since 1999

Frank Rietta - Founder & CEO

Frank’s role is to ensure that your project is designed for security and speed.

With over 16 years of career experience, he specializes in designing and implementing the commercially reasonable security controls necessary to reduce the risk that an application suffers a data breach.

He is a computer scientist with a Masters in Information Security from the College of Computing at the Georgia Institute of Technology. He is a lifetime member of the Open Web Application Security Project (OWASP).

Frank is a public speaker, who talks about data breaches and information security topics. You can also follow him at @frankrietta on Twitter or @fsrietta on LinkedIn.

Use this PGP key to send sensitive content to Frank. His public key is also at rietta on keybase.

Posts by Frank Rietta

Prioritizing cybersecurity (Pluralsight)

The structure and siloing of a large enterprise organization can thwart security efforts. Here is a tip on how to overcome it.

How to win the race with hackers when new vulnerabilities are publicly disclosed!

Keeping deployed web applications up-to-date is imperative to prevent data breaches. Here's how to use automated testing of custom web application software to patch quickly after a supply chain vulnerability is publicly disclosed.

Case Study: Migration of Public Service On-Prem to AWS Cloud

How Rietta planned and implemented a multi-step process to fully migrate a monolithic on-prem Rails application to the AWS cloud using Docker, AWS Elastic Container Service, the AWS Secrets Manager, and more.

Case Study: Complex Insurance Document Solution with LibreOffice, Docker, and AWS

How Rietta built a complex document solution that seamlessly deploys to AWS using purely open source technology.

Top 5 Tips and Tricks on Developing with Docker

Five tips and tricks I've built up working daily with Docker professionally for three years.

You Can be the Victim of a Cybersecurity Attack: Do Your Part. #BeCyberSmart.

Be cyber smart by recognizing that you can be the victim of a cyber security incident and that you have to keep your Internet-connected custom software securely configured and patched up-to-date at all times. Do Your Part. #BeCyberSmart.

Dockerizing Development Saves Serious Money for Small Agency

Systematic investment in Docker is paying off big time. From an agency owner's perspective, this is why the up-front investment was worth it.

Paying Ransomware is Harmful: Invest in proactive defense instead.

Paying the pirates has never been a good idea. The long history shows that paying the ransom only increases the financial incentives for more ransoms. Here is how you can use Threat Actor / Capability modeling and practically free countermeasures to protect yourself.

Top 5 Cyber Security Self-Defense Tips for Businesses with Custom Applications

Since there is no Internet coast guard coming to your aid, here are the top five tips for your company to be better prepared for your own self-defense against cyber attack.

Lava lamps providing randomness for security!

Lava lamps as a security tool are an old idea, once covered by a patent. This is why I proudly display a Lava Lamp in my office within my web cam shot.

Practical APPSEC starts with people first, processes second, and technology last

Technology purchases cannot solve application security. Improving security is a matter of people, processes, and technology. Here's how to invest in developer education and processes first.

Brad Cox has died

Dr. Brad J. Cox, Ph.D., influential computer scientist, co-inventor of the Objective-C object-oriented programming language, and influencer of modern programming based on the reusability of software components, has died.

Disable Low Quality Webcam Microphone in Ubuntu Linux 20.04

How to ensure your high quality microphone is always used and not the low quality USB webcam audio when joining Google Meet, Zoom, Microsoft Teams, and other video calls. Block list the webcam sound with udev and use it only for video, not audio.

Financial Plan for a New Computer Under Warranty

As a computing professional, top end computers are a necessity for your livelihood. Here's how setting aside just $69/month will ensure you can buy a new computer at any time and have the funds for guilt free technology splurges.

Development time is money, therefore I RAID

Why I optimize for redundancy via RAID and multiple computers as a developer for whom development time is money instead of relying on a single high end laptop.

The convergence of Ruby on Rails and #AppSec Podcast Appearance

Frank Rietta guest on the Application Security Podcast with Chris Romeo

Rietta Makes it Betta Thank You Art!

