Krista Nelson
Uncertain Times: Securing Rails Apps and User Data
Summarized using AI

Uncertain Times: Securing Rails Apps and User Data

by Krista Nelson

In her talk at RailsConf 2017, Krista Nelson addresses the pressing issue of cyber security in modern Rails applications and the imperative of protecting user data in uncertain times. She emphasizes that security is not a one-time effort but a continuous, collaborative process involving everyone in an organization, from developers to leadership.

Key points include:

- Understanding Risks: Nelson likens managing security threats to preparing for backcountry hiking, stressing the importance of assessing risks, acknowledging vulnerabilities, and understanding the potential consequences of breaches.
- Myths and Misconceptions: Many believe cyber attacks only target large firms; however, 43% of cyber attacks are directed at small businesses, underscoring a widespread disconnect between awareness of threats and actionable measures.

- Critical Statistics: Nelson cites alarming statistics, such as that 60% of small businesses that suffer a cyber attack go out of business within six months. These figures highlight the urgency of proactive security measures.

- Inclusive Security Practices: Nelson advocates for a company-wide culture of involvement in security. Everyone, not just dedicated security teams, should be educated about data sensitivity and incident reporting.
- Best Practices: She urges the adoption of strong password policies, the necessity of using password managers, and enabling two-factor authentication.

- Mapping Sensitive Data: Identifying and securing sensitive information, such as personally identifiable information and health data, is crucial. Nelson advises keeping a strict inventory of where and how sensitive data is stored and shared, including third-party tools.
- Securing the Software Development Lifecycle (SDLC): The talk covers incorporating security measures throughout the SDLC, including project planning, design, coding, testing, and deployment processes.
- Peer Code Reviews: Emphasizing the importance of peer reviews, she notes they can significantly catch potential vulnerabilities. Nelson also discusses the need for regular dynamic and static analysis of code to identify security flaws.
Finally, she concludes that while uncertainty is a constant in cybersecurity, developing a routine and passionate approach to securing systems is essential for protecting users and companies alike. Krista's call to action is for attendees to become 'user protection advocates', highlighting the need for a community-wide effort in securing user data.

