 Yn y prydysgwch, mae'n gweithio'n gweithio'n gweithio. Yn y prydysgwch, mae'n gweithio'n gweithio'n gweithio'n gweithio, mae'n gweithio'n gweithio'n gweithio. A blynyddiad y blynyddiad yng Nghymru. Yn y prydysgwch, mae'n gweithio'n gweithio'n gweithio'n gweithio, All right. Fortunately, my wife is not working for me here. Well what do I call it a bug? In slides for Google on the iPad it requires you to have an internet connection in order to present. Which is probably one of the worst features I've ever heard of. Because it should just be able to download it, it should be fine. OK, so when I just got to put into it that problem, so there your password is wrong. Is this a computer? All right, well how about this? Is this big enough for everybody or is this going to be an issue here? Just don't read ahead on me here. Is that going to be OK? OK, well if this pops on, we'll go ahead and try to present if it does connect to the internet. So if you're here for CSS grants I believe is what's published, I'm sorry. You can take a nap, you can relax, watch some YouTube, you're not going to offend me. I'm on 5%, but I unplugged in, so that's actually 5% increase now, so yes. The joys of having one US to UK adapter is that all of your devices are like barely powered at any time. So yeah, I apologize if this isn't the talk you're here for. You're not going to offend me if you want to leave. But we're going to be talking about organizational security. A lot of people like to know who is this guy and why am I up here. My name is Chris Taitzel. You can find me on Twitter at Techner Taitzel. Feel free to huckle me via Twitter. I'm totally fine with it. I make mistakes. I'll say something wrong and I'll definitely say something stupid, so go ahead and quote me on that. I'm on Drupal.org. Eight years, two months-ish under CellarGore. I'm the founder and CEO of Cellar of Media. I also have a company called Locker, which does encryption and key management. We'll hop into that stuff later. More and more now I'm an information architect and security specialist. I like to call myself a reformed themeer. I got into Drupal because I bought a theme off of monster themes. It sucked. So I just ended up rebuilding the entire theme layer myself and then hopped on Omega and kind of rode the Omega Wave in the Omega 3X days. My claim to fame is that I'm technically a third generation tech nerd. My grandpa started at IBM in the 50s. My dad said to hell with that when he grew up and said I'm going to be a teacher. He started at IBM in the 80s. I said to hell with that I'm going to be a doctor and then I started in the tech about nine, ten years ago. So I am proof that genetics are something you should never mix with. So let's just jump into it. The top five security myths are there are only five. There is one single most important vector to secure in your site. We hear this one so often. It's like oh I got a great firewall. Awesome. Cudos. You've got one layer of many that you need to build. So a lot of folks like to focus on one layer, focus on one thing and saying I do this really well. I'm going to be protected. No. Completely wrong. We hear this one a lot. My website host will take care of this for me again. Very wrong. Just because your host is compliant with regulation X, with requirement X, you still have to be using that host in a regulated fashion. So coming up here, GDPR, a host can be GDPR compliant and your site could not be. So don't rely on your site and your host to actually be taking care of your site security for you. Likewise, don't just think that if I have a really secure CMS, I'm going to be totally fine no matter where it is. Again, wrong. Drupal actually does a really good job, especially Drupal 8 now that we got rid of the PHP templating layer. By getting rid of PHP in the templating layer, we are now preventing more and more mistakes from occurring. But just because you're hardening your CMS, you can still put it on insecure software, you can still run it in insecure environments. And as we're going to talk about later, you will still run into places where you will be moving that data around and moving the site into insecure locations. I can automate my approach to security. I apologize. We are all technologists. We are end goals to automate everything and basically just sit back and let the machines do the work for us. Security is not one of those things because at the end of the day, there's always a human at the end of the keyboard. There's always a human at the other side of what you're building. And if there's a human at the other side, there will be... I just caught Wi-Fi. Awesome. Because there's a human at the other end, there's always going to be the necessity to plan for human interaction. So we won't be able to automate this whole thing. And then last, but this is the one we hear the most, is I am too small to be a target. That's the BBC Coke. These guys are the ones that they're going after. They're not going after my little site. And that's actually wrong. They're actually going after your site more than they're going after the larger ones because the larger ones are harder to get to. One of the things you need to learn about hackers, if you don't already know, is that they're lazy. They're like us. They procrastinate in their lazy. So what are they going to do is they're going to go around and they're going to knock on every single