...get started here. There's a last-minute schedule change, so if you were expecting decoupled Drupal, we will be talking somewhat about decoupled Drupal, but we're going to be talking more about the security of decoupled Drupal. So if you're here for the actual decoupled Drupal talk, I will not be offended if you decide to leave, but hopefully you'll stick around and talk security with us. Today we're going to talk about the future of internet security: what do the current trends and the progressions we're making in Drupal, as it goes headless and becomes part of a greater ecosystem, mean for us, and what challenges does that bring?

First off, you're probably wondering who this guy is. My name is Chris Teitzel. I'm the founder and CEO of Lockr. We are a secrets distribution network handling the storage of encryption and API keys, and we have the service for Drupal. You can find me on Twitter at Tech Nerd Teitzel; go ahead and tweet me during the talk if you want, heckle me, do whatever you want. On d.o I'm Cellar Door. I just looked it up yesterday: I'm on my 7th year and 10th month, if you will. I originally got involved with Omega early on in the Drupal 7 days, and then have transferred recently to working with a team of developers to completely overhaul the entire encryption series of modules. So Encrypt, and really, yes, the Key module, File Encrypt, Field Encrypt, all that good stuff. So if you need to do encryption on Drupal, come talk to me.

It's scary to predict the future, and I will be the first one to say up here that chances are what I'm talking about may or may not happen, but it's stuff that we need to at least think about and be familiar with.
When I think about trying to predict the future, Back to the Future II always comes in. I always look at it and say, well, we may not have flying cars yet, but they actually did predict a future that is very close to where we are now. This was set in 2015, which in the 80s was so distant in the future that it was doing these weird things like having glasses that you could wear that had alternate realities in them. Well, we have that today. We don't have the double ties, unfortunately; I think that's a style we should bring in. But the idea that you'd be sitting around the table with a pair of AR goggles on was something so distant that they wanted to put it in there. The other thing that was slightly in there was using your thumbprint as a way to pay for your cab. In the future that was something crazy: there's no money anymore, you just use your thumbprint and payments occur. Well, we have Apple Pay now, and Google Pay, or Google Wallet, and paying with biometrics is now something we all do on a daily basis, so this is nothing new. They also predicted that we would be talking through our TVs to people. Unfortunately this is when he's getting fired via video conference, but this was just something absolutely crazy: who would talk to their TV and have a video conversation? Yet now I would say most of us in this room do some sort of remote work with our colleagues on a daily basis over video chat. If you're a baseball fan, they predicted that the Cubs would win the World Series, one year off, but still not too bad. Self-lacing shoes: we actually do have these now; Nike decided to produce a limited series of these.
So when we look at our current technology, this is stuff that 20 years ago we were just blowing our minds over, saying this could never happen, this is fanciful, this is Hollywood. Yet now at home I have an Amazon Echo, and I walk in and say "Alexa, turn on my kitchen lights," and my kitchen lights turn on, and I say "turn up the heat" and my heat turns on. I don't have the coffee maker, but I could say "Alexa, make me some coffee" and it would make me some coffee. I can see who's at my doorbell from 100 miles away. This is the world we're living in now, where everything in our life is connected and everything we have is constantly pulling data in and learning about us. It's a fun future to be in, but it's also one that brings some questions to mind.

Your entire life now is connected. As your digital footprint expands, so does the amount of personal data that you're giving out. You have services now that are watching how and when you change the temperature, so they know when you come home from work. Some of your refrigerators, if you're getting the new fancy ones, know when you're out of milk, what you're eating, what you're watching on TV, your sleeping habits if you have sleep trackers under your pillow. There are so many things now that we can connect to our lives that personal data is being collected about us in an ongoing fashion. While I'm not saying this is entirely bad (I for one absolutely love the idea of a connected home and a connected future), as developers it puts an onus on us: we need to be responsible for the data that we're collecting and the data that we are monitoring.
It is no surprise to anybody that breaches continue to occur. This is kind of a size map of recent breaches, and you will see that there are some very, very big breaches going on. One in particular, right there at the top, is Equifax, where pretty much every American social security number, which we unfortunately use to determine our credit, is now leaked out onto the dark web, and we have a lot of personal issues coming down the pipeline from that.

So with breaches happening daily and all of this data being collected about us, there has been some economic discussion around oil no longer being the most valuable asset in the world; it's data. If you look at the value of companies that collect data, it's massive. The ability to collect, analyze, forecast and then act upon that is driving the next decade of growth in business. If you look at the new companies that are coming out and getting a lot of the investment, it's around artificial intelligence: the ability to read large pools of data and then act upon it. You have to look no further than IBM, which recently purchased the Weather Channel. Why would a tech company ever want to purchase the Weather Channel? Well, the Weather Channel has the largest source of weather data. When mixed with Watson, their supercomputer and their AI, they can now put the logistics of weather into the algorithms that Watson is using to compute shipping routes and forecast weather for power grids and cell towers. This is all happening around us, and the data being collected is growing all the time.

