Frank Rietta - Founder & CEO
Frank’s role is to ensure that your project is designed for security and speed.
With over 16 years of career experience, he is specialized designing and implementing commercially reasonable security controls necessary to reduce the risk that an application is data breached.
He is a computer scientist with a Masters in Information Security from the College of Computing at the Georgia Institute of Technology.
Posts by Frank Rietta
The convergence of Ruby on Rails and #AppSec Podcast Appearance
Frank Rietta guest on the Application Security Podcast with Chris Romeo
Rietta Makes it Betta Thank You Art!
Best thank you note form a client ever! Custom painting on canvas.
When Georgia was on the Brink of Outlawing Critical Computer Security Research, the Governor's Office Met with Me, and Vetoed it!
On April 25, 2018, nine information security professionals met with the Georgia Governor's office to discuss why the proposed criminal hacking law passed by both houses of the General Assembly was extremely problematic to Georgia's booming Information Security industry and risked putting the public at greater risk. Governor Deal vetoed the law a few weeks later.
Dependency Security and Hacking Rails with Jason Swett (Podcast)
Podcast interview about Ruby on Rails dependencies, security, state-sponsored hacking, and practical tips on how to protect your organization.
AppSec as a Requirement in the Development Process
A prediction that web application security will not be a post-development plugin you can add to your application in the decade of 2020-2030 and what you can do about it.
Patch Production Faster with Security-oriented Agile Development Practices
Companies take too long to patch production leaving plenty of time for threats to attack! Here's how to fix it with security-oriented Agile practices.
Ruby Gems Supply Chain Vulnerability
Learn 5 practical steps to protect yourself from malicious backdoors in Ruby Gems.
Account Protection Policies to Cover Business Assets
Utilizing two factor authentication, strong passphrases, password managers, and NIST standards; private company accounts can remain secure. Cover your assets!
Restrict Who Can Push to Matching Branches on Github
2019-05-09 (Last Updated: 2019-10-23)—
On GitHub, you can enable branch restrictions allowing only certain users, teams, or apps to be able to push to a protected branch.
Are you accidentally storing private data in plain text?
Learn how to prudently minimize the collection of passwords, authentication tokens, and customer private data in your debug logs to protect your company from legal liability.
Applying Agile and Security in Software Development Public Appearance at KSU
Frank will be presenting Applying Agile and Security in Software Development at the IS General Speaker Series #3 on 2/28/2018 at KSU in Marietta.
Happy New Year 2019!
Grateful for last year; excited for the new one. Update those copyright notices!
Stop Thinking about GA SB 315 in Terms of "Digital Homes"
Some mistakenly say an ethical hacker is like a nice neighbor walking into your unlocked back door without permission! In reality, security research is about public businesses and institutions open to the public.
Governor Deal, veto SB 315 because white hat security researchers should be thanked not jailed!
Rietta corporate letter to Governor Nathan Deal asking him to VETO GA SB 315, busting four myths that do not match up with the realities of Internet security. White hat security researchers, the good Samaritans of cybersecurity, should be thanked not prosecuted!
Panera Bread Story Is An Example of Why Governor Deal Should Veto SB 315
Panera Bread exposed millions of customer records publicly online through shear technical negligence. I call on Georgia Governor Nathan Deal to VETO SB 315 to protect independent security threat researchers who bring these issues to the light of day so that the public may be protected.
Georgia SB 315, set to criminalize most independent security threat research, heads to Georgia Governor Nathan Deal for signature or veto
As big companies buy cybersecurity insurance rather than fix fundamental security problems, Georgia clears the way for them to press charges or bring civil lawsuits against Good Samaritan researchers.
Georgia SB 315 anti-hacking law dangerously misses the mark of protecting people, making us all less safe
If Georgia SB 315 becomes law, computer security experts will stop reporting vulnerabilities in good faith because doing so could lead to their criminal prosecution under dangerously broad anti-hacking law.
Lay off the marketing plugins. Equifax hit with fake Flash update.
Equifax caught distributing malware. Be careful what you allow to be included in your website to avoid these sorts of hacks.
Automated Patching Will be New Reality
How fast can you update your production web application after an update is released? The answer better be within minutes. Automated testing and deployment is the only way.