door until one of them opens up accidentally. And then they'll put the foot in the door. And then they're going to go around and knock on more doors until another one opens up and they'll put the foot in that door. So just because you're a small site doesn't mean you don't have something valuable. A lot of small sites don't realize, they will now because of GDPR and other regulations, that they do carry a lot of sensitive data in them. I've had more stories of just horrible, horrible data. I'll give you an example. I'm trying to protect my clients here, but we're in a safe spot. I had a client come to me and I built them a Drupal 6 site. And I said, hey, my form is going wrong. Can you help me out? So what's the form for? Oh, it's to buy tickets. Oh, I didn't really give you an e-commerce solution. And I pulled it up and they used web form to create a credit card checkout form that was saving the data to the database where they would then print it into an Excel spreadsheet to then hand to the office clerk who would then call in. I see a lot of groans in this and everything like, but this is what we deal with, right? So the small sites, they don't know what they're doing wrong. And so they are actually targets because of that. The other thing is that a lot of small sites run up. Sorry, did I throw you into convulsions here with that? Sorry. The other thing is that a lot of these small sites run on shared hosts. Shared hosts have resources that are valuable, crypto mining, all the way to DDoS attacks. If they can take over even your little shred of processing power, that's worth something. So they're going to continue to use that. And then as you can see here, there are myths that will go on for days. And we could write a whole book and just sit here and talk all day about myths that people come up with about security. So what do we do? What we do is we say, okay, we're going to take a defense in depth approach to security. Again, we're not going to do one layer, we're not going to do one thing. We're going to do a whole bunch of them. And the idea here is that rather than building a really, really tall wall, let's just build a lot of really hardware, hard hurdles to jump. And more hurdles that you put in place, the more likely somebody is that they're going to trip over one of them and fail. Or you're going to catch them after they hop over one or two of them. And so you can see here at the very external, it starts with policies, procedures and awareness. We're going to go into that. Today's talk is going to be a bit more organisational and a little bit less tech heavy, but if you guys want to ask tech questions, I'd be more than happy to answer. Physical, network, computer, application, device, there are multiple, multiple, multiple layers that we have to protect here. We can't just say, I got a firewall, I'm fine. Or I'm encrypting all my traffic via SSL, I'm fine. Wrong. We have to look at it in multiple ways. So what are we looking for? OWASP is a really good bar to set for yourself. And these are the top 10 from OWASP. These are actually under revision right now. A couple of these will be changing due to the more adoption of APIs and the microservice architecture, create some new, interesting vulnerabilities that aren't represented necessarily here. There's some debate about, obviously some conflict about what exactly we do as, as is always in the tech community, we like to argue amongst ourselves. And so they're currently being revised and they're going to be revised again. There are some proposed ones, but these are what's there. So looking at it, injection, so SQL injection, Drupal Geddon, how many people remember and went through Drupal Geddon? Wow, not too many people. That is awesome. This was kind of like the scariest thing that's ever happened is we all woke up one morning and realized that every single Drupal site in the entire world was vulnerable to a single attack. And with a SQL injection attack like that, somebody can get in, put an admin user on. Unfortunately, this was the time in Drupal 7 where we had the PHP filter. You can enable the PHP filter and take over God knows what on the entire website. So these are good, but these are baselines. So we had SQL injection, weak authentication and session management. Drupal actually does a fairly good job of authentication and session management, but there are ways to bolster that, which we'll talk about later. Cross-site scripting is fairly obvious. Insecure direct object references, security misconfiguration. This is kind of the catch-all of like, hey, you're just not updating things. Over in the US, we ran into this with Equifax. They decided not to update Apache Struts, and basically everybody's confidential information is now available on the web. Going on, we've got sensitive data exposure. This is a big one, especially with GDPR coming up. And how do you protect the customer's data? How do you make sure that the data that you have... So GDPR is more, and I hope you guys know about this, but GDPR is more about the right to know what's being collected on you, the right to being forgotten, but then also what do you do with that information when you are collecting it? So sensitive data exposure in Drupal specifically. There are convenient libraries for this, and I know because our teams built them, that with encrypts now in Drupal 7 and Drupal 8, there really isn't a reason