Best thank you note from a client ever! Custom painting on canvas.

When Georgia was on the Brink of Outlawing Critical Computer Security Research, the Governor's Office Met with Me, and Vetoed it!

On April 25, 2018, nine information security professionals met with the Georgia Governor's office to discuss why the proposed criminal hacking law passed by both houses of the General Assembly was extremely problematic to Georgia's booming Information Security industry and risked putting the public at greater risk. Governor Deal vetoed the law a few weeks later.

Dependency Security and Hacking Rails with Jason Swett (Podcast)

Podcast interview about Ruby on Rails dependencies, security, state-sponsored hacking, and practical tips on how to protect your organization.

AppSec as a Requirement in the Development Process

A prediction that web application security will not be a post-development plugin you can add to your application in the decade of 2020-2030 and what you can do about it.

Patch Production Faster with Security-oriented Agile Development Practices

Companies take too long to patch production leaving plenty of time for threats to attack! Here's how to fix it with security-oriented Agile practices.

Ruby Gems Supply Chain Vulnerability

Learn 5 practical steps to protect yourself from malicious backdoors in Ruby Gems.

Account Protection Policies to Cover Business Assets

Utilizing two-factor authentication, strong passphrases, password managers, and NIST standards, private company accounts can remain secure. Cover your assets!

Restrict Who Can Push to Matching Branches on Github

(Last Updated: 10/23/2019)

On GitHub, you can enable branch restrictions allowing only certain users, teams, or apps to be able to push to a protected branch.

Are you accidentally storing private data in plain text?

Learn how to prudently minimize the collection of passwords, authentication tokens, and customer private data in your debug logs to protect your company from legal liability.

Applying Agile and Security in Software Development Public Appearance at KSU

Frank will be presenting Applying Agile and Security in Software Development at the IS General Speaker Series #3 on 2/28/2018 at KSU in Marietta.

Happy New Year 2019!

Grateful for last year; excited for the new one. Update those copyright notices!

Stop Thinking about GA SB 315 in Terms of "Digital Homes"

Some mistakenly say an ethical hacker is like a nice neighbor walking into your unlocked back door without permission! In reality, security research is about public businesses and institutions open to the public.

Governor Deal, veto SB 315 because white hat security researchers should be thanked not jailed!

Rietta corporate letter to Governor Nathan Deal asking him to VETO GA SB 315, busting four myths that do not match up with the realities of Internet security. White hat security researchers, the good Samaritans of cybersecurity, should be thanked not prosecuted!

Panera Bread Story Is An Example of Why Governor Deal Should Veto SB 315

Panera Bread exposed millions of customer records publicly online through sheer technical negligence. I call on Georgia Governor Nathan Deal to VETO SB 315 to protect independent security threat researchers who bring these issues to the light of day so that the public may be protected.

Georgia SB 315, set to criminalize most independent security threat research, heads to Georgia Governor Nathan Deal for signature or veto

As big companies buy cybersecurity insurance rather than fix fundamental security problems, Georgia clears the way for them to press charges or bring civil lawsuits against Good Samaritan researchers.

Georgia SB 315 anti-hacking law dangerously misses the mark of protecting people, making us all less safe

If Georgia SB 315 becomes law, computer security experts will stop reporting vulnerabilities in good faith because doing so could lead to their criminal prosecution under dangerously broad anti-hacking law.

Lay off the marketing plugins. Equifax hit with fake Flash update.

Equifax caught distributing malware. Be careful what you allow to be included in your website to avoid these sorts of hacks.

Automated Patching Will be New Reality

How fast can you update your production web application after an update is released? The answer better be within minutes. Automated testing and deployment is the only way.

Equifax Missed Defense in Depth, Allowing a Massive Data Breach

More than bad patch management, the weakness was Equifax's failure to design with the assumption that the front-end web server would be compromised.

Engine Yard's 17 Rails Security Tips

Troubling ISP Privacy Repeal: The Data Will be Breached

With a green light from Congress & President Trump, your ISP may begin some really creepy business practices that endanger your family's privacy and security.