An article in The Economist; I'll read this for you because it can get a little wordy, but it says: whether you're going for a run, watching TV or even just sitting in traffic, virtually every activity you do creates a digital trace.
As devices, from watches to cars, connect to the internet, the volume of data is increasing. Some estimate that a self-driving car will generate up to a hundred gigabytes of data per second. Meanwhile, artificial intelligence such as machine learning extracts more value from that data, and algorithms can predict when a customer is ready to buy, a jet engine needs servicing or a person is at risk of a disease. Industrial giants such as GE and Siemens now think of themselves as data firms. They're no longer these industrial giants; they are data firms. They are collecting data and pooling that data together to then forecast and analyze and put it into their products.

So successful companies collect data. Whether or not you think the data is important at this time, collect it. As a security professional, you don't hear that much, but I would say collect data, collect the right data, and protect it properly. Collecting data now, even if you don't think you have a use for it, is going to be valuable to you in the future so you can run historical data, and then use that data to drive your decisions, back up your theories, and lead your company and your product and your team. No longer do we just have to guess what's going on; we can analyze the data coming in from our products and our services, and we can start using that to our advantage.

An example of this that I've recently heard: in the not so distant future we'll have refrigerators that can tell what products you're pulling out of the refrigerator. Based on the products you're pulling out, and your wifi router at home knowing what devices are connected to it, it can go, "Ah, you pulled out chocolate and wine and it's only you and your spouse at home; it's date night."
So when you go to the couch and sit down and turn on Netflix, it instantly comes up with romantic comedies and dramas for date night. Your house will start sensing what you are doing without you knowing about it and providing that feedback to you in real time. That's amazing. Those are products that we should encourage and should want to build.

However, the IoT world is turning into what I call the IoHT, the Internet of Hacked Things. We saw this recently when a massive DDoS attack was orchestrated using DVRs and IoT devices, and it took down the entire eastern seaboard of the U.S. and actually rippled out into Europe and elsewhere as well. All internet traffic shut off. This was a DDoS attack at a scale we had never seen before, because there were millions upon billions of devices out there calling into a service. It's no longer how big a server farm you can spin up. You now have access to connected devices everywhere, and so we need to start protecting those. Cars: a good example was Jeep, which had a vehicle that was shown to have a flaw in the BIOS, in the computer, and it was actually programmed to come to a stop while one of the reporters was in it. So a hacker in a separate, isolated environment was able to use the cellular connection to access the car, apply the brakes and make the car come to a stop. It's a fairly scary idea if all of a sudden all cars around the world just stop.

Every connection to the web, everything we do, creates a new attack surface and a new way for that data to be lost. And personal data is everywhere. Yet a lot of the time when you're building websites or services you go, "Ah, it's not that much information," or "it's not that personal," right? So we're going to do a quick survey. If everyone can raise your hands real quick.
It's the last session of the day, so we need to get a little energy out here. Keep your hand up if you are from the European Union. Alright, who uses an Android phone? Keep your hand up if you use an Android phone. How many people have a pet at home? Alright, we are down to one, two, three, four people in the room by asking three questions that I can find on your Twitter feed. That's pretty simple to narrow down.

So what you're seeing now is that identity theft is no longer stealing credit card numbers. It's collecting random data from around the web that all these little data breaches will have, and I can piece together who you are just from seemingly innocent data. This is used for corporate espionage: we can go in and steal data on our competitors and get a leg up on them. Political gain, as we've seen recently in both the US and the EU.

