@nickmalcolm
Last active March 6, 2016 09:40
Becoming a Security Champion: A presentation idea

Following the RedDot Ruby 2016 CFP Format

Abstract

What is your talk about?

What the 💁 is a Security Champion? You are! Or, you will be after this talk. You know that security is no longer a nice-to-have, it's a requirement, and one of the biggest risks in our industry. By learning the current threats we face, and getting some practical steps to mitigate them, you'll develop a security mindset. More than just writing better code, you'll be inspired and equipped to encourage your bosses, co-workers, and customers to adopt secure best-practices too! You'll be a champion for better security.

Details

Explain the theme and flow of your talk. What are the intended audience takeaways? Include any pertinent details such as outlines, outcomes or intended audience.

The theme of this talk is to encourage and equip attendees who know a little, but not a lot, about security: beginner to intermediate developers who might not have a strong security background. Ruby developers get a lot of security for free, especially with Rails and community-vetted libraries. But there's more to security than that, and to have a secure application you need to know and avoid threats, and be passionate about changing the culture of "it won't happen to us".

The intended takeaway is that the attendee can make a meaningful impact within their organization as an advocate for security. They will achieve this by learning about current industry threats and trends, which gives them the ammunition to answer anyone higher up who wants to roadblock their efforts. They will learn a few practical steps they can take as a developer / architect to bolster the security of their applications. And, primarily, they will learn how to get more interested and involved in security and the security community on a personal level, so they become advocates and champions within their organization.

The talk would include the following topics:

  • what has happened: recent, big name hacks (e.g. Snapchat phishing, Vehicle / IoT hacks ...)
  • what is coming: trends
  • practical steps today
    • personal: learn OWASP Top 10, rails security websites, play with "hack me" websites
    • app: set up monitoring for unusual activity, stay on top of patches with CI, vet your gems, etc
  • become a champion:
    • get involved in community
    • educate your end users (when you communicate via email, and in in-app processes like session management and password reset)
    • educate co-workers:
      • conversations, tools like Phish5

Pitch

Explain why this talk should be considered and what makes you qualified to speak on the topic.

Better security is crucial for business survival and for the protection of our users. We need to talk more about security at conferences, and learn how to encourage one another in adopting best practices. We need general talks like this one for people who are just beginning the journey, and security deep dives for those who have already started.

I'm qualified to talk on this because I have had to take this journey of learning and becoming a security champion since I became CTO at a cyber security startup a little over a year ago. It's my job to know and understand cyber-based threats, and stay current with industry best practice. I've talked about these topics at local Ruby meetups, in a way which is accessible to people unfamiliar with the subject matter. I've always been super interested in security, and now it has become a passion. I'm excited to help others with the lessons I've learnt, and learn from their experiences too.
