I was invited by Tech Talent South to give a guest lecture to their Spring 2014 class of students learning to become Ruby on Rails developers. These students are all adults looking to make a change in their career, and they are really bright and motivated individuals looking to better themselves by learning to code. In my view this is perfect, because being a developer is the most trusted job position one can possibly hold in most organizations. We are routinely called upon to build the machine that runs the company and that other trusted employees will depend upon to do their jobs.
Tech Talent South (@techtalentsouth on Twitter) graciously gave me permission to film the class so that I can bring the video and notes to you here today.
The Video of the Talk
Video: What a Ruby developer can do to help prevent a Data Breach – 2014 (vimeo.com)
Slides: What a Ruby developer can do to help prevent a Data Breach (speakerdeck.com)
Data breaches are a major problem faced by society. We trust increasing amounts of private information to web applications, some built by startups and others by major corporations. Whatever the organization, these systems are built by individual developers making practical, specific coding decisions that affect the security of the system and its data.
Individual developers have a responsibility to hold a personal standard of due care in their work: to be aware of the decisions they can personally make that protect their systems’ users and their employers or clients.
In this talk, the students are exposed to and expected to learn:
That users perceive a breach of privacy even when the actions may be legal and permitted by the terms of service.
The concept of relative risks and the balancing act that is fundamental to a comprehensive information security plan
That a data breach is the disclosure of sensitive information to, or its access by, an unauthorized person, and that it is a breach regardless of whether any specific harm was done with that information.
A short list of State and Federal laws that define legally protected private information, called Personally Identifiable Information (PII)
A discussion on professional ethics and reasonable standard of due care.
Familiarity with the OWASP Top 10, a list of the ways in which web applications are most frequently compromised.
Familiarity with the availability of inexpensive physical two-factor authentication and security credential devices that can be integrated into a system built in Ruby on Rails.
With this knowledge, the hope is that the students will rise to the occasion and seek out additional knowledge about this topic. Moreover, the hope is that, by drawing a personal line in the sand, each developer will be better prepared to push back within their organization when sensitive information is being added to an application, to recommend appropriate safeguards, and to decline to implement features when reasonable due care is being left out of the process.