why you shouldn't be able to implement quick, easy encryption in Drupal for any field, form, whatever you want. It's there and it's available. Cross-site request forgery, using components with known vulnerabilities. And keep things up to date, and the unvalidated redirects in forwards. So these are the top ten that OWASP sets out and says, hey, these are the things that we're seeing most attacked. This doesn't account for, you know, crypto mining in the JavaScript. This doesn't account for credit card payments and how we're processing credit card payments and using tokenization instead of passing the credentials to the server. So there are more of these to be updated, but these are good ones to look at. When looking at all of those, you can kind of boil it down to three. It's the CIA triad. It has absolutely nothing to do with our US agency, the CIA, so don't be afraid. They're probably listening in on this, but that's completely different. But when it boils down to it, security all comes down to confidentiality, integrity and availability. Confidentiality we all understand, right? Encrypt the data, keep it private. The integrity of it. So the integrity of the systems, SQL injection, making sure that everything's up to date. But availability is the one that a lot of people don't pay as much attention to and are actually more prone to now, and we're actually seeing more and more of the attacks coming through in this availability. This is your DDoS attack. These are your attacks that are just trying to take down the site in general. Now, you may ask, like, why would a DDoS attack or anything like that be, why is it that bad? I mean, if the site goes down, it's not like anything's lost, right? Correct. You didn't lose the specific data, but you're also losing function. You're losing commerce. You're losing your presence on the web. So though it may not be a data integrity issue, availability is a huge business liability that we all need to look out for. So, with that, DDoS is the growing threat attack. It is where, because of our environment of having connected devices, we saw this a couple of years back with the IoT, that you're able to now take all these internet-connected devices from thermostats to fridges to microwaves or whatever and turn them into a giant botnet to take down sites. This can be because you don't agree with what the site said. This can be because you want to expose other vulnerabilities within it or you can just want to take the mouth line for the fun of it. But we're seeing this as a growing trend. So the question is, how do you protect yourself against a DDoS attack? And the idea with a specific DDoS attack is that they are trying to basically run an arm trace against you and see how much do you have versus how much do they have and can they overload all your resources until your site just falls on its face. Now, the way that you can prevent that or try to stay ahead of it is to spread your attack surface as wide as possible. So this is why having a CDN, we say, is really good for the marketing team because it makes all those images fast and the videos low and everyone's really happy about it. But from a security perspective, you're actually in a much better position because you're able to spread that attack surface out to the localized regions. So when you're coming out of Russia, it's going to hit that Russian pop and take the Russian pop down. So maybe the Russian version of the site isn't going to be shown, but for the 90% of the world that is visiting it, it'll still be up and running and everything's valid in there. So it's a way to kind of spread that attack surface and, again, think about it in layers and hurdles instead of big walls. If you all of a sudden see pops starting to go down, you have a chance to react to it before it ripples itself out to where your main customers are rather than, oh crap, the whole thing's down, now what do we do? So the second stat here is actually pretty amazing. 500 and 79 gigabit per second traffic. Like that is massive. And because of our connected world and because of our connected devices, this is now possible. Does anybody remember the Dyn attack? A couple of years back. It was basically, thank you, US government. A US government created weaponized code that somebody got a hold of and decided for shits and giggles that they would release it on the web and see what it does. And it ended up taking down the DNS backbone for like three quarters of the US internet. That backbone is made to withstand this much traffic and it still goes down. That's the type of attacks that we're going against and by spreading ourselves out, by giving ourselves a wider footprint with the CDN and just based on general cloud availability and being able to scale out, we're going to be able to hopefully run that arms race faster than and shut it off before the attacker does. So we're going to go through some practical steps in just your website environment. Again, if you guys want to ask more technical questions, that's totally fine. I'm aiming this more in kind of a general business sense of why we want to protect our website environment. We actually see this a lot. We see it more often than we should. Luckily, because of the way that cloud services are running, we're seeing it less and less. But this is still an issue where your entire business, everything you don't want them to have access