Application Security
Defending Against Data Breaches, as a Practicing Ruby Developer

Summarized using AI

Defending Against Data Breaches, as a Practicing Ruby Developer

Frank Rietta • October 02, 2015 • Earth

In the presentation "Defending Against Data Breaches, as a Practicing Ruby Developer," Frank Rietta discusses the critical importance of application security, particularly for developers not specializing in security. He emphasizes that security cannot be treated as a simple on/off switch but must be an integrated aspect of the software development process. Rietta begins by stating that developers must take responsibility for preventing data breaches, which are defined not only by unauthorized access but also by the lack of encryption.

Key Points Discussed:

- Understanding Security:

- Security is a process and mindset encompassing more than just activating SSL.

- Application security focuses on protecting data and privacy against both malicious hackers and legitimate users who may exceed their access.

  • Definition of Data Breaches:

    • A data breach occurs when unauthorized individuals can access sensitive information, even if the data is not explicitly accessed.
    • Rietta illustrates this with examples such as stolen laptops with unencrypted data.
  • Statistics and Common Vulnerabilities:

    • He cites the Verizon Data Breach Report indicating over 50% of attacks stem from stolen credentials, stressing the importance of strong authentication.
    • Discusses OWASP Top 10 vulnerabilities like insecure passwords and unpatched software, and highlights developers' roles in ensuring security.
  • Cultural Approach to Security:

    • Developers are encouraged to approach security as a fundamental requirement from the inception of project development.
    • Emphasizes creating an information classification system to protect data based on sensitivity levels.
  • Security in User Stories:

    • Rietta recommends incorporating security constraints into user stories to ensure thorough input validation and secure password policies.
    • Illustrates how to improve security practices from standard login procedures to customer service functionalities.
  • Adoption of Best Practices:

    • Promotes familiarity with the OWASP Top 10 as a means to understand and mitigate common web application vulnerabilities.
    • Suggests utilizing encryption standards and ensuring strong authentication measures across applications.

Conclusion and Takeaways:

- Rietta concludes by reiterating that security should be viewed as an organization-wide cultural commitment.

- Emphasizes the need for a defense-in-depth strategy and advocates treating security as an integral part of the development process to safeguard user data and build trust.

Defending Against Data Breaches, as a Practicing Ruby Developer
Frank Rietta • October 02, 2015 • Earth

By, Frank Rietta
You've been hearing about big data breaches in the news. As a developer who doesn't specialize in security, knowing how to protect your application from getting hacked may seem like a daunting task. However, fundamentals in the design and development process will greatly increase the security that protects your users from harm.

Help us caption & translate this video!

