Uncertain Times: Protecting your Rails App and User Data

It’s what everyone is talking about: cyber security, hacking and the safety of our data. Many of us are anxiously asking: what can we do? We can implement security best practices to protect our users’ personally identifiable information from harm. We each have the power, and the duty, to be a force for good.

Security is a moving target and a full team effort, so whether you are a beginner or a senior-level Rails developer, this talk covers important measures and resources to make sure your Rails app is as well secured as it can be.

Krista Nelson

April 25, 2017

Transcript

  1. Uncertain Times: Protecting your Rails Application and User Data

  2. Uncertain Times Ahead: Protecting your Rails App and User Data
  3. @Krista_A_Nelson Developer / User Protection Advocate

  4-7. Image-only slides (no text)
  8. “One cannot be prepared for something while secretly believing it will not happen” - Nelson Mandela
  9. 38% regularly upgrade software solutions. 41% of SMBs have some visibility into employee password practices and hygiene. 22% encrypt databases. Source: 2016 Internet Security Threat Report. It won’t happen to me…

  10. 43% of cyber attacks target small business. Source: Symantec’s 2016 Internet Security Threat Report

  11. It won’t happen to me…

  12. Polling SMBs for the past year: 55% reported a cyber-attack; 50% reported a data breach. Source: Ponemon Institute, The 2016 State of SMB Cybersecurity

  13. How bad can it be?

  14. 60% of small companies that suffer a cyber attack are out of business within six months. Source: Symantec’s 2016 Internet Security Threat Report

  15. Image-only slide (no text)

  16. Ok, we’ll pay for a product.

  17. 48% show root cause from a negligent employee or contractor. Source: Ponemon Institute, The 2016 State of SMB Cybersecurity

  18. 41% show root cause from a third-party mistake. Source: Ponemon Institute, The 2016 State of SMB Cybersecurity

  19. 63% of confirmed data breaches leverage a weak, default, or stolen password. Source: 2016 Data Breach Investigations Report from Verizon

  20. Change Your Passwords And Enable Two Factor Authentication

  21. 63% of businesses don't have a ‘fully mature’ method to track and control sensitive data. Source: 2014 State of Risk Report, as quoted in Trustwave Security Stats
  22. Let’s hit the road

  23. Map Your Sensitive Data Get Everyone Involved Secure your SDLC

  24. Map Your Sensitive Data Secure your SDLC Get Everyone Involved

  25. Map Your Sensitive Data Secure your SDLC Get Everyone Involved

  26. Get Everyone Involved

  27. Get Everyone Involved: Talk to leadership

  28. Get Everyone Involved: Talk to leadership. Show them the stats! 60% of small companies that suffer a cyber attack are out of business within six months.

  29. Get Everyone Involved: Talk to leadership
  30. Get Everyone Involved: Security Awareness Training
    • Who: All employees, contractors, anyone with access to sensitive data/code
    • What: What is considered sensitive. Data, code, policies, procedures
    • Why: Protect yourself, users, and company
    • When: Know when to say something
    • Where: Repository for policies

  31. Get Everyone Involved: Security Awareness Training
    • How:
      • Password manager
      • Two-factor auth
      • Secure your devices
      • When in doubt, delete
      • Careful what you email!
  32. “A good developer is a secure developer” - Krista Nelson

  33. Get Everyone Involved: Developer Training. Fundamentals - C.I.A.: Confidentiality, Integrity, Availability

  34. Get Everyone Involved: Developer Training. The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted.

  35. Get Everyone Involved: Developer Training

  36. Get Everyone Involved: Developer Training
    • Encryption types: RSA (asymmetric), AES (symmetric)
    • Hashing algorithms: MD5 and SHA256 are general-purpose digests; bcrypt and PBKDF2 are deliberately slow, salted password hashes. MD5 is broken, and neither MD5 nor a bare SHA256 is acceptable for storing passwords.
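The slide names the primitives but not how a Rails app should hold them. The following is an added example, written for this page rather than taken from the talk, that uses only the OpenSSL that ships with Ruby: PBKDF2-SHA256 with a per-user salt and a constant-time comparison for passwords, and AES-256-GCM with a fresh nonce and authenticated context for a sensitive column at rest. The iteration count, key sizes and the `users.ssn:42` context string are this example's own assumptions. In a real Rails app `has_secure_password` (bcrypt) covers the password side; PBKDF2 is used here only because it needs no extra gem.

```ruby
require 'openssl'
require 'securerandom'

# Assumed parameters: tune the iteration count so one hash costs tens of ms
# on your production hardware; the sizes are the usual ones.
PBKDF2_ITERATIONS = 100_000
PBKDF2_SALT_BYTES = 16
PBKDF2_KEY_BYTES  = 32

def secure_compare(a, b)
  # Constant-time equality so verification time does not leak which prefix matched.
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Password storage: a slow, per-user-salted KDF. A bare MD5/SHA256 of the
# password is cheap to brute-force offline once the users table is dumped.
def hash_password(password)
  salt = SecureRandom.random_bytes(PBKDF2_SALT_BYTES)
  dk = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, PBKDF2_KEY_BYTES, 'sha256')
  # Self-describing record: scheme$iterations$salt$hash, base64 so it fits a text column.
  ['pbkdf2-sha256', PBKDF2_ITERATIONS, [salt].pack('m0'), [dk].pack('m0')].join('$')
end

def password_matches?(stored, candidate)
  scheme, iterations, salt_b64, dk_b64 = stored.to_s.split('$')
  return false unless scheme == 'pbkdf2-sha256' && dk_b64
  salt = salt_b64.unpack1('m0')
  expected = dk_b64.unpack1('m0')
  actual = OpenSSL::PKCS5.pbkdf2_hmac(candidate, salt, iterations.to_i, expected.bytesize, 'sha256')
  secure_compare(expected, actual)
end

# Sensitive columns at rest: AES-256-GCM with a fresh random nonce per value.
# `context` is authenticated but not encrypted (e.g. "users.ssn:42"), so a
# ciphertext copied into another row or column fails to decrypt.
def encrypt_field(key, plaintext, context)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.encrypt
  cipher.key = key
  iv = cipher.random_iv          # 12-byte nonce; never reuse one with the same key
  cipher.auth_data = context
  ciphertext = cipher.update(plaintext) + cipher.final
  [iv, cipher.auth_tag, ciphertext].map { |b| [b].pack('m0') }.join(':')
end

def decrypt_field(key, blob, context)
  parts = blob.to_s.split(':')
  return nil unless parts.size == 3
  iv, tag, ciphertext = parts.map { |s| s.unpack1('m0') }
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = context
  cipher.update(ciphertext) + cipher.final
rescue OpenSSL::Cipher::CipherError, ArgumentError
  nil   # wrong key, wrong context, or tampered bytes: refuse, never return garbage
end

if $PROGRAM_NAME == __FILE__
  stored = hash_password('correct horse battery staple')
  puts stored
  puts password_matches?(stored, 'correct horse battery staple')   # true
  key = SecureRandom.random_bytes(32)   # in practice: from a KMS or encrypted credentials, never the repo
  blob = encrypt_field(key, '123-45-6789', 'users.ssn:42')
  puts decrypt_field(key, blob, 'users.ssn:42')                    # 123-45-6789
  puts decrypt_field(key, blob, 'users.ssn:43').inspect            # nil
end
```

The point of the GCM tag and the context string is the "22% encrypt databases" figure from slide 9: encryption without authentication still lets an attacker with write access to the database swap or corrupt values silently, and `decrypt_field` returning `nil` is the behaviour you want in that case.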
  37. Map Your Sensitive Data Full Team Effort Secure your SDLC

  38. Map Your Sensitive Data: Know your Danger Zones

  39. Map Your Sensitive Data: Types of Sensitive Data
    • Personally Identifiable Information (PII)
    • Protected Health Information (PHI, regulated under HIPAA)
    • Payment Card Information (covered by PCI DSS)
    • Social Security Numbers (SSN)
    • Messaging, communications, logs, etc.

  40. Map Your Sensitive Data: Sensitive Data Flow

  41. Map Your Sensitive Data: 3rd Parties. 41% show root cause from a third-party mistake.
  42. “The simplest things are often the truest.” ― Richard Bach

  43. Map Your Sensitive Data Secure your SDLC Get Everyone Involved

  44. Secure your SDLC: 3rd Parties

  45. Secure your SDLC: Software Development Life Cycle

  46. Secure your SDLC
    • What needs to be done
    • Privacy laws (local, international)
    • Terms and Conditions
    • Ethical/moral requirements
    • Encryption
    • Availability requirements

  47. Secure your SDLC: Features
    • User privacy settings
    • Strong password requirements
    • Two-factor authentication
    • Email authentication
    • Secure sensitive data deletion
    • A masked staging environment
    • Anonymized analytics
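Two-factor authentication appears here as a feature to build and earlier (slide 31) as advice to everyone; the deck does not show the mechanism. The following is an added example, not code from the talk, of the time-based one-time password that authenticator apps generate (RFC 4226 HOTP under RFC 6238 TOTP) in plain Ruby with the bundled OpenSSL. The verification window, the replay rule and the `last_counter` bookkeeping are this example's own choices; the test vectors are the ones published in those RFCs.

```ruby
require 'openssl'
require 'securerandom'

TOTP_STEP_SECONDS = 30
TOTP_DIGITS = 6

# HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
# "dynamic truncation" of the 20-byte MAC down to a 31-bit integer.
def hotp(secret, counter, digits: TOTP_DIGITS)
  mac = OpenSSL::HMAC.digest('sha1', secret, [counter].pack('Q>')).bytes
  offset = mac[19] & 0x0f
  code = ((mac[offset] & 0x7f) << 24) | (mac[offset + 1] << 16) |
         (mac[offset + 2] << 8) | mac[offset + 3]
  format("%0#{digits}d", code % 10**digits)
end

# TOTP (RFC 6238): HOTP with the counter derived from the clock.
def totp_counter(time)
  time.to_i / TOTP_STEP_SECONDS
end

def totp(secret, time = Time.now)
  hotp(secret, totp_counter(time))
end

def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server-side check. `last_counter` is the counter of the last code this user
# successfully used (persist it per user, -1 if none): anything at or before it
# is rejected, so a code phished or sniffed seconds ago cannot be replayed.
# `window` steps of clock drift either side are tolerated. Returns the accepted
# counter (save it as the new last_counter) or nil.
def verify_totp(secret, code, last_counter:, time: Time.now, window: 1)
  now = totp_counter(time)
  (now - window..now + window).each do |counter|
    next if counter <= last_counter
    return counter if secure_compare(hotp(secret, counter), code.to_s)
  end
  nil
end

if $PROGRAM_NAME == __FILE__
  # The shared secret is random bytes generated at enrollment; the app shows it
  # to the authenticator base32-encoded in an otpauth:// URI (not implemented here).
  secret = SecureRandom.random_bytes(20)
  code = totp(secret)
  puts "code now: #{code}"
  accepted = verify_totp(secret, code, last_counter: -1)
  puts "accepted at counter #{accepted.inspect}"
  puts "replay: #{verify_totp(secret, code, last_counter: accepted).inspect}"   # nil
end
```

Store the secret the way you would store a password reset token, not the way you store a password: it must be recoverable to compute codes, so the AES-GCM field encryption from the earlier example (or Rails encrypted credentials for the key) is the right home for it.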
  48. Secure your SDLC Find your weak layer

  49. Secure your SDLC Threat Modeling

  50. Secure your SDLC: Peer Code Review
    • Authentication
    • Authorization
    • Encrypting sensitive data
    • Error handling
    • Input data validation
    • Add-on configuration
    • Complex code
  51. Secure your SDLC Static Analysis

  52. Secure your SDLC: Manual testing
    • Full team QA
    • Dogfood your own product
    • Set up a secure staging environment
    • Test on different account types
  53. Secure your SDLC Dynamic Analysis

  54. Secure your SDLC: Be on High Alert
    • Exception rates
    • Your logs
    • Page load times
    • HTTP errors
    • Database performance
    • Database queries

  55. Secure your SDLC: Be on High Alert
    • Do one final security check
    • Have a plan to revert
    • Check page load times
    • Are there HTTP errors/exceptions?
    • Database performance

  56. Secure your SDLC: Logging
    • Get familiar with them
    • Filter out sensitive information
    • Cut back on noise
    • Use Lograge to collapse requests
    • Centralize all logs
    • Use structured logs
  57. Secure your SDLC: Monitoring and Alerts
    • What is the normal behavior?
    • Alert severity levels
    • Appropriate thresholding
    • Adjust alerting as needed
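The slide's four bullets, together with the exception-rate and HTTP-error items from slides 54 and 55, describe threshold alerting over the logs you just made structured. As an added example (not part of the talk), the block below runs two such rules over constructed JSON log lines: a sliding-window count of failed logins per IP, which is what the "63% stolen password" breaches look like from the server side, and a 5xx ratio compared against a baseline. The baseline, thresholds, severities and sample traffic are this example's own; in production the baseline is measured from normal behaviour and the thresholds adjusted from there.

```ruby
require 'json'
require 'time'

Alert = Struct.new(:severity, :rule, :detail)

# Constructed sample log: one JSON object per request, as a structured logger emits.
def sample_log_lines
  base = Time.utc(2017, 4, 25, 10, 0, 0)
  rows = []
  # 12 failed logins from one address in 33 seconds: credential stuffing.
  12.times { |i| rows << { time: base + 3 * i, method: 'POST', path: '/login', status: 401, ip: '203.0.113.9' } }
  # A normal user who mistypes once and then browses.
  rows << { time: base + 5, method: 'POST', path: '/login', status: 401, ip: '198.51.100.4' }
  rows << { time: base + 7, method: 'POST', path: '/login', status: 200, ip: '198.51.100.4' }
  10.times { |i| rows << { time: base + 10 + i, method: 'GET', path: '/posts', status: 200, ip: '198.51.100.4' } }
  # An exception burst after a deploy.
  3.times { |i| rows << { time: base + 40 + i, method: 'GET', path: '/posts/1', status: 500, ip: '198.51.100.4' } }
  rows.map { |h| h.merge(time: h[:time].iso8601).to_json }
end

def parse_events(lines)
  lines.map do |line|
    h = JSON.parse(line)
    { time: Time.iso8601(h['time']), method: h['method'], path: h['path'],
      status: h['status'].to_i, ip: h['ip'] }
  end
end

# Rule 1: N or more failed logins from one IP inside a sliding window.
# Threshold and window are assumptions; a login form gets a few 401s per user.
def failed_login_bursts(events, threshold: 10, window_seconds: 60)
  failures = events.select { |e| e[:path] == '/login' && e[:status] == 401 }
  failures.group_by { |e| e[:ip] }.map do |ip, evs|
    times = evs.map { |e| e[:time] }.sort
    start = 0
    hit = nil
    times.each_with_index do |t, i|
      start += 1 while t - times[start] > window_seconds   # slide the window forward
      count = i - start + 1
      if count >= threshold
        hit = count
        break
      end
    end
    hit && Alert.new(:high, 'failed_login_burst', "#{hit} failed logins from #{ip} within #{window_seconds}s")
  end.compact
end

# Rule 2: share of 5xx responses well above the measured baseline.
def error_rate_alert(events, baseline_ratio: 0.005, multiplier: 5)
  return nil if events.empty?
  ratio = events.count { |e| e[:status] >= 500 }.fdiv(events.size)
  return nil unless ratio > baseline_ratio * multiplier
  Alert.new(:medium, 'http_5xx_rate',
            format('5xx ratio %.1f%% vs %.1f%% baseline', ratio * 100, baseline_ratio * 100))
end

def run_rules(lines, login_threshold: 10, baseline_ratio: 0.005)
  events = parse_events(lines)
  alerts = failed_login_bursts(events, threshold: login_threshold)
  rate = error_rate_alert(events, baseline_ratio: baseline_ratio)
  alerts << rate if rate
  alerts
end

if $PROGRAM_NAME == __FILE__
  run_rules(sample_log_lines).each { |a| puts "[#{a.severity}] #{a.rule}: #{a.detail}" }
end
```

The severity split matters for "adjust alerting as needed": a login burst is worth paging on (block the IP, force password resets if any of the attempts succeeded), while a 5xx spike right after a deploy is usually the "have a plan to revert" case from slide 55.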
  58. “Uncertainty is the only certainty there is, and knowing how to live with insecurity is the only security.” ― John Allen Paulos
  59. @Krista_A_Nelson Developer / User Protection Advocate