Americans' Access to Strong Encryption is at Risk, an Open Letter to Congress

The track record of data breaches demonstrates an uncomfortable truth: when sophisticated adversaries want to hack a network, they will ultimately win. With a government mandated encryption backdoor, hackers will make Americans less safe both at home and abroad.

Breach Prevention for Developers Talk at Kennesaw State University

As an information security professional, it’s critical to know something about how custom web applications are developed and the impact that has on application security.

Intro to App Sec Podcast Interview

Frank was the guest on the August 29, 2016, Intro to App Sec Episode of the Advanced Persistent Security podcast. Listen here.

The MongoDB hack and the importance of secure defaults

If you have a MongoDB installation, now would be the time to verify that it is secure. Tim Kadlec has written a must read post.

CPU Benchmark - Raspberry Pi vs AMD Athlon vs Mac Mini

In a battle of the CPUs, the Raspberry Pi does not win, the AMD Athlon 3200 still holds its own after nine years, and the modern Intel Core i5 beats them both, as would be expected. They all still have a use in the home systems lab!

28th Anniversary of the Morris Internet Worm

Rails: Set Max Length on Fields

Bad Password Practices are Responsible For Most Data Breaches. You Can do Better.

Verizon DBIR says 61% of data breaches are the result of bad password practices. Your app can avoid some of the pitfalls with a few precautions, especially using slow hashes and 2FA.

Calls to Ban Effective Encryption Continue Despite Data Breach Crisis

Calls for the U.S. Congress to ban effective encryption are repeated despite the current information security crisis in which data breaches are regular news.

U.S. Senate Bill Seeks to Ban Effective Encryption, Making Security Illegal

Senators Feinstein and Burr published a bill in the United States Senate that would effectively ban effective encryption. This bill essentially says you cannot have any conversation or data exchange that the government cannot access if it wants to.

It is not just one iPhone, the FBI wants a future where it is impractical to deploy strong encryption without key escrow

The FBI wants a future where it is illegal or impractical to deploy strong encryption without key escrow, which is a key backup system that is insecure at scale. Data breach risks will increase as our devices become less secure.

What is the difference between bcrypt and SHA256?

TL;DR: SHA1, SHA256, and SHA512 are all *fast hashes* and are bad for passwords. BCRYPT is a *slow hash* and is good for passwords. Always use slow hashes, never fast hashes.

Ruby Application Security Talk Featured in Ruby Weekly Issue # 268

What is an Abuser Story (Software)

In software development and product management, an abuser story is a user story from the point of view of a malicious adversary. Abuser stories are used with agile software development methodologies as the basis for defining the activities that should be actively blocked or mitigated by the software and proven by automated regression testing.

What is Application Security?

The first real investor meeting post investment

A client recently shared Gordon Daugherty's article on how once investment is brought on, the lead investor is going to have a board seat and things become formal.

Uniqueness Validation Race Condition in Ruby on Rails applications

It's easy for race conditions to slip into your code and out into production. 'validates :field_name, uniqueness: true' is not enough to prevent duplicates in your database; here's how to enforce data integrity with both validations and unique indexes.

10th Anniversary Blog

Adding a Rake Task for SQL Views to a Rails Project

I add and update SQL views to my databases with 'rake db:views'; it's wonderful!

How to use Story Points to Estimate a Web Application Minimum Viable Product

A user story is a concise description of functionality valuable to a user. Once Points are estimated for each, a ballpark budget may be computed.

Project Roadmaps can Manage Uncertainty in Startups' Web Applications

How to communicate about realistic budgets and timeframes, because success requires clear communication on Estimates, Targets, and Commitments.

Get the Current Year in the Ruby programming language

'Time.new.year' gets the current year in Ruby, but there are other options in the standard library.

New Video! Understanding & Defending Against Data Breaches

Security incidents that lead to customer data breaches have been happening at an increasing rate. Most of these incidents are preventable; some would even have been stopped by simply having two-factor authentication for staff member access.

