Talks

Summarized using AI

Ruby Security Gems

Angela Choi • February 28, 2023 • online

In the video titled "Ruby Security Gems" presented by Angela Choi at the WNB.rb Meetup, the focus is on enhancing web application security through the implementation of specific Ruby security gems. Angela, a software developer with experience in web security, shares valuable insights on how developers can protect user information.

Key Points Discussed:
- Introduction to Security Concerns: Angela begins by emphasizing the responsibility developers have in protecting user data, citing her personal experience with increasing the security of her bank account.

  • Overview of Two Security Gems:

    • Lockbox:
    • Used for encrypting sensitive data at the application level, making it easier to manage existing data without extensive migration.
    • Recommended for securing personally identifiable information (PII) like customer addresses, social security numbers, and medical records.
    • Notes that while encryption enhances security, it is not foolproof as hackers may exploit vulnerabilities if they obtain the encryption key.
    • Device Gem Enhancements:
    • Custom Password:
      • Allows for stricter password policies, encouraging longer and more complex passwords to prevent easy hacks.
      • Example: Enforcing a minimum of 12 characters with mixed complexity significantly improves security compared to the default 6-character requirement that can be easily cracked.
    • Trackable:
      • Tracks user sign-in information, which can help monitor suspicious activities.
      • Allows administrators to review user login attempts and set alerts for unusual patterns.
    • Lockable:
      • Locks user accounts after a defined number of failed login attempts, providing a security measure akin to what is commonly seen in banking sites.
  • Conclusion and Takeaways:

    • Emphasizes the importance of implementing stronger security measures in web applications.
    • Recommends using Lockbox for data encryption and device gems for managing user authentication effectively.
    • Stresses that while no encryption method is entirely secure, adopting these practices significantly reduces risks associated with data theft and unauthorized access.

Ruby Security Gems
Angela Choi • February 28, 2023 • online

Is your web application secured? Learn and discover some security gems you can implement in your project or at work. This talk will cover an overview of two security gems and when to use each of them.
https://www.wnb-rb.dev/meetups/2023/02/28