to, sits on the exact same environment that your marketing site does. Do you really want your ERP, all of your financial data, all of your HR data, trade secrets, whatever that is, be exposed via the weakest link, which is a marketing site, an insecure WordPress site or an insecure Drupal site can sit there and take down your entire infrastructure? Again, what hackers do is they try to get their foot in an easy door and once they do, they use that as a point to pivot about the entire organization. This has seen it, for instance, the Ashley Madison attack that occurred a few years back. They didn't use any authentication past the firewall. Basically, once you got in that same password was access to everything. They got in through a simple front end vector and then they were able to ripple themselves through absolutely everything in the entire organization. If you ask me, I'm kind of glad they did. But they were able to expose all the nastiness that was going on inside because they put everything into one giant bulk container. This is the reason why I propose and push people to go forward to manage hosts, get away from trying to host everything yourself, because when you do, you're going to try to make it as easy as you can on yourself and you're going to try to put them all into the same environment. This should go without saying now, but HTTPS does matter. SSL does matter. Google is actually warning the nasty security certificates in Valid. They're now extending that to if the page has a password entry on it and it's not using SSL, it will throw the same warning as if it had a bad SSL certificate. In other words, customers will start seeing really, really nasty. This is horrible. You shouldn't use this website even if you're using a Valid or if you're using an invalid cert or if you're using no cert at all. In addition to that, Google has now announced that they're going to stop, they're going to be putting the insecure in the browser bar for all domains that are not running SSL. That's going to start phasing into all of their products. So now, even if you may just have a simple marketing site and nothing fancy on there or whatever, you're going to be branded as insecure. With Let's Encrypt and all the other options out there, there really is no reason that you should not be using SSL now. It also unlocks a lot of potential and features, so if you want to start using geolocation, notifications, anything with the smartphones and the device orientation, those are all requiring that you use SSL now, so you have to. Again, a lot of the argument about SSL in the past is that it's performance heavy. It's going to cause my site to slow down. From a server perspective, negligible now. That's not the issue. It does cause a couple of extra round trips to occur, and this is why having a CDN again not only does it make you secure from a DDoS attack and spreading everything out, if you can get that handshake to occur sooner in the chain, then you don't have to negotiate and do as many round trips so you can actually speed up that SSL process by using a CDN. Once we've established that you have your marketing site and everything away from your main and your core resources, once we've established that you are using SSL, let's talk about the fact of why are we still using passwords. I don't know how many of you have a multi-million-dollar budget to protect your passwords. I don't, and these guys do. So why are we trying to do their job better than they can? They provide us simple integrations, so federated logins, social logins such as Twitter, Facebook, and Google. 99% of your users will have those. So if they have that ability to use something that is more secure, let them. A lot of those now have two-factor authentication, or, hey, we noticed that somebody in North Korea is trying to log in to your Google account, probably isn't you, can we make sure that it is? I don't know if you guys have it, but we don't have the resources to run that type of validation on every single request that comes to our site. So using a social or enterprise login system, if you're in a larger enterprise or in your EDU, you already have that backbone available to all your other systems. Expose it to your Drupal site and allow Drupal to use that instead of trying to use your own passwords, because amazingly enough, every year when they publish the top 10 passwords, ABC123, QWERTY, password 123, people try to get crazy and password with a zero instead of an O. All that type of crazy stuff, it doesn't really mean anything. The other thing is that the more unique passwords that you put in place, and one of the things that they're surprisingly good in the US, that they're starting to do is they're pulling back on the level of complexity that are required in passwords, and saying entropy is now more required. So in other words, rather than saying, hey, you have to have three digits, two symbols, but the symbols can only be these three, and you have to use your first cats, your first initial, and all this weird stuff into your password, and say, create a password that's longer than 20 characters. If it's longer than 20 characters, it can be all lowercase, and you're still going to have a higher entropy than trying to take a 10-digit password and mix it up with letters and symbols. The other thing that you also run into is two-factor authentication, fatigue, or password fatigue. Yes, you