Frank Rietta - Software Developer

Frank’s role is to ensure that your project is designed for security and speed.

With over 16 years of career experience, he specializes in designing and implementing the commercially reasonable security controls necessary to reduce the risk that an application suffers a data breach.

He is a computer scientist with a Masters in Information Security from the College of Computing at the Georgia Institute of Technology.

Frank is a public speaker, who talks about data breaches and information security topics. You can also follow him at @frankrietta on Twitter or @fsrietta on LinkedIn.

Use this PGP key to send sensitive content to Frank. His public key is also at rietta on keybase.

Posts by Frank Rietta

Ruby Gems Supply Chain Vulnerability

— 2019-09-06

Learn 5 practical steps to protect yourself from malicious backdoors in Ruby Gems.

Account Protection Policies to Cover Business Assets

— 2019-05-30

Utilizing two factor authentication, strong passphrases, password managers, and NIST standards, private company accounts can remain secure. Cover your assets!

Git Protection from Repository Attacks in 15 minutes

— 2019-05-09

Don't fall victim to Git ransomware by using the security features available to you. We'll show you how.

Are you accidentally storing private data in plain text?

— 2019-04-29

Learn how to prudently minimize the collection of passwords, authentication tokens, and customer private data in your debug logs to protect your company from legal liability.

Applying Agile and Security in Software Development Public Appearance at KSU

— 2019-02-08

Frank will be presenting Applying Agile and Security in Software Development at the IS General Speaker Series #3 on 2/28/2018 at KSU in Marietta.

Happy New Year 2019!

— 2019-01-01

Grateful for last year; excited for the new one. Update those copyright notices!

Stop Thinking about GA SB 315 in Terms of "Digital Homes"

— 2018-04-25

Some mistakenly say an ethical hacker is like a nice neighbor walking into your unlocked back door without permission! In reality, security research is about public businesses and institutions open to the public.

Governor Deal, veto SB 315 because white hat security researchers should be thanked not jailed!

— 2018-04-19

Rietta corporate letter to Governor Nathan Deal asking him to VETO GA SB 315, busting four myths that do not match up with the realities of Internet security. White hat security researchers, the good Samaritans of cybersecurity, should be thanked not prosecuted!

Panera Bread Story Is An Example of Why Governor Deal Should Veto SB 315

— 2018-04-03

Panera Bread exposed millions of customer records publicly online through sheer technical negligence. I call on Georgia Governor Nathan Deal to VETO SB 315 to protect independent security threat researchers who bring these issues to the light of day so that the public may be protected.

Georgia SB 315, set to criminalize most independent security threat research, heads to Georgia Governor Nathan Deal for signature or veto

— 2018-03-27

As big companies buy cybersecurity insurance rather than fix fundamental security problems, Georgia clears the way for them to press charges or bring civil lawsuits against Good Samaritan researchers.

Georgia SB 315 anti-hacking law dangerously misses the mark of protecting people, making us all less safe

— 2018-03-26

If Georgia SB 315 becomes law, computer security experts will stop reporting vulnerabilities in good faith because doing so could lead to their criminal prosecution under a dangerously broad anti-hacking law.

Lay off the marketing plugins. Equifax hit with fake Flash update.

— 2017-10-12

Equifax caught distributing malware. Be careful what you allow to be included in your website to avoid these sorts of hacks.

Automated Patching Will be New Reality

— 2017-10-11

How fast can you update your production web application after an update is released? The answer better be within minutes. Automated testing and deployment is the only way.

Equifax Missed Defense in Depth, Allowing a Massive Data Breach

— 2017-09-18

More than bad patch management, the weakness was Equifax's failure to design with the assumption that the front-end web server would be compromised.

Engine Yard's 17 Rails Security Tips

— 2017-09-05

Troubling ISP Privacy Repeal: The Data Will be Breached

— 2017-05-18

With a green light from Congress & President Trump, your ISP may begin some really creepy business practices that endanger your family's privacy and security.

Americans' Access to Strong Encryption is at Risk, an Open Letter to Congress

— 2017-05-03

The track record of data breaches demonstrates an uncomfortable truth: when sophisticated adversaries want to hack a network, they will ultimately win. With a government mandated encryption backdoor, hackers will make Americans less safe both at home and abroad.

Breach Prevention for Developers Talk at Kennesaw State University

— 2017-02-28

As an information security professional, it’s critical to know something about how custom web applications are developed and the impact that has on application security.

Intro to App Sec Podcast Interview

— 2017-02-22

Frank was the guest on the August 29, 2016, Intro to App Sec Episode of the Advanced Persistent Security podcast. Listen here.

The MongoDB hack and the importance of secure defaults

— 2017-01-12

If you have a MongoDB installation, now would be the time to verify that it is secure. Tim Kadlec has written a must read post.