WNB.rb Meetup

00:00:00.120 all right so let's get started today
00:00:02.700 I'll be talking about Ruby security gems
00:00:08.460 um a quick intro my name is Angela I'm
00:00:11.099 currently residing in Toronto I am
00:00:13.620 actually from New York City and Canada
00:00:15.420 is way too cold for me but I am
00:00:18.359 embracing the winter Vibes out here
00:00:23.160 um and currently I'm a software
00:00:25.439 developer at bite side it's a small
00:00:27.420 custom software shop based out of Ottawa
00:00:30.800 and my interest in the web security
00:00:33.120 actually began during my software
00:00:35.640 engineering boot camp I felt that as a
00:00:38.760 developer there was some kind of like
00:00:40.500 responsibility to protect users this
00:00:42.540 information since I am building an
00:00:44.520 application uh that they will be using
00:00:46.680 and most recently my bank account was
00:00:49.260 almost hacked and since then I've
00:00:51.600 changed my bank account password to be
00:00:53.340 more than 30 characters long just to be
00:00:55.800 extra secure and I've also taken a
00:00:58.379 greater initiative at work implementing
00:01:00.899 security features for web applications
00:01:05.280 all right so let's dive in
00:01:07.500 um so these are the security gems that
00:01:11.159 um the past like several months that
00:01:13.020 I've had an opportunity to research and
00:01:14.820 Implement security gems at work and so
00:01:17.520 I'll be sharing
00:01:18.960 um the gems that have influenced
00:01:20.580 implemented today
00:01:23.100 the first one is lockbox
00:01:25.939 and lockbox allows you to encrypt uh
00:01:30.360 sensitive data at the application Level
00:01:32.520 which is uh crucial for data and
00:01:34.799 security and it's actually
00:01:36.900 um very easy to migrate existing data as
00:01:39.299 well so if you didn't have any
00:01:42.479 um
00:01:43.140 encryption encrypted data at the moment
00:01:45.780 for like a web application you can
00:01:47.880 actually uh migrate it very easily I've
00:01:49.799 done this before
00:01:51.500 and a use case to use a lock box would
00:01:55.079 be to encrypt sensitive data such as
00:01:57.720 personal identifiable information also
00:02:00.540 known as pii such as a customer's
00:02:03.420 address social security number driver's
00:02:06.240 license medical records just very
00:02:08.280 sensitive information that you don't
00:02:09.899 want to be like leaked
00:02:12.860 and however
00:02:15.660 um by no encryption is foolproof and
00:02:19.440 weaknesses can be discovered or
00:02:21.120 exploited by hackers and so hackers
00:02:24.300 can't see the encrypted data unless the
00:02:27.120 encryption key or passphrase is used to
00:02:29.760 decrypt it so if a hacker manages to
00:02:32.700 obtain the encryption key or crack it or
00:02:35.280 crack the encryption algorithm then they
00:02:37.319 can gain access to the data so just by
00:02:40.020 encrypting your database it's not going
00:02:42.300 to be you know safe but it is still very
00:02:45.780 good to encrypt your database I would
00:02:47.940 say and so in addition to encrypting the
00:02:51.480 database it's also just as important to
00:02:54.060 enforce users users to have strong
00:02:56.580 passwords and Implement multi-factor
00:02:59.120 authentication device also has a
00:03:02.340 two-factor gem that you can also easily
00:03:04.440 Implement into your rails application I
00:03:07.500 haven't used this before but I was
00:03:09.540 looking at the documentation and looks
00:03:11.300 not too bad moment
00:03:13.920 I won't be covering this gym but just
00:03:16.080 wanted to let you know that there is a
00:03:18.180 two-factor gym within device
00:03:22.260 okay and if you are using rail 7
00:03:25.800 um there is something called active
00:03:27.000 record encryption which is very similar
00:03:28.980 to what lock box is so you can just
00:03:31.739 um use that instead of lockbox and this
00:03:34.739 will basically encrypt your data at the
00:03:36.540 application Level so you don't have to
00:03:37.920 like install any additional gems which
00:03:39.659 is really nice
00:03:41.159 foreign
00:03:44.060 and for the next few slides I'll be
00:03:47.340 talking about device gems and there are
00:03:50.280 three different
00:03:52.140 um gems basically you can you can add
00:03:54.659 and integrate into your application or
00:03:57.480 projects
00:03:59.040 um and if you are using device it's very
00:04:01.260 easy to integrate integrate these so
00:04:03.780 I'll be talking about custom password
00:04:05.959 trackable and lockable
00:04:10.799 our custom passwords so custom password
00:04:13.920 basically allows you to customize the
00:04:15.959 passwords to have longer characters so
00:04:18.359 at the moment rails password is minimum
00:04:20.639 six characters long there's no
00:04:22.800 restriction no strict requirements on
