Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Uncertain Times: Protecting your Rails App and User Data

Krista Nelson
April 25, 2017
Technology
0
220

Uncertain Times: Protecting your Rails App and User Data

It’s what everyone is talking about: cyber security, hacking and the safety of our data. Many of us are anxiously asking what can do we do? We can implement security best practices to protect our user’s personal identifiable information from harm. We each have the power and duty to be a force for good.

Security is a moving target and a full team effort, so whether you are a beginner or senior level Rails developer, this talk will cover important measures and resources to make sure your Rails app is best secured.

Krista Nelson

April 25, 2017
Tweet

Other Decks in Technology

See All in Technology
2024/4/26 コンピュータ歴史博物館解説告知
toshi_atsumi
0
200
テストプロセスで大事にしていること #jasstnano
makky_tyuyan
0
130
Postman v10リリース後を振り返る
nagix
0
130
WebアプリケーションにおけるPDOの使い方入門 / phpcon odawara 2024
meihei3
2
430
〜小さく始めて大きく育てる〜データ分析基盤の開発から活用まで
kniino
0
2k
HEXA OSINT CTF V3 作戦会議
meow_noisy
0
110
DevOpsDays History and my DevOps story
kawaguti
PRO
8
1.6k
AIQ株式会社 エンジニア向け会社紹介資料
aiqlab
0
370
複雑な構成要素を持つUIとの向き合い方 〜新・支出グラフでの実例〜 / B43 TECH TALK
nakamuuu
0
110
オブザーバビリティの Primary Signals
onk
PRO
0
550
アクセシビリティを考慮したUI/CSSフレームワーク・ライブラリ選定
yajihum
0
220
Databricksを活用してDELISH KITCHENのレシピレコメンドを開発した話
furu8
0
250

Featured

See All Featured
Web Components: a chance to create the future
zenorocha
305
41k
What’s in a name? Adding method to the madness
productmarketing
PRO
15
2.6k
Creatively Recalculating Your Daily Design Routine
revolveconf
209
11k
Making Projects Easy
brettharned
108
5.5k
Code Review Best Practice
trishagee
54
15k
Faster Mobile Websites
deanohume
297
30k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
12
1.5k
The Language of Interfaces
destraynor
151
23k
Optimizing for Happiness
mojombo
370
69k
YesSQL, Process and Tooling at Scale
rocio
163
13k
How STYLIGHT went responsive
nonsquared
92
4.8k
GraphQLとの向き合い方2022年版
quramy
31
12k

Transcript

  1. Uncertain Times Uncertain Times Protecting your Rails Application and User

    Data Uncertain Times Protecting your Rails App and User Data Uncertain Times Protecting your Rails App and User Data Uncertain Times Protecting your Rails App and User Data

  2. Uncertain Times Uncertain Times Protecting your Rails Application and User

    Data Uncertain Times Protecting your Rails App and User Data Uncertain Times Protecting your Rails App and User Data Uncertain Times Ahead Protecting your Rails App and User Data

  3. @Krista_A_Nelson Developer / User Protection Advocate

  4. None
  5. None
  6. None
  7. None

  8. “One cannot be prepared for something while secretly believing it

    will not happen” - Nelson Mandela

  9. 38% regularly upgrade software solutions 41% of SMBs have some

    visibility into employee password practices and hygiene 22% encrypt databases Source: 2016 Internet Security Threat Report It won’t happen to me…

  10. 38% regularly upgrade software solutions 41% of SMBs have some

    visibility into employee password practices and hygiene 22% encrypt databases Source: 2016 Internet Security Threat Report 43% of cyber attacks target small business Symantec’s 2016 Internet Security Threat Report

  11. 38% regularly upgrade software solutions 41% of SMBs have some

    visibility into employee password practices and hygiene 22% encrypt databases Source: 2016 Internet Security Threat Report It won’t happen to me…

  12. 38% regularly upgrade software solutions 41% of SMBs have some

    visibility into employee password practices and hygiene 22% encrypt databases Source: 2016 Internet Security Threat Report Polling SMB’s for past year: 55% reported a cyber-attack 50% reported a data breach Ponemon Institute The 2016 State of SMB Cybersecurity

  13. 38% regularly upgrade software solutions 41% of SMBs have some

    visibility into employee password practices and hygiene 22% encrypt databases Source: 2016 Internet Security Threat Report How bad can it be?

  14. 38% regularly upgrade software solutions 41% of SMBs have some

    visibility into employee password practices and hygiene 22% encrypt databases Source: 2016 Internet Security Threat Report 60% of small companies that suffer a cyber attack are out of business within six months. Symantec’s 2016 Internet Security Threat Report
  15. None

  16. 38% regularly upgrade software solutions 41% of SMBs have some

    visibility into employee password practices and hygiene 22% encrypt databases Source: 2016 Internet Security Threat Report Ok, we’ll pay for a product.