Two new videos! How a Ruby on Rails developer can help prevent a Data Breach

Videos of the data breaches and Ruby on Rails are now up on YouTube! Level up on your security knowledge because good software security needs to be a moral stance!

How To Protect Against the POODLE SSLv3 Vulnerability

Commercial Information Security Classification System

Raspberry Pi crypto key management project!

A dedicated offline crypto key management system OpenPGP and an SSL Certificate Authority set up for air-gapped operations using a Raspberry Pi B.

Free, Universal SSL with Cloudflare

Software security is a moral duty

All too often robust security is put off because the cost of prevention is felt up front and the cost of a breach is realized at an uncertain future time. But there is another way.

Learn how Upworthy scaled a Ruby on Rails application to serve massive traffic

Upworthy's backend is built on Ruby on Rails with an effective use of the Fastly CDN to deliver very high performance at scale.

New OpenPGP Key, 0xC004BAE3 (2014)

After 11 years, I have chosen to transition my OpenPGP/GnuPG cryptographic key pair from a 1024-bit to a 4096-bit RSA key. The new key is ID 0xC004BAE3. Please review the fingerprint and update your keychain accordingly.

Introduction to OpenPGP: Decrypt this Message

In this first part of Introduction to OpenPGP, learn to password protect a file using GnuPG, which supports symmetric encryption in addition to its more powerful asymmetric mode.

Retake the Net for Privacy!

What a Ruby developer can do to help prevent a Data Breach - 2014

Humana data breach in Atlanta for an unencrypted USB disk

Avoid thrashing to release your project on time and budget

ModSecurity and Fail2Ban as an Intrusion Prevention System

Defense in Depth

Joe Moore has Pair Programmed for 27,000 Hours

My new tenkeyless Code Keyboard!

The Code Keyboard Tenkeyless (87-key without a Number Pad) with Cherry MX Green is a great programmers' keyboard.

YubiKey Authentication Devices

John Saddington and Obie Fernandez at the Atlanta Ruby Users' Group

OpenSSL Vulnerability, Patch 1.0.1 Immediately

Research and Development Tax Credit

As a company building software that has a risk of failure, the government wants to provide financial incentives to you, dollar for dollar.

Find Top Referral Sources with Raw Apache Access Log

The easy way to find your website referrers (HTTP referer) from a raw Apache access log file with grep, sort, and uniq on the command line.

Issue #6: February, 2014, Web Application Topics Newsletter

Get and compare the current Git branch in BASH

When using Git, this is the easy way to get the current branch within a BASH script and use it to conditionally execute the most appropriate code with an if/else.

My Touch Typing Journey Continues

How I am teaching myself to truly touch-type, without taking any peeks, with Type Fu, the DAS Keyboard Ultimate, and going about my daily work as a consultant.

Reset MySQL Root Password with One Command

One simple command to reset your MySQL root password on Debian/Ubuntu Linux. Don't overthink this one.

Anti-virus for Mac for PCI Compliance

PCI-DSS Requirement 5 says that anti-virus must be installed and used on all computers, including Mac OS X. Here is why and some good options to choose.

Gradually and then suddenly

Why & How We Remote Pair Program (2013)

Joppar's 'Tips on Securing Your Mobile App' Infographic Quoted Me!

Voice-driven Applications on the Brain

How to use SQL views to Build Reports with Ruby on Rails

(Last Updated: 10/29/2019)

Reports can be complex to develop. Sometimes SQL views help us rationalize these complex reports. Rails doesn't ship with SQL view support by default, but the Ruby Gem Scenic is very effective at utilizing SQL Views in Rails.

Secure Passwords & Passphrases

Grep to Extract E-Mail Addresses from a Text File

Upcoming Remote Pair Programming Talk at the Atlanta Ruby Users' Group

Want to Learn Ruby on Rails in Atlanta?

What is a Maintained Post?

