Two new videos of the data breach talk and class that I lead in August and December are now up on YouTube! I hope that it helps you level up on your security knowledge because good software security needs to be a moral stance.
Next public talk
I am scheduled to give a presentation to this topic for the Nash.rb Users' Group on Thursday, February 5, 2015 at the Emma office in Nashville, TN. If you are in town and can make it out, I would love to meet you.
December, 2014, at Tech Talent South
Data Breaches and Ruby developers, with live exploits via Chrome - Classroom https://www.youtube.com/watch?v=OYg46fnX7so
August, 2014, at the Atlanta Ruby Users' Group meetup
How a Ruby/Rails developer can help prevent a Data Breach https://www.youtube.com/watch?v=w-4U3Eyb6xg
- Security is hard, but morally obligatory
- It is important to have a defense in depth strategy that starts within the development process
- Real applications can be exploited even if security tools say there is nothing wrong to report
- Entrepreneurs and business people tend to think they can choose the level of security appropriate for their system, but there are legal and moral obligations when other peoples' data is at risk, see Commercial Information Security Classification System.
- Whenever someone asks you “is XYZ secure?,” consider three questions:
- Secure against what? A question about your threat model.
- What is the worst thing that can happen? What is the cost of a failure of security?
- Compared to what? Is your in-house, PHP solution, more secure? Really?
- Security faces the weakest link problem. That is, the security of the entire system is only as secure as the weakest of its countermeasures.
- Password reset mechanisms are a notorious weak link, consider the Mat Honan incident.
- As a developer, stay up-to-date with the OWASP Top 10 and do not ignore them.