So what we need to do is, A, inform our customers and our users what we're collecting from them, and get that consent. The nice thing now is that that's not just a good thing to do. That used to just be "hey, be a good person and tell somebody what you're going to collect on them." Now it's the law, and regulations are increasing as more and more of these breaches occur. Unfortunately, until recently, poor security and data breaches had become just the cost of business. It was "oh well, we'll get a fine and we'll pay it, because we're a rich big company and we can afford to do that, and I don't want to have to go through the process of implementing security because I'll just pay for it." So there's an acronym for every industry. You have PCI dealing with card data. You have HIPAA, FERPA, FISMA over in the US. And more importantly for here you have the GDPR, which is going to drive a lot of the decisions that you make as you start to build your services and your systems going forward.
GDPR was enacted two years ago, or a year and a half ago, and it comes into... oh, I have 2017 there, I apologize, 2018. May 25th, 2018 is when enforcement begins. They gave it a two-year period for all businesses to come in and say okay, we're going to bring our systems up to standard. And we're now seeing, as us developers are master procrastinators, that we are just now starting to implement some of these systems, and everyone's starting to feel that this is something we need to start paying more and more attention to. This is not just the cookie warning that has been around for a while. Now you have to have security by design. As you're building your services you need to say: what data are we collecting on our users, and how are we protecting that? And you need to provably have that security by design. You also have data portability and the right to be forgotten. So I should be able to take my data wherever I go, because even though the data is on your servers, it's mine; it's my personal data. And then I also have the ability to say I don't want you to store my data anymore. Well, what happens, and this is a cloudy point that I haven't seen any firm decisions on yet, but what happens in the backups? You can delete it from your real, live system, but you now have years' worth of backup data that you then have to dig back through and delete that person from. Are there going to be systems for crawling through backups? These are all things we need to start thinking about. And then the protection of personal data: the anonymization, the pseudonymization and encryption of data is going to be something that you're going to need to do. So whether you think about it or not, like we showed, in a couple of seemingly innocent questions we can narrow down the crowd to three people.
You need to start thinking about what is personal: what personal data am I collecting, and what do I need to do with it? Do I need to anonymize it so that I'm collecting data without the personal piece of it, so we can bundle it together and find trends? Or if it is personally identifiable, you need to protect it through some sort of encryption. This is the scare tactic that everyone will tell you about in GDPR, and the one that is getting the most notoriety. This is for the top-level, most egregious data breaches, but it is written that you can get up to four percent of your global revenue as the maximum fine. We're finally starting to see an incentive for large businesses to no longer write off security as just the cost of business.

So what does this mean for us as Drupal? Drupal 8 has kind of this dichotomy. You can either be Drupal as a full-stack website, where we're just going to serve the whole thing from Drupal, or you can do Drupal as a headless data source. And so for those of you who came in later and whatnot, apologies, this is not the headless Drupal discussion you were planning to come to, but we are going to talk about headless Drupal. More and more now, as we look at how you use headless Drupal in modern applications, it's being a centralized data source for the IoT world. It's being used in all of these applications, and so now we have to think about what we are doing with the data we get.

Now, OWASP is in the final stages of trying to put together a revised 2017 Top Ten of security topics, and these are the top ten incidences. You'll notice that A7 and A10 are both TBA. Those were previously written, and then there was some discussion, as there normally is in the community, around whether those are actually defined well enough, so they've decided to pull back the official version and revise it again. But if we look down, we have injection, which we all know from Drupalgeddon. That was a lot of fun for us all a few years ago. Authentication and session management: I would say that Drupal does this fairly well. We handle our sessions and session tokens well. We have user authentication, and the hashing that goes on for user passwords is very secure. Cross-site scripting: that's up to all of us to make sure that we aren't just putting code back out into the browsers. Access control, security misconfiguration, sensitive information disclosure. The one that was being debated was insufficient attack protection. This is talking about the use of firewalls. If you are running a modern web application you should have some sort of firewall in front of it. There are attacks being attempted constantly against your sites. As you are sitting here now, there are people trying to break into your sites. I don't say that to scare you; I say that to let you know that we need to be able to put up at least a first line of defense. When we talk about security we talk about layers of defense, the defense-in-depth approach. So A7 will eventually turn into some sort of recommendation around a WAF or using a CDN, so Cloudflare, or some of the hosting providers now have it included in their offering, where they provide that web application firewall. I've talked with some of the hosting providers, and it's very interesting to be on a call with them and they say, "oh sorry, we've got to go, we have a DDoS happening." They're just constantly monitoring the system instead of you having to sit on the beeper and wait for it. CSRF, cross-site request forgery; using components with known vulnerabilities.
i.e. Equifax, who had open source software, Apache Struts, which was left for two months unpatched, and that's what they got in through. And then number ten is TBA, but it's discussed to be unprotected APIs, which will be the center part of what we do in a headless Drupal environment. So if you have an API and you start allowing that data to be available via an API, how are you protecting it? Luckily Drupal does allow for authentication into the API and allows you to protect the data that you're serving up in a headless environment. But if you are building APIs that are unprotected, or you just turn on the REST API in Drupal 8 and don't think about it, you could actually be exposing underlying data that you may not know about.