http://amara.org/v/HLd3/

Rocky Mountain Ruby 2015

00:00:24.130 Hey everyone, my name is Frank Rietta. My background is as a developer, and I have a background in computer science and information security. I'm out of Atlanta, where I work with a company that I started, which specializes in building web applications where security is a priority. I'm here to talk to you about data breaches and how you, as a developer, can help prevent them. History has taught us that when you develop an application and it starts amassing customer data, relying on historically normative means of protecting that information often fails.
00:00:43.600 Consequently, the slides are available on Speaker Deck, and there's a paper that details this topic. If you're interested in a more in-depth version, feel free to check that out. I also have two Blue FIDO Universal two-factor tokens to give away, so be prepared for your questions because that is primarily what we're going to discuss. It could be a question for a friend, something you're dealing with, or something based on this talk.
00:01:05.930 Let me start with a fundamental axiom of security: security is not an on/off switch. You can't just flip on an SSL switch, which would be great because then you could take the data coming from your customers and encrypt it while it's in transit across the network to your services. However, since we can't rely solely on network security, we need to focus on application security. My definition of application security is that it is the area of information security concerned with protecting data and privacy against adversaries who have access to the software system as a whole.
00:01:58.560 The term 'adversaries' is important here because not all adversaries are hackers; they could be federal law enforcement agents or employees who have legitimate access to certain areas but exceed their authorized access. The goal of application security is to make the application itself more resilient against attacks. We're not simply going to hide it behind a firewall or turn on SSL and presume that we have security.
00:02:31.370 So, what is a data breach? To illustrate, consider this stick figure with a floppy disk. An unauthorized person gaining access to sensitive data and having the means to read it constitutes a breach. But there is an important caveat: even if the data isn't accessed, the breach is still defined by the lack of encryption. For example, if you have a laptop with sensitive data locked in your car and it gets stolen, and if that laptop is not encrypted, by law, it represents a data breach because you cannot prove that the person who stole it did not access the data.
00:03:19.230 On the other hand, if the laptop is encrypted, you may argue that there was no breach, as the thieves would have needed the key to access the data. This definition extends beyond physical theft; for example, if someone breaks into your Amazon account and accesses customer data or server instances, you must declare a breach, even if the hacker’s actual activity is not directly accessible. There is simply no proof that they did not access sensitive information.
00:04:11.279 This diagram presents a collection of data breaches over the last few years, where the size of each circle represents the number of records breached. As a developer, it is reasonable to be alarmed by these statistics, but it’s crucial to understand that the fundamental problems are not just problems of convenience. Security is not merely an on/off switch; there are basics we need to address.
00:04:49.110 This chart from the Verizon Data Breach Report outlines web hosting attacks from this year. Of a sample size of 205 enterprise-class systems, over fifty percent of breaches resulted from stolen credentials, particularly from staff members. This highlights the importance of preventing account compromise through strong authentication practices.
00:05:12.200 We must also consider common technical vulnerabilities. For instance, the OWASP Top 10 includes risks such as insecure passwords, lack of patching, and unencrypted backups. Developers should take personal ownership of these issues throughout the development process because weak security, such as unencrypted backups, has led to severe breaches in the past, including the incident involving bit.ly.
00:06:33.570 A notable quote from 2004 by Greg Hoglund and Gary McGraw indicated that most outsourced software is full of backdoors. I prefer to use the term 'vulnerabilities' instead of backdoors, and this aligns with my observations in practice. Security is not traditionally considered a functional requirement, but rather an attribute that can often be postponed. This deferment creates a dangerous situation: customers think developers are addressing security, developers think operations is responsible, and operations might believe someone else is handling it. In the end, no one is taking care of it.
00:07:06.200 As developers, we need to approach development with security in mind. Security should be treated as a fundamental requirement that needs to be addressed from the start. It's important to understand that not all information is equally sensitive. For example, in a governmental context, you hear about top-secret and secret information, while in a business context, we refer to PII (Personally Identifiable Information). However, what's really needed is an effective information classification system to ensure data is appropriately protected.
00:08:01.900 A basic information classification system can categorize data into several tiers, comparing public information with internal data and sensitive information defined by law. For instance, data identified as PII requires significant concern if compromised. Furthermore, there's data that may not be governed by laws but still holds value in affecting a company's reputation and customer trust.
00:08:52.150 Given the need for proper security, one tool developers can utilize is user stories with security constraints. These user stories incorporate security considerations into the development process. For those unfamiliar with user stories, they are descriptive components of functionality that involve conversations clarifying the details and tasks necessary for implementation. For example, when defining user stories, we can include specific security constraints to ensure robust input validation and password policies.
00:09:39.760 By including considerations for what would happen if a password were inadequate or if validation failed, we sharpen our focus on security issues. For instance, if users could create a password shorter than 12 characters, developers are alerted to increase password complexity and implement necessary verification mechanisms. Additionally, when customer service representative features allow staff to log in as customers, it is critical to enforce strict logging and require two-factor authentication.
00:11:02.690 We also need to think critically about private information that customer service representatives should not access. Database rules should restrict access based on necessity, and strong logging must be implemented to monitor staff actions. When responding to subpoenas, it is vital to engage in discussions with system administrators to avoid unnecessary data disclosures.
00:12:16.300 Now let's discuss direct object reference, which is an OWASP Top 10 issue. For instance, if I change the account number in the URL, I might gain unauthorized access to other user data. It’s important to clarify that users (especially non-technical stakeholders) may not consider this possibility, but authenticated users could exploit such vulnerabilities. This emphasizes the necessity of implementing robust security architecture.
00:13:00.540 Furthermore, as a disgruntled employee about to be fired, one might think to delete records or create chaos, impacting data retention and backup strategies. Criminal intent among users introduces significant risks; hence securing profile data and identifying risks while managing user data transparency becomes paramount.
00:14:06.890 Throughout this talk, we've emphasized the importance of structuring user stories to encompass security concerns. This awareness fosters insightful dialogues between business and technical teams about the threats faced by the application. Thus, we cannot simply adopt security practices as an afterthought; robust countermeasures must be integrated into the fabric of our application's development process.
00:14:56.020 Finally, it's vital for developers to familiarize themselves with the OWASP Top 10 vulnerabilities because these categories represent common risks across all web applications. The solutions are not unique to any framework like Rails or Sinatra; instead, they are universal practices aimed at enhancing security across the board. Enabling secure headers, forcing SSL, and employing automated tools such as Brakeman or Bundler Audit to detect vulnerabilities are vital steps we can take towards securing our applications.
00:15:37.670 Additional measures include utilizing encryption standards and practicing solid encryption measures for sensitive data. Such practices should not be mere suggestions but should be enforced as critical standards, particularly when working with historical data within legacy applications. We need to wrap up by reiterating that data breaches are a significant concern that won't disappear on their own. Your system is under constant threat, and you're the last line of defense.
00:17:17.930 Application security means preventing abuse by adversaries who may have access to your system. Poor security assumptions can lead to severe consequences. Implement an information classification system, treat security as a paramount requirement, and leverage user stories to mitigate vulnerabilities. Additionally, strong encryption and practical countermeasures are essential; two-factor authentication, in particular, must become the standard rather than the exception.
00:18:40.320 Ultimately, security requires a defense-in-depth strategy employing multiple concurrent controls to protect sensitive data and user information. Security is not merely about technical measures; it involves a cultural commitment to prioritize security at every level of the organization. As such, we must work proactively to ensure the integrity and security of our applications.
Explore all talks recorded at Rocky Mountain Ruby 2015
+9