1
00:00:00,000 --> 00:00:04,796
[MUSIC]

2
00:00:04,796 --> 00:00:07,610
We've covered a lot of information so far.

3
00:00:07,610 --> 00:00:09,390
Great job pushing through.

4
00:00:09,390 --> 00:00:13,640
In this final stage we're going to discuss how to maintain the security of your

5
00:00:13,640 --> 00:00:18,100
existing applications, APIs and services.

6
00:00:18,100 --> 00:00:21,930
We've talked about encrypting the traffic to and from your site,

7
00:00:21,930 --> 00:00:25,950
adding two-factor authentication, and even adding rate limiting.

8
00:00:25,950 --> 00:00:28,240
But security doesn't stop there.

9
00:00:28,240 --> 00:00:32,600
Security is a constant concern, not a list of boxes to check.

10
00:00:33,790 --> 00:00:35,680
Let's start with a story.

11
00:00:35,680 --> 00:00:39,680
Imagine that you've just deployed your new application to production.

12
00:00:39,680 --> 00:00:44,390
Day after day, users join more quickly than your team ever expected.

13
00:00:44,390 --> 00:00:45,980
Your team continues adding more and

14
00:00:45,980 --> 00:00:49,400
more features, making the application even better.

15
00:00:49,400 --> 00:00:54,440
Then one day, an engineer notices some odd entries in the log.

16
00:00:54,440 --> 00:00:59,660
Upon further investigation, you see that some service that you didn't create

17
00:00:59,660 --> 00:01:06,200
is making requests to a server not owned by you or anyone else at your company.

18
00:01:06,200 --> 00:01:08,390
Yikes, it looks like you've been hacked.

19
00:01:09,760 --> 00:01:13,010
After discovering the issue, your team quickly responds,

20
00:01:13,010 --> 00:01:17,720
removes the rogue malware in your system, and investigates how it all started.

21
00:01:17,720 --> 00:01:22,540
After hours of looking, it turns out the hackers exploited a security flaw

22
00:01:22,540 --> 00:01:24,730
in the Ruby on Rails source code.

23
00:01:24,730 --> 00:01:26,720
Not even your own code.

24
00:01:26,720 --> 00:01:30,500
However, no one on your team ever updated Rails,

25
00:01:30,500 --> 00:01:33,840
after months of the application running in production,

26
00:01:33,840 --> 00:01:38,270
which has led to some very nasty media coverage, customer emails,

27
00:01:38,270 --> 00:01:44,190
extremely harmful reputation damage and the firing of your chief security officer.

28
00:01:44,190 --> 00:01:46,880
This leads us to the following key takeaway.

29
00:01:48,010 --> 00:01:50,000
Keep your applications updated and

30
00:01:50,000 --> 00:01:53,100
patch any security flaws as updates are released.

31
00:01:54,170 --> 00:01:58,940
Patching your applications and keeping them updated means that security flaws will get

32
00:01:58,940 --> 00:02:04,080
fixed as soon as they are discovered by the maintainers of the software you use.

33
00:02:04,080 --> 00:02:08,320
Not keeping code up to date has led to numerous incidents at companies

34
00:02:08,320 --> 00:02:10,040
across the world.

35
00:02:10,040 --> 00:02:13,830
For example, the 2017 Equifax breach

36
00:02:13,830 --> 00:02:18,330
was possible because of a Java web framework vulnerability.

37
00:02:18,330 --> 00:02:21,089
The 2017 WannaCry ransomware attack

38
00:02:21,089 --> 00:02:26,090
exploited some Microsoft Windows framework vulnerabilities.

39
00:02:26,090 --> 00:02:31,380
These flaws cost hundreds of millions of people their personal information.

40
00:02:31,380 --> 00:02:33,050
In the case of WannaCry,

41
00:02:33,050 --> 00:02:38,050
not patching these flaws shut down entire hospitals for days on end.

42
00:02:39,080 --> 00:02:42,770
It's easy to tell people to patch their software, but how do you do it?

43
00:02:43,780 --> 00:02:46,963
Answering this succinctly and for all companies and

44
00:02:46,963 --> 00:02:49,820
possible edge cases is impossible.

45
00:02:49,820 --> 00:02:54,780
However, strategies do exist for patching and updating applications and

46
00:02:54,780 --> 00:02:58,380
services over the lifetime of their deployment.

47
00:02:58,380 --> 00:03:02,728
These strategies generally follow a process similar to the following.

48
00:03:02,728 --> 00:03:06,560
Keep an [SOUND] inventory of all the services and

49
00:03:06,560 --> 00:03:09,680
applications you have in deployment.

50
00:03:09,680 --> 00:03:14,590
Also, keep an inventory of all their associated assets, libraries, and

51
00:03:14,590 --> 00:03:16,330
software used.

52
00:03:16,330 --> 00:03:21,620
Next, you and your team should plan a way to standardize all of your production

53
00:03:21,620 --> 00:03:27,510
systems to be using the same libraries, versions and operating systems.

54
00:03:27,510 --> 00:03:31,180
Keep track of the various update channels.

55
00:03:31,180 --> 00:03:33,790
After you have your applications documented and

56
00:03:33,790 --> 00:03:38,435
tracked, next define the security controls you have in place.

57
00:03:38,435 --> 00:03:41,525
[SOUND] Now you can determine priorities.

58
00:03:41,525 --> 00:03:46,630
Cross-reference your assets and security controls against the risk

59
00:03:46,630 --> 00:03:49,920
associated with not updating these systems.

60
00:03:49,920 --> 00:03:53,462
Once you have a prioritized list of patches and updates to make,

61
00:03:53,462 --> 00:03:59,860
define a weekly, monthly, and quarterly schedule to perform these updates.

62
00:03:59,860 --> 00:04:02,690
Now, follow the plan.

63
00:04:02,690 --> 00:04:07,000
And most importantly, follow the plan.

64
00:04:07,000 --> 00:04:10,850
This will allow you to keep your systems patched and your users safe.

65
00:04:12,140 --> 00:04:17,027
Keep in mind that the strategy we just discussed is not the only one and

66
00:04:17,027 --> 00:04:18,465
many others exist.

67
00:04:18,465 --> 00:04:23,339
If you would like to go more in depth on patching strategies, there are great

68
00:04:23,339 --> 00:04:28,290
resources at the popular SANS Information Security site, as well as OWASP.

69
00:04:28,290 --> 00:04:31,580
We will add links to these in the teacher's notes.