How to build secure products? After 9 years of coding, I moved to the security team where I discovered a better, more manageable approach to security. From my talk, you will learn how to design with security in mind so that security isn't a blocker but an enabler for innovation.
Wiktoria Dalach's talk at RubyConf AU 2023, titled "Security Doesn't Have To Be a Nightmare", provides insights into building secure products by integrating security considerations into the software development lifecycle. After transitioning from a software engineer to a security engineer, Dalach shares her experiences and practical tips to help developers manage security without it becoming an obstacle to innovation.

### Key Points Discussed:

- **Common Security Issues**: Dalach highlights the frequent scenario where security checks are initiated late in the development process, often leading to increased workloads and delays. She emphasizes that security should not be an afterthought but integrated from the start.
- **Sanitizing Input**: A crucial first step in securing applications is sanitizing user input to prevent script injections. Dalach underscores the importance of this practice, especially in the Ruby on Rails environment, which offers sanitization tools.
- **Database Protection**: Validating data is essential to protect databases, which are critical assets. Dalach notes that loss of data can have a significant negative impact on user trust.
- **Credential Management**: She stresses the importance of keeping sensitive credentials out of repositories, recommending best practices for scoping API tokens to prevent potential breaches.
- **Security Scanners**: Investing in dynamic and static application security testing (DAST and SAST) tools can help developers proactively identify vulnerabilities. Integrating these tools into workflow systems like GitHub and GitLab can streamline security efforts.
- **CIA Triad**: Dalach introduces the CIA triad (Confidentiality, Integrity, and Availability) as a framework for categorizing security concerns. This helps teams focus on specific aspects of security during development.
- **Shifting Security Left**: A key takeaway is the concept of shifting security left, meaning incorporating security practices early in the design and development processes rather than at the end. She motivates attendees to proactively involve security teams during the planning stages.

### Conclusions:

Dalach closes her talk by reiterating that engineers have a responsibility to build secure products, emphasizing that it should be a defining quality of modern engineering. By encouraging proactive engagement with security, she believes teams can foster a collaborative atmosphere that eliminates the dread traditionally associated with security compliance. Attendees are urged to adopt the CIA questions in their projects to ensure safety and integrity throughout their development processes and to stay informed about potential vulnerabilities.
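The two practical points above, escaping untrusted input before it reaches HTML and validating data before it reaches the database, are illustrated by the following Ruby script. It is an added example written for this summary, not code from the talk or from Rails itself; it uses only the Ruby standard library (`ERB::Util.html_escape`, the same helper Rails' `h` builds on), and the comment text, the username rule and the `validate_signup` helper are constructed for the demonstration.

```ruby
require "erb"

# Constructed sample: a comment body as it might arrive from a web form field.
UNTRUSTED_COMMENT = 'Great talk! <script>alert("xss")</script>'

# Unsafe rendering: the raw string is interpolated straight into HTML, so any
# tags in the input become part of the page. This mirrors the effect of
# marking user data as html_safe (or using raw) in a Rails view.
def render_comment_unsafe(body)
  "<p class=\"comment\">#{body}</p>"
end

# Safe rendering: entity-encode the value at the point it is written into HTML.
# ERB::Util.html_escape turns <, >, &, " and ' into entities, so the browser
# shows the text instead of executing it.
def render_comment_safe(body)
  "<p class=\"comment\">#{ERB::Util.html_escape(body)}</p>"
end

# Validation before persistence: reject what the database should never see
# rather than trying to clean it up afterwards. Anchored with \A and \z so a
# trailing newline cannot slip past the check.
USERNAME_RE = /\A[a-z0-9_]{3,20}\z/

# Returns [ok, errors]; `errors` lists every failed rule so the caller can
# report all problems at once (hypothetical helper, not a Rails API).
def validate_signup(params)
  errors = []
  name  = params[:username].to_s
  email = params[:email].to_s
  errors << "username must be 3-20 chars of a-z, 0-9 or _" unless name.match?(USERNAME_RE)
  errors << "email must contain exactly one @" unless email.count("@") == 1
  errors << "email is too long" if email.length > 254
  [errors.empty?, errors]
end

if __FILE__ == $PROGRAM_NAME
  puts render_comment_unsafe(UNTRUSTED_COMMENT)  # script tag survives intact
  puts render_comment_safe(UNTRUSTED_COMMENT)    # script tag rendered as text
  p validate_signup(username: "wiktoria_d", email: "w@example.org")
  p validate_signup(username: "<b>x</b>", email: "not-an-email")
end
```

Escaping belongs at the output boundary (the view), while validation belongs at the input boundary (before the model is saved); keeping the two separate avoids the common mistake of "sanitizing" data on the way in and then trusting it everywhere on the way out.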