00:00:09.679
Hello everyone, my name is Mike Milner, and I'm the CTO over at Immunio. I wanted to welcome you all to Kansas City. I hope everyone is having a good time here on the third day of the conference. I'll try to keep the references to 'We're not in Kansas anymore' and 'The Wizard of Oz' to a minimum, since you've probably heard them all.
00:00:27.269
RailsConf has always been a great place for us. If you remember us from last year, we had a booth in the expo hall. In fact, we launched our company here at RailsConf, and our first supported platform was Rails. We really appreciate the support!
00:00:40.020
Speaking of launches, I want to start by asking: did anyone stay up late last night to watch the keynote? Those guys did an amazing job; let's give them a round of applause! This is not just about REST APIs; I love to watch teamwork and collaboration.
00:01:06.479
Now, how many of you did different tasks today? How many of you did all of them? I want to take a moment to emphasize that there's a lot of content to cover today. Last time I did this presentation, I sped through several topics and finished in six to seven hours, which is probably not what you want.
00:01:36.930
So, a quick background on me: the reason I'm doing this workshop is that we work with APIs, and some of you may be familiar with what that entails. How many of you are aware of that? It's crucial for my talk today. I want everyone to understand the significance of it because it can greatly impact your work.
00:02:04.259
Let’s be honest; security is tough. It's hard to stay on top of everything and ensure that your code is protected. Everyone wants to stay secure, but achieving that is challenging. It takes a lot of time and effort, especially when you’re focused on making sure your site works and delivers cool features for users.
00:02:23.640
Despite these challenges, I hope some of you are interested in the fascinating aspects of security. Today, I will focus on three types of vulnerable code that might exist in your applications. This includes the code you write for your application itself, the view logic that you handle, and the Ruby code that constitutes the overall controller.
00:03:00.120
You’re also responsible for code written by others. Rails runs on Ruby, and you likely utilize a host of third-party gems to add functionality to your app. The security of this external code is also something you must be aware of. Additionally, there might be gaps in your code, such as functionalities you haven’t written yet to protect against attackers.
00:03:11.340
Let's start with one attack type that you may be familiar with: SQL injection. This common vulnerability occurs when user input modifies your SQL queries. For instance, if you construct a query by piecing together user-entered strings and a hacker attempts to input manipulated characters, it can result in unintended queries being executed against your database.
00:04:06.240
As many of you may know, SQL injection has been a well-understood vulnerability since its public discussion in 1998. So by now, one would think that every app on the internet has resolved this issue. Unfortunately, that's not the case. Just last year, 157,000 customer details were stolen from a UK ISP, demonstrating that SQL injection is still a prevalent threat.
00:04:50.220
VTech, a company producing kid-friendly technology, also faced a breach, losing information on 200,000 children as well as almost 5 million parents—including their names, emails, and passwords. This is a stark reminder that data breaches still occur regularly.
00:05:11.770
The reality is that SQL injection is not only a legacy issue; it's still impacting organizations. For instance, Wetherspoon's pub in the UK experienced a data breach affecting around 650,000 customers, including their phone numbers and emails. The hackers even gained access to beer vouchers, which significantly depleted the pub's revenue.
00:05:38.350
If you're a Rails developer, you might think that you are insulated from these vulnerabilities due to Active Record. However, it’s crucial to dig deeper and scrutinize how Active Record handles queries. You may find instances where it's possible to inadvertently introduce SQL injection vulnerabilities.
00:05:55.420
In 2016, a new information leak vulnerability was uncovered in Rails. If you're using certain render functions without clear parameter expectations, it can lead to revealing sensitive information. The nature of these vulnerabilities could allow attackers to exploit user input to access sensitive files.
00:06:06.340
It's vital to understand the implications of this vulnerability and take steps to mitigate your exposure. Many developers still utilize functions like render params without understanding the risks associated with arbitrary file disclosure. If this vulnerability is present, an attacker could read any file that the web server has access to.
00:06:56.950
By safeguarding the data your applications handle and implementing secure coding practices, you can significantly reduce the risk posed by these vulnerabilities. One misstep could lead to catastrophic data exposure. The ghost of Christmas past may remind you of the necessity of diligence in web application security.
00:07:31.830
Moreover, string concatenation with user input can lead to vulnerabilities like command injection, exposing your application to severe threats. This risk amplifies when user-submitted data is mishandled, allowing attackers to manipulate your commands at runtime.
00:08:22.480
Understanding these vulnerabilities fosters greater awareness about common attack methodologies, equipping you to better handle potential security challenges. By analyzing these vulnerabilities, we begin to devise effective defensive strategies. It’s incumbent upon us, as developers, to ensure that our applications remain secure.
00:09:04.060
I want to talk about ransomware as well; it has permeated application security. Security threats have evolved to the point where ransomware is actively targeting websites, locking users out and demanding a ransom for access. This trend started ramping up in late 2015, with actors zeroing in on various applications, exploiting vulnerabilities to execute malicious scripts.
00:09:56.170
Healthcare providers and agencies have faced ransomware attacks with potentially devastating consequences for their operations. Ransomware not only jeopardizes sensitive data but could also jeopardize the livelihood of employees, as customer networks may ultimately be affected.
00:10:41.450
Credential stuffing is another widespread practice in which attackers take username and password combinations from a breach on one site, and use them to try and gain access to other accounts elsewhere. Statistically, many users reuse passwords across different platforms, making this threat a reality. The responsibility for this spans both developers and users, emphasizing the need for strong password policies and multi-factor authentication.
00:12:29.640
When working on protecting against these attacks, consider implementing rate limiting to restrict failed login attempts, while allowing genuine users the opportunity to recover their access as necessary. It’s vital to train your users on creating strong passwords and using unique combinations across various sites.
00:13:49.820
Another dimension of this involves warranty fraud. For instance, Fitbit's issues related to warranty fraud in 2015 emphasize the financial threat which accompanies unregulated user accounts. Hackers exploited stolen credentials to change user details and fraudulently request padlocks for Fitbits that had never been broken.
00:15:06.220
To effectively combat vulnerabilities, it’s essential to implement active defenses and remain engaged in continuous monitoring and threat assessment. Tools like web application firewalls (WAFs) can provide a layer of protection, but they also require proper configuration and regular updates to remain effective against current vulnerabilities.
00:15:49.470
Modern approaches, such as Runtime Application Self-Protection (RASP), help applications defend themselves in real-time against exploits. It shifts the security logic to the internal application level, providing visibility on potential threats and attacks. Though this may represent a significant evolution in app security, awareness and vigilance remain paramount.
00:17:12.300
The importance of education cannot be overstated; developers must stay informed about the latest trends in security vulnerabilities, ensuring their applications are equipped to handle threats as they emerge. Resources like OWASP provide valuable insights into vulnerabilities, enabling developers to remedy code effectively.
00:17:51.220
In summary, protecting web applications involves an intricate understanding of potential vulnerabilities within both custom code and third-party dependencies. Through rigorous testing, continuous education, and effective defensive strategies, we can mitigate risks and safeguard both user data and system integrity.
00:18:36.390
The journey never ends. As long as we continue to build applications and users interact with them, we must remain cognizant of these vulnerabilities and evolve our security practices accordingly. Thank you all for your time. Let’s ensure we’re engaged, informed, and diligent in making the web a safe space for all.