Equifax Missed Defense in Depth, Allowing a Massive Data Breach
More than bad patch management, the weakness was Equifax's failure to design with the assumption that the front-end web server would be compromised.
Engine Yard's 17 Rails Security Tips
Troubling ISP Privacy Repeal: The Data Will be Breached
With a green light from Congress & President Trump, your ISP may begin some really creepy business practices that endanger your family's privacy and security.
Americans' Access to Strong Encryption is at Risk, an Open Letter to Congress
The track record of data breaches demonstrates an uncomfortable truth: when sophisticated adversaries want to hack a network, they will ultimately win. With a government mandated encryption backdoor, hackers will make Americans less safe both at home and abroad.
Breach Prevention for Developers Talk at Kennesaw State University
As an information security professional, it’s critical to know something about how custom web applications are developed and the impact that has on application security.
Intro to App Sec Podcast Interview
Frank was the guest on the August 29, 2016, Intro to App Sec Episode of the Advanced Persistent Security podcast. Listen here.
The MongoDB hack and the importance of secure defaults
If you have a MongoDB installation, now would be the time to verify that it is secure. Tim Kadlec has written a must read post.
CPU Benchmark - Raspberry Pi vs AMD Athlon vs Mac Mini
In a battle of the CPU's the Raspberry Pi does not win, the AMD Athlon 3200 still holds its own after nine years, and the modern Intel Core i5 beat them both as would be expected. They all have a use in the home systems lab still!
28th Anniversary of the Morris Internet Worm
Rails: Set Max Length on Fields
Bad Password Practices are Responsible For Most Data Breaches. You Can do Better.
Verizon DBIR says 61% of data breaches are the result of bad password practices. Your app can avoid some of the pitfalls with a few precautions, especially using slow hashes and 2FA.
Calls to Ban Effective Encryption Continue Despite Data Breach Crisis
Calls for the U.S. Congress to ban effective encryption are repeated despite the current information security crisis in which data breaches are regular news.
U.S. Senate Bill Seeks to Ban Effective Encryption, Making Security Illegal
Senators Feinstein, Burr published a bill in the United States Senate that would effectively ban effective encryption. This bill essentially says you can not have any conversation or data exchange that the government can not access if it wants to.
It is not just one iPhone, the FBI wants a future where it is impractical to deploy strong encryption without key escrow
The FBI wants a future where it is illegal or impractical to deploy strong encryption without key escrow, which is a key backup system that is insecure at scale. Data breach risks will increase as our devices become less secure.
What is the difference between bcrypt and SHA256?
TL;DR; SHA1, SHA256, and SHA512 are all *fast hashes* and are bad for passwords. BCRYPT is a *slow hash* and is good for passwords. Always use slow hashes, never fast hashes.
Ruby Application Security Talk Featured in Ruby Weekly Issue # 268
What is an Abuser Story (Software)
In software development and product management, an abuser story is a user story from the point of view of a malicious adversary. Abuser stories are used with agile software development methodologies as the basis for defining the activities that should be actively blocked or mitigated by the software and proven by automated regression testing.
What is Application Security?
The first real investor meeting post investment
A client recently shared Gordon Daugherty's article on how once investment is brought on, the lead investor is going to have a board seat and things become formal.
Uniqueness Validation Race Condition in Ruby on Rails applications
It's easy for race conditions to slip into your code and out into production. 'validates :field_name, uniqueness: true' is not enough to prevent duplicates in your database; here's how to enforce data integrity with both validations and unique indexes.
10th Anniversary Blog
Adding a Rake Task for SQL Views to a Rails Project
I add and update SQL views to my databases with 'rake db:views'; it's wonderful!
How to use Story Points to Estimate a Web Application Minimum Viable Product
A user story is a concise description of functionality valuable to a user. Once Points are estimated for each, a ballpark budget may be computed.
Project Roadmaps can Manage Uncertainty in Startups' Web Applications
How to communicate about realistic budgets and a timeframes because success requires clear communication on Estimates, Targets, and Commitments.
Get the Current Year in the Ruby programming language
'Time.new.year' gets the current year in Ruby, but there are other options in the standard library.