00:04:25.259 uppercase lowercase numbers or path or
00:04:28.020 symbols so for instance these are some
00:04:30.900 of the acceptable rails passwords like
00:04:32.759 one two three four five six or
00:04:35.479 p-a-s-sw-o or core T Q Wert or a b c d e
00:04:40.020 f one one one one one and actually the
00:04:43.020 word password is exceeding six
00:04:45.240 characters Believe It or Not uh it's
00:04:47.340 going above and beyond the requirements
00:04:48.960 so
00:04:50.100 just something to think about
00:04:52.259 um when your users are creating
00:04:53.699 passwords on Rails
00:04:56.100 and so
00:04:58.259 um a use case of using custom passwords
00:05:00.479 is to enforce a stronger password
00:05:01.979 requirements so that it will help users
00:05:04.620 from getting their accounts hacked so if
00:05:06.720 you see this table here uh the word
00:05:09.720 password will be cracked in less than 10
00:05:12.720 seconds actually the word guest I guess
00:05:14.400 because it's different letters um will
00:05:17.340 take 10 seconds to crack but all of
00:05:19.139 these uh will be able to be cracked in
00:05:22.500 less than one second also if your
00:05:24.419 password is on this list I highly
00:05:26.400 recommend you to change it uh
00:05:29.220 immediately
00:05:32.520 and this is another
00:05:34.860 um chart that I found what's really
00:05:37.560 interesting is that just by enforcing a
00:05:40.500 minimum of 12 characters
00:05:43.320 um let's say with number with numbers
00:05:45.500 uppercase lowercase letters and symbols
00:05:48.600 it's going to take 3 000 years to crack
00:05:51.360 it which is insane
00:05:54.240 um so yeah highly recommend you to
00:05:56.960 increase
00:05:58.520 your password characters for sure very
00:06:01.680 important
00:06:03.180 yeah so rails is like six so it'll be
00:06:06.000 hacked instantly
00:06:08.039 um even with if you add numbers
00:06:10.199 uppercase lowercase letters and symbols
00:06:12.720 so definitely make sure you have a
00:06:14.940 strong password
00:06:19.080 um and the second gem is called
00:06:20.460 trackable and trackable basically allows
00:06:22.979 you to track information about your user
00:06:25.080 sign-in so you can get information such
00:06:27.660 as like the signing account current sign
00:06:30.060 in at last sign in at current sign in IP
00:06:33.300 and last side and IP so basically you
00:06:36.300 can see you can monitor
00:06:38.639 um the login activities for your user
00:06:41.400 and so a use case of this would be like
00:06:44.340 maybe displaying a like log history uh
00:06:47.580 to your users admins or both to monitor
00:06:50.580 any login activities
00:06:52.460 and you can also use paper trail gem to
00:06:55.979 create simple rules to alert some
00:06:58.380 suspicious Behavior maybe there was like
00:07:00.060 a really high transaction
00:07:02.280 um that day or something like that by a
00:07:04.139 user
00:07:05.759 um so for instance like you can
00:07:07.020 Implement something like this like login
00:07:08.460 activities with timestamp uh the device
00:07:11.819 and operating system last sign in
00:07:14.039 address last sign in IP address and
00:07:16.860 current sign-in IP address location and
00:07:19.740 then it tracks the signing account
00:07:26.039 and the other gem is lockable and it
00:07:30.360 locks an account after a specified
00:07:32.400 number of failed sign-in attempts and
00:07:35.460 you can unlock through email or after a
00:07:38.759 specified time
00:07:41.039 and so
00:07:42.720 um you would use this when maybe there's
00:07:45.720 um attempt to log into maybe a user
00:07:48.660 attempts to log into their account with
00:07:50.699 an incorrect password several times so
00:07:53.220 maybe after three or five times of
00:07:55.139 incorrect password attempts account will
00:07:57.479 be locked I feel like this usually
00:07:58.800 appears um on like Bank sites right so
00:08:02.460 you'll usually get this like
00:08:03.660 notifications and your account is locked
00:08:05.819 your account was locked after too many
00:08:07.440 failed login attempts we sent you an
00:08:09.300 email with a link down unlock it
00:08:11.099 something like this you could use
00:08:12.660 blockable for
00:08:13.979 and sadly you'll have to wait and then
00:08:17.039 you know change your password or
00:08:18.780 something like that
00:08:21.360 um and yeah so that is a quick
00:08:24.599 um a quick recap of everything is
00:08:28.020 lockbox you can use to encrypt uh your
00:08:31.319 data
00:08:32.279 and within device there are three gems
00:08:34.740 you can add which is the customized
00:08:36.479 passwords to
00:08:38.159 um make your passwords longer characters
00:08:39.779 longer trackable to track users login
00:08:42.839 activities and lockable uh which you can
00:08:46.620 lock and unlock users
Explore all talks recorded at WNB.rb Meetup
+20