00:00:12.599 Welcome to "Uncertain Times: Protecting Your Rails App and User Data."
00:00:18.710 How many of you were at the DHHS keynote this morning? I think almost all of you! I was in the audience as well, and I noticed that a lot of the themes from that keynote are actually similar to what we’ll be talking about today. I’m excited for that. This is my first ever conference talk, and I can't believe it's here at RailsConf amongst such an awesome community.
00:00:40.659 Just one note: if you're looking for a trove of best practices for securing your Rails app, it won't be exactly that today. Instead, I hope to spark a conversation about security and approach it from a new perspective.
00:01:06.420 Originally, when I was creating this talk many months ago, the title was "Uncertain Times Ahead." However, in that time, a lot has happened. We’re not just facing uncertainty ahead; uncertainty is here now. It’s always been present, but I think we’re more aware of it than ever.
00:01:39.750 So, who am I? I'm Krista Nelson. You can find me on Twitter at KristaANelson. To give you a bit of my background, I attended a large university where I studied mathematics. I worked for a big corporation for several years, making rich people richer, but I got tired of it. Eventually, I went to the Turing school in Denver, which is an amazing seven-month Rails program. If you haven't heard of them, I recommend checking them out.
00:02:07.920 After that, I was searching for my next career opportunity. I wanted to find something I was passionate about, something that wasn't just about making others wealthy. I wanted to wake up each day knowing I was doing something good.
00:02:38.180 I founded a company called Glassmakers, which is an enterprise platform that connects employees through personal identifiers, including sensitive information like race, gender, and sexual orientation, as well as more light-hearted identifiers like food preferences or hobbies. Our mission is to connect people and empower them without putting them at further risk.
00:03:01.320 When people ask me what I do at Glassmakers, it's often hard for me to articulate. I’m a back-end developer, but I focus heavily on security—ensuring we’re doing everything we can to protect our users. However, when I mention security, people often think I’m referring to network security or firewalls, and they start asking me complex questions unrelated to my day-to-day work.
00:03:35.400 I had to rethink how to explain my job. Ultimately, I want to build something that helps people and protects them from threats. I came up with the title "User Protection Advocate." I hope to inspire some of you to become user protection advocates in our community, as we need more of those voices.
00:04:06.310 Over the past year, I've immersed myself in security. Since taking on this focus, I've been reading extensively about software security. If you Google "software security," you'll find an overwhelming amount of information, making it difficult to discern what’s critical. The more I read, the more I questioned what to prioritize.
00:04:45.919 In my quest for knowledge, I started discussing security with everyone—family, friends, coworkers, and even strangers like my mailman. I discovered two key findings: firstly, almost everyone enjoys discussing security and has their favorite breach story, be it Ashley Madison or Yahoo! Everyone acknowledges the problem but also finds excuses for why they don’t have to worry.
00:05:23.170 Many people justify their negligence by thinking, 'Oh, my company has a security team. They’ll handle it,' or 'My company is too small; we don’t handle sensitive data,' or 'We’ll address security once we’ve launched our MVP.' Unfortunately, that mindset never leads to accountability or proactive measures.
00:05:54.980 This disconnect is troubling. While everyone knows security is an issue, few are taking action. Concurrently, I was preparing for my annual hiking trip in Colorado, where we hike seven miles into the wilderness, completely disconnecting from technology. Preparing for this trip always involves conversations about safety.
00:06:34.620 Many people questioned why I would undertake such risks when blizzards and avalanches could threaten our safety. For me, the experience is worth it; the beauty of nature and the journey itself are invaluable. It requires careful planning, training, and equipping yourself to manage potential risks.
00:07:02.320 This led me to an epiphany: security and outdoor adventures have a lot in common. In both scenarios, the key is understanding your risks—assessing probabilities and consequences, and determining how to minimize vulnerability. Realizing that security is a complex industry worth billions, I was struck by the wisdom of this quote: 'you cannot prepare for something while secretly believing it won't happen.'
00:07:40.300 Through my conversations, it became clear that when it comes to security, the common theme was 'It won’t happen to me.' Regarding companies, I'd even learned that some of them I used as a customer lacked sufficient security measures. I realized I was placing trust in these companies just as their users place trust in us.
00:08:05.240 To help combat this 'it won't happen to me' mentality, let's consider some statistics. Did you know that 43% of cyber attacks target small businesses? Many companies mistakenly believe cybercriminals exclusively target the larger enterprises. That misconception can lead to complacency.
00:08:43.220 Even more alarming, 55% of small and medium-sized businesses reported they had experienced a cyber attack or data breach. There’s a real risk—60% of small companies that suffer a cyber attack are out of business within six months. This stark reality hit me hard when I learned it.
00:09:12.290 It’s disheartening to think that our hard work could vanish so quickly due to a breach. Many think buying a security product will solve their issues, yet nearly half of breaches originate from negligent employees or contractors. Moreover, security vulnerabilities emerge from third-party interactions.
00:09:59.910 As for data breaches, 63% arise from weak default or stolen passwords. Therefore, it's essential to change your passwords and enable two-factor authentication. If I could emphasize one thing you should take away today, it’s that everyone should have secure passwords and two-factor authentication enabled.
00:10:38.450 Additionally, 63% of businesses lack a mature process to track and control sensitive data. Despite knowing that hacking is an ongoing issue, the majority do not take proactive measures to prevent data breaches. So how do we shift that mindset?
00:11:03.560 I want to discuss three main areas: involving everyone in the security conversation, mapping sensitive data, and securing your Software Development Lifecycle (SDLC). Getting everyone involved is crucial because I often hear the misconception that security is not everyone’s responsibility.