  17. 38% regularly upgrade software solutions 41% of SMBs have some

    visibility into employee password practices and hygiene 22% encrypt databases Source: 2016 Internet Security Threat Report 48% show root cause from a negligent employee or contractor. Ponemon Institute The 2016 State of SMB Cybersecurity

  18. 38% regularly upgrade software solutions 41% of SMBs have some

    visibility into employee password practices and hygiene 22% encrypt databases Source: 2016 Internet Security Threat Report 41% show root cause from a third party mistake Ponemon Institute The 2016 State of SMB Cybersecurity Ponemon Institute The 2016 State of SMB Cybersecurity

  19. 38% regularly upgrade software solutions 41% of SMBs have some

    visibility into employee password practices and hygiene 22% encrypt databases Source: 2016 Internet Security Threat Report 63% of confirmed data breaches leverage a weak, default, or stolen password. Source: 2016 Data Breach Investigations Report from Verizon

  20. Uncertain Times Uncertain Times Protecting your Rails Application and User

    Data Uncertain Times Protecting your Rails App and User Data Uncertain Times Protecting your Rails App and User Data Uncertain Times Ahead Protecting your Rails App and User Data Change Your Passwords And Enable Two Factor Authentication

  21. 38% regularly upgrade software solutions 41% of SMBs have some

    visibility into employee password practices and hygiene 22% encrypt databases Source: 2016 Internet Security Threat Report 63% of businesses don't have a ‘fully mature’ method to track and control sensitive data. Source: 2014 State of Risk Report, as quoted in Trustwave Security Stats

  22. Let’s hit the road

  23. Map Your Sensitive Data Get Everyone Involved Secure your SDLC

  24. Map Your Sensitive Data Secure your SDLC Get Everyone Involved

  25. Map Your Sensitive Data Secure your SDLC Get Everyone Involved

  26. Get Everyone Involved

  27. Talk to leadership Get Everyone Involved

  28. 60% of small companies that suffer a cyber attack are

    out of business within six months. Show them the stats! Talk to leadership Get Everyone Involved

  29. Talk to leadership Get Everyone Involved

  30. Security Awareness Training Who: What: Why: When: Where: All employees,

    contractors, anyone with access to sensitive data/code What is considered sensitive. Data, code, policies, procedures Protect yourself, users, and company Know when to say something Repository for policies Get Everyone Involved

  31. How: • Password Manager • Two Factor Auth • Secure

    your Devices • When in doubt, delete • Careful what you email! Security Awareness Training Get Everyone Involved

  32. “A good developer is a secure developer” - Krista Nelson

  33. Developer Training Confidentiality Integrity Accountability Fundamentals - C.I.A Get Everyone

    Involved

  34. Developer Training The Open Web Application Security Project (OWASP) is

    an open community dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted. Get Everyone Involved

  35. Developer Training Get Everyone Involved

  36. Developer Training Encryption Types (RSA, AES) Hashing Algoritms (MD5, bcrypt,

    PBKDF2, SHA256) Get Everyone Involved

  37. Map Your Sensitive Data Full Team Effort Secure your SDLC

  38. Map Your Sensitive Data Know your Danger Zones

  39. Map Your Sensitive Data Types of Sensitive Data • Personally

    Identifiable Information (PII) • Protected Health Information (HIPAA) • Payment Card Information (PCI) • Social Security Numbers (SSN) • Messaging, communications, logs, etc

  40. Map Your Sensitive Data Sensitive Data Flow

  41. Map Your Sensitive Data 3rd Parties 41% show root cause

    from a third party mistake

  42. “The simplest things are often the truest.” ― Ricard Bach

  43. Map Your Sensitive Data Secure your SDLC Get Everyone Involved

  44. Secure your SDLC 3rd Parties

  45. Secure your SDLC Software Development Life Cycle

  46. Secure your SDLC • What needs to be done •

    Privacy Laws (local, international) • Terms and Conditions • Ethical/Moral requirements • Encryption • Availability Requirements

  47. Secure your SDLC • User Privacy Settings • Strong Password

    requirements • Two-factor authentication • Email Authentication • Secure Sensitive Data Deletion • A masked staging environment • Anonymized analytics Features

  48. Secure your SDLC Find your weak layer

  49. Secure your SDLC Threat Modeling

  50. Secure your SDLC Peer Code Review • Authentication • Authorization

    • Encrypting sensitive data • Error Handling • Input data validation • Add on configuration • Complex Code

  51. Secure your SDLC Static Analysis

  52. Secure your SDLC • Full team QA • Dogfood your

    own product • Setup secure staging env • Test on different account types Manual testing

  53. Secure your SDLC Dynamic Analysis

  54. Secure your SDLC Be on High Alert • Exception Rates

    • Your Logs • Page Load Times • HTTP errors • Database performance • Database queries

  55. Secure your SDLC Be on High Alert • Do one

    final security check • Have a plan to revert • Check out page load times • Are there HTTP errors/exceptions • Database performance

  56. Secure your SDLC Logging • Get familiar with them •

    Filter out sensitive information • Cut back on noise • Use Lograge to collapse requests • Centralize all logs • Use structured logs

  57. Secure your SDLC Monitoring and Alerts • What is the

    normal behavior • Alert severity levels • Appropriate thresholding • Adjust alerting as needed

  58. “Uncertainty is the only certainty there is, and knowing how

    to live with insecurity is the only security.” ― John Allen Paulos

  59. @Krista_A_Nelson Developer / User Protection Advocate