
@rietta
Last active August 29, 2015 14:14

Regular talks are 45-minute blocks. We recommend 30-35 minutes of presentation, followed by allowing 10-15 minutes for questions and discussion.

Title

Defending from Data Breaches by Fostering a Culture of Security

Tracks: Culture or Crafting Code

Abstract (600 chars)

You've been hearing about big data breaches in the news. As a developer who doesn't specialize in security, knowing how to protect your application from getting hacked may seem like a daunting task. However, applying security fundamentals throughout the design and development process will greatly increase the protection your users have against harm.

For Review Committee

This content will only be visible to the review committee.

Details

Include any pertinent details such as outlines, outcomes or intended audience.

This talk is designed for both developers and managers (specifically product owners in an Agile process). While I do touch on a concrete example of working the requirements of State law into a user story and then showing the process that turns that story into working code, the principles can be applied by non-developers as well. The intended takeaway for the audience is that security is hard, but morally obligatory.

It has been my experience that the Q&A section for this talk has been robust, with audience participation during the presentation period in addition to afterwards. I am planning on this outline, though I am open to adjustments:

  • 7 Introduction to software security
    • Security is not an on/off switch, but is about risks and risk management
    • Three key questions to ask when considering whether XYZ is secure:
      • Secure against what?
      • What is the worst thing that can happen?
      • Compared to what alternative?
    • Treating security as a non-functional requirement often means that everyone is expecting someone else to take care of security when in fact no one is!
    • State data breach law primer
  • 6 A litany of data breaches
    • Anthem Blue Cross
    • bit.ly
    • Buffer App (through MongoHQ)
    • Target & Home Depot
  • Designing a secure file upload feature
    • Starting with a user story and showing the use of GnuPG, Paperclip, and OpenStack Files to create a secure upload system with an enforced data retention policy based on legal requirements.
    • User story: "As a Pawn Shop Clerk, I scan a copy of the customer's driver's license because the company is required by law to keep this record at least two years from the date we purchase a used valuable from a customer."
  • Professional ethics
    • What is your reasonable standard of due care?
    • This is the core takeaway of the entire talk: as developers it is our moral duty to build security concerns into the development process, and to do otherwise could constitute negligence.
  • Practical Developers' Countermeasures
    • Have a Defense in Depth strategy, that includes multiple concurrent countermeasures.
    • Use secure HTTP headers and serve all production sites over HTTPS only, with HTTP Strict Transport Security (HSTS) enabled
    • Include security concerns in your user story writing and ALWAYS ask about ways to change the business model to avoid PII.
    • Run automated audit tools, such as Brakeman, bundler-audit, Code Climate, and linters
  • Q&A

Total time: 45 minutes
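The "secure file upload feature" section of the outline is the one place the talk turns a legal requirement into code. The following is an added example, not the talk's own code nor rietta's: a minimal model of the driver's-license user story in plain Ruby. Uploads are encrypted with GnuPG to the company's public key before storage (the web server never holds the private key, so a compromised server yields only ciphertext), the retention deadline is computed from the purchase date using the story's "at least two years", and a purge job removes only records whose deadline has passed, deleting the encrypted object together with its metadata. The in-memory `ScanStore` stands in for Paperclip plus OpenStack object storage, `RETENTION_YEARS` is a hypothetical statutory value taken from the user story, the recipient key id is a placeholder, and `gpg` is only invoked by `gpg_encrypt!`, which the demo does not call, so the retention logic runs without GnuPG installed.

```ruby
# Added example (not from the talk): encrypt-before-store plus a date-based
# retention purge for scanned ID documents.
require "date"
require "open3"

RETENTION_YEARS = 2 # hypothetical statutory minimum, from the user story

ScanRecord = Struct.new(:id, :purchased_on, :object_key, keyword_init: true) do
  # "At least two years from the date we purchase": keep through the
  # anniversary itself, purge only after it has passed.
  def retention_until
    purchased_on.next_year(RETENTION_YEARS)
  end

  def purgeable_on?(today)
    today > retention_until
  end
end

# Build the gpg argv as an array. Passing an array to Open3 bypasses the
# shell, so a hostile upload filename such as "x; rm -rf /" cannot inject a
# command. --batch suppresses interactive prompts; --trust-model always
# avoids a web-of-trust failure for an imported application key.
# The recipient is a key id (placeholder), never a passphrase.
def gpg_encrypt_argv(recipient_key_id, input_path, output_path)
  ["gpg", "--batch", "--yes", "--trust-model", "always",
   "--recipient", recipient_key_id, "--output", output_path,
   "--encrypt", input_path]
end

# Runs gpg; requires the GnuPG binary and an imported public key.
def gpg_encrypt!(recipient_key_id, input_path, output_path)
  _out, err, status = Open3.capture3(*gpg_encrypt_argv(recipient_key_id, input_path, output_path))
  raise "gpg failed: #{err}" unless status.success?
  output_path
end

# Stand-in for the metadata table plus the object store (Paperclip/OpenStack).
class ScanStore
  def initialize
    @records = {} # id => ScanRecord
    @objects = {} # object_key => ciphertext bytes
  end

  def put(record, ciphertext)
    @objects[record.object_key] = ciphertext
    @records[record.id] = record
  end

  def count
    @records.size
  end

  def object?(key)
    @objects.key?(key)
  end

  # Deletes the metadata row AND the encrypted object for every record past
  # its retention deadline. Returns the purged ids so the job can log them.
  def purge_expired(today: Date.today)
    expired = @records.values.select { |r| r.purgeable_on?(today) }
    expired.each do |r|
      @objects.delete(r.object_key)
      @records.delete(r.id)
    end
    expired.map(&:id)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data: one record past its deadline, one still retained.
  store = ScanStore.new
  store.put(ScanRecord.new(id: 1, purchased_on: Date.new(2012, 3, 1), object_key: "scans/1.gpg"), "ct1")
  store.put(ScanRecord.new(id: 2, purchased_on: Date.new(2014, 6, 15), object_key: "scans/2.gpg"), "ct2")
  puts "purged: #{store.purge_expired(today: Date.new(2015, 2, 1)).inspect}"
end
```

Two design points the code makes explicit: the purge deletes the object and the metadata row in the same pass, because a dangling ciphertext in object storage is still regulated data, and `Date#next_year` handles the 29 February edge case (a scan purchased on 2012-02-29 becomes purgeable after 2014-02-28).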
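For the "secure HTTP headers and HTTPS only with HSTS" countermeasure, here is an added example that is not the talk's code: a Rack-style middleware in plain Ruby that redirects plain-HTTP requests to HTTPS and adds the security headers to HTTPS responses. It assumes only the Rack calling convention (`call(env)` returning `[status, headers, body]`) and the Rack 2 header-name style, so it runs without the rack gem. `trust_proxy` is an assumption of this example: it should be true only when a TLS-terminating proxy you control sets `X-Forwarded-Proto`, because otherwise a client can forge that header and skip the redirect.

```ruby
# Added example (not from the talk): HTTPS-only redirect plus security headers.
class SecureHeaders
  HSTS_ONE_YEAR = "max-age=31536000; includeSubDomains".freeze

  def initialize(app, hsts: HSTS_ONE_YEAR, trust_proxy: false)
    @app = app
    @hsts = hsts
    @trust_proxy = trust_proxy
  end

  def call(env)
    return redirect_to_https(env) unless https?(env)

    status, headers, body = @app.call(env)
    # Browsers honour Strict-Transport-Security only on an HTTPS response,
    # so the headers are merged here and never onto the plain-HTTP redirect.
    [status, headers.merge(security_headers), body]
  end

  private

  def https?(env)
    return true if env["rack.url_scheme"] == "https"
    # X-Forwarded-Proto is client-controlled unless a trusted proxy sets it.
    @trust_proxy && env["HTTP_X_FORWARDED_PROTO"] == "https"
  end

  def redirect_to_https(env)
    location = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
    qs = env["QUERY_STRING"].to_s
    location += "?#{qs}" unless qs.empty?
    [301, { "Location" => location, "Content-Type" => "text/plain" }, ["Redirecting to #{location}"]]
  end

  def security_headers
    {
      "Strict-Transport-Security" => @hsts,  # pin HTTPS for a year, subdomains too
      "X-Frame-Options" => "DENY",           # no framing, blocks clickjacking
      "X-Content-Type-Options" => "nosniff", # no MIME sniffing of responses
    }
  end
end

# Constructed sample app and requests; not captured from a real server.
def demo_secure_headers
  app = ->(_env) { [200, { "Content-Type" => "text/html" }, ["ok"]] }
  mw = SecureHeaders.new(app)
  http = { "rack.url_scheme" => "http", "HTTP_HOST" => "example.com", "PATH_INFO" => "/login", "QUERY_STRING" => "next=%2F" }
  https = { "rack.url_scheme" => "https", "HTTP_HOST" => "example.com", "PATH_INFO" => "/", "QUERY_STRING" => "" }
  [mw.call(http), mw.call(https)]
end
```

In Rails the same outcome comes from `config.force_ssl = true` in production plus a headers gem; the point of spelling it out is that the redirect and the HSTS header are two separate controls and that trusting `X-Forwarded-Proto` is a deployment decision, not a default.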

Pitch

Explain why this talk should be considered and what makes you qualified to speak on the topic.

Security incidents that lead to customer data breaches have been happening at an increasing rate, from the latest Anthem Blue Cross breach, to Target, to Home Depot, to breaches including the MongoHQ incident that led to the BufferApp compromise.

History has taught us that waiting until a software project is complete and bolting security on through security software or network countermeasures is not effective enough. To have a chance of building a secure system, a team needs the active support of its developers, and the organization needs to adopt a written information security policy that influences business model decisions and the user story writing workshop. It's not just about code, and most non-developer stakeholders truly do not have enough knowledge to make informed decisions without the help of the developers. That means developers need to be aware of basic legal requirements and be able to communicate these issues during the planning process.

I am uniquely qualified to speak on this matter as a security professional who works as a Ruby on Rails developer. I have been teaching on this topic every chance I have had in several local Ruby community meetings and have guest lectured for multiple bootcamp classrooms. My relevant education is a Masters in Information Security from the College of Computing at the Georgia Institute of Technology.

Bio

I'm the CEO of a development shop with team members here in Atlanta, GA, and Nashville, TN. We work primarily with startup companies that are building out their web app and infrastructure. I have a Masters in Information Security from the College of Computing at the Georgia Institute of Technology.