New Video! Understanding & Defending Against Data Breaches
Security incidents that lead to customer data breaches, which have been happening at an increasing rate. Most of these incidents are preventable, some would have even been stopped by simply having two factor authentication for staff member access.
Two new videos! How a Ruby on Rails developer can help prevent a Data Breach
Videos of the data breaches and Ruby on Rails are now up on YouTube! Level up on your security knowledge because good software security needs to be a moral stance!
How To Protect Against the POODLE SSLv3 Vulnerability
Commercial Information Security Classification System
Raspberry Pi crypto key management project!
A dedicated offline crypto key management system OpenPGP and an SSL Certificate Authority set up for air-gapped operations using a Raspberry Pi B.
Free, Universal SSL with Cloudflare
Software security is a moral duty
All too often robust security is put off because the cost of prevention is felt upfront & the cost of breach is to realized at an uncertain future time. But there is another way.
Learn how Upworthy scaled a Ruby on Rails application to serve massive traffic
Upworthy's backend is built on Ruby on Rails with an effective use of the Fastly CDN to deliver very high performance at scale.
New OpenPGP Key, 0xC004BAE3 (2014)
After 11 years, I have chosen to transition my OpenPGP/GnuPG cryptographic key pair from a 1024-bit to a 4096-bit RSA key. The new key is ID 0xC004BAE3. Please review the fingerprint and update your keychain accordingly.
Introduction to OpenPGP: Decrypt this Message
In this first part of Introduction to OpenPGP, learn to password protect a file using GnuPG, which supports symmetric encryption in addition to its more powerful asymmetric mode.
Retake the Net for Privacy!
What a Ruby developer can do to help prevent a Data Breach - 2014
Humana data breach in Atlanta for an unencrypted USB disk
Avoid thrashing to release your project on time and budget
ModSecurity and Fail2Ban as an Intrusion Prevention System
Defense in Depth
Joe Moore has Pair Programmed for 27,000 Hours
My new tenkeyless Code Keyboard!
The Code Keyboard Kenkeyless (87-key without a Number Pad) with Cherry MX Green is a great programmers' keyboard.
YubiKey Authentication Devices
John Saddington and Obie Fernandez at the Atlanta Ruby Users' Group
OpenSSL Vulnerability, Patch 1.0.1 Immediately
Research and Development Tax Credit
As a company building software that has a risk of failure, the government wants to provide financial incentives to you, dollar for dollar.
Find Top Referral Sources with Raw Apache Access Log
The easy raw to find your website referrers (HTTP referer) from a raw Apache access file with grep, sort, and uniq on the command line.
Issue #6: February, 2014, Web Application Topics Newsletter
Get and compare the current Git branch in BASH
When using Git, this is the easy way to get the current branch within a BASH script and use it to conditionally execute the most appropriate code with an if/else.
My Touch Typing Journey Continues
How I am teaching myself to truly touch-type, without taking any peaks, with Type Fu, the DAS Keyboard Ultimate, and going about my daily work as a consultant.
Reset MySQL Root Password with One Command
One simple command to reset your MySQL root password on Debian/Ubuntu Linux. Don't overthink this one.
Anti-virus for Mac for PCI Compliance
PCI-DSS Requirement 5 says that anti-virus must be installed and used on all computers, including Mac OS X. Here is why and some good options to choose.
Gradually and then suddenly
Why & How We Remote Pair Program (2013)
Joppar's 'Tips on Securing Your Mobile App' Infographic Quoted Me!
Voice-driven Applications on the Brain
How to use SQL views to Build Reports with Ruby on Rails
2013-11-28 (Last Updated: 2019-10-29)—
Reports can be complex to develop. Sometimes SQL views help us rationalize these complex reports. Rails doesn't ship with SQL view support by default, but the Ruby Gem Scenic is very effective at utilizing SQL Views in Rails.
Secure Passwords & Passphrases
Grep to Extract E-Mail Addresses from a Text File
Upcoming Remote Pair Programming Talk at the Atlanta Ruby Users' Group
Want to Learn Ruby on Rails in Atlanta?
What is a Maintained Post?
The Dvorak Keyboard with the Mouse on the Left-hand side
Seth Godin shared that the way to success is trust on Dave Ramsey's podcast
Is the Colemak or Dvorak keyboard layout best for you?
