
Okay, now we're live. I wasn't expecting this, so this is a bit of a scuff for me, but, yeah, sorry about that delay. Here's Angela Fernstrom with "Cyber Security as a Web Developer." All yours.
This person, and I am getting feedback from someone, there we go, was a very cyber security and privacy conscious person, and I was learning a lot more through the course of that relationship. But my professor said the mentalities just don't go together: web devs want everything as open as possible, and then security wants everything locked down and closed. The relationship didn't last, but what did last is the importance of cyber security in my job, because in my opinion web development and security not only can go together but really should.

So, as a webmaster for what has quite frankly been a lot of projects over the years, I've always felt that part of my job is to be at least somewhat conscious of the security risks and concerns for each individual project. Sometimes those risks are much smaller; they're things that just come with having any kind of online presence. Other times the risks are a little bit more serious, and it really just varies depending on the project. Most of my career has centered around fields that tend to be a little bit more security sensitive than others might be. I've worked for the Idaho Department of Administration, which is now the Office of Information Technology Services, and the Idaho Department of Finance, and I now work for the federal courts, District of Idaho. In my volunteer time I typically end up creating websites for youth or security organizations. This has included several Girl Scout events, BSides Boise, BSides Idaho, and also Idaho InfraGard.

So throughout this, please keep in mind I'm not a security professional. I am a web developer who is doing her best to keep security a priority in her life and her career. But I'm going to walk you through some of the websites and projects that I've worked with in the past, and I'm hoping that with you seeing my thought process you can kind of see what someone outside the security community sees as a risk, how they implement what sort of precautions they can, and maybe get a little bit of insight into how some of your devs might think.

So first off, let's take a look at some of the projects. The first site is one that I'm pretty certain you've all visited: it's actually the BSides Idaho website, the event site for this event. Security event websites that I've created all tend to have the goal of conveying information: event information like the time and place, the event schedule, how to get tickets, how to submit a talk, important links, social media stuff, community resources, just all that sort of stuff. The Idaho InfraGard website is similar in a lot of ways. They want to convey information about the organization, how you can join, what some current and upcoming events are, contact information, links to those events, and information about the local board.

I've also worked on a lot of government websites. Part of my job at the Department of Administration was to help agencies that didn't have a web developer create and manage their websites. The ones that I've worked on have primarily been information repositories for the public. These websites share information about the agency, like what they regulate, which can sometimes be confusing. They have contact information. Sometimes they have laws, rulings, and regulations that the agencies control. Sometimes the agencies share licensing information and requirements. They have legal decisions, fees and fines, industry news, stuff like that. Now, working at the federal courts, we also have information about our judges, information for lawyers, information about jury duty if you get a notice, orders and rules, and, because of the way the Idaho district court is structured, we actually have probation and pretrial services information as well. Then COVID starts, and government websites have a ton of extra contact information, extra forms, information about whether the physical location is open or closed, more online submissions of forms, sometimes online chats that agencies have implemented, and just across the board a ton more traffic.

The last thing that I want to look at with you guys is a couple of Girl Scout websites. The first one is pretty similar to the BSides Idaho site: it's an event site, event information, registration form, done. The other one, though, is a site for an event that averages 1,500 people, and when we initially talked about the website, the requirements had processing and storing of health histories, medication info, full contact info (which includes phone number, email address, and physical address), emergency contact information, birthdays, grade levels, driver's licenses (which is both the driver's license number and a scan of the card), car insurance information, Girl Scout ID numbers, and on top of all of that, we're supposed to be processing credit card payments. That one's going to be a mess.

So I'm sure you guys are picking up on some of the risks that I did, but I want to show you what I picked up on when I start working on these projects. First up, the security sites. Security industry websites have a reputation of being tested, is a good word for it. A few years ago some of the InfraGard chapter websites were actually targeted in a series of attacks by hacktivists. And then the InfraGard site also kind of has an extra layer of risk, because it falls into both the security and government website categories, as InfraGard is a public-private partnership with the FBI.

On the topic of government websites: they're always a target, like, always. Some of the government website specific risks that I've personally seen are being defaced, denial of service attacks, and accidentally posting non-public information, which is also a fun one. Of course there's a ton of other risks, and government sites aren't the only ones with these risks; this is just in my experience. One of the worst fears of a government agency is ending up on the news, and any one of those will get you there almost immediately, so that's a problem.

Then lastly, the one that I'm sure you guys are all cringing over is that Girl Scout website. That first one I'm not as worried about: the registration form was on another site, so there wasn't actually any input on my site. I'm also not quite as worried about these sites being hacked into or defaced as I might be for a government site or the security industry stuff. The other website, though, that big website, touches on some of my absolute deepest fears as a web developer. We're not collecting any analytics, so we don't have to worry, I'm not as worried about COPPA, but we are dealing a lot with HIPAA, PCI, and PII laws, and it's for kids, so the site is going to process a ton of information for over a thousand minors plus all of the adult volunteers that are involved. And on top of that, when I'm working on a Girl Scout website, one thing that I am always worried about is predators, and then posting too much information about the event, photos that are being shared to promote the event. Again, not only is this straying really, really far into regulatory waters and privacy issues, these are kids that we're worrying about.

So as a web developer, how do I deal with these issues? For the simpler sites, like the security sites and that first event website for Girl Scouts, one of my go-to methods of securing the site is just making it as flat as possible. I've been told that this could be called "security through simplicity." I don't know if that's a real term, but I like it and I'm keeping it, so I'm using it. I obfuscate email addresses, I sanitize the form input if the organization insists on having one, stuff like that. Again, if we use the BSides Idaho site as an example, that site is all HTML, CSS, and JavaScript. There's no input from the users. The page is put together on the server, it's sent to your browser, CSS makes it look pretty, JavaScript makes it do fancy things because I'm using Bootstrap, and that's it. It's not a perfect website, it's not the most interactive, it's not the most amazing or groundbreaking thing you've ever visited, but a simple flat website is exactly what we needed for the event, so that's what I delivered, and that tends to be the case for most events that I've worked with.

When working on a government website, I thankfully have other teams that I can work with and lean on. I work with the security team, server team, and networking teams to make sure that the infrastructure in and of itself is secure to begin with, and then on top of that I have to do my job. So in one instance, as part of the web team, we were dealing with a denial of service attack. The solution that we came up with was to set up the system to dump requests from a given IP if they sent too many requests in a certain amount of time. Other times the server team has sent through an urgent update that we need to install, like, right now. We've also set up alerts for suspicious activity, and we can configure that to be sent to specific teams if needed. For example, one of the agencies that I've worked with sends an email to the security team if an IP gets a certain number of errors in a given amount of time.

So in addition to working with other teams, I have to make sure that I'm following secure coding practices. Again, my go-to method is the kind of simple, flat site that I mentioned before: it offers fewer attack vectors, it's harder to get into, stuff like that. But honestly, in today's world that's not always an option, especially with everyone interacting with everything online, so stuff like sanitizing form input, training end users, and making sure patches and updates are always installed and up to date all becomes very important. Government also has an added kind of risk of "is this really for public consumption?" That's a problem. To mitigate this, I will usually double check everything that someone sends to me to post. I'll check with my manager, I'll double check with the person: hey, are we sure this needs to be posted? But really, that's something that shouldn't be only on me as the developer. That needs to be a cultural and training thing in the agency.

And then we're going to look at that Girl Scout website. So I'm pretty sure you can understand why I was like, nope, I'm not doing this. Those requirements are way too much. I don't want to mess with HIPAA, PCI, PII; this hits all three of those. And I'm not avoiding them to hide what I'm doing, and it's not necessarily because I'm afraid of them; it's because I don't know how to do them right. All I know is enough to know that these things are an issue. This is a volunteer group; we don't have the funds to hire a security professional who does know how to do these things right, and honestly, that's a lot of work.

So the first thing that we looked at is assessing the need of the site: do we really need to be collecting all of that information? And unfortunately the answer was yes. The only thing that we could actually remove from that list of requirements was the mailing address. So what do we do now? We outsourced. The first thing we did was find a service that actually specializes in youth camp health histories. Literally all they do, that's their thing. So what we're going to do is direct the girls and the adults to their site to complete the health histories, and as we've been working with the service, we were actually able to customize the forms that we give to the adults to accept the driver's licenses and car insurance information that we need. This company has security in place, they know what they're doing, they have their HIPAA stuff figured out, this is what they do, so we don't have to worry about that as much. Also, from a more physical security standpoint, having everything in a really organized, easy to access location for our nurse on site is going to be really helpful as well.

The next thing we looked at was payment. There's a little bit of wonkiness with how Girl Scout rewards work that means we can't just automatically send them to a payment page, so we were having a little bit of trouble with that. But the solution that we came to was that we will be creating PayPal invoices closer to the event for the remainder of the balance, and that invoice will direct them to PayPal's website, where they can pay the invoice with a card. Again, PayPal has PCI figured out, they have security in place, they know their stuff.

The last thing is the PII. We can't get around needing all of that information, because running a huge event like that, we need information. But what we can do is avoid storing it with the website. So we figured out that if we collect just the name and the Girl Scout ID, we can actually cross-reference that with the information that we get from our council office, get the data that we need, like the birthdays, the grade level, stuff like that, and then we can actually store that offline. So just by addressing the scope of the site, we were able to eliminate almost everything that I was worried about. We still have a lot of information, we still have a lot of input to sanitize, but at least we're now at a point where I'm not having nightmares about being the cause of a HIPAA or PCI breach, and PII is no longer stored someplace that's easily accessible online.

So, Girl Scouts again. Along with those issues, I do have to worry about how much is being shared. Girl Scout sites are not necessarily hidden; they're not password protected and stuff like that, but they're also not promoted. I don't do any SEO work on them, I don't submit them to Google, I don't do anything like that. Most of these sites can really only be found if you follow the links directly from the council website or the newsletters that they only send to registered girls and adults. We are very careful about what information we share about the event, and the only photos of girls, if there are any (I have done several events where there are no photos of girls shared on the website), are ones that we know have signed photo release forms and the parents are okay with it. Last names are never shared, and often we use camp names or nicknames instead of the first names. So, again, this is an instance where honestly I feel like the mere existence of a website creates a risk, and so we can't be perfect, but what we can do is absolutely everything we possibly can to protect the girls and their data.

So ultimately, what my professor said indicated to me, as a student, a level of animosity between the web development and security industries, but I've never actually encountered that. Some of the web developers that I've worked with have actually been some of the most security conscious people I've met outside of the security industry, which, going off what my professor was saying, would be a big surprise. At some level, all of us as web developers are very aware of the fact that, honestly, of all the IT positions, we're one of the ones with the most public facing contact. But everything that I've seen and all of the web developers I've met indicate to me that we want to help you. We don't want to make your job harder; we just don't know how to help. And that's really where you can come in as a security professional: work with your developers to assess what's actually needed for functionality of the site, and help your developers understand why something might be a risk, because you might see a risk that we are like, "why is that a problem?"

Also, another thing that I've noticed is we're often not up to date on the latest security news. I'm subscribed to a couple of cyber security newsletters and I've got several friends in the cyber security community, and I often receive news about security risks from them instead of the web development newsletters that I'm subscribed to. That's news about urgent security updates for a content management system like WordPress or Drupal or Joomla, hosting platform breaches, other web related security news. That can come from my security contacts as much as two days before my web industry sources. So really, just letting your developer know as soon as you hear about something can really be helpful, because if you're frustrated that they're not jumping on something that was just announced, they might not even know about it yet.

So I've been told, and this is an actual quote, I can't remember who said it, but I've been told, "I know more about cyber security than any web developer has a right to know." Honestly, I don't think that should be a bad thing, because a security conscious developer is actually going to make your life as a security professional much easier. And that is what I have. Let me just move this over here so I can actually speak again. So far, do we have any questions?

There are questions. Hang on, unmuting myself on Zoom would be a really good idea. Yes, there are some questions. What are your thoughts on website builders such as WordPress, and do they ship with good and/or bad security out of the box?

I would say that if you don't really know what you're doing, something out of the box like that is better than trying to figure it out; it's a little bit easier security-wise. WordPress is always, always in the news for something: some sort of attack, some sort of security issue that they have. So if you are going to use something like that, just make sure you are as absolutely up to date on all patches as possible.

And considering how frequently they release them, ain't that the truth. Yeah, it seems like almost daily sometimes. It really does, it really does. One of my jobs is as a webmaster, and it's WordPress based, and I see them all the time: here's an update, here's an update. Yeah. Another question: do you think cyber security concepts ought to be taught or required more for developers, either formally or as part of continuing education?

Honestly, I think it's important for everyone, not just developers. Even just, you know, anyone going through anything, I think security is really, really important. But yeah, as a developer I do think that it's something that should at least have concepts talked about in class, in whatever training you're going to, because right now there's such a divide between the worlds. Like, when I was in school we never talked about security stuff, except because I knew people in the industry. And I really do think that that's something that should be brought in more and addressed for everyone, but yes, developers included.

I tend to agree with that one. That looks like it for questions, so that's going to be us. Thank you for your time, that's appreciated, and I've got to click this button over here.
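The talk describes two log-driven controls on the government sites: dropping requests from an IP that sends too many requests within a time window, and emailing the security team when an IP accumulates a certain number of errors within a window. The following is an added example of that logic, written for this page rather than taken from the talk or from any agency mentioned in it. It parses combined-format web access log lines with sliding-window counters per IP and returns the IPs that each rule fires on; the log lines, IP addresses (documentation ranges), thresholds and window sizes are all constructed for the example, and a real deployment would feed the two result sets into the firewall drop rule and the alert email respectively.

```python
"""Sliding-window per-IP request-rate and error-count rules over web access logs.

Added example, not code from the talk. The rate rule marks an IP for dropping when
it exceeds `max_requests` within `window_seconds`; the error rule marks an IP for an
alert when it accumulates `max_errors` 4xx/5xx responses within its own window.
"""
from collections import defaultdict, deque
from datetime import datetime
import re

# Apache/nginx "combined" log line; only the fields the rules need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return {"ip", "ts", "status"} for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "status": int(m.group("status")),
    }


class SlidingWindowCounter:
    """Counts events per key that fall inside the trailing `window_seconds`."""

    def __init__(self, window_seconds):
        self.window = window_seconds
        self.events = defaultdict(deque)

    def add(self, key, ts):
        q = self.events[key]
        q.append(ts)
        # Evict timestamps that have aged out of the window (log is time-ordered).
        while q and (ts - q[0]).total_seconds() > self.window:
            q.popleft()
        return len(q)


def analyze(lines, rate_limit=(5, 10), error_alert=(3, 60)):
    """Apply both rules; return (ips_to_drop, ips_to_alert) as sets.

    rate_limit  = (max_requests, window_seconds): exceeding it marks the IP for drop.
    error_alert = (max_errors, window_seconds): reaching it marks the IP for alert.
    Malformed lines are skipped rather than aborting the run.
    """
    req_counter = SlidingWindowCounter(rate_limit[1])
    err_counter = SlidingWindowCounter(error_alert[1])
    to_drop, to_alert = set(), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts = rec["ip"], rec["ts"]
        if req_counter.add(ip, ts) > rate_limit[0]:
            to_drop.add(ip)
        if rec["status"] >= 400 and err_counter.add(ip, ts) >= error_alert[0]:
            to_alert.add(ip)
    return to_drop, to_alert


# Constructed sample log: 203.0.113.7 bursts 7 requests in 7 seconds (rate rule),
# 198.51.100.23 collects three 404s inside a minute (error rule), 192.0.2.10 sends
# six requests spread 15 seconds apart (never more than one per 10-second window).
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [10/Oct/2020:13:55:{36 + i:02d} -0600] "GET / HTTP/1.1" 200 512'
     for i in range(7)]
    + [f'192.0.2.10 - - [10/Oct/2020:13:56:{i * 15:02d} -0600] "GET /a HTTP/1.1" 200 100'
       for i in range(4)]
    + [f'192.0.2.10 - - [10/Oct/2020:13:57:{(i - 4) * 15:02d} -0600] "GET /a HTTP/1.1" 200 100'
       for i in range(4, 6)]
    + ['198.51.100.23 - - [10/Oct/2020:13:56:00 -0600] "GET /wp-login.php HTTP/1.1" 404 0',
       '198.51.100.23 - - [10/Oct/2020:13:56:10 -0600] "GET /about HTTP/1.1" 200 300',
       '198.51.100.23 - - [10/Oct/2020:13:56:20 -0600] "GET /xmlrpc.php HTTP/1.1" 404 0',
       '198.51.100.23 - - [10/Oct/2020:13:56:40 -0600] "GET /admin HTTP/1.1" 404 0',
       'this line is not an access log record']
)


def run_sample():
    """Run both rules over the constructed log; returns (ips_to_drop, ips_to_alert)."""
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    drop, alert = run_sample()
    print("drop:", sorted(drop))
    print("alert security team:", sorted(alert))
```

The two sets are kept separate on purpose: an IP exceeding the request rate is a traffic control decision, while a run of errors from one IP is a signal that someone should look, which matches the speaker's split between the web/server teams handling the denial-of-service response and the security team receiving the error alerts.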