nickmalcolm

namespace AppBundle\EventSubscriber;

use AppBundle\Entity\User;  
...
use ThisData\Api\ThisData;  
use ThisData\Api\Endpoint\EventsEndpoint;

class SecuritySubscriber implements EventSubscriberInterface  
{

nickmalcolm

// 2016 MIT licence. Nick Malcolm.
// Based on https://gist.github.com/stevebowman/7cff9dd80b227c899728

// Makes a call using Twilio's API.
// Expects the following Lambda environment variables:
//   TWILIO_ACCOUNT_SID - your account ID
//   TWILIO_AUTH_TOKEN  - an auth token generated in the Twilio console e.g. ABCD1234
//   TWILIO_FROM_NUMBER - the number you've purchased to make calls from e.g. +14243700000

// We'll call this number

nickmalcolm

# Use Warden's on_request hook to track each page view
# (every GET request that isn't for an asset)
Warden::Manager.on_request do |proxy|
  if proxy.request.get? && !proxy.request.original_fullpath.start_with?("/assets")
    payload = {
      ip: proxy.request.remote_ip,
      user_agent: proxy.request.user_agent,
      verb: 'page-view',
      object: {
        url: proxy.request.original_url

nickmalcolm

require 'this_data'
require 'httparty'

# A simple proof of concept which will pull a page of events from Okta, and push
# them to ThisData. This enables ThisData to detect behavioural anomalies, and
# keep a third-party access log.
#
# Requires the ThisData and HTTParty ruby gems.
#
# Usage:

nickmalcolm

<?php

$user = array("id" => "1234", "email" => "me@example.com");

$data = array("verb" => "log-in", "ip" => "1.2.3.4", "user_agent" => "Chrome", "user" => $user);
$data_string = json_encode($data);

$url = 'http://api.thisdata.dev:3000/v1/events.json';
$api_key = 'ABC123'; // Use your real API key here
$ch = curl_init($url. "?api_key=". $api_key);

nickmalcolm

Shorter version

Security Together is dedicated to providing a harassment-free experience for everyone, regardless of gender, gender identity and expression, sexual orientation, disability, physical appearance, body size, age, race, or religion. We do not tolerate harassment of participants in any form.

This code of conduct applies to all Security Together spaces, including our Slack group and associated events, both online and off. Anyone who violates this code of conduct may be sanctioned or expelled from these spaces at the discretion of the Security Together administrators.

Some Security Together spaces may have additional rules in place, which will be made clearly available to participants. Participants are responsible for knowing and abiding by these rules.

Longer version

nickmalcolm

String equality is something we check all the time when writing code. Are all_systems == "nominal"? Most of the time using your programming language's default equality operator is fine. However when performing equality checks in sensitive areas of your app, like authentication, you need to be extra careful.

What is a Timing Attack?

Timing attacks are a way of learning information about something by measuring the time it takes to respond to different queries. When a response is faster or slower based on what you send it, the algorithm is leaking information about what two values are being compared.

Don't do this!

nickmalcolm

Abstract

What is your talk about?

We build apps. We build them as secure as we can. But no matter what we do behind the scenes, the weakest link is often our end users. Bad passwords, phishing attacks, leaving credentials on post-it notes - is there anything we can do?! Yes! During this talk you will learn how to turn your app in to a powerful re-enforcer of good, secure, user behaviour. You'll have gained empathy for the risks your customers face. You'll have begun building a stronger bridge between you and your users.

Details

Explain the theme and flow of your talk. What are the intended audience takeaways? Include any pertinent details such as outlines, outcomes or intended audience.

The theme of this talk is how to help us help our users. When our users get hacked their lives can be massively impacted, financially and emotionally. Even if it wasn't through the websites we've made. The intended takeaway is that anyone can, and needs to, help in the role of education. The threat is growing, a

nickmalcolm

Following the RedDot Ruby 2016 CFP Format

Abstract

What is your talk about?

What the 💁 is a Security Champion? You are! Or, you will be after this talk. You know that security is no longer a nice-to-have, it's a requirement, and one of the biggest risks in our industry. By learning the current threats we face, and getting some practical steps to mitigate them, you'll develop a security mindset. More than just writing better code, you'll be inspired and equipped to encourage your bosses, co-workers, and customers to adopt secure best-practices too! You'll be a champion for better security.

##Details Explain the theme and flow of your talk. What are the intended audience takeaways? Include any pertinent details such as outlines, outcomes or intended audience.

nickmalcolm

# Shows the diffference of calling methods different ways
class Foo
  # attr_accessor defines def bar;end and def bar=(val);end
  attr_accessor :bar

  def initialize
    self.bar = "hello"
  end

  def method_one