00:11:49.880 Even if you have security experts in your organization, one unprepared person can undermine the entire team. It’s essential to discuss security with your leadership and ensure they understand the importance of everyone’s involvement. Leadership must lead by example and prioritize time and resources for security.
00:12:22.790 Encouraging leadership to consider statistics—like the fact that 60% of small businesses go out of business following a cyber attack—is vital. If they truly want their companies to thrive, they need to prioritize security.
00:12:54.640 In encouraging a culture of security, I found a fantastic app aimed to help people feel safe possibly at risk of being targeted by immigration. It’s to be used as a panic button for those in need, where, in an emergency, you notify your emergency contacts. But when I checked out the app, it didn’t have a proper SSL certificate, which is essential. The app could collect sensitive information without being secure.
00:13:29.099 For us in software, it’s crucial to protect sensitive data. We need to be aware of what we are creating and where our user's information goes. Everyone at your company who has access to sensitive information should know what it entails. Surprisingly, many do not recognize that basic identifiers like names and emails can also be sensitive.
00:14:05.320 Additionally, as a potential entry point for security breaches, your onboarding process should educate employees on their responsibilities and the consequences of negligent behavior. Organizations need to create a culture of open communication about security where individuals feel comfortable reporting issues.
00:14:50.110 Adopting password managers is a valuable practice. It's impressive to see that most of you in the room do use them, but we should push that knowledge further. Many still don’t understand how password managers work. A password manager allows you to remember one password while it generates random, unique passwords for all your logins.
00:15:16.500 This practice significantly improves your security. Also, make sure to leverage two-factor authentication whenever possible. In my experience, I’ve witnessed many individuals neglect this important tool because they feel it’s an inconvenience.
00:15:57.490 Even the simplest security practices can often go overlooked, such as using locking screens or ensuring secure handling of sensitive information via email. Even small habits matter. Each of us must consider how we are actively protecting ourselves and our users.
00:16:32.300 In addition, consider the importance of data deletion practices. Ensure that sensitive information is deleted properly and not left hanging around unnecessarily. Encrypt sensitive communications to prevent unauthorized access.
00:17:10.060 Also, do not rely solely on popular tools like Google Docs for sensitive data as they can be vulnerable if not managed properly. For instance, repeatedly sending user information via email can lead to potential leaks. Make sure your team knows that sharing sensitive information over unsecured emails is risky.
00:17:56.810 Next, I emphasize that every developer should consider security in their coding practices. It’s not just a separate issue—it is a fundamental part of being a good developer. Like writing clean code, we must also ensure secure coding practices, understanding that an absence of such practices could lead to potentially disastrous outcomes for our applications.
00:18:31.430 Rooting our focus on security into our development processes is crucial. Following sources like the OWASP Top 10 can help provide essential checkpoints in developing secure applications. Understanding types of encryption and hashing algorithms safeguards your applications from existing vulnerabilities.
00:19:06.270 As we move on to mapping sensitive data, it’s necessary to identify what data is crucial for protection. Anything from a name, email, phone number, to health information should be safeguarded through appropriate compliance protocols.
00:19:43.490 Evaluate the data's journey from when it’s entered in the application to it being stored on various platforms. Understand which third-party providers have access to user data and how to manage that process securely.
00:20:14.340 In the wake of recent breaches, a significant portion stemmed from third-party partnerships. Before working with third parties, conduct proper security audits and due diligence. Again, only assume integrations or services are secure after you verify their security protocols.
00:20:51.300 If you’re in a service or product position, it is vital to ensure that security features you offer are clear and accessible to users. Security settings should not be hidden or complicated because those features significantly impact user safety.
00:21:33.720 Also, consider how user data will be handled in analytics and whether anonymization is an option. Those efforts reduce the risk of exposing sensitive data and mitigate potential breaches.
00:22:11.120 Now, let’s shift to the Software Development Lifecycle (SDLC). This is a crucial process—from conception to deployment. Each stage, including planning, design, and implementation, needs to prioritize user security. When specifying project goals, be sure to include privacy laws and ethical considerations.
00:22:48.350 Think carefully about features that need to be implemented to protect users. This includes things like strong password requirements, encryption, and user accessibility settings to manage privacy.
00:23:23.170 Another critical component is conducting peer code reviews effectively. Even if you use automated tools, having human oversight allows for additional risk identification. A review checklist tailored for security concerns can help guide that process.
00:23:59.990 Furthermore, employing static and dynamic analysis helps identify vulnerabilities before deployment. Programs like Brakeman can catch potential issues during coding. Ensure testing occurs in safe environments that mimic real deployment.
00:24:29.260 You should take testing a step further by employing techniques like dogfooding. This is where the team actively uses their application to uncover issues before they reach users.
00:25:06.130 Also, ongoing performance checks are crucial after deployment. Monitoring your logs and website performance can identify irregularities that may signify a breach.
00:25:41.800 In closing, living with uncertainty is a reality in the technology space. Security is not an option but a requirement. We should practice security seamlessly in our daily workflows to create safer applications for our users.
00:26:15.330 After all, the landscape of technology and security will continually evolve, and our practices must adapt with it. Thank you for being here today, and I hope you all become advocates for user protection in your circles!
Explore all talks recorded at RailsConf 2017
+105