So in a headless Drupal environment this is what we look at now. It's no longer just Drupal as a full stack. This is actually a very simplified architecture that we drew up for a client. You can see here that they've got Mailchimp for email marketing. They've got Salesforce for the CRM and all the sales data coming out. All connected into a Drupal 8 site that's then talking with Node, which then talks to React. The symbol down here in the bottom is Amazon S3. So you've got data and images and such that are being stored in S3 by Drupal, which are then being pulled in from React. This is a complex architecture. There is a lot of data moving amongst all of these pieces. So the thing you have to think about is how you are protecting each one of these endpoints, and then how you are protecting the data and what data you are sharing amongst them, because you have to assume that if one of these gets breached, the data that's in it can also be breached.
From Drupal to Mailchimp, you need to protect that connection out to Mailchimp, because all of a sudden you can have your entire marketing email list scraped. I was talking to somebody once who had their Mailchimp API key stolen, and the hacker came in and deleted 10,000 users out of their mailing list. Well, for Mailchimp to put those users back in, it's a double opt-in. So they would have had to send an email out to everyone saying, "hey, do you want to sign up for the email list that you've already signed up for, because we had a breach and your email address is now gone and deleted." That's not something they wanted to do, and so they ended up just losing 10,000 users out of their database.

So, arguably, of the open source CMS world, I would say that Drupal is the best option for complex data modeling. I always tell folks, if you have a simple site, a couple of pages, don't use Drupal. You're going to have a hole in your desk the size of your forehead just trying to create a brochure site on Drupal. That's getting better in D8 with the layout stuff that Dries was showing; it's getting much, much better. But the way that we model entities, starting in Drupal 7 when we started modeling the entities, and then the API-first design of Drupal 8, and now as we're starting to bring things like Media and others into core, we're creating an experience in Drupal for the authoring experience, not just the consuming experience. So Drupal as a data source is now a very powerful way to model some complex data that you can then expose via your endpoints.
And so um as you're as you're building uh these uh these complex um uh data models you need to start thinking about what data are you collecting and then how are you putting that together because now we can easily put together an address field or a phone field or an email field uh and then and then you now have that data on your system uh you need you need to protect it and you need to um manage it properly. In addition to Drupal uh serving as the API source Drupal itself is connecting out to other APIs all the time and and more and more as we move into a micro site uh in a micro service world uh Drupal is just a small small piece of the the puzzle and we've got uh things like payment gateways uh we've got email marketing and uh uh SMTP we've got authentication we have APIs we have encryption we have cloud providers we have shipping this isn't unusual to have four or five of these APIs on a single site that you would be connecting into um if you're building a headless Drupal site that's uh that's an e-commerce site you're gonna have almost all of these in there uh and then now you're you're passing off um data out to these providers uh for instance with payment providers um the the credit card information should never be passing through your servers anymore uh most of the the modern APIs for uh for payment gateways provide you a tokenized way to to do the payments using javascript in the browser use that if you're if you're um under PCI you're now lowering your your um your risk level and your your uh amount of self assessment that you have to do if you can offload it all the way down to the javascript layer um for things like the uh the SMTP um if I'm out there um sending emails and in some uh uh cloud providers or if you're in a managed hosting environment that shares IPs um you need to have some sort of uh email relay in order to send email out from your site well uh unfortunately uh currently the SMTP module stores your password in the database um and it stores 
it in the clear I've actually had to recover one of my client's email address passwords because they forgot it uh and I said oh just a second I got it for you and I pulled up their database and I scraped through cause I knew where to look and I pulled out their uh their email info and and password and he's like well how do you have that and I go oh well the website has it so I have it um so we need to start thinking about how do we uh how do we protect all of these APIs that we're connecting out to as well and the reason for this is uh uh there's been recent attacks that have have attacked just that um as we're in this microservice world and everything's connected uh one login a big um uh I am provider in the US how many people have known of one login or use one login just a few okay um it's it's more popular in the in the US enterprise world um they have some of the largest companies in the world um and it's kind of a single sign on so all of the employees in the in the company login to one login or uh into the service and then it will authenticate into everything from mail to your CRM and everything else well they had um a threat this is a direct quote from their from their blog we know that a threat actor used one of our AWS keys to gain access to our AWS platform via an API from an intermediate host with another smaller service provider in the US now they won't give you more details on this but it's very easy to to uh think of a scenario where this is a Drupal site um say you're running a headless Drupal site that's connecting out to your Amazon S3 bucket like we're showing in our example uh if that API key is not provisioned properly uh it has master power within uh AWS and that's exactly what happened to one login they use that API key not only to get into their AWS account but then they started um spinning up rogue servers that were scraping data out of the out of the databases and because the encryption keys were also stored within uh within Amazon and it's 
all you know protected they they they were doing things properly uh but because that one API key was stolen they were able to then scrape the encryption keys and get all of the data out and so one login had basically tell all of its customers we're sorry you trust us to hold all of your passwords and now you have to go change all of your passwords um that's something that none of us want to have to do and so how do what do we do right so I've I've been talking about the the threats and the um and the concerns that we have but what do we do what can we do in order to secure ourselves uh and for me security starts at the top um you uh you want to grow a team mentality uh of security in this ever changing environment um and so if you're if you're a project manager or you're a team lead or a product lead um it's up to you to foster um security in a in a secure consciousness within your team this is uh a comic that I always love to use um it starts off here and it says uh first uh he said for the security we'd like to hire somebody and then they say oh no no no that's not a priority at this time how many people have heard that um no that's not a priority at this time um we'll get started first and we'll see about that later and then later on they say well hey you know the project is almost done maybe we should do that security audit nope nope nope we don't have time we don't have budget you know how many people have heard I don't have budget for that um and then you say well the site's been online for a little bit and we haven't done any really security testing I'm getting kind of nervous and he goes no no don't worry about it we'll take care of it later and then all of a sudden they come in the room freaking out because they've been hacked um this is the mentality that we need to break in our teams um and we need to start back at the first square in that initial discussion around project planning project budget we need to start putting security first and putting 
security into our our um into our best practices and so when you have uh a team and uh and you're you're wanting to implement best best practices um don't discount the security concerns of your team members if somebody has a security concern listen to it follow it up it's worth your time uh even if you're gonna spend five hours on it now it's gonna save you five hundred hours later or five million dollars later right um and then always ask yourself what if this information gets out um as I said earlier you know collect data collect it collect it collect it and analyze it uh but you should always be thinking about what if the information that I'm collecting gets out um and if it's information that shouldn't get out if it's information that is potentially damaging if it gets out then either think about not storing it and and processing it and and deleting it or or just not not requesting it at all um if you're if you're doing a a website that is uh for um e-commerce and you're asking somebody for credit card number and birthday and all sorts of stuff does that do you really really need that or is that just information that you're collecting because you want to have it um and and the risk of of of holding on to that data is gonna be more than uh than if it gets out use tools and services um to prevent an attack before it happens um I I have all of my developers use um password um vaults uh we use one password I love one password um there's also uh last pass which is web based we can talk about that later if you want to talk about that um there are also open source and um and more um localized versions um if you're a Linux nerd and want to do everything on your own device um but use some sort of password vault um the the most frustrating thing for me in in uh raise your hand if you've had somebody send you the root password to their uh server before um I see some nods and some laughs cause it happens all the time uh I just had a uh a client the other day um send me an 
email when we're migrating their site, and I said, oh, here's the username and password for my DNS registrar. Great, now I have an extra couple hours of work to do, because now I have to go change only that password, but I then realized he had that password on multiple services, and so we now have to go change everything. So use a password vault. I always say the best password is the one that you don't know. I set my 1Password to be like 40 characters, and if somebody doesn't allow me to have 40 characters, that means their service is not secure. Like, I absolutely hate it when somebody sits there and says, oh, you have to have between 8 and 12 characters and this and this. Don't even bother. So use this, get your team to use it, pass secrets through that.

