Time for #DevDiscuss
Tonight's topic is: Practical security tips
Let's start:
- What is the interplay between security and user experience and simplicity?
- What are some every day security tips folks could make use of?
- What are your grounding principles in security?
Algorithms in school have more value as a historical/cultural subject than they do as a strictly practical subject. If you're not learning that real people thought of them and that there are real subjective concerns being weighed, you're not learning algorithms. #DevDiscuss
Time for #DevDiscuss 😻
Tonight's topic is ALGORITHMS 🤖
Some jump-off questions:
- Where do "algorithms" fit in with practical day-to-day development?
- Which named algorithms are noteworthy and worth learning?
- How should we teach algorithms compared to other concepts?
Re security v simplicity: I never consistently could stick with a password manager until I started using 1Password. It’s not the security, it’s the UX
#DevDiscuss
This might be fairly obvious advice but: Leave security to the experts. Don’t roll your own cryptography solution. Use one that is tried and tested. Always assume that people have solved for the mistakes you will inevitably make #Devdiscuss
secrets, config management, and secure coding principles are severely undertaught in classrooms IMO. Just to get a good basis I had to do an independent study, and it’s a subject where guidance is more important than elsewhere #Devdiscuss
Right, which is why UX is important further down the stack than just in end user tools. If your crypto or auth tools are hard, people won’t use them #DevDiscuss
We need fewer ISSOs focused solely on compliance and binary yes/no declarations, and more security practitioners actually bringing their skill set to solution design. #DevDiscuss
Physical security keys/FIDO U2F devices like YubiKey as a method of 2FA are something I’ve been using for a while for personal and work stuff. A steal considering the fact that no personal info is stored in there, strong encryption and it has no cap on uses.
#DevDiscuss #2fa
From a security guy that codes I'd say:
Protect yourself: 2FA all the things and get a password manager
Protect your data: never trust user input
Protect your users: encrypt and hash and know when to use each
#DevDiscuss
Only store what data you need to store. Define what data needs to be protected for your org and what could happen if said data was compromised #devdiscuss
In case you need more convincing not to reuse passwords 😅 “Mongo HQ got compromised because Adobe got compromised. An executive from Mongo HQ was using the same password that was in the Adobe password breach.” https://t.co/V4aJ07Znq1 #DevDiscuss
I think in practical terms, personal security is about doing a bit of work upfront so that staying secure is really easy in the long run.
It seems like if we don't seek out a stable security return, we're always behind the eight ball. #DevDiscuss
I’ve always wondered what makes people trust password managers to hold all their ~ sensitive ~ data? Should password managers be used in conjunction with two factor auth? #DevDiscuss
From a developer's perspective, security comes from adopting shared principles that help answer questions we haven't considered yet.
This is as opposed to adhering to a lot of specific rules which account for past problems, rather than future problems. #DevDiscuss
Security, imo, is a Hygiene. And Hygienes, IMO, are allll about work up front / planning and less about discipline. Eating well often means planning your meals. Keeping your house clean often means figuring out where things belong *ahead of time. Etc. #DevDiscuss
#devdiscuss Logs or it didn't happen. Seriously, imagine you are a security person trying to figure out what happened after the fact. Consult the #OWASP logging cheat sheet!
in relation to software/web development:
1. manage and version lock your dependencies
2. humans are the weakest part of the information security chain
3. Whenever possible, use SSL/HTTPS
#devdiscuss
Yes. Use your security knowledge and historical context to create code that is positioned to handle the crazy shit it will encounter. Then test all the crazy shit you can muster. #DevDiscuss
Security for devs:
Use Apple’s Touch ID fingerprint API (or android equivalent) if you write apps that require users to login. I generally try to stay away from writing/building my own encryption because why would I want to do that when someone else can do it better
#DevDiscuss
That is, security exists because of security threats, so the goal is to mitigate the threats while being as unobtrusive as possible. The best way to not get hacked is to not use a computer at all, right? But we don't need to go that far to stop/slow a hacker. #DevDiscuss
For potential @PassitDotIO users, our goal is to convince them that their security scheme is probably not good enough. Usually this isn't hard; people are quick to say "I know this isn't a great solution, but…" when asked about their password management schemes. #DevDiscuss
For the devs, we need to be just as focused on design and simplicity as we are on security. Most password managers are incredibly safe, but some are very hard or unintuitive to use, and that's coming from someone who's good at picking up new software. #DevDiscuss
Patching on security controls onto an application is always much, much harder than architecting for security.
Plan for security early in the development lifecycle.
#devdiscuss #introsec
From the managers' perspective, security doesn't add anything *visible* or useful to the end user, so it's not important... That's the problem! They'd rather have you work 30 days on a stupid useless report than make sure the app is secure! #DevDiscuss
Just found out @milkstarz has 35 re-used passwords in 1Password, which a) taught me a great feature I didn’t know about and b) made me spit water all over his PC #DevDiscuss
In reply to @waterproofheart, @ThePracticalDev, @Yubico, @milkstarz
Been making a video game that is offline/local since late September, and all the devs agreed on not handling any possible security issues. Listing any data tampering (values in XML files) during play through as 'mods'.
"We welcome the players to mod our game!" #DevDiscuss
Keep your application as simple as possible. More features and more dependencies means a larger surface area for attack.
And that risk grows exponentially as new features/dependencies interact with each other.
Simpler applications also are usually easier to use.
#DevDiscuss
Can we do security horror stories? At a previous job I was poking around the DBs one of my first days and noticed to my horror that all of the passwords were in plaintext!
I raised hell with my manager and issued an emergency patch to start hashing the passwords...
#DevDiscuss
A few days later the release goes through and I notice a few lines of code added to my fix to basically store, alongside the new hashed passwords, the plaintext passwords as well.
I asked my manager what's up?
#DevDiscuss
He said they decided to leave them in for now until they can be 100% sure my fix didn't break anything.
10 months later when I left the company those plaintext passwords were still there in the database alongside the hashed ones... 🤦🏽♂️
#DevDiscuss
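What the emergency patch in the story above should have looked like, as an added example that is not part of the thread or anyone's posted code: salted PBKDF2 hashing with a migration that wipes the plaintext column instead of keeping it "until we're sure". The table rows, user names and passwords are constructed sample data; the Python standard library is the only dependency.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 210_000  # PBKDF2-HMAC-SHA256 work factor in the range OWASP currently recommends


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$digest (base64 fields)."""
    salt = salt or os.urandom(16)  # fresh random salt per password unless one is supplied
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(
        ITERATIONS, base64.b64encode(salt).decode(), base64.b64encode(digest).decode()
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt/iterations and compare in constant time."""
    algo, iters, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    actual = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), base64.b64decode(salt_b64), int(iters)
    )
    return hmac.compare_digest(actual, base64.b64decode(digest_b64))


# Constructed stand-in for the legacy table from the story: a plaintext column
# plus the hash column the patch added. Real rows would come from the database.
LEGACY_USERS = [
    {"user": "alice", "password_plain": "correct horse battery", "password_hash": None},
    {"user": "bob", "password_plain": "hunter2", "password_hash": None},
]


def migrate(rows):
    """Hash every remaining plaintext password and null the plaintext column in the same step."""
    for row in rows:
        plain = row.get("password_plain")
        if plain is not None:
            row["password_hash"] = hash_password(plain)
            row["password_plain"] = None  # nothing left behind for a later DB dump to expose
    return rows


def leaked_plaintext(rows) -> int:
    """Post-migration check: number of rows that still hold a plaintext password (should be 0)."""
    return sum(1 for row in rows if row.get("password_plain") is not None)
```

Running `leaked_plaintext` against the table after every release is the check that would have caught the "for now" plaintext column ten months earlier.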
Consider a tool like HashiCorp’s Vault for secrets management. Vault allows you to do things like expire credentials and have them generated on demand. Great for dealing with things like creds for DBs your app needs to connect to. #DevDiscuss
#DevDiscuss joining in late but just few days ago successfully wrote a custom script that helps document references for a research paper I am writing. There are plenty available already, but wanted to write my own. And learn. So yay!
Started a really rad new job last week as a Community Manager for @GremlinInc. Talking to folks about Chaos Engineering, which is really fun. #DevDiscuss
I think that users are allowed to use bad passwords too often in websites/applications. If a user tries using 'password123' they should get a prompt letting them know it's not secure and a link to read more about good password practices. #devdiscuss