Uncertain Times: Protecting your Rails App and User Data

It’s what everyone is talking about: cyber security, hacking and the safety of our data. Many of us are anxiously asking what we can do. We can implement security best practices to protect our users’ personally identifiable information from harm. We each have the power and the duty to be a force for good.

Security is a moving target and a full-team effort, so whether you are a beginner or a senior-level Rails developer, this talk will cover important measures and resources to make sure your Rails app is as secure as it can be.

Krista Nelson

April 25, 2017

Transcript

  1. 1.

    Uncertain Times: Protecting your Rails Application and User Data
  2. 2.

    Uncertain Times Ahead: Protecting your Rails App and User Data
  7. 9.

    38% regularly upgrade software solutions
    41% of SMBs have some visibility into employee password practices and hygiene
    22% encrypt databases
    Source: 2016 Internet Security Threat Report
    It won’t happen to me…
  8. 10.

    43% of cyber attacks target small business
    Source: Symantec’s 2016 Internet Security Threat Report
  9. 11.

    It won’t happen to me…
  10. 12.

    Polling SMBs for the past year:
    55% reported a cyber-attack
    50% reported a data breach
    Source: Ponemon Institute, The 2016 State of SMB Cybersecurity
  11. 13.

    How bad can it be?
  12. 14.

    60% of small companies that suffer a cyber attack are out of business within six months.
    Source: Symantec’s 2016 Internet Security Threat Report
  14. 16.

    Ok, we’ll pay for a product.
  15. 17.

    48% show root cause from a negligent employee or contractor.
    Source: Ponemon Institute, The 2016 State of SMB Cybersecurity
  16. 18.

    41% show root cause from a third-party mistake.
    Source: Ponemon Institute, The 2016 State of SMB Cybersecurity
  17. 19.

    63% of confirmed data breaches leverage a weak, default, or stolen password.
    Source: 2016 Data Breach Investigations Report from Verizon
  18. 20.

    Change Your Passwords and Enable Two-Factor Authentication
  19. 21.

    63% of businesses don’t have a ‘fully mature’ method to track and control sensitive data.
    Source: 2014 State of Risk Report, as quoted in Trustwave Security Stats
  20. 28.

    60% of small companies that suffer a cyber attack are out of business within six months.
    Show them the stats! Talk to leadership.
    Get Everyone Involved
  21. 30.

    Get Everyone Involved: Security Awareness Training
    Who: All employees, contractors, anyone with access to sensitive data/code
    What: What is considered sensitive. Data, code, policies, procedures
    Why: Protect yourself, users, and company
    When: Know when to say something
    Where: Repository for policies
  22. 31.

    Get Everyone Involved: Security Awareness Training
    How:
    • Password Manager
    • Two Factor Auth
    • Secure your Devices
    • When in doubt, delete
    • Careful what you email!
  23. 34.

    Get Everyone Involved: Developer Training
    The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted.
  24. 39.

    Map Your Sensitive Data
    Types of Sensitive Data:
    • Personally Identifiable Information (PII)
    • Protected Health Information (HIPAA)
    • Payment Card Information (PCI)
    • Social Security Numbers (SSN)
    • Messaging, communications, logs, etc.
  25. 46.

    Secure your SDLC: What needs to be done
    • Privacy Laws (local, international)
    • Terms and Conditions
    • Ethical/Moral requirements
    • Encryption
    • Availability Requirements
  26. 47.

    Secure your SDLC: Features
    • User Privacy Settings
    • Strong Password requirements
    • Two-factor authentication
    • Email Authentication
    • Secure Sensitive Data Deletion
    • A masked staging environment
    • Anonymized analytics
  27. 50.

    Secure your SDLC: Peer Code Review
    • Authentication
    • Authorization
    • Encrypting sensitive data
    • Error Handling
    • Input data validation
    • Add-on configuration
    • Complex Code
  28. 52.

    Secure your SDLC: Manual testing
    • Full team QA
    • Dogfood your own product
    • Set up a secure staging env
    • Test on different account types
  29. 54.

    Secure your SDLC: Be on High Alert
    • Exception Rates
    • Your Logs
    • Page Load Times
    • HTTP errors
    • Database performance
    • Database queries
  30. 55.

    Secure your SDLC: Be on High Alert
    • Do one final security check
    • Have a plan to revert
    • Check out page load times
    • Are there HTTP errors/exceptions?
    • Database performance
  31. 56.

    Secure your SDLC: Logging
    • Get familiar with them
    • Filter out sensitive information
    • Cut back on noise
    • Use Lograge to collapse requests
    • Centralize all logs
    • Use structured logs
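    The "filter out sensitive information" and "use structured logs" points above, as an added example in plain Ruby (not the talk's code and not Rails' own ParameterFilter or Lograge): a recursive filter that masks values under sensitive keys, the way a Rails app's config.filter_parameters list does, and a one-line-per-request JSON log entry of the kind Lograge collapses request logging into. The key patterns, the helper names and the sample request are assumptions.

```ruby
require "json"
# Key patterns treated as sensitive (an assumption for this example; a Rails app
# sets its own list in config.filter_parameters).
SENSITIVE_KEYS = [/passw/i, /token/i, /secret/i, /ssn/i, /card/i, /cvv/i].freeze
MASK = "[FILTERED]"

# Recursively walk params; any value whose key matches a sensitive pattern is
# replaced by MASK, including inside nested hashes and arrays of hashes.
def filter_params(value)
  case value
  when Hash
    value.each_with_object({}) do |(k, v), out|
      out[k] = SENSITIVE_KEYS.any? { |re| k.to_s.match?(re) } ? MASK : filter_params(v)
    end
  when Array
    value.map { |v| filter_params(v) }
  else
    value
  end
end

# One structured line per request (the shape Lograge collapses Rails' multi-line
# request logging into); params go through the filter before serialization.
def request_log_line(method:, path:, status:, duration_ms:, params:)
  JSON.generate({
    "method" => method, "path" => path, "status" => status,
    "duration_ms" => duration_ms, "params" => filter_params(params)
  })
end

# Check a finished log line for raw values that must never be written; returns
# the offending values so a test or a log-shipping hook can fail loudly.
def leaked_values(line, raw_values)
  raw_values.select { |v| line.include?(v) }
end

# Constructed sample signup request (not real data).
SAMPLE_PARAMS = {
  "user" => { "email" => "ada@example.com", "password" => "hunter2",
              "profile" => { "ssn" => "123-45-6789", "zip" => "02139" } },
  "payment" => { "card_number" => "4111111111111111", "exp" => "12/29" },
  "items" => [{ "sku" => "A1", "api_token" => "tok_abc" }]
}

if __FILE__ == $PROGRAM_NAME
  line = request_log_line(method: "POST", path: "/users", status: 201,
                          duration_ms: 42, params: SAMPLE_PARAMS)
  puts line
  puts "leaked: #{leaked_values(line, %w[hunter2 123-45-6789 tok_abc]).inspect}"
end
```

    Matching on key names means a secret posted under an unexpected key (or inside a free-text field) still reaches the log, which is why the leak check on the finished line is worth running in CI against fixtures.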
  32. 57.

    Secure your SDLC: Monitoring and Alerts
    • What is the normal behavior?
    • Alert severity levels
    • Appropriate thresholding
    • Adjust alerting as needed
  33. 58.

    “Uncertainty is the only certainty there is, and knowing how to live with insecurity is the only security.” ― John Allen Paulos