One that I don't have listed up here is called Keybase, and it is, think of it as encrypted Slack. It creates a pair of public/private keys and it does asymmetric encryption via chat, so end-to-end encryption. It allows you to have a chat, but then it also opens up a Dropbox-like file system on your machine, where you then have folders for everybody, and you can just drop a file in there and it will encrypt it and send it. And so we've used that with clients when we have to pass key files or anything like that; we can do it end-to-end encrypted through a service like Keybase. Highly, highly recommend it.

And then, like I mentioned earlier, use a WAF, use a CDN, use something as that frontline protection. For instance, with Drupalgeddon, folks that were using a WAF were able to, you know, you still had to update and we still recommended it, but you could do it a little slower. You didn't have to do it within seconds, otherwise you're going to be attacked, because you could start filtering out those attacks at the firewall. And more and more this is just becoming best practice: you just need some sort of WAF or CDN in front of your service, and if you don't, you're putting yourself at risk.

And if an incident occurs, first thing you do: breathe. Just breathe. It's going to be okay. This has happened to everybody; it'll happen again. Stay calm, and I always say if you stay calm you're going to avoid making poorer decisions. In the height of all the calamity around it, you may end up doing something you regret. Back up the data. The first thing you need to do is create a backup snapshot; don't think twice about that. A, it's great for a postmortem, so you can spin up that backup in an isolated environment and see exactly what got breached and how. But then also, depending on your regulatory environments, whether you're in education or corporate structures, they will actually require you, demand you, to create a backup of the infected site. And then of course do a postmortem. But as a team leader or a supervisor, don't blame. It's not worthwhile to pass blame. Instead sit down, analyze, and learn from the mistake, and make sure that it doesn't happen again.

