Talk by Dmytro Shapovalov, Infrastructure Engineer at Cossack Labs, at Ruby Meditation #25, Kyiv, 08.12.2018
Next conference - http://www.rubymeditation.com/
Making secure applications is not easy, especially when encryption tools are difficult and incomprehensible. We will talk about typical data security problems in web apps and how to implement encryption properly. We will review cryptographic approaches and exact tools that ensure that no sensitive data leaks from the application or database.
Announcements and conference materials https://www.fb.me/RubyMeditation
News https://twitter.com/RubyMeditation
Photos https://www.instagram.com/RubyMeditation
The stream of Ruby conferences (not just ours) https://t.me/RubyMeditation
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Meditation 25
1. Data encryption for Ruby web applications
Dmytro Shapovalov, Infrastructure Engineer @ Cossack Labs
2. Who are we?
• UK-based data security products and services company
• Building security tools to prevent sensitive data leakage and to comply with data security regulations
• Cryptographic tools, security consulting, training
• We are cryptographers, system engineers, applied engineers, infrastructure engineers
• We support the community, speak, teach, and open source a lot
3. What we are going to talk about
• The data breaches problem
• Approaches to the protection of sensitive data
• What we can and cannot protect with encryption
• Integrating encryption into a Rails application
4. What does humanity have to protect information?
Strong enough block crypto algorithms: Rijndael (AES), Twofish, Serpent
+
Tons of structured information
5. Data breaches continue rising
2018
• Facebook : 87 Million
• Under Armour : 150 Million
• Saks Fifth Avenue : 5 Million
• SingHealth : 1.5 Million
• British Airways : 0.38 Million
• Ticketfly : 26 Million
• Marriott : 500 Million
• Quora : 100 Million
• Instagram : plaintext passwords in the URL? Really?
6. So what should we do?
1. Classify and specify data that we want to protect
2. Classify and analyze risks
3. Determine threats
4. Choose techniques and tools
5. Integrate into application
7. Data classification and risks
All data: user data and service data
User data:
• Biographical information
• Looks, appearance and behaviour
• Private and subjective
• Workplace, education
• Health, sickness and genetics
Service data:
• Accounts, passwords
• Certificates
• Keys, tokens
8. Data classification and risks
All data: user data and service data
• Compliance risk
• Legal risk
• Reputational risk
• Quality risk
9. Types of data breaches
• Hacking: 49%
• Disclosure: 22%
• Unknown: 15%
• Physical loss: 12%
• Insider: 1%
Source: https://www.privacyrights.org/data-breaches
10. OWASP top 10 security risks — 2017
• Injection
• Broken Authentication
• Sensitive Data Exposure
• XML External Entities (XXE)
• Broken Access Control
• Security Misconfiguration
• Cross-Site Scripting (XSS)
• Insecure Deserialization
• Using Components with Known Vulnerabilities
• Insufficient Logging & Monitoring
https://www.owasp.org/index.php/Top_10-2017_Top_10
14. Decrease risks in the application
• Authentication & authorization (including the API), principle of least privilege
• Filter input data, escape output
• Implement weak-password checks
• Use less complex data formats
• Compartmentalization — classify data and apply controls
• Use strict DB queries
• Security by default
• Use secure connections
• Log everything
• Hash passwords and encrypt sensitive data
15. Protection of passwords
Yes, plaintext passwords are a little insecure
• DO NOT operate with plaintext passwords
• Use one-way hash functions whenever possible
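An added example (not from the talk or from Cossack Labs' tools) of the rule above in plain Ruby: the application never stores the password, only a salted, iterated one-way hash, and verification recomputes the hash and compares it in constant time. The parameters and the storage format are assumptions chosen for this example.

```ruby
require "openssl"
require "securerandom"

# Assumed parameters for PBKDF2-HMAC-SHA256. Iterations make each guess
# expensive for an attacker who obtains the users table; tune to your hardware.
PBKDF2_ITERATIONS = 100_000
PBKDF2_KEY_LENGTH = 32
SALT_LENGTH = 16

# Derive a one-way hash of +password+ with a fresh random salt and return a
# self-describing record for the database (assumed format for this example):
# "pbkdf2-sha256$<iterations>$<salt hex>$<hash hex>"
def hash_password(password, salt: SecureRandom.random_bytes(SALT_LENGTH),
                  iterations: PBKDF2_ITERATIONS)
  digest = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                                    length: PBKDF2_KEY_LENGTH, hash: "sha256")
  ["pbkdf2-sha256", iterations, salt.unpack1("H*"), digest.unpack1("H*")].join("$")
end

# Constant-time equality: the running time does not depend on which byte
# differs, so a login check does not leak partial matches.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Check a candidate password against a stored record. The plaintext is used
# only transiently to recompute the hash and is never persisted or logged.
def password_matches?(stored, candidate)
  scheme, iterations, salt_hex, hash_hex = stored.to_s.split("$")
  return false unless scheme == "pbkdf2-sha256" && salt_hex && hash_hex
  salt = [salt_hex].pack("H*")
  expected = [hash_hex].pack("H*")
  actual = OpenSSL::KDF.pbkdf2_hmac(candidate, salt: salt, iterations: iterations.to_i,
                                    length: expected.bytesize, hash: "sha256")
  secure_equal?(expected, actual)
end
```

The same shape (random salt, slow KDF, constant-time compare) is what a library such as bcrypt does for you; the point is that the database row alone must not be enough to recover or replay the password.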
22. Common data security mistakes
• TLS is enough
• Poor cryptographic design
• Using database storage encryption only
• Insecure key management model
• Poor authentication