Wrapping Up

[00:00:00]
>> Steve Kinney: So questions, comments, concerns, cries of outrage, anything you want me to talk about that we didn't talk about? The one thing I will also say is the same idea, we didn't encrypt any passwords the whole way in, right? And again, that falls under you do it once, you can hash passwords the same way, which is there is a secret, right?

[00:00:23]
Actually, you can do a one-way hashing algorithm, which is that password will hash into the same thing every time just like jQuery did, right? And all those other things, and you store the hash version. You check the password they send you, which should be password 123 or whatever.

[00:00:38]
It should always hash in the same mess, right? And so when exfiltrates everything in your database, they theoretically only have the encrypted versions, which you can't go the other way with. The problem is, have you all ever heard of rainbow tables? Yeah, so when there is a data leak from somebody who didn't encrypt their passwords, right, there's a bunch of known passwords out there.

[00:01:01]
You run it through the encryption algorithm, you get the hashed versions, you can just use those, right? You can't use the hashed version. You just know that if I see f$a6#, whatever, that's really password 123, and then you're good to go. So the best practice there is what's called a salt, which is just something else.

[00:01:24]
The same way we had a secret for our cookies and we had a secret for our JOTS. You say, I'm gonna take the password and this other thing, and I'm gonna hash those together. So you would need both the other thing and the password in order to get there, and that's one additional layer of protection, right?

[00:01:40]
Having something that is at least harder to know that way if you lose. Sometimes, the name of the game is don't lose two things or don't lose everything. If you only have one thing and you lose it, it's everything. If you have two things, right? Then, you have the ability, maybe one thing was kept an environment variable.

[00:01:57]
So even if they did a SQL injection, you're good to go, right? Not good to go, you still have a lot of apologizing to do in the media, right? [LAUGH] But generally speaking, you can at least kind of have those pieces in place. Cuz you can even store that salt, you can have a different salt for every single user, that's just a random thing.

[00:02:19]
And cool, the hash is a two thing combined, so even if they had a rainbow table. They can't do anything with the hashed version, right? But then if you lose the salt, you've lost everyone's password. So, it's kinda getting kinda a lock. It works until you lose the keys and you two are locked out, right?

[00:02:40]
And these are the trade offs, and these are things. The one thing that I will say that we didn't cover as well, and again, this is now somewhat like we're getting to the true esoteric as we wrap up here, is there are many versions of this. The one that I've used in the past is, especially, honestly, if you're on AWS, you use AWS's.

[00:03:02]
If you're on Azure, use Azure's. If you're on Google Clouds, they all have stupid names that tell you exactly what they do and aren't cool at all. But they are ways that if you have multiple services that all need to share the same secret, updating a whole bunch of environment variables at once is untenable.

[00:03:18]
So this gives you a way to kind of manage that in whatever cloud service. I think there are third-party ones if you're cloud agnostic as well. I'm not, so whatever. But ways to kinda give you a secure place to put those keys, cuz losing those keys is bad, right, and then practice around rotating.

[00:03:39]
Things that are less web security, more security, rotate your keys, all that kinda stuff, don't leave stuff out in the open, so on and so forth. But that kind of for the pieces of the cookie security stuff, making sure we actually understand the CSPs and that. CSP and CORS sometimes get a bad rap, cuz when we're first starting an app, it feels like, why is nothing working?

[00:04:00]
Why is nothing loading? I hate this, how do I turn it off, right? But these are actually important mechanisms that taken thoughtfully and carefully and actually understanding philosophically how they work empowers you to actually have multiple layers of protection. Because the security hole comes from either something you never knew about or something when they real tired, right, and just a mistake that invalidates something.

[00:04:25]
So having those multiple layers and kind of configuring them properly becomes a really powerful concept. I have been lucky so far that I have not personally had to sit in the postmortem. I run the team, so if anyone's great screws it up on my team, it's my fault.

[00:04:43]
But I've never had to do that yet, knock on wood. I hope it's wood, but no, that's not anything anyone wants to do, right? And also, users and they're important, I guess. But yeah, yes, any final questions or anything Dustin, from the chat? [INAUDIBLE].
>> Steve Kinney: All right, thank you all so much, whoo.

[00:05:10]
>> [APPLAUSE]