I heard a famous story recently of the S3 outage that occurred this last year on Amazon and took out basically the whole eastern data center. It was going down, and everything that relied on S3, which, come to find out, was pretty much everything in Amazon, was crashing around. And it was all because one developer ran one command wrong and just started dropping tables in a database somewhere. It was supposed to clean up one isolated environment, and by keying in the wrong command it ended up just taking out the entire nation's worth of S3. So stuff like that happens. Don't blame, don't yell. And Amazon didn't fire that employee. They wrote: this is what they did, it was a mistake, and it's actually our mistake that we even let that happen. So that's the approach we need to have.
Specifically for Drupal: in Drupal 8 there is the Encrypt module. We have completely overhauled it. It's rock solid, it's really great. We did break it into a couple of pieces, so it does implement frameworks for encryption rather than providing its own out of the box, and we made it that way on purpose. So you have to use it in conjunction with a module called Real AES, which will implement the Defuse library and do AES encryption through there. We've also broken out the key management into the Key module, so the Key module will manage all of your encryption keys, but it will also now be a central place for you to store all keys, all API keys within the system. Any secret that you want to store, you can store in the Key module. Highly, highly recommend Password Policy. Just like I don't like going to insecure sites, we shouldn't create them ourselves, and so use Password Policy to demand that your users have strict passwords. And then some sort of two-factor authentication: there is the TFA module, which integrates, I believe, with Google Authenticator and a few others, to allow you to tap into other services that provide TFA. But two-factor authentication, for those of you that don't know, is something you have and something you are, and so it's a way of providing an extra layer of security there.
I will give a shout-out for Guardr. If you have not yet looked at Guardr, this is my greatest recommendation. I think that what is in here should eventually make its way to core at some point, because this basically is a distribution that collects together all of the security modules from around Drupal and puts them into one single distribution. And the beauty of Drupal 8 is you can actually install distributions after you've built the site, so you can go put this onto your Drupal 8 site, and this works great with headless as well. It helps Drupal meet the regulatory standards that are coming out, and it's constantly being updated by a team of security professionals, and it enforces best practice. In Drupal 7 the distribution, for instance, turned off the PHP filter, and it would not allow anybody to turn the PHP filter on, because it shouldn't have been turned on in the first place. Things like that, that may be simple to overlook; using a distribution like Guardr really protects you. So definitely go use Guardr.

And then, I've mentioned it a couple of times, the price of DevOps. I don't like doing DevOps, and that's because I'm a developer. I'm a business owner. I don't have time to run the servers; I don't want to sit on the beeper. And so this is one of my favorite quotes, and it was kind of an offhand quote from Drew Gorton over at Pantheon at MidCamp last year: if your website's worth more than five dollars, pay more than five dollars for hosting. I can't say it enough. Just don't try to do it yourself, unless that's what you really want to do or for some reason have to. But there are plenty of options in the Drupal community and elsewhere for managed service providers that will allow you to do that.

And this is: don't do security alone. Just because you have to build it yourself doesn't mean you're building it alone. Open source does not mean that your software is less secure; actually, the opposite, it's more secure. You have more eyeballs on it and it's being updated more often. But with that comes the caveat of do your updates, i.e. Equifax. If you have a security vulnerability that's known and it's out there, you need to go and update it. And then, like I said just in the last slide, focus on what you do best as a team and as a company. I have a big passion for letting the experts do their job, and so if it's what we do, I will hire the expert to do the job. I don't want to be the smartest person on the team, because then we're doing it all wrong. I want to go find the smartest people, and if it's somebody else, then I'll pay them to do it. So like I said, I don't do DevOps, because I don't want to have to maintain my server security. I want to rely on a trusted partner to do that, because that's all they're doing.

And then continually reevaluate and reevaluate and reevaluate, and ask yourself: what data are we collecting? Was this data something that we didn't think was a big deal, you know, two months ago, three months ago, two years ago when we first built this, but now, yeah, that probably shouldn't be there, or maybe we should go back and do this. It's never too late to have a security mindset.

And just the one thing I want to make sure you guys leave with today is that security doesn't mean you're not going to have any fun. I think the ability and the raw capability of having Drupal as a headless data source, a centralized data source, in some of these IoT environments is great. There are even modules now that will let you create Alexa integrations or Echo integrations, so you can start doing voice commands. That's great. Do that. I encourage you guys: go build the future of the web and Drupal without a concern. Like, don't let security be the buzzkill, but at the same time be cognizant of what you're doing and think about it constantly. And yeah, go use Drupal in some really fun applications, and I'm excited to see what becomes of Drupal 8 and the potential that it has, because it's really great.