can have a really, really strong password, but your really, really strong password to every other really, really, really strong password that they have to do, and your two-factor authentication is in addition to all the other two-factor authentication that somebody has to go through, and once you put that much burden on the user, they're lazy. They're going to try to find a way to get around it. So what do they do? You can have two-factor authentication. They're going to write that on the post-it note and stick it on their monitor. They're still going to write the password on their monitor, or on the sticky note and put it on their monitor, and they make them only remember one thing and one thing only. It gives you a better sense of knowing that they're going to be provably using secure passwords. And again, these guys' budget for passwords is much larger than all of ours, so let's let them do their thing. When it comes to key management, this is kind of my big project, because this is all of what my product manages. How many people knew about OneLogin or the OneLogin breach? A couple of folks. So OneLogin is this enterprise identity management single sign-on across all of your apps. We're just going to hold all your passwords for you. I'll read the quote here, and then I'll explain. A review has shown that a threat actor obtained access to a set of AWS keys and used them to access the AWS API from an intermediate host with another smaller service provider in the US. The actor created several instances in our infrastructure to do reconnaissance. One of the things that we're finding and we're trying to swap as fast as we find it is over-provisioned AWS keys, and just in general over-provisioned cloud keys. These cloud providers are giving you a lot of really cool capabilities and a lot of cool technologies to use. But if you use the one key to rule them all, the one key that accesses your entire cloud and you go and put that into Drupal, where's Drupal going to save it? One of two places, the database or your code. Both of those are bad. If I get your database, I now have an AWS key that has access to everything in your AWS environment. So that's exactly what happened here. There was a small marketing site that was on a provider that they're trying to distance themselves from it, right? But they gave basically the master key to somebody likely in this, and I've seen it happen before, hey, I want to use the S3 module to store images in S3 so that we can then, you know, store them in S3 and use CloudFront and all that fun stuff. Great. Well, here's a key. Go use it. Well, that key is the master key. They got that. They're able to get into their cloud, into the BPC, actually spin up their own instances inside there. And because they have that API key, they're able to access all the encryption, they're able to access all the databases, they're able to have carp launch to everything inside, and so basically one login came back out and said, oh, by the way, everything you gave us has been compromised. It doesn't matter. You're going to have to re-roll all of your credentials, which at the core of the company is what they do. So not only is this just like bad practice, it creates a giant liability for your company, and that your company and all of their infrastructure can be compromised from one single key that one person thought would be easier to use for the S3 bucket. So make sure you know what you're putting into your website. Make sure you know what tokens are being stored, what passwords are being stored, where they're being stored, and how. In Drupal specifically, in Drupal 7 and Drupal 8, we created the key module. The key module is plug-able. You can use it to store your keys wherever you want. But it kind of acts as a centralized spot where all of your credentials can be and you can monitor what keys are being used, where are they being used, by who, and then you have a place where you can easily roll them in the event that something like this occurs and you need to go back and redo everything. So now that we've kind of talked through practical security in your website, one of the things that doesn't get discussed as much, but that definitely needs to, is just creating a security mindset. How do we create our teams to be secure? Big, big, big caveat, not a lawyer. Feel free to sue me for as much as you've paid to get this information, which is nothing. And so, yeah. Big disclaimer, everything I'm saying here, take it with a grain of salt when it comes legally, but professionally, I hope I have some credibility with you guys. First off and foremost, document absolutely everything. Most companies should and will have expected best practices. We expect you to have encryption turned on, trial encryption on your laptops. We expect employees to be able to in the event of losing a laptop, what happens. All of those procedures are there. Document project specific security. Now this is something that a lot of people don't do, but thanks to GDPR we'll start doing because part of the idea behind GDPR is security by design. The idea that you can provably show at the beginning of the project or somewhere throughout we decided that we're going to put security as a forefront in what we're doing. So in order to do that, we need to look at what data is in the system inherently, what data is being collected by the system, and then show that we're