RailsConf 2019 - No Such Thing as a Secure Application by Lyle Mullican

_______________________________________________________________________________________________

Cloud 66 - Pain Free Rails Deployments

Cloud 66 for Rails acts like your in-house DevOps team to build, deploy and maintain your Rails applications on any cloud or server. Get $100 Cloud 66 Free Credits with the code: RailsConf-19 ($100 Cloud 66 Free Credits, for the new user only, valid till 31st December 2019)

Link to the website: https://cloud66.com/rails?utm_source=-&utm_medium=-&utm_campaign=RailsConf19

Link to sign up: https://app.cloud66.com/users/sign_in?utm_source=-&utm_medium=-&utm_campaign=RailsConf19

_______________________________________________________________________________________________

A developer's primary responsibility is to ship working code, and by the way, it's also expected to be secure code. The definition of "working" may be quite clear, but the definition of "secure" is often surprisingly hard to pin down. This session will explore a few ways to help you define what application security means in your own context, how to build security testing and resilience into your development processes, and how to have more productive conversations about security topics with product and business owners.
Summary
In the presentation "No Such Thing as a Secure Application" delivered at RailsConf 2019, Lyle Mullican explores the nuanced concept of application security, emphasizing that true security is not a checkbox but a risk management process. He outlines the importance of defining what security means in the context of software development and advocates a proactive approach to integrating security into the development lifecycle.

**Key Points Discussed:**

- **Security vs. Functionality**: While developers are adept at defining functional requirements for software, there is a notable lack of tools for expressing security needs. This gap leads to vague assumptions about the security of applications.
- **Understanding Security**: Mullican points out that security is fundamentally about managing risk, involving specific controls tailored to mitigate identified threats. Instead of asking whether an application is secure, we should ask in which ways it is secure or insecure.
- **Defining Threats**: Establishing a threat model is crucial. This involves identifying potential threats, assessing their likelihood and impact, and prioritizing them based on risk.
- **Testing Security Controls**: Effective security requires rigorous testing of the implemented controls through several methods:
  - **Explicit Tests**: Tests that validate whether security measures behave as intended.
  - **Static Analysis**: Tools like Brakeman that assess code structure for vulnerabilities without executing the code.
  - **Dynamic Analysis**: Running the application and testing its response to various inputs, which can uncover hidden issues.
  - **Manual Testing**: Engaging experienced testers to identify vulnerabilities that automated tools may miss.
- **Resilience and Incident Response**: Security incidents are inevitable, so rapid detection and a clear incident response strategy can mitigate damage. Mullican describes easy-to-implement strategies to improve response, such as trap routes that alert developers to probing attempts.
- **Cultural Aspects of Security**: It is essential to foster a security culture within organizations by encouraging documentation and structured security discussions. This helps shift conversations from blaming individuals for security failures to improving overall systems and processes.
- **Useful Tools and Resources**: The presenter recommends several tools and resources for securing Rails applications, including Brakeman, Bundler Audit, and OWASP guidelines.

In conclusion, Mullican emphasizes that while no application can be completely secure, developers must adopt a robust approach to security that includes consistent testing, risk management, and open dialogue about security practices in the context of business needs and technological challenges.
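The "trap route" idea and the "explicit tests" point above can be illustrated together. The following is an added example written for this page, not code from the talk or from any project Mullican mentions. It assumes a Rack-compatible stack (Rails applications are Rack applications, so a middleware like this can be inserted in front of the app). The trap paths, client addresses and the inner application are all constructed for the example; a real deployment would choose paths its own application never legitimately serves and would route the alert to whatever channel the team actually watches.

```ruby
# Added example (not from the talk): a Rack-style "trap route" middleware.
# It sits in front of the real application. Requests to paths the application
# never serves are recorded (client IP, path, time) and handed to an alert
# callback, then answered with a plain 404 so the request looks like any other miss.
require "time"
require "set"
require "json"

class TrapRoutes
  # Constructed trap paths for this example; pick paths your own app never exposes.
  DEFAULT_TRAPS = ["/admin/backup.zip", "/.env", "/internal/debug"].freeze

  Hit = Struct.new(:ip, :path, :verb, :at)

  attr_reader :hits

  # `alert` receives each Hit; default just writes a JSON line to stderr.
  def initialize(app, traps: DEFAULT_TRAPS, &alert)
    @app = app
    @traps = Set.new(traps.map { |p| normalize(p) })
    @alert = alert || ->(hit) { $stderr.puts("TRAP HIT #{hit.to_h.to_json}") }
    @hits = []
  end

  def call(env)
    path = normalize(env["PATH_INFO"].to_s)
    return @app.call(env) unless @traps.include?(path)

    hit = Hit.new(client_ip(env), path, env["REQUEST_METHOD"], Time.now.utc.iso8601)
    @hits << hit
    @alert.call(hit)
    # Same body and status as any other unknown path, so the response gives no hint.
    [404, { "content-type" => "text/plain" }, ["Not Found\n"]]
  end

  private

  # Strip trailing slashes and collapse case so "/.ENV/" still matches "/.env".
  def normalize(path)
    p = path.downcase.sub(%r{/+\z}, "")
    p.empty? ? "/" : p
  end

  # Use the first X-Forwarded-For address when present; in production only trust
  # that header when it was set by a proxy you control.
  def client_ip(env)
    forwarded = env["HTTP_X_FORWARDED_FOR"].to_s.split(",").first.to_s.strip
    forwarded.empty? ? env["REMOTE_ADDR"].to_s : forwarded
  end
end

# Minimal stand-in for the real application: serves "/" and "/health" only.
INNER_APP = lambda do |env|
  case env["PATH_INFO"]
  when "/", "/health" then [200, { "content-type" => "text/plain" }, ["ok\n"]]
  else [404, { "content-type" => "text/plain" }, ["Not Found\n"]]
  end
end

# Build a Rack env hash from constructed request data (no server needed).
def build_env(verb, path, remote_addr, forwarded_for: nil)
  env = { "REQUEST_METHOD" => verb, "PATH_INFO" => path, "REMOTE_ADDR" => remote_addr }
  env["HTTP_X_FORWARDED_FOR"] = forwarded_for if forwarded_for
  env
end

# Drive the middleware with constructed requests and report what it recorded.
# This is the shape of an "explicit test": assert the control fires on the
# probes and stays silent on legitimate traffic.
def run_demo
  alerts = []
  app = TrapRoutes.new(INNER_APP) { |hit| alerts << hit }
  statuses = [
    build_env("GET", "/", "10.0.0.5"),
    build_env("GET", "/.ENV/", "203.0.113.9"),
    build_env("GET", "/admin/backup.zip", "10.0.0.8", forwarded_for: "198.51.100.7, 10.0.0.8"),
    build_env("GET", "/health", "10.0.0.5"),
  ].map { |env| app.call(env).first }
  { statuses: statuses, hits: app.hits.map(&:to_h), alerts: alerts.size }
end

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(run_demo)
end
```

Running the file prints the four response statuses (200, 404, 404, 200) and the two recorded hits. Wiring `run_demo`-style assertions into the application's own test suite is the explicit test the talk calls for: the trap must keep firing after refactors, and the legitimate routes must never trip it. Because the 404 is indistinguishable from the app's normal miss, the alert is the only observable effect, which is what makes it a detection control rather than a user-facing feature.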