Interview with Ryan Chenkie, Part 1: Security in the digital world
Agiledrop is highlighting active members of different open-source communities through interviews focusing on their projects and initiatives, as well as trends and innovations in the digital sphere.
We had a great, in-depth discussion about security in the digital world and more specifically about security in the Angular framework. Part one of the interview will be dedicated to the broader topic of digital security, while part two, which will be published next week, will focus on security in Angular.
I run a one-man-shop, which is just me doing consulting, called Elevate Digital. I mostly build applications for companies; most of my clients are companies that are doing some kind of digital transformation. They’re taking an old manual process, either in paper or Excel sheets, and I take their business process and wrap it into an application to streamline their whole operation.
That’s one area; I do a lot of training as well, so, teaching other developers how to write applications and how to do specific things, such as security-related things - I’ve got a book and some courses specifically about security in Angular applications.
That’s taken from my time at Auth0, a company I used to work at that’s mostly concerned with authentication and identity. I learned a lot there about authentication and security, and I teach a lot about that still to this day.
I’ve been a guest on a number of Angular-related podcasts. I also do my own podcast which is dedicated to those that are both entrepreneurial types and developers; it’s called The Entrepreneurial Coder Podcast and it focuses on sort of business plus coding.
I’ve been in the Angular community now since I would say maybe 2016, that was when I really got into, and my involvement comes in a few different ways. I’m a GDE for Angular, which means that I speak about Angular at different events quite often, I do content - write blog posts and make videos about Angular-related topics.
So, I do some stuff with Google, and I’ve spoken at ng-conf a number of times, as well as at a number of other Angular conferences and meetups around the world. I’ve done a lot of speaking over the last few years and a lot of it has focused on Angular and related topics.
I actually spoke as a part of the online ng-conf this year. I spoke mainstage last year, and did like a sidestage the year before, but this year it was just a workshop - which is still fun. So, since I’d done my obligations for ng-conf early, I was able to just enjoy other speakers’ sessions.
Of course, everything going on in the world, it’s very chaotic and very sad what’s happening, and of course one of the impacts of that is that we can’t be in person at conferences.
I personally am one of those people that finds it difficult to maybe get the same amount of value from a conference if it’s remote, if it’s virtual, because I think a lot of the value that we all get from a conference is just being able to speak to one another outside of the sessions, being able to converse and get to know one another.
The content was still great and I was excited to tune in, but it is sad that we have to miss that in-person conference that we all like.
2. Moving on to security - why is security such an important aspect of the digital?
That is a good question. I think for developers, especially if you’ve been in the industry for a while, if you’re concerned about making things safe on the web, you have this conceptualization that of course security is important.
Because, when you’re dealing with digital, when you’re dealing with software, you don’t ultimately have a ton of control over how the software you create is going to be used in the end.
What I mean by that is you can of course - and you should - model your application to have safeguards and build it in such a way that you take users down the specific path and the specific flows that you want them to.
But, especially when you’re building for the web, you really don’t have a lot of control over who’s going to try to maliciously use your application in certain ways, who’s going to try to break into it.
And, much more so than being worried about somebody trying to break into your house everyday, I think you have to be more worried about someone trying to break into your application every day because the scenario is different.
Somebody trying to break into your house is a big event, it’s a criminal thing; it doesn’t happen very often, thankfully. But people trying to break into an application - they can do it from wherever, they can be anonymous, there’s often not a lot of recourse for how companies can even try to figure out who it was that was trying to break in.
So there’s a much larger surface area, a much larger footprint that you have to be worried about rather than if you were dealing with some kind of physical building. The ways in which people are going to try to break into those two different things are different. On the digital side, there’s a much bigger possibility that many different people are going to be trying to break into it.
And once you ship it for software, it’s kind of out of your hands in terms of who’s going to be trying to do what with it. So, with that in mind, I think it’s important for developers to put as many safeguards as possible in place.
You want to be trying to prevent malicious actors from trying to break into your application, you want to prevent people from trying to steal your and your users’ data, you want to prevent people who shouldn’t be there from trying to hit your APIs, trying to brute force usernames and passwords, right?
All of these things that go into proper application security are crucial, but, unfortunately, they’re often not that well thought-of ahead of time by developers, and they’re not always super easy to implement either, it can be challenging to cover all your bases.
So, security for digital, just to sum up, is really crucial because once you ship your software you’re at the mercy of whoever it is out there that might be trying to connect to your software somehow, and you really don’t know what they’re going to try to do.
Putting those safeguards in place is key for you to have some confidence and be able to rest easy knowing that, okay, it’s going to be very difficult for somebody to try to steal something from my application.
Something I didn’t realize until I really got into building software for my clients and shipping it and seeing how it is in the wild - there’s people trying to break into things every second of every day in many applications, so it’s important to cover all your bases if you can.
And some people might argue that there are fewer ramifications with a cyber attack than there would be if somebody tried to break into your house. Like, somebody breaking into your application, nobody’s going to be physically hurt, at least not immediately, but it has real consequences.
There are companies that go bankrupt, there are lawsuits that get leveled, there are millions and millions and millions of dollars that have been paid out to the people who ultimately suffer - the users whose data gets stolen in the worst of these cases.
It has real-world, real-life ramifications. It’s not just, oh, somebody was able to get in and able to put up some message of their own or whatever, that’s old-school hacking. Today’s hacking is stealing personal information, it’s holding things for ransom; it has real-world consequences for sure.
3. How do you think the state of online security will progress in the years to come?
Well, my hope is that there will be a lot of attention paid to security at the early stages of all these new applications that are going to be coming online this decade. Especially given what’s happening here in early 2020, that’s going to be necessitated by companies needing to focus more on digital.
One of the things that will happen for the web, security-wise, is that we’ll have better security than we’ve seen in historical applications, by virtue of the fact that there will be some brand new applications that are emerging.
And I think we’ll probably see more cases of big corporations that have really old applications exposed for their misconfigurations and bad configurations.
We always see this in the news: some company got hacked, and it turns out they weren’t hashing their users’ passwords, they weren’t encrypting any sensitive data in their databases. I think we’ll see more of that happen, unfortunately, but I think that’s going to put a focus on doing things the right way.
Big companies have for a long time gotten away with building things in an insecure fashion, but more and more these days we’re seeing this happen, especially because people are calling it out all the time now.
There’s no longer this false sense of security that companies can have where they’re like “Oh, users probably would never even realize this anyway”.
I think people are going to wake up to the fact that you need to implement things securely, and in that same vein, I think we’re going to see more and more companies with shoddy security practices exposed.
The example that I’m thinking of is Zoom who have been called out recently for doing things in a very shady manner. The installer that they have for Mac kind of hijacks the operating system in a way that is doable, but not really - it operates like malware almost, it doesn’t have true end-to-end encryption.
We’ve taken it for granted for a long time that Zoom is doing things right, they’re a newer company, they seem to be doing well, right? We make all these assumptions, so I think we’ll see more and more that people, like those who have called out Zoom on Twitter, are going to be calling out others who aren’t doing things in a proper way.
Another thing that I wanted to mention that I’m really excited about is this new spec for web authentication, where instead of a typical username and password, you can use a strong authenticator, like your fingerprint on your Mac, for example, to be the way that you log into applications.
I think we’ll see more and more people using that, which is going to be great, because usernames and passwords are just not a good way to do security. They never have been, and I think that many of the problems that we’ve been exposed to over the years will go away once we have widespread adoption of web authentication.
We hope you enjoyed reading Ryan's insights on digital security. Tune in early next week for part two of our interview in which we'll focus on security in Angular and how to best secure Angular applications.