So with that, I thank you. The slides, I'll put them up on the website here shortly afterwards. What's that? Yeah, so this was a replacement talk that got added at the last minute, so they're re-provisioning all those; so that's why it's hidden, because technically you're not supposed to see it, which, they're doing great security I guess. But I'll get it online. I'll talk with Amanda and we'll make sure that it's online. I'll make them available, and if you guys have any questions, again, tweet, email, find me, and I'd be happy to talk. So with that we've got just about 10 to 15 minutes here for discussion, or you can go grab a coffee and get to the end. So thank you, and if you do have a question, they've requested that we use the microphones, because all this is being recorded, and so they want to be able to record your lovely voice for all of YouTube to hear.

Yeah, first of all, thank you. Very interesting, more for the first part of your talk. It directly comes up to my mind, the word singularity. The word singularity, yes, it's becoming more and more popular, so in general saying we will cross a point where we can't say what's behind that. So more or less the last singularities, for example the mobile web or the internet, the WWW, the World Wide Web, so to speak.

Yep.

But can you imagine any singularities by the example you gave in the beginning of the talk?

That's a great question.
Yeah, I think that when you talk about the idea of a singularity, where you kind of reach a point of no return, I would say that we've already hit that. I am living proof of it. I have an iPad with an iPhone and an Apple Watch; I am constantly connected now. And like I said, I walk into my house, and I'm actually going to be programming it so that when my Apple Watch connects to the Wi-Fi, my lights will turn on and my heat will turn on and all that type of stuff. We've reached that singularity point. I don't think there's any returning from it. Now it's just a matter of what do we do and how do we protect ourselves.

When it comes to AI, there's a lot of varying opinions out there on what AI should do. One of my favorite stories around AI is when they first built Watson, they told it to read the web. That was its task: just go read the internet. And that is just mind-boggling to think of a single application reading the entire web. But then when they were asking it questions, it actually started swearing back at the engineers. It had read Urban Dictionary and not only knew what swear words were, but it used the contextual ability to swear back at the users. And they kind of went back in and said, okay, read the whole web but that part. And so I think we're there, and I think that it's just a matter of, we're developers. I grew up, I'm a third-generation developer and IBMer, and so I grew up writing code when I was a kid. My dad would always tell me computers are only as dumb as we make them, and they're only as smart as we make them too. And so it's up to us to be the ones that control that. So yeah, that's a great question. I've actually never had that question come up.

What's your opinion about the new iPhone X authentication feature and about the facial recognition?

Yes.

And about the security implications.

And what was the second part?
And the security implications of sharing your biometric data?

So Apple, I actually commend Apple for a lot of their security. They have what's called the Secure Enclave in the phone, and it is an isolated, local, basically a black box for encryption, if you will. They have said, and everything that they have said to date sounds very good, is that that data will be stored in the Secure Enclave, so it won't leave that. Could they potentially then pull up an entire database of every person's face in the entire world? Sure. But as we saw in the U.S. about a year ago, a year and a half ago, which was, yeah, almost two years ago now, with the San Bernardino terrorist incident, they stood up to the FBI and said no, we're not going to weaken our security in order to comply with the legal orders. So I, at one point, was a bit skeptical of having biometrics, but at the same time it's safer than a password. I like that. I like that it's being stored in that Secure Enclave, and everything that I've read about and seen about the Secure Enclave is that it is kind of a lockbox for data, if you will, that's easily erasable, and that's how you actually wipe a phone. It doesn't actually delete the data on the phone; it just deletes the Secure Enclave and you'll never access anything on the phone again. And so, yeah, but it's services like that that, if weakened or if in the wrong hands, become a very large security concern of: you now have everybody's face, you now have everybody's fingerprint, or you have everybody's conversations, right?
I purposely don't have an Amazon Echo at the office, because I don't want even the ability for constant listening and monitoring to go on. So I'm totally fine with using smart technology. I love it; I'm a nerd, so I feed off of that stuff. But I'm also very kind of cognizant of where I'm putting that technology in my life.

I've got another question, because it just briefly touched it. So what's your opinion on LastPass, I believe? Yeah, I also had quite a time analyzing every password manager, password vault situation, and a colleague of mine uses LastPass and he's highly confident. I definitely see the benefits of it, how to use it, but yeah, to my research it's inherently not secure, just because you're storing the passwords on their service; you don't have any access to it, so.

Yeah, this is being recorded and it'll be distributed, so I probably won't bad-talk anybody because of that too much, but I agree. And that's why I agree: I actually personally prefer something that's more hardware-based than web-based. There have been security incidents with LastPass already. Secure information didn't get leaked, but it just shows that there are holes that can be exposed. And that's why I prefer 1Password, because it's a local encrypted file that is then synced via the cloud to whatever other device you want, but all of the encrypted data is stored locally and it's decrypted locally, and it's not sent out; your keys aren't stored elsewhere, and they have no way of backtracking that information back to you.