doing this all by design. That we actually took security as a concept at the beginning rather than bolting it on at the end, which always ends up occurring. These data audits are really fun. If you come into a new site we've done these with automated scans and stuff and it's like, oh look, you've got 20,000 credit cards in here. Awesome. Now we're going to go out to delete them and why are we collecting them and where are we collecting them. And then it's just really good to be able to show your client like here's all the data in your system. Did you know that this is here? Did you know you're collecting this and do you really want to? But this is one that I've heard of recently that a lot of people are documenting and when shit hits the fan what do you do? If you were to go to your CMO or whoever is in charge of the brand of your company and say, hey, BBC just called you it's two o'clock in the morning and they're asking about that hack that just got reported on Twitter. What are you going to say? Chances are they don't know and chances are if it's two o'clock in the morning they're going to say something really stupid that's going to trip them up and you're going to be digging yourselves out of that hole in addition to the breach. So you need to look at every layer here and start documenting. What's PR going to say? When the breach occurs PR is going to do this. Legally, okay, we're going to grab the lawyers we're going to get them in the room as fast as possible and figure out who's liable for what and how do we mitigate that. We're going to get DevOps in. How did it occur? How do we prevent it from happening again? And then if necessary to criminal authorities, who are we going to contact? How do we contact them? Who's going to be the one managing those contacts and those investigations that will have to occur afterwards? If you have this binder just sitting there waiting hopefully never to be used when it does happen you can just pull it out and everyone has a sheet that they're running by and everyone is in lockstep it's going to help your brand and the event that you're actually having pulled this binder out your brand is going through some damage it's going to protect your customers because you're going to have a quick response plan of here's what we're going to do here's what we're going to shut off here's what we're going to turn on and it just kind of creates a sense of calmness. So in the event that you do have a breach liability again I'm not a lawyer Do you have liability insurance? Most companies do. Does that liability insurance cover cybersecurity? Most of them don't. So make sure that you actually ask your insurance broker hey am I covered in the event of a cybersecurity breach am I covered in the event of a data breach and if not get protection for that because one of the former FBI directors is famously quoted as saying there's two types of businesses in the world those that have been hacked and those that will be hacked and they're pretty much turning into those that have been hacked and those that will be hacked again most people need to operate under the assumption that you will be hacked at some point so having this insurance and having this cover you in the event of that especially if you're an agency like I run an agency if one of our clients is breached and they put that back and pin that back on us then we have insurance to cover it because I don't know if many agencies can do this but if you're at risk of the liabilities for a data breach hands up how many small agencies are in the room or folks that run deaf shops or are part of deaf shops how many of you guys can write a 100,000 pound check tomorrow and be in the business right so that's the thing is like if you have a data breach you have to realize that you're going to potentially have to be writing a giant check let your insurance company write it this is the big one we hear all the time my clients aren't requesting us to do this no they're not requesting it but they're requiring it they expect you to know what you're doing so you need to be able to build that into your contract build that into your practices so that you can show your clients yes this is something we are doing even though you haven't asked us to yes it's going to add a little bit more to the budget but you're going to be really happy when that day comes when all of your competitors are hacked and you're not and along those lines make sure you have good contracts make sure you have it laid out with who is it liable for what in the event of that customer who brought me their website that I had built them that then collected all the credit card forms or all the credit card information I right away said look just for all clarity here liability wise I did not create this I'm not touching this I'm not downloading and I'm not accessing any of this credit card information because I don't ever want to see any of this information to be liable for it make sure that you have in your contract who's liable for what and how and when because you may be really cheery cheery with your clients and your customers now so maybe you might not be and that's normal but when the data breach occurs nobody's going to be friends and everyone's going to be pointing fingers and you want to be able to look at a contract and say no according to our contract that we both signed a year ago you're the one liable for this not