What is Object-Oriented Programming (OOP) really talk by Bob Martin
Happy Father's Day
OpenSSL: Encrypt Data with an RSA Key with PHP
Enhance Early Adoption with Mobile Friendly Themes
Default HTML Values with a Rails View Helper
SQL Converter 3.4 Beta for Windows
Setting up Ubuntu for Rails Development - part 2
Setting up Ubuntu for Rails Development
Using IPTABLES to Require CloudFlare for All HTTP/HTTPS Traffic
WGET to Keep New Rails Site in Memory
Atlanta Code Retreat on July 28th
Really Bad Passwords (with Unsalted Hashes)
Building Secure Web Applications (Info Graphic)
New GIT Time Extractor Gem
mod_deflate: Dramatic website speed increase with Apache compression on Ubuntu Linux
How to supercharge your mobile visitor's experience with mod_deflate, which tends to provide a 62% to 72% savings on bandwidth required to deliver each page.
Big data a big deal for SQL Server 2012, users say
What is Protected Personally Identifiable Information? Do I really have to hash users' passwords?
Startup Riot 2012 is done; congratulations to the winners
[Rails] Good Random Positive Integer
Generate OpenSSL RSA Key Pair from the Command Line
2012-01-27 (Last Updated: 2019-10-22)—
In 42 seconds, learn how to generate 2048 bit RSA key. And then what you need to do to protect it.
Rails: Point DNS to 127.0.0.1 to Test Wildcard Subdomains on WEBrick
Rails: Gmail Reply-To on Contact Form Email
Wikipedia *blackout* tomorrow in protest to SOPA/PIPA
Rails: TypeError: nil can't be coerced into Float
In Rails, whinny nil exceptions are a real pain. I like to use to_f when computing float values because nil.to_f is 0.0.
OpenSSL: Encrypt a File with a Password from the Command Line
Integrate Blog Content with your Rails 3 Website with Pure Ruby Code and RSS
How to automate copyright notice updates in Ruby on Rails
Conditionally Including Resources on SSL or non-SSL to Avoid Mixed Content Security Warnings in Ruby on Rails
When building content that can be delivered on an encrypted HTTPS connection it is necessary to reference all of the embedded resources, 3rd party badge images, embedded YouTube videos, etc, from an HTTPS url. Otherwise a mixed content error will imply to your users that the website is not safe, ouch!
Adding RANDOM alias to RAND in MySQL without Changing Ruby on Rails Code
iPhone + Mobile Camp Birmingham
Basics of iPhone Development @ SIEGE 2009
Authentication Without Encryption for Ham Radio
Crypto can be used for secure authentication without obscuring the meaning of communications - by KI4AWF.
Startup Professionals Musings: Startups: Top 10 Funding Sources
Tired of Contact Form Spam?
Software Marketing Metrics
The SIC-2007 Call for Papers is Hot off the Press
Happy Copyright Notice Update Day!
Georgia Tech to Compete in Network Security Contest
The new City of John's Creek
Support Does Not Scale. Customer Service Does.
A.R.M. Yourself Against SQL Injection
Proactively validate all input strings. Use ARM - Accept it, Reject it, or Modify it.
Business Analysis of Web Application Information
How to use an Excel spreadsheet to pull data from a web application's SQL server and then perform business analysis on it.
Extend Firefox: Your Guide to Writing Firefox Extensions
A product website without pricing information is really annoying!
Saying no to PayPal Phishing Attacks
Upcoming Beta Release: SQL Converter 2 for Excel
Less is more! Google offers less talk
WinZIP sold and needs technical improvements.
A Little Huffman Coding with Java Tricks
Improving my personal efficiency with KDE.
In 2005, I was using KDE on FreeBSD as my laptop OS. Here's a look into how KDE and Komposé improved my productivity.
Re: David Bartosik: Why Robots.txt by Matt Benya
SWT and Swing in the News, Again.
Part I: Introduction to SQL Injection
Symposium and Onward; SQL Lint
The Start of Something Interesting
Web Application Security & Performance
0001-01-01 (Last Updated: 0001-01-01)—
Timeless tips for improving security & performance for critical web applications.