Have you ever heard of KeePass?

Yes.

Open source.
Yep, so KeePass is great. That's what I was like: if you're a Linux nerd and you want to, you know, bake your own, there's KeePass. Vault by HashiCorp is very good at doing that as well. So yeah, there are hardware-based or local-based solutions, and that's what I would recommend: whatever you do, keep it local. I'm just inherently skeptical of the web at times, and so, yeah.

I read a story on Twitter a couple months ago, so it must be true, right?

Yeah.

But just for the sake of argument, I think there was a story about a case in America where I believe a developer was charged with a crime for what was essentially something an employer or a client had told them to do. And so, as you said, you can put something to one side about the developer making a technical mistake, but I was wondering about your opinion about the ethics of a developer being given a job and realizing that they could be doing something that, maybe somewhere down the line, the employer doesn't get charged but the developer does over time.

I would say to that employee: give me an email, I'd gladly hire you, because that's an employee that I'd want to have, somebody who has ethics. And to the employer, I have words that I probably shouldn't say on a microphone to them. So, yeah, I think that at the end of the day we're lucky enough to be in a position where the job pool is abundant for us right now, and so if you ever are put in that position, you should act on conscience over dollars. I don't know if it was the same one, because I don't know if the person was prosecuted, but that's actually the basis of the Ashley Madison hack, and that was out of Canada. For those of you that don't know, Ashley Madison was a website where they would pair you with other people looking to have extramarital affairs.
Horrible website, bad premise, but what they would do is they would say, oh, you want to delete your account? Well, we're still going to have your information, and if you really want us to delete your account we're going to charge you an extra $30. But they never actually deleted your account; they still stored it. And then in addition to that, they had farms of developers creating fake accounts to lure people into the service. And one of the developers got sick and tired of it one day and took the credentials and left, and because their system was so bad, once you got in one door the whole system was exposed, and so they went in and systematically leaked everything. Am I a proponent of hacking in that situation? No. Report it to the authorities. But it is another case of those things where employers are asking people to do unethical things, so in that case I would say no, the employee shouldn't do anything on it. And I hope, with GDPR, and hopefully eventually we'll get something like that, fingers crossed that we can do anything in the U.S., but hopefully we'll be able to do something along those lines in the U.S., that the idea of privacy by design and security by design makes those conversations non-existent anymore, because they're regulated to have to happen early on in the process. So yeah.

Third one: have you ever had a look at WeChat in China? Because I once got to the attention that China is quite locked from the rest of the internet...

Yep.

...but is very poor with personal data. And I once saw a very nice video explaining that while I was eating at a restaurant, I paid this very restaurant, I recommended this restaurant, a friend saw this and he paid as well, and he had a connection to his delivery boy and so on, and none of them ever left the application of WeChat. So they were chatting, and this is quite a big security risk, but at the same time it's also a capital venture.

Correct. And so WeChat and various other applications, WhatsApp and the like, with end-to-end encryption are kind of the bane of governments that are wanting to lock down privacy and security of their folks. Even here in the EU, there's talk in the UK of, after Brexit, they want to weaken encryption so that the government can decrypt anything they want. I for one am a proponent of end-to-end encryption. I think it puts the power into the people's hands that need it. Some folks say that it empowers too much, and I would say that, again, we've reached that singularity and it's gone. Pandora's box is open. You can't, you know, pull math out of the internet; it's just not going to happen. So in that situation, in like a WeChat where everything's happening via the application, sure, it's a huge risk. But in an environment like it is behind the Great Firewall, that might be what's necessary in order to circumvent some of the data privacy, because when you enter those countries you have to assume that everything you do is being watched, monitored and recorded.

And so, yeah, so end-to-end encryption. And for those of you that are building applications, especially with Drupal and such, there was a recent blog post on it. I still have to dive into more of the specifics on it, but there are some of the beginning stages of end-to-end encryption around Drupal as well, where you can actually encrypt from the browser out, store it encrypted, and then come back to somebody else, and use Drupal as an encrypted relay. So there are ways to do that which provide security through obscurity, and there are ways to do it with actual good end-to-end encryption. But a lot of the times, asymmetric encryption like that is difficult to get the average consumer to get their mind around end-to-end encryption, so you kind of have to do it for them behind the scenes.

Alright, with that we'll let you guys go. The end session is happening over there. Once they do open up the slides online I'll post a tweet out and let you guys all know. And thanks again for coming.