CPU Benchmark - Raspberry Pi vs AMD Athlon vs Mac Mini

— 2016-12-01

In a battle of the CPUs the Raspberry Pi does not win, the AMD Athlon 3200 still holds its own after nine years, and the modern Intel Core i5 beats them both, as would be expected. They all still have a use in the home systems lab!

28th Anniversary of the Morris Internet Worm

— 2016-11-02

Rails: Set Max Length on Fields

— 2016-10-22

Bad Password Practices are Responsible For Most Data Breaches. You Can do Better.

— 2016-05-10

Verizon DBIR says 61% of data breaches are the result of bad password practices. Your app can avoid some of the pitfalls with a few precautions, especially using slow hashes and 2FA.

Calls to Ban Effective Encryption Continue Despite Data Breach Crisis

— 2016-04-22

Calls for the U.S. Congress to ban effective encryption are repeated despite the current information security crisis in which data breaches are regular news.

U.S. Senate Bill Seeks to Ban Effective Encryption, Making Security Illegal

— 2016-04-08

Senators Feinstein and Burr published a bill in the United States Senate that would effectively ban effective encryption. This bill essentially says you cannot have any conversation or data exchange that the government cannot access if it wants to.

It is not just one iPhone, the FBI wants a future where it is impractical to deploy strong encryption without key escrow

— 2016-03-16

The FBI wants a future where it is illegal or impractical to deploy strong encryption without key escrow, which is a key backup system that is insecure at scale. Data breach risks will increase as our devices become less secure.

Use bcrypt or scrypt instead of SHA* for your passwords, please!

— 2016-02-05

TL;DR: SHA1, SHA256, and SHA512 are all *fast hashes* and are bad for passwords. BCRYPT is a *slow hash* and is good for passwords. Always use slow hashes, never fast hashes.

Ruby Application Security Talk Featured in Ruby Weekly Issue #268

— 2015-10-15

What is an Abuser Story (Software)

— 2015-10-11

In software development and product management, an abuser story is a user story from the point of view of a malicious adversary. Abuser stories are used with agile software development methodologies as the basis for defining the activities that should be actively blocked or mitigated by the software and proven by automated regression testing.

What is Application Security?

— 2015-09-28

The first real investor meeting post investment

— 2015-06-17

A client recently shared Gordon Daugherty's article on how once investment is brought on, the lead investor is going to have a board seat and things become formal.

Uniqueness Validation Race Condition in Ruby on Rails applications

— 2015-05-04

It's easy for race conditions to slip into your code and out into production. 'validates :field_name, uniqueness: true' is not enough to prevent duplicates in your database; here's how to enforce data integrity with both validations and unique indexes.

10th Anniversary Blog

— 2015-04-08

Adding a Rake Task for SQL Views to a Rails Project

— 2015-03-30

I add and update SQL views to my databases with 'rake db:views'; it's wonderful!

How to use Story Points to Estimate a Web Application Minimum Viable Product

— 2015-03-17

A user story is a concise description of functionality valuable to a user. Once Points are estimated for each, a ballpark budget may be computed.

Project Roadmaps can Manage Uncertainty in Startups' Web Applications

— 2015-03-17

How to communicate about realistic budgets and timeframes, because success requires clear communication on Estimates, Targets, and Commitments.

Get the Current Year in the Ruby programming language

— 2015-03-13

'' gets the current year in Ruby, but there are other options in the standard library.

New Video! Understanding & Defending Against Data Breaches

— 2015-02-19

Security incidents that lead to customer data breaches have been happening at an increasing rate. Most of these incidents are preventable; some would even have been stopped simply by having two factor authentication for staff member access.

Two new videos! How a Ruby on Rails developer can help prevent a Data Breach

— 2015-01-09

Videos of the data breaches and Ruby on Rails are now up on YouTube! Level up on your security knowledge because good software security needs to be a moral stance!

How To Protect Against the POODLE SSLv3 Vulnerability

— 2014-10-16

Commercial Information Security Classification System

— 2014-10-13

Raspberry Pi crypto key management project!

— 2014-10-02

A dedicated offline crypto key management system for OpenPGP and an SSL Certificate Authority, set up for air-gapped operation using a Raspberry Pi B.

Free, Universal SSL with Cloudflare

— 2014-09-29

Software security is a moral duty

— 2014-09-21

All too often robust security is put off because the cost of prevention is felt upfront, while the cost of a breach is realized at an uncertain future time. But there is another way.

Learn how Upworthy scaled a Ruby on Rails application to serve massive traffic

— 2014-09-19

Upworthy's backend is built on Ruby on Rails with an effective use of the Fastly CDN to deliver very high performance at scale.

New OpenPGP Key, 0xC004BAE3 (2014)

— 2014-07-27

After 11 years, I have chosen to transition my OpenPGP/GnuPG cryptographic key pair from a 1024-bit to a 4096-bit RSA key. The new key is ID 0xC004BAE3. Please review the fingerprint and update your keychain accordingly.

