First on stage was Jan, starting with an introduction to IT security and how and why developers should care. He pointed out that IT security has to be implemented at many levels, as it takes more than a secure password to protect a system well. He showed us why you should enable Perfect Forward Secrecy and use Transport Layer Security for all of your users' connections. He also gave advice about secure emailing with PGP and S/MIME. In addition, he explained how harmful the Sony data breach has been for the company: shockingly harmful. The bottom line: Jan told us to use encryption at all levels, for connections, storage, and so on.
Our second session, held by Johannes, addressed the security of package managers. Even though package managers are our friends and facilitate our workflows tremendously, their use can also harm us. Johannes got the audience thinking about their habits: are they secure enough? And does everyone actually know how the open source packages they use are implemented? In addition, he showed hands-on how easy it is to hide malicious source code in the pre- and post-install hooks of common package installers like NPM, RubyGems or pip. Furthermore, Johannes told witty anecdotes about big security breaches at all sorts of companies. Last but not least, he introduced us to the RubberDuckyUSB, a security-awareness gadget that shows how easy it is to break into someone's system once you have physical access to it.
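Since install hooks run automatically on `npm install`, a cheap defensive check is to list every dependency that declares one before you let it run. The following script is an added example for this write-up, not code from the talk or from any of the package managers mentioned; it covers npm's `package.json` lifecycle scripts only (RubyGems and pip hooks work differently), and the sample manifests at the bottom are constructed for illustration.

```python
import json
from pathlib import Path

# npm lifecycle hooks that run automatically during install/uninstall
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare",
                   "preuninstall", "postuninstall")


def lifecycle_scripts(manifest_text):
    """Return {hook: command} for every install-time hook a package.json declares."""
    manifest = json.loads(manifest_text)
    scripts = manifest.get("scripts") or {}
    return {hook: scripts[hook] for hook in LIFECYCLE_HOOKS if hook in scripts}


def audit_manifests(manifests):
    """manifests: {package name: package.json text}. Returns only packages with hooks."""
    findings = {}
    for name, text in manifests.items():
        hooks = lifecycle_scripts(text)
        if hooks:
            findings[name] = hooks
    return findings


def audit_node_modules(root="node_modules"):
    """Collect every package.json under node_modules (incl. @scoped and nested ones)
    and report which packages would execute code during `npm install`."""
    manifests = {}
    for path in Path(root).glob("**/package.json"):
        try:
            manifests[str(path.parent)] = path.read_text(encoding="utf-8")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole audit
    return audit_manifests(manifests)


# Constructed sample data: one package without hooks, one with a postinstall hook.
SAMPLE_MANIFESTS = {
    "harmless-lib": '{"name": "harmless-lib", "scripts": {"test": "mocha"}}',
    "suspicious-lib": '{"name": "suspicious-lib", '
                      '"scripts": {"postinstall": "node ./setup.js"}}',
}

if __name__ == "__main__":
    for pkg, hooks in audit_manifests(SAMPLE_MANIFESTS).items():
        print(f"{pkg}: {hooks}")
```

Anything the audit lists deserves a look at the referenced script before installing; npm also lets you refuse hooks outright with `npm install --ignore-scripts` (or `npm config set ignore-scripts true`), at the cost of breaking packages that legitimately need them.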
We're looking forward to our next meeting on 2014-04-24. At the upcoming Monster on Rails in April we'll be talking about Docker and mobile app development with PhoneGap.