00:00:12.599
Welcome to "Uncertain Times: Protecting Your Rails App and User Data."
00:00:18.710
How many of you were at the DHH keynote this morning? I think almost all of you! I was in the audience as well, and I noticed that a lot of the themes from that keynote are actually similar to what we’ll be talking about today. I’m excited for that. This is my first ever conference talk, and I can't believe it's here at RailsConf amongst such an awesome community.
00:00:40.659
Just one note: if you're looking for a trove of best practices for securing your Rails app, it won't be exactly that today. Instead, I hope to spark a conversation about security and approach it from a new perspective.
00:01:06.420
Originally, when I was creating this talk many months ago, the title was "Uncertain Times Ahead." However, in that time, a lot has happened. We’re not just facing uncertainty ahead; uncertainty is here now. It’s always been present, but I think we’re more aware of it than ever.
00:01:39.750
So, who am I? I'm Krista Nelson. You can find me on Twitter at KristaANelson. To give you a bit of my background, I attended a large university where I studied mathematics. I worked for a big corporation for several years, making rich people richer, but I got tired of it. Eventually, I went to the Turing school in Denver, which is an amazing seven-month Rails program. If you haven't heard of them, I recommend checking them out.
00:02:07.920
After that, I was searching for my next career opportunity. I wanted to find something I was passionate about, something that wasn't just about making others wealthy. I wanted to wake up each day knowing I was doing something good.
00:02:38.180
I founded a company called Glassmakers, which is an enterprise platform that connects employees through personal identifiers, including sensitive information like race, gender, and sexual orientation, as well as more light-hearted identifiers like food preferences or hobbies. Our mission is to connect people and empower them without putting them at further risk.
00:03:01.320
When people ask me what I do at Glassmakers, it's often hard for me to articulate. I’m a back-end developer, but I focus heavily on security—ensuring we’re doing everything we can to protect our users. However, when I mention security, people often think I’m referring to network security or firewalls, and they start asking me complex questions unrelated to my day-to-day work.
00:03:35.400
I had to rethink how to explain my job. Ultimately, I want to build something that helps people and protects them from threats. I came up with the title "User Protection Advocate." I hope to inspire some of you to become user protection advocates in our community, as we need more of those voices.
00:04:06.310
Over the past year, I've immersed myself in security. Since taking on this focus, I've been reading extensively about software security. If you Google "software security," you'll find an overwhelming amount of information, making it difficult to discern what’s critical. The more I read, the more I questioned what to prioritize.
00:04:45.919
In my quest for knowledge, I started discussing security with everyone—family, friends, coworkers, and even strangers like my mailman. I discovered two key findings: firstly, almost everyone enjoys discussing security and has their favorite breach story, be it Ashley Madison or Yahoo! Everyone acknowledges the problem but also finds excuses for why they don’t have to worry.
00:05:23.170
Many people justify their negligence by thinking, 'Oh, my company has a security team. They’ll handle it,' or 'My company is too small; we don’t handle sensitive data,' or 'We’ll address security once we’ve launched our MVP.' Unfortunately, that mindset never leads to accountability or proactive measures.
00:05:54.980
This disconnect is troubling. While everyone knows security is an issue, few are taking action. Concurrently, I was preparing for my annual hiking trip in Colorado, where we hike seven miles into the wilderness, completely disconnecting from technology. Preparing for this trip always involves conversations about safety.
00:06:34.620
Many people questioned why I would undertake such risks when blizzards and avalanches could threaten our safety. For me, the experience is worth it; the beauty of nature and the journey itself are invaluable. It requires careful planning, training, and equipping yourself to manage potential risks.
00:07:02.320
This led me to an epiphany: security and outdoor adventures have a lot in common. In both scenarios, the key is understanding your risks—assessing probabilities and consequences, and determining how to minimize vulnerability. Realizing that security is a complex industry worth billions, I was struck by the wisdom of this quote: 'you cannot prepare for something while secretly believing it won't happen.'
00:07:40.300
Through my conversations, it became clear that when it comes to security, the common theme was 'It won’t happen to me.' I even learned that some of the companies I use as a customer lacked sufficient security measures. I realized I was placing trust in these companies just as their users place trust in us.
00:08:05.240
To help combat this 'it won't happen to me' mentality, let's consider some statistics. Did you know that 43% of cyber attacks target small businesses? Many companies mistakenly believe cybercriminals exclusively target the larger enterprises. That misconception can lead to complacency.
00:08:43.220
Even more alarming, 55% of small and medium-sized businesses reported they had experienced a cyber attack or data breach. There’s a real risk—60% of small companies that suffer a cyber attack are out of business within six months. This stark reality hit me hard when I learned it.
00:09:12.290
It’s disheartening to think that our hard work could vanish so quickly due to a breach. Many think buying a security product will solve their issues, yet nearly half of breaches originate from negligent employees or contractors. Moreover, security vulnerabilities emerge from third-party interactions.
00:09:59.910
As for data breaches, 63% arise from weak default or stolen passwords. Therefore, it's essential to change your passwords and enable two-factor authentication. If I could emphasize one thing you should take away today, it’s that everyone should have secure passwords and two-factor authentication enabled.
00:10:38.450
Additionally, 63% of businesses lack a mature process to track and control sensitive data. Despite knowing that hacking is an ongoing issue, the majority do not take proactive measures to prevent data breaches. So how do we shift that mindset?