Introduction to OpenPGP: Decrypt this Message

— 2014-07-07

In this first part of Introduction to OpenPGP, learn to password protect a file using GnuPG, which supports symmetric encryption in addition to its more powerful asymmetric mode.

Retake the Net for Privacy!

— 2014-06-05

What a Ruby developer can do to help prevent a Data Breach - 2014

— 2014-06-05

Humana data breach in Atlanta for an unencrypted USB disk

— 2014-05-30

Avoid thrashing to release your project on time and budget

— 2014-05-29

ModSecurity and Fail2Ban as an Intrusion Prevention System

— 2014-05-27

Defense in Depth

— 2014-05-22

Joe Moore has Pair Programmed for 27,000 Hours

— 2014-05-20

My new tenkeyless Code Keyboard!

— 2014-05-16

The Code Keyboard Tenkeyless (87-key without a Number Pad) with Cherry MX Green is a great programmers' keyboard.

YubiKey Authentication Devices

— 2014-05-15

John Saddington and Obie Fernandez at the Atlanta Ruby Users' Group

— 2014-05-14

OpenSSL Vulnerability, Patch 1.0.1 Immediately

— 2014-04-07

Research and Development Tax Credit

— 2014-03-04

As a company building software that has a risk of failure, the government wants to provide financial incentives to you, dollar for dollar.

Find Top Referral Sources with Raw Apache Access Log

— 2014-02-22

The easy way to find your website referrers (HTTP referer) from a raw Apache access log file with grep, sort, and uniq on the command line.

Issue #6: February, 2014, Web Application Topics Newsletter

— 2014-02-18

Get and compare the current Git branch in BASH

— 2014-02-16

When using Git, this is the easy way to get the current branch within a BASH script and use it to conditionally execute the most appropriate code with an if/else.

My Touch Typing Journey Continues

— 2014-02-14

How I am teaching myself to truly touch-type, without taking any peeks, with Type Fu, the DAS Keyboard Ultimate, and going about my daily work as a consultant.

Reset MySQL Root Password with One Command

— 2014-02-11

One simple command to reset your MySQL root password on Debian/Ubuntu Linux. Don't overthink this one.

Anti-virus for Mac for PCI Compliance

— 2014-01-23

PCI-DSS Requirement 5 says that anti-virus must be installed and used on all computers, including Mac OS X. Here is why and some good options to choose.

Gradually and then suddenly

— 2014-01-19

Why & How We Remote Pair Program (2013)

— 2014-01-07

Joppar's 'Tips on Securing Your Mobile App' Infographic Quoted Me!

— 2014-01-06

Voice-driven Applications on the Brain

— 2013-12-06

Using Rails and SQL Views for a Report

— 2013-11-28

All about how to use SQL views with read-only ActiveRecord models in Ruby on Rails. They're very fast!

Secure Passwords & Passphrases

— 2013-11-25

Grep to Extract E-Mail Addresses from a Text File

— 2013-10-11

Upcoming Remote Pair Programming Talk at the Atlanta Ruby Users' Group

— 2013-10-05

Want to Learn Ruby on Rails in Atlanta?

— 2013-09-28

What is a Maintained Post?

— 2013-09-27

The Dvorak Keyboard with the Mouse on the Left-hand side

— 2013-09-26

Seth Godin shared that the way to success is trust on Dave Ramsey's podcast

— 2013-09-25

Is the Colemak or Dvorak keyboard layout best for you?

— 2013-09-20

What is Object-Oriented Programming (OOP) really talk by Bob Martin

— 2013-07-25

Happy Father's Day

— 2013-06-16

OpenSSL: Encrypt Data with an RSA Key with PHP

— 2013-06-13

Enhance Early Adoption with Mobile Friendly Themes

— 2013-06-06

I Like Blogger; Moderating Comment Form Spam

— 2013-01-16

Default HTML Values with a Rails View Helper

— 2013-01-15

SQL Converter 3.4 Beta for Windows

— 2012-12-01

Setting up Ubuntu for Rails Development - part 2

— 2012-10-24

Setting up Ubuntu for Rails Development

— 2012-10-21

Using IPTABLES to Require CloudFlare for All HTTP/HTTPS Traffic

— 2012-09-10

WGET to Keep New Rails Site in Memory

— 2012-07-10

Thoughts on Creating Better Web Videos

— 2012-07-07

Atlanta Code Retreat on July 28th

— 2012-06-29

Really Bad Passwords (with Unsalted Hashes)

— 2012-06-08

Building Secure Web Applications (Info Graphic)

— 2012-06-05

New GIT Time Extractor Gem

— 2012-05-06

mod_deflate: Dramatic website speed increase with Apache compression on Ubuntu Linux

— 2012-04-18

How to supercharge your mobile visitor's experience with mod_deflate, which tends to provide a 62% to 72% savings on bandwidth required to deliver each page.

