead it's uncertain times now and uncertainty is always been yeah in expecially now I think it's more and were more aware that the number of so cool I think
Cristani environment I press the A. Nelson a bit about my background went to the that man was a big corporations spend years making rich people richer that's that I went to the training school out and demerits and Austin 7 rails program running you haven't heard of them check amount and then after that I was looking for Linux career in Linux job the run it make sure that I found something that I was passionate about you know not just making the rich people returned from the panel wake up and work hard every day and doing something good so I found less vigorous parameters enterprise will have their priors platform that connects the employee is on personal identification so things that are really sensitive like your race gender gender sexual orientation and also some more funding ceiling hiker and then why we're there is to and connect people to build a platform to empower them and so we wanna make sure that we're not putting them at more harm by having our stress in sensitive data and natural the so when people ask me what I do I class figures so it's critical of the man in the because not on the back and developer but I do more than that you know I really on focus on security and making sure that we're doing everything that we can do unfortunately when you say you work on security people's minds think security the network security firewalls and these are asking really really complicated questions that I actually don't focus on divided so as China come up with a new way of explaining what I did hands and really the the wine y and gotta work what am I doing I'm trying to build something that's gonna help people than trying to protect them from from harm's way or a bad so I came up with a time of protection and the band but uh it's not my thumb like an advocating further different under protection I which I advocate for all protection and they landed and developers use the protection ever get so that's willing to go on for now and I hope there's some more of you in 
the crowd and I hope after this talk we always because the user protection advocates that they need a lot more and yeah community the so this is an this is
many pretty much the last year
and begin to security and ever since I've taken over the progress and disbanded reading wives and lots and lots of and you google suffer security omega like the outcome that you get from that there's just so much that the fear and the more more red consider becoming more clear what I needed to do was getting more crowded reward to use like what would focus on historical the format you know where I go so I started talking to everyone and can anyone I could talk to about it I would try talking so my coworker and my appearance there so severely phoneme of my let's drivers Menominee minute house on talk until about security many notice to think Everybody loves talking about security around has the apparently breached story in you know like Ashley Madison and you know the the in the the room like everyone knows about the problem they have a vivid story of then the other thing I notice with everybody had no excuse why they didn't have to worry about it like 0 that's a good thing that my company we have a security team so I don't even know what they do but they handle it on a story about it for here there's a lot and companies too small this like you need not worry about it we don't have any information at that sensitive don't have you know have a combined so we're going to have to worry about it or I again I know all we have to worry about it but we just have to get a and the p ling once you get out a and B he then ring and all this time to ensure the lot of you have heard that before like will have time in the future but that never comes the so and we notice that there's this big
disconnect everybody knows the problem everyone knows here's the stories but really is taking action on it so why is is not at the same time and doing all this the research I was also getting ready to go on my next lecture answer every year go to Colorado and our friends and I get together in the Hague 7 miles out into the middle of nowhere on top of a mountain with no cell Bono Wi-Fi and I drew Evelyn zones so completely disconnected the and as I was preparing for this I also talking to people about it the only get like why would you do that went by the time often want to follow effort in doing something that is so dangerous nearly 70 rest see that the was you can get lost rather be an avalanche but to me it was In my heart I knew I knew why like it was a questioning why I wanted you that it's worth that the during is worth it is the beautiful atmosphere on In the artists but you just handle it you know you you your training you get your gearless it just kind of built into the process where round you can always thinking about it but never realizing how much you're thinking about it as part of the process the so that I can
or harmonic the kind similar rate there's a lot of risks security there's lot arrests and backcountry on the this to figure out how you can best protect yourself but what was the difference between mean handling our are security research and this avalanche safety research it was very the passion and so here
Again, it rests on risk. Out of all the research I've done on security, all the training and every backcountry recommendation, it really boiled down to what they were suggesting: it's just understanding risk. Understand what is the probability that this is going to happen, what are the consequences if that does happen, then how can I minimize my vulnerability to that and how can I limit my exposure?
So if it's so clear that all we need to do is, you know, look at risk, always be assessing risk and figuring out how we can limit our vulnerabilities and exposure, why is this a 350 billion dollar industry, right? And I think this is the problem here: one cannot be prepared for something while secretly believing it will not happen. Going back to all the conversations I had, there was one common thing: it won't happen to me. It's not going to happen to me; it happens to other people, and I hope they're doing something to protect themselves, but it's not going to happen to me. Also, when I was asking companies, "hey, I use your products, do you have security training?", the answer was "no, we don't do that." And I realized I'm trusting these companies just as the users at my company trust in me, and I want to make sure that they're preparing for me just as I'm preparing for my users.
So, to help get through this "it won't happen to me" mentality, here are some stats. 43 per cent of cyber attacks target small business. A lot of companies think "oh, they're only after the big guys, after enterprises", but no, 43 per cent of attacks attack small businesses. "OK, but it still won't happen to me, there are a ton of small businesses." Of the small and medium-sized businesses polled, 55 per cent reported that they had a cyber attack and 50 per cent reported they had a data breach. Again, that matches the percentage that reported; a lot of companies will go an entire year without even knowing they were attacked. So it's not obvious: there is a good chance you are going to get a breach or a cyber attack. "This is happening to everyone, you know, they get through it, it will be fine." But 60 per cent of small companies that suffer a cyber attack are out of business within 6 months. We work so hard to try to get our companies to flourish and take pride in them, and yet 16 per cent of those small companies that suffer an attack are out of business in 6 months; 55 per cent report a cyber attack.

So often we say, OK, we'll buy product A, we'll buy a product and throw money at it. But 48 % show root causes from a negligent employee or contractor, and 41 per cent show a breach from another party. So again, even if you throw as much money at it and all the products that you want, you have to get control of your employees and third parties. 63 % of companies that have been breached say the breach leveraged weak, default or stolen passwords. So I had to change the title once, and again now: change your passwords and enable two-factor authentication. If there's one thing I can get out of this talk, I hope all of you have secure passwords and two-factor authentication turned on. 63 per cent of users don't have a mature method to track and control sensitive data. So most of us are going to get attacked, and we know it's a problem, yet the majority of us don't have a system in place.

So let's sit back and see what we can do. We'll talk about three things: how to get everyone involved, mapping sensitive data, and securing your SDLC, the software development life cycle. Right, so, getting everyone
involved: so, back to those conversations I was having. So many people were saying "I don't have to be involved, we have a security team, they handle it." When you're out in the backcountry, even if you have the best expert in your group, if you have one person having an off day, not paying attention, and they make one wrong turn, they can trigger an avalanche and put your entire group in danger. If they're not prepared, don't know how to use the tools that they have, how to use their gear, where to go, the skills it takes to locate a person and where to dig them out, again, you're putting your trust in them that they're there to also protect you. So again, it doesn't matter if you are an expert or if you have an expert: if you have one person in that group that's not prepared, it can be really costly. Yeah, so
one thing I found is you have to talk to leadership. So how do you get everyone involved? Again, everybody's busy; usually everyone's wearing multiple hats, there's a deadline, you have to ship your product, and you don't want to get in trouble, so you need to do what you need to do in order to get your work done, and if you have time later to look at security things, cool, but unlikely. I noticed that if leadership is not on board, that's where it breaks down, and I can understand that: they're the ones that need to lead by example and do what they can to make sure that they're protecting the company, and also be understanding and allow time, budget time, and if something didn't ship on time, understand that it was because the team was just trying to be secure and careful and make sure the product was safe. So how do you get leadership to buy in? Again, show them that 60 per cent of small companies that suffer an attack are out of business in 6 months. So when you're getting pressure from leadership to, you know, focus on other things, just remind them that if they want to make money, being out of business won't help. Also remind them
of what the bottom line regardless of what your bottom line as if you're there to make money if you're there to help people review of the planet you're not going to build to do those things unless you were fully brought in on the team like this is why we here we are waking up working our butts off in order to do the things really operate and so again when your budgeting time and getting efforts make sure that they understand that if you wanna make money but I think from the small and medium size of live it was almost 100 k cost for each breach that they and so again but in some time of front and save the company wants money the an we don't appear here to new guys that assignment is there's is awesome you have that merely excited the carrots quantitatively appealing but in for those that are in the error of the rather firm attacks last minute by immigration 2 units was really great concept you have your contacts In a message to each contact where if something happens you can hit the button and I'll send messages to those complex Rameau sensitivity about this project I thought it was great I went to the site may notice they did not have the certificate of fell certificate of and the brother and broke my heart I mean on a planet around a page there the point you put in your phone number the is and so my you know and that's what I'm thinking about now as security there is you're putting in your phone number again and you can identify someone by the America in and providing all of this very sensitive and secure information and if it's not that a trustworthy around company you can end up doing way more harm by from the effect that that information of breach and 1 of them but luckily I went and I checked the former is the cup of polymer and they had the encryption of the formal but again if you were on knowing with the site to be really easy to have a Fisher were they made a site replicate this other site including upon number and they would know who the fear of that's 
the situation so again make sure you can continuously kind of this message back to the company and why are we here where we pattern about what are we protecting
we right so how to get everyone involved and to make sure that everyone at the company is and included in this program so that include employees but also includes contractors anyone have access to sensitive data and code on 1 of the great thing about the rails community is mentorship is really big here so if you had a mentor or advisor on that can see your code working the and you're sensitive data and make sure that they are also on board so every single person anyone has access to any part of your information what I make sure that they understand what is considered sensitive and I think yeah most people us assume we know of their social security number is sensitive information on the talking to the whole team of surprising to see how many people that a name that sensitive enough sensitive even just knowing that you're part of an organization if you're sign up for an application could again it's online at the right answer could it be harmful why fans of protect yourself users In the company a red and of wide on the right round the last 14 for the process of security in it broke down what it really matters when you signed your documents included so these companies did breached in and what happens when you you reach you can be sued they could take an image of your computer and knowing what information that they're going to have and share a few new maybe times of 1 supplies than a personal thing on your professional at time in of the in bank statement understanding that we assigning those thoughts let you bring it about what and then your users in our company when you make sure that everybody knows when to say something I think what if you look in the brain and by securities that maybe the the click a link that they should neglects even go out to the College of Health someone on the let him know when when they shared a step up and say something then where we have a repository prior policies and make sure that all of their employers can have access and that can easily 
pull it out that there reflection we that's not
Password managers: who here uses a password manager? This is great, so most of the room is using a manager, and I think we also need to step out of the bubble a little bit. It's so great that we all are using password managers, but as I've been doing these talks, talking to everyone, most people don't actually know what a password manager is yet. So a password manager is just a way that you memorize one password and it will generate random passwords for all your logins, so that you can have different logins for every system. How many people have two-factor authentication? This is another common thing: when I'm talking to people, they know they should use two-factor authentication, but then you hear "oh, but it's so annoying to have to get my phone, and I don't have time for that." But again, it's important; it's worth getting your phone out to protect users. Securing the devices: so I live in Austin, and this cracks me up, some of us work in coffee shops, and you'll see people with their laptop wide open, and they walk away and it'll be open for more than 5 minutes without a password lock. Again, most people in those coffee shops know who you are. So please put a password lock on your computer. Again, not new advice, but how many people are actually practicing it? And when in doubt, delete it: if you have some spreadsheets of user information or anything on your computer, you know the computer could get stolen, so keep as little information on the computer as possible. Be careful what you send: I think we work so hard to protect our application and our databases, and then we'll go out and send an email with a spreadsheet of user information to our co-workers. And this also
means making sure that your full team understands that, you know, email is not safe. So make sure that you have a way set up where you can pass information through encryption, using a GPG key or the like, but definitely don't email it. Also, I've heard of so many companies that use Google Docs for everything, and I also see user information in Google Docs, so be careful who has access.
So again, when I say the word security, everyone assumes I'm a security engineer, but really this isn't just a task that I should worry about: every developer should be a secure developer, just like in the Rails community, right, we all want to write clean code, we want it to be readable, we want it well tested. Why do we not put an emphasis on something that is so costly to our programming? So relating it back to
the keynote talk this morning: he talked a lot about how you have to have roots; if you don't have roots, you can't understand why you're doing what you're doing, and you just can't keep doing it. This applies to security as well. So again, there are so many tools, and they're overwhelming unless you figure out why you're doing it and what the fundamentals are. So the fundamentals: the CIA triad. Confidentiality: making sure only those who should be able to see the information can see it. Integrity: making sure that that information is what it should be; again, are people coming in and changing information, are they trying to duplicate a certificate, how do you make sure that this is what it should be? Availability, which overlaps with the others: that the information is there and can be trusted.
OWASP: how many people here have heard of OWASP? So this is probably the first thing I'd recommend for developers: go to OWASP, it's the Open Web Application Security Project. It is an open source project which has a ton of free tools; they have apps set up that you can test on and play around with, and they have the OWASP Top 10. They just came out with the new release and they're looking for feedback on it, and they're going to do the final release later this summer. These are the top critical vulnerabilities that are most likely going to hit your application, so if you can focus on these top 10, you're going to get the majority of the vulnerabilities, and the rest again are a small percent. But this is a great place to start. Understanding encryption types and hashing algorithms and understanding why it's important: again, I've seen apps where they still store passwords insecurely. So again, you don't have to know the full details of all the algorithms, but know where you can find trusted guidance and what you need to know about
Right, next: mapping your sensitive data. So when you are going into the backcountry, it is critical to plan and make sure, before you go into the zone, that you know exactly where the danger zones are. Again, when you're out there it's very hard to see; if you have that well mapped out, you know OK, if I go into this area I need to take extra caution, and you can go one person at a time to limit your exposure, and you can talk quieter, you don't shout, and there are all these protective measures that limit the chances that something's going to happen when you're in one of those cells. So how do we do that with our applications? Start thinking about, OK, we have sensitive data, we collect all this from users, what do we need to keep safe? So again, personally identifiable information: name, birthday, an image, all those things could tie a user back to the application. Do you have any protected health information? That has a whole other bar of compliance that you need to meet. Payment information, social security numbers, messaging, communications, all these things. You need to keep track of all the places that information goes. If you think about it, say you have someone's email address: a user enters it, it comes in to your application, it goes into the database, it goes out to a third-party email provider, we have a third-party tool that tracks analytics on the user, and then there are various spreadsheets. Again, there are so many places that this information can go, on and on, to third parties. Knowing what information gets sent where and who has access to all that information, so that you can be aware of what needs to be secured in each place, and if someone leaves the company, you know exactly where you need to go and check to make sure that they no longer have access to that
information. So 41 % show the root cause of a data breach as a third-party mistake, and
then the making this is 1 of the things that really shocking to me too I think we put so much trust in other companies again we just assume that they're gonna diligence actually say Prince of us having to do our work will make sure that they go and do their work there we just assume that they and their work and again a huge percentage of the beverages happen because of the use of 3rd parties so before you use a 3rd party make sure you do a security audit on that what are the security policies on what I yeah who has access to the information what information are you giving them and have they done penetration testing you have on abilities haven't had any reasons and the tax you can get there there's a fact to report it'll show all of the aunts agreement measures that they've been through so every time that you're saying any of your time information from your platform to another company need to make sure that they are trusted again make sure that that is on the on going to bed you maybe they were secure but there is a vulnerability associated feedback and that line clear also I think in another big thing that the parties is you assume that the secure so I know there's all these different tools out there that you can plug into security and then I know 1 where they were tracking exceptions and but that the fault was so and it tracks an exception it grabs the the parameters of the the request body you it captures times that you can help you determine and what cause the exception and there was no filters they had all these filter options but the filters were not the fault so again what information is being problem that France Rob passwords social here the numbers on the nature that if you're trying to do that by adding to the other party to make sure you read the docks in and and which you set it up with the correct also appear the reverse if you're a product the and you're offering a service that you have security measures legends of go to the site and I go we opera on 
occasion and all these things if here uses to farm step to annual at nature is like riding queries that they know on the set up
the the simplest things are up in the church so again and when you're doing analytics you need to send all of the user data to your analytics tool he completely unanalyzed again the velocities and the less chances that we on that it's going to compromise the
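As an added example, not code from the talk: a Ruby sketch of the two points above, scrubbing sensitive request parameters before a payload goes to a third-party exception tracker, and pseudonymizing direct identifiers before an analytics event so the tool never receives the raw email. Rails' own config.filter_parameters does the scrubbing for the Rails log; this standalone version applies the same idea to whatever you hand to an outside service. The key patterns, identifier list, HMAC key and sample params are constructed for the example.

```ruby
require 'openssl'

# Key patterns whose values must never leave the app (constructed list; extend per app).
SENSITIVE_KEYS = [/passw(or)?d/i, /token/i, /secret/i, /ssn/i,
                  /social_security/i, /card_number/i, /cvv/i].freeze
FILTERED = '[FILTERED]'.freeze

def sensitive_key?(key)
  SENSITIVE_KEYS.any? { |re| re.match?(key.to_s) }
end

# Walk nested hashes/arrays and replace values stored under sensitive keys.
# Builds a new structure; the caller's params are left untouched.
def scrub(value)
  case value
  when Hash
    value.each_with_object({}) do |(k, v), out|
      out[k] = sensitive_key?(k) ? FILTERED : scrub(v)
    end
  when Array then value.map { |v| scrub(v) }
  else value
  end
end

# What the exception tracker gets: the error plus scrubbed params only.
def exception_report(error, request_params)
  { error: error.class.name, message: error.message, params: scrub(request_params) }
end

# Direct identifiers that analytics usually does not need in the clear.
IDENTIFIER_KEYS = %w[email name phone].freeze

# Replace identifiers with a keyed hash (HMAC) so events from one user still
# correlate without shipping the raw value. The key is a placeholder; a real
# app loads it from its secrets store and does not share it across products.
def pseudonymize(attrs, key: 'PLACEHOLDER-LOAD-FROM-SECRETS')
  attrs.each_with_object({}) do |(k, v), out|
    out[k] = if IDENTIFIER_KEYS.include?(k.to_s)
               OpenSSL::HMAC.hexdigest('SHA256', key, v.to_s)[0, 16]
             else
               v
             end
  end
end

# Analytics event: scrub first (drops secrets), then pseudonymize identifiers.
def analytics_event(name, user_attrs)
  { event: name, user: pseudonymize(scrub(user_attrs)) }
end

# Constructed sample: a sign-up request body as a tracker would capture it.
SAMPLE_PARAMS = {
  'user' => { 'email' => 'alice@example.com', 'password' => 'hunter2',
              'ssn' => '123-45-6789', 'plan' => 'pro' },
  'authenticity_token' => 'abc123'
}.freeze

if __FILE__ == $PROGRAM_NAME
  p exception_report(ArgumentError.new('invalid plan'), SAMPLE_PARAMS)
  p analytics_event('signup', SAMPLE_PARAMS['user'])
end
```

The scrub runs on the way out, in your own code, so it does not depend on whichever filter option the third-party SDK ships with by default; the HMAC keeps per-user correlation for analytics while a leaked event stream no longer contains addresses.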
And last, on securing your app, is the SDLC. How many people here have heard of the SDLC before today? Okay, a few. So SDLC stands for the software development life cycle. Even if you don't realize what the SDLC is, you're probably doing it; it's just the fundamentals of how you get a product from the very conception of an idea to deployment.

So you start by speccing it out: what are we building, what's required, why are we building it, and really think at a high level about what needs to get done and what we need to think about. Are there privacy laws that we need to follow? What about the transmission of data, and what have we promised users? Are there any ethical or moral requirements? Do we need to encrypt it? How available does it need to be? So when you're budgeting time and planning your product, think about what features are going to be included and what should be included, and make sure that you have it as secure as possible. User privacy settings, so users can choose what they want to be public and what private. Strong password requirements: if you make your password requirements, this might be a little [unintelligible], 30 characters in length, users start having to use a password manager, because it's unreasonable to try to come up with one. Do you offer two-factor authentication? Again, we expect the platforms that we use to have two-factor authentication; are you yourself providing that as well in your own applications? [unintelligible] depends on your [unintelligible]. Secure sensitive data deletion: what does that look like when you delete a user? Is it really getting rid of all their information from your environment? A place where you can test your product to make sure it doesn't have vulnerabilities, and at the same time not leak information. And, again, a plan for analyzing breaches. So once you get your main features specced
out, the next part is design, and this is where you really go and dig into what is needed and what's required. So, I'm into avalanche safety. Avalanches happen because every time it snows there's a new layer of snow, and there's always a weakest link; once that weakest-link layer gets triggered, that's where it lets go and the slide happens. So again, what are your weakest links in these features? Is it your login and your authentication? How likely do you think these things are going to happen, and how consequential will it be if it does happen? And then, once you figure out all of the risks you can think of, really rank them: which ones occur the most, which are unlikely to happen, what's the worst that's going to happen, and what are the measures you can take to mitigate those risks? And not every feature makes it: you have to think, is this feature going to add to the product, or [unintelligible]?
Code review. One thing I've read over and over again is that even with all of these tools, one of the most effective ways of catching a security problem is through peer code review. We are human, we are tired, we're rushed, there's a lot to think about, and having an extra set of eyes can really make a difference. So I recommend making a security code review checklist and just checking these things: is it authenticated? Are the operation's authorization checks correct? How is sensitive data handled? Again, if we get into areas that could risk leaking information about how our system is set up, it could lead users into harm's way. Are there any [unintelligible] configurations? Again, if you're adding a library or a gem, double-check to make sure that it's from a secure source and that the configuration is set up securely. And complex code: I've never actually liked complex code; it's usually where the breaches are. Then static analysis.

So again, with the checklist you should have manual code reviews, and then static analysis. There are a ton of programs out there; it doesn't matter to me which program you use, as long as you've found one that works for you. It goes through and catches a ton of things, and it's just phenomenal. So I think [unintelligible]; remember that everybody should have at least Brakeman. Not all of [unintelligible] good practice. So you can set it up: if you have CircleCI, every time it runs it does the checks. Brakeman checks for the top vulnerabilities, and bundler-audit can check all of your gem dependencies to make sure you're not using any dependencies that have vulnerabilities.
Then manual testing. A lot of the theory [unintelligible]. But again, you've spent all that time writing your code and building the feature; test it, but also try to break it, and make sure that you have some coworkers go in and on purpose put in bad input and see what happens. Then use your own products. Our CEO is famously the best adopter of our own products, and she finds all of the bugs [unintelligible] still a demo. But make sure when you're using your own products that you set up a secure staging environment, so that what you're testing is going to be true to how it's going to happen. And test in different contexts: it might work for you, but maybe you have a different access level than your users. So when you're testing, make sure you log in as a user, log in with all of the different roles, and make sure that only the things that should be accessible are available. Then dynamic analysis, where people actually go in and try to penetrate. Qualys has a great SSL testing site; it'll grade your website and test your certs. So again, set up a weekly calendar reminder to run your website through it [unintelligible] certificates [unintelligible]. There are a ton of products out there, and they range in price points; figure out a way to do not just static analysis but dynamic analysis too.
Deploy and be on high alert. So once you've deployed, the urge usually is to celebrate and move on to a new deadline, but you're not quite done yet. Once again, as soon as you push your code, get online and figure out what's going to happen; have a way to reverse the code if it crashes. Stay online: check your page load times, check HTTP errors, what does your database performance look like, are there any database queries running wild? So again, make sure
that you're familiar with your logs. When I started, I knew they existed, but I just thought they were there in case of emergencies, and didn't really want to go into them. So really get familiar with them now; the more practice you have, the better you're going to get. Just like with avalanche training and being in the back country: every trip that I take I learn one more thing, and every time something happens I'm quicker at being able to respond. So get friendly with your logs now. There are also a ton of products out there where you can filter out noise, consolidate everything into one centralized location, and have structured logging, condensing it from multiple lines into one line. So take the time now to clean up your logging and set it up so that you're comfortable with it in advance; if something happens, you'll be able to tell, if need be. And be comfortable with monitoring and alerts. Make sure that you know what normal looks like so you can see the spikes, and set up the alerts. Think about how critical it is: is it something that if it happens once you need to be alerted, or is it something that if it happens many, many times over 5 minutes you need to know? Also, how severe is it: should it wake up the engineering team, or is it more of an annoyance? So again, this will be kind of constant refactoring, always updating what those alerts are for.

"Uncertainty is the only certainty there is, and knowing how to live with insecurity is the only security." So uncertainty is definitely here now, and it's definitely not going away, but it's not helpful to just be paralyzed by that. It's really the most certain thing we have, and knowing how to live with insecurity is the only secure way. So again, we just need to build this into our process; we need to be passionate about it; know why we are writing code and taking care that our systems are secure. Figure out how to go on and update our daily processes.
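As an added example, not from the talk: a small Ruby alert evaluator that applies the two kinds of rule described above, one that fires on a single occurrence and one that fires only when an event repeats a number of times within a window, to structured (one JSON object per line) log lines, and tags each alert with a severity tier. The rule names, event names, thresholds, severity tiers and log timestamps are all constructed for the example.

```ruby
require 'json'
require 'time'

Rule  = Struct.new(:name, :event, :threshold, :window, :severity, keyword_init: true)
Alert = Struct.new(:rule, :severity, :count, :at, keyword_init: true)

# Constructed rules. :page wakes the on-call engineer; :notify is the
# "annoyance" tier that goes to a channel. window is in seconds.
RULES = [
  Rule.new(name: 'db_connection_lost', event: 'db.connection_lost',
           threshold: 1,  window: 0,   severity: :page),
  Rule.new(name: 'login_failure_burst', event: 'auth.login_failed',
           threshold: 5,  window: 300, severity: :notify),
  Rule.new(name: 'http_500_spike', event: 'http.500',
           threshold: 10, window: 300, severity: :page)
].freeze

# Constructed sample log: one JSON object per line, as a structured logger emits.
LOG_LINES = <<~LOG.lines(chomp: true)
  {"ts":"2017-04-25T10:00:00Z","level":"info","event":"http.200","path":"/"}
  {"ts":"2017-04-25T10:00:05Z","level":"warn","event":"auth.login_failed","user":"u1"}
  {"ts":"2017-04-25T10:00:20Z","level":"warn","event":"auth.login_failed","user":"u1"}
  {"ts":"2017-04-25T10:01:00Z","level":"error","event":"http.500","path":"/api/plans"}
  {"ts":"2017-04-25T10:01:10Z","level":"warn","event":"auth.login_failed","user":"u1"}
  {"ts":"2017-04-25T10:02:00Z","level":"warn","event":"auth.login_failed","user":"u2"}
  {"ts":"2017-04-25T10:02:30Z","level":"error","event":"http.500","path":"/api/plans"}
  {"ts":"2017-04-25T10:02:45Z","level":"warn","event":"auth.login_failed","user":"u1"}
  {"ts":"2017-04-25T10:03:00Z","level":"error","event":"db.connection_lost"}
  {"ts":"2017-04-25T10:03:30Z","level":"error","event":"http.500","path":"/"}
LOG

# Parse each line and keep only what the rules need, ordered by time.
def parse_events(lines)
  lines.map { |line| JSON.parse(line) }
       .map { |h| { ts: Time.iso8601(h['ts']), event: h['event'] } }
       .sort_by { |e| e[:ts] }
end

# Sliding window over each rule's matching events: fire the first time
# `threshold` events fall within `window` seconds. A threshold of 1 with a
# zero window fires on the first occurrence. Returns one Alert per rule that fired.
def evaluate(rules, events)
  rules.map do |rule|
    times = events.select { |e| e[:event] == rule.event }.map { |e| e[:ts] }
    start = 0
    alert = nil
    times.each_with_index do |t, i|
      start += 1 while t - times[start] > rule.window   # drop events older than the window
      count = i - start + 1
      next if count < rule.threshold
      alert = Alert.new(rule: rule.name, severity: rule.severity, count: count, at: t)
      break
    end
    alert
  end.compact
end

# Only the alerts worth waking someone up for.
def pages(alerts)
  alerts.select { |a| a.severity == :page }
end

if __FILE__ == $PROGRAM_NAME
  alerts = evaluate(RULES, parse_events(LOG_LINES))
  alerts.each { |a| puts "#{a.severity}: #{a.rule} (#{a.count} in window) at #{a.at.utc.iso8601}" }
end
```

On the sample, the single database-connection loss pages immediately, the five failed logins inside five minutes only notify, and three HTTP 500s stay below their threshold; tuning those numbers against what "normal" looks like in your own logs is the ongoing refactoring the talk describes.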
So again, I am Krista Nelson. I'm working at [unintelligible]; [unintelligible] is hiring. And I hope that after this talk we have more user protection advocates [unintelligible].