me yeah what's that? backup your backup of your backup I can't say enough I have saved more sites by being like oh there's a backup that happened an hour ago awesome back we go and I've lost sites or had to recreate sites where it's like oh that didn't happen early on and it bit me once or twice I'll never do it again this shouldn't have to be something I say in this room but just use it don't ask you'd be surprised at how many tech conferences I go to and I get like should we use it? yes don't FTP into your servers it's bad enough so the three Bs of a breach breathe backup and build breathe this is the first one that I don't think enough people take to heart when you're hacked it's stressful how many people have gone through a hack oh quite a bit of people was it a fun time? you know let's do it again stop and I've had to do this with our team it's stop take a breath collect yourself because you're going to make knee jerk reactions that are going to cause yourself more issues and more damage down the road if you're just trying to put out fires fast so take a step back breathe control contain the situation and then back it up that way you can go have a post more to later and say what the hell happened and why otherwise if you're just in there fixing oh I fixed it well you don't know how it happens you don't know how to prevent it from happening again and then again build build fast build whatever you need to do to get the site back up to remediate the issue or to fix the whole but this all comes back to employee education so how do you actually educate your employees or educate your team on having that security mindset I like to partner up and have buddy programming junior devs with senior devs code reviews it's very important that the best way us developers learn is from others and from Google and Stack Overglow and so because of that we're constantly seeking advice from others and seeking out how to how to work with the technology that we have the best place to do that is those that have already been there so partner up your junior devs with your senior devs take your post mortem seriously don't just be like well that's done now we're off to the next one actually look at it what went wrong what procedures went wrong did I freak out and run around the room yeah probably shouldn't have done that okay let's go let's figure out what the procedure is next give time for the developers to recap and review code before releasing again don't just cowboy code let's push it out and pray that nothing goes wrong review it have other people review it this goes back to the buddy system and then this is an interesting one but reward failure when a breach occurs it sucks but reward finding that breach right if you can find a bug in your own code or a breach or a hole in your own code before it actually gets exploited that's not something that's like oh why did you code that wrong you should have never done that my favorite example of this is does everyone remember when s3 Amazon s3 went down in the US and like internet just started burning to the ground it was all because of one dev fact fingered a single command line that they were supposed to do some routine clean up in s3 and it ended up just like deleting all of the buckets right Amazon came out in their post mortem and said the failure was not the employees it was ours in giving him the ability to make that mistake and I thought that was really powerful to be able to say yeah they failed but it's our failure and letting them fail and rewarding that failure and rewarding that being open with that that possibility principle of least privilege don't let employees access things they shouldn't this shouldn't be something that I have to talk about but again it's something that I hear over and over again I heard of a company recently that every employee on the first day got rude access to the servers don't do that that's bad you trust your employees awesome I don't so people need to earn that and people always make mistakes so make sure that all of your permissions or all of your actions are based on capabilities not on permission because if it's based on just permission alone in saying like I can delete that then if somebody is impersonating me then they can delete X but if I should never even have the ability to delete that in the first place if it's capability based then it's like I shouldn't be able to do that so if you start moving towards capabilities and away from this like ambient authority of just once you have the password you can do everything that starts to secure more and more pieces of your infrastructure but remote workers this is again shouldn't have to be said but GDPR follows you everywhere so all of your remote workers are covered by GDPR protect your devs and you protect your clients and your business so it starts with the devs encrypted data protects your employees so if you encrypt your data and then send it to your employees they can't decrypt it they're not able to be an attack vector for it so that's why we promote encryption of data within Drupal because you send it to a remote worker there's laptop gets stolen great good luck decrypting it you have the key to decrypt that production data secure team communications keybase.io if you haven't already used it go grab it it's like Slack but encrypted and it's awesome so you need to share that password with somebody on your team and