00:11:03.560
I want to discuss three main areas: involving everyone in the security conversation, mapping sensitive data, and securing your Software Development Lifecycle (SDLC). Getting everyone involved is crucial because I often hear the misconception that security is not everyone’s responsibility.
00:11:49.880
Even if you have security experts in your organization, one unprepared person can undermine the entire team. It’s essential to discuss security with your leadership and ensure they understand the importance of everyone’s involvement. Leadership must lead by example and prioritize time and resources for security.
00:12:22.790
Encouraging leadership to consider statistics—like the fact that 60% of small businesses go out of business following a cyber attack—is vital. If they truly want their companies to thrive, they need to prioritize security.
00:12:54.640
In encouraging a culture of security, I found a fantastic app aimed at helping people who may be at risk of being targeted by immigration feel safe. It’s meant to be used as a panic button for those in need: in an emergency, you notify your emergency contacts. But when I checked out the app, it didn’t have a proper SSL certificate, which is essential. The app could collect sensitive information without being secure.
00:13:29.099
For us in software, it’s crucial to protect sensitive data. We need to be aware of what we are creating and where our users' information goes. Everyone at your company who has access to sensitive information should know what it entails. Surprisingly, many do not recognize that basic identifiers like names and emails can also be sensitive.
00:14:05.320
Additionally, as a potential entry point for security breaches, your onboarding process should educate employees on their responsibilities and the consequences of negligent behavior. Organizations need to create a culture of open communication about security where individuals feel comfortable reporting issues.
00:14:50.110
Adopting password managers is a valuable practice. It's impressive to see that most of you in the room do use them, but we should push that knowledge further. Many still don’t understand how password managers work. A password manager allows you to remember one password while it generates random, unique passwords for all your logins.
00:15:16.500
This practice significantly improves your security. Also, make sure to leverage two-factor authentication whenever possible. In my experience, I’ve witnessed many individuals neglect this important tool because they feel it’s an inconvenience.
00:15:57.490
Even the simplest security practices can often go overlooked, such as locking your screen or ensuring secure handling of sensitive information sent via email. Even small habits matter. Each of us must consider how we are actively protecting ourselves and our users.
00:16:32.300
In addition, consider the importance of data deletion practices. Ensure that sensitive information is deleted properly and not left hanging around unnecessarily. Encrypt sensitive communications to prevent unauthorized access.
00:17:10.060
Also, do not rely solely on popular tools like Google Docs for sensitive data as they can be vulnerable if not managed properly. For instance, repeatedly sending user information via email can lead to potential leaks. Make sure your team knows that sharing sensitive information over unsecured emails is risky.
00:17:56.810
Next, I emphasize that every developer should consider security in their coding practices. It’s not just a separate issue—it is a fundamental part of being a good developer. Like writing clean code, we must also ensure secure coding practices, understanding that an absence of such practices could lead to potentially disastrous outcomes for our applications.
00:18:31.430
Rooting security into our development processes is crucial. Following sources like the OWASP Top 10 can help provide essential checkpoints in developing secure applications. Understanding types of encryption and hashing algorithms safeguards your applications from existing vulnerabilities.
00:19:06.270
As we move on to mapping sensitive data, it’s necessary to identify what data is crucial for protection. Anything from a name, email, phone number, to health information should be safeguarded through appropriate compliance protocols.
00:19:43.490
Evaluate the data's journey from when it’s entered in the application to it being stored on various platforms. Understand which third-party providers have access to user data and how to manage that process securely.
00:20:14.340
In the wake of recent breaches, a significant portion stemmed from third-party partnerships. Before working with third parties, conduct proper security audits and due diligence. Again, only assume integrations or services are secure after you verify their security protocols.
00:20:51.300
If you’re in a service or product position, it is vital to ensure that security features you offer are clear and accessible to users. Security settings should not be hidden or complicated because those features significantly impact user safety.
00:21:33.720
Also, consider how user data will be handled in analytics and whether anonymization is an option. Those efforts reduce the risk of exposing sensitive data and mitigate potential breaches.
00:22:11.120
Now, let’s shift to the Software Development Lifecycle (SDLC). This is a crucial process—from conception to deployment. Each stage, including planning, design, and implementation, needs to prioritize user security. When specifying project goals, be sure to include privacy laws and ethical considerations.
00:22:48.350
Think carefully about features that need to be implemented to protect users. This includes things like strong password requirements, encryption, and user accessibility settings to manage privacy.
00:23:23.170
Another critical component is conducting peer code reviews effectively. Even if you use automated tools, having human oversight allows for additional risk identification. A review checklist tailored for security concerns can help guide that process.
00:23:59.990
Furthermore, employing static and dynamic analysis helps identify vulnerabilities before deployment. Programs like Brakeman can catch potential issues during coding. Ensure testing occurs in safe environments that mimic real deployment.
00:24:29.260
You should take testing a step further by employing techniques like dogfooding. This is where the team actively uses their application to uncover issues before they reach users.
00:25:06.130
Also, ongoing performance checks are crucial after deployment. Monitoring your logs and website performance can identify irregularities that may signify a breach.
00:25:41.800
In closing, living with uncertainty is a reality in the technology space. Security is not an option but a requirement. We should practice security seamlessly in our daily workflows to create safer applications for our users.
00:26:15.330
After all, the landscape of technology and security will continually evolve, and our practices must adapt with it. Thank you for being here today, and I hope you all become advocates for user protection in your circles!