Big data a big deal for SQL Server 2012, users say

— 2012-04-17

What is Protected Personally Identifiable Information? Do I really have to hash users' passwords?

— 2012-04-05

New Lines in Cell Data: The SQL Converter Expert Conversion Service Can Handle It!

— 2012-04-02

Startup Riot 2012 is done; congratulations to the winners

— 2012-02-22

[Rails] Good Random Positive Integer

— 2012-02-03

OpenSSL: Generating an RSA Key from the Command Line

— 2012-01-27

In 42 seconds, learn how to generate a 2048-bit RSA key. And then what you need to do to protect it.

Rails: Point DNS to to Test Wildcard Subdomains on WEBrick

— 2012-01-24

Rails: Gmail Reply-To on Contact Form Email

— 2012-01-18

Wikipedia *blackout* tomorrow in protest to SOPA/PIPA

— 2012-01-17

Rails: TypeError: nil can't be coerced into Float

— 2012-01-14

In Rails, whiny nil exceptions are a real pain. I like to use to_f when computing float values because nil.to_f is 0.0.

OpenSSL: Encrypt a File with a Password from the Command Line

— 2012-01-09

Integrate Blog Content with your Rails 3 Website with Pure Ruby Code and RSS

— 2012-01-02

How to automate copyright notice updates in Ruby on Rails

— 2011-12-26

Conditionally Including Resources on SSL or non-SSL to Avoid Mixed Content Security Warnings in Ruby on Rails

— 2011-12-21

When building content that can be delivered over an encrypted HTTPS connection, it is necessary to reference all of the embedded resources (3rd party badge images, embedded YouTube videos, etc.) from an HTTPS URL. Otherwise a mixed content error will imply to your users that the website is not safe, ouch!

Adding RANDOM alias to RAND in MySQL without Changing Ruby on Rails Code

— 2011-12-19

SQL Converter 2 for Excel Website Update

— 2011-12-17

SQLCONVERTER.COM Major Website Update

— 2011-12-15

iPhone + Mobile Camp Birmingham

— 2009-12-23

Basics of iPhone Development @ SIEGE 2009

— 2009-09-11

Authentication Without Encryption for Ham Radio

— 2009-08-17

Crypto can be used for secure authentication without obscuring the meaning of communications - by KI4AWF.

Startup Professionals Musings: Startups: Top 10 Funding Sources

— 2009-03-10

Randomized Field Names in a Product!? Say no to CAPTCHA images!

— 2009-01-16

Atlanta Security Conference Website

— 2008-08-18

Tired of Contact Form Spam?

— 2008-01-25

Software Marketing Metrics

— 2007-01-29

The SIC-2007 Call for Papers is Hot off the Press

— 2007-01-21

Happy Copyright Notice Update Day!

— 2007-01-01

Six days left until Copyright Notice Update Day

— 2006-12-26

Georgia Tech to Compete in Network Security Contest

— 2006-12-07

SQL Converter 2 for Excel is Available

— 2006-11-03

The new City of John's Creek

— 2006-11-03

SQL Converter for Excel - version 2.0.4 BETA released

— 2006-09-05

Support Does Not Scale. Customer Service Does.

— 2006-08-10

A.R.M. Yourself Against SQL Injection

— 2006-08-08

SQL Converter for Excel - version 2.0.3 BETA released

— 2006-08-02

A very brief update on my happenings

— 2006-04-13

Business Analysis of Web Application Information

— 2005-12-26

How to use an Excel spreadsheet to pull data from a web application's SQL server and then perform business analysis on it.

Extend Firefox: Your Guide to Writing Firefox Extensions

— 2005-11-09

A product website without pricing information is really annoying!

— 2005-08-14

Saying no to PayPal Phishing Attacks

— 2005-08-09

Upcoming Beta Release: SQL Converter 2 for Excel

— 2005-07-25

Less is more! Google offers less talk

— 2005-07-21

WinZIP sold and needs technical improvements.

— 2005-07-18

Vector Graphics and Icon Licenses

— 2005-07-17

A Little Huffman Coding with Java Tricks

— 2005-05-16

Improving my personal efficiency with KDE.

— 2005-05-07

In 2005, I was using KDE on FreeBSD as my laptop OS. Here's a look into how KDE and Komposé improved my productivity.

Re: David Bartosik: Why Robots.txt by Matt Benya

— 2005-05-07

SWT and Swing in the News, Again.

— 2005-04-30

Part I: Introduction to SQL Injection

— 2005-04-23

GTACM Elections Success

— 2005-04-20

Symposium and Onward; SQL Lint

— 2005-04-14

The Start of Something Interesting

— 2005-04-08

Web Application Security & Performance