you're not using a password manager which is the next one down you should be using a password manager but if you're not you can send it over keybase it's encrypted between you two it also has like a really cool encrypted file share so similar to the Dropbox but too encrypted and it forces it out amongst your team that they use that and then try to push it onto your clients yes it's possible I have like a happy moment in my heart every time a client's like hey can I keep any of my passwords yes you're not emailing me your password anymore this is good and then there's other customers who send me their password via email and then we have to go and do everything all over again UB Keys or other two factor authentication devices are awesome, they're cheap, they're easy plug them in, yep right there you just plug them in and use them and because two factor is something you know and something you are that UB key is a physical device that you have to have with you and then last but not least sales and marketing I don't think we have many sales and marketing in the room here because this is more of a technical conference but use services and vendors that are vetted payment systems, it's really annoying and hard for developers but I built this really cool tool and then you went and installed this like really weird widget in the sidebar and then it just broke the whole site and caused a massive data breach sales and marketing need to kind of clear what they're putting into the site most of the website responsibilities now are coming underneath marketing as agencies you're probably finding yourselves working more with the marketing departments and you are at the IT departments these tend to be less technical people and they talk to them about what the security requirements are and why it's important not to put credit cards in the database when in doubt just don't post it this goes back to the in general just if you don't have if you don't need to collect the data or you don't need to post the data don't and then the last thing is just like if you are around security or you're trying to market security to your customers don't use FUD fear, uncertainty and doubt it's just kind of it'll work but is it really how you want to sell your service you're going to get hacked you're going to be liable for all this damage give them a sense of empowerment by using this or by us doing this extra service or by us using this extra product you're going to be empowered to be safer you're going to be empowered to do more and that I'm going to find and I've found through marketing our own product empowerment works just as well and at the end of the day you can sleep at night knowing that you're not using fear to market all of your products so with that I don't think we have much time if any for questions very quick one the most secure way of sending the username and password again, IT based everything so if it is it's like signal or any of those others that are two-way encrypted it requires you to both have it basically is public-private key encryption between two people but in a very easy to use chat-like form so every time you click on somebody's username it opens up a secure channel negotiates that secure channel and then you can start passing information keybase.io quick to tell us what locker is oh sorry I don't like promoting myself too hard on these so locker we have a plug-in that plugs into the key module also into WordPress yes I know I do WordPress as well basically the idea is that Drupal has two things available to it the database and the file system both of which are passed around more than candy in the dev team and both of which are very insecure methods of storing your secrets so we take those encrypted and store them in our they have more acronyms and letters next to it regulated vault basically of secrets and it allows your website not to store any of the secrets on the site but still have the faxes to them as if they were right there so if you are on pantheon or using pantheon your site actually will already know who you are and then the other fun thing about it is that you are in prod environments and so by doing that if you set a key in production it will never be pulled in dev and likewise dev to production so when you migrate your database back you are not actually having to reset because I don't know about you guys but I have never toggled that mistakenly and charged credit cards and things that I shouldn't have but if you were to do that it would prevent you from doing that or sending the test email to everyone so the tricky question is that's us giving you all secrets no, you are giving me an encrypted blob which I am storing on your behalf and giving you back because what happens is is before it even leaves Drupal it's encrypted again and sent to me not me but stored in the cloud so I always joke that we could actually publish our database publicly and it wouldn't mean anything because you would have to have the alternate key to do it so totally secure actually helps me regulation and if you want to talk to me about its implications in GDPR and the right to be forgotten we are actually coming up with some really cool stuff that will actually nuke customer data into the past in all of your database backups and all that too how do you customers usually react to the media security in terms of in terms of budget in terms of budget so you have to