The Dvorak Keyboard with the Mouse on the Left-hand side

Seth Godin shared that the way to success is trust on Dave Ramsey's podcast

Is the Colemak or Dvorak keyboard layout best for you?

What is Object-Oriented Programming (OOP) really talk by Bob Martin

Happy Father's Day

OpenSSL: Encrypt Data with an RSA Key with PHP

Enhance Early Adoption with Mobile Friendly Themes

Default HTML Values with a Rails View Helper

SQL Converter 3.4 Beta for Windows

Setting up Ubuntu for Rails Development - part 2

Setting up Ubuntu for Rails Development

Using IPTABLES to Require CloudFlare for All HTTP/HTTPS Traffic

WGET to Keep New Rails Site in Memory

Atlanta Code Retreat on July 28th

Really Bad Passwords (with Unsalted Hashes)

Building Secure Web Applications (Info Graphic)

New GIT Time Extractor Gem

mod_deflate: Dramatic website speed increase with Apache compression on Ubuntu Linux

How to supercharge your mobile visitor's experience with mod_deflate, which tends to provide a 62% to 72% savings on bandwidth required to deliver each page.

Big data a big deal for SQL Server 2012, users say

What is Protected Personally Identifiable Information? Do I really have to hash users' passwords?

Startup Riot 2012 is done; congratulations to the winners

[Rails] Good Random Positive Integer

Generate OpenSSL RSA Key Pair from the Command Line

(Last Updated: 10/22/2019)

In 42 seconds, learn how to generate 2048 bit RSA key. And then what you need to do to protect it.

Rails: Point DNS to 127.0.0.1 to Test Wildcard Subdomains on WEBrick

Rails: Gmail Reply-To on Contact Form Email

Wikipedia *blackout* tomorrow in protest to SOPA/PIPA

Rails: TypeError: nil can't be coerced into Float

In Rails, whiny nil exceptions are a real pain. I like to use to_f when computing float values because nil.to_f is 0.0.

OpenSSL: Encrypt a File with a Password from the Command Line

Integrate Blog Content with your Rails 3 Website with Pure Ruby Code and RSS

How to automate copyright notice updates in Ruby on Rails

Conditionally Including Resources on SSL or non-SSL to Avoid Mixed Content Security Warnings in Ruby on Rails

When building content that can be delivered over an encrypted HTTPS connection, it is necessary to reference all of the embedded resources (3rd party badge images, embedded YouTube videos, etc.) from an HTTPS URL. Otherwise a mixed content error will imply to your users that the website is not safe, ouch!

Adding RANDOM alias to RAND in MySQL without Changing Ruby on Rails Code

iPhone + Mobile Camp Birmingham

Basics of iPhone Development @ SIEGE 2009

Authentication Without Encryption for Ham Radio

Crypto can be used for secure authentication without obscuring the meaning of communications - by KI4AWF.

Startup Professionals Musings: Startups: Top 10 Funding Sources

Tired of Contact Form Spam?

Software Marketing Metrics

The SIC-2007 Call for Papers is Hot off the Press

Happy Copyright Notice Update Day!

Georgia Tech to Compete in Network Security Contest

The new City of John's Creek

Support Does Not Scale. Customer Service Does.

A.R.M. Yourself Against SQL Injection

Proactively validate all input strings. Use ARM - Accept it, Reject it, or Modify it.

Business Analysis of Web Application Information

How to use an Excel spreadsheet to pull data from a web application's SQL server and then perform business analysis on it.

Extend Firefox: Your Guide to Writing Firefox Extensions

A product website without pricing information is really annoying!

Saying no to PayPal Phishing Attacks

Upcoming Beta Release: SQL Converter 2 for Excel

Less is more! Google offers less talk

WinZIP sold and needs technical improvements.

A Little Huffman Coding with Java Tricks

Re: David Bartosik: Why Robots.txt by Matt Benya

Improving my personal efficiency with KDE.

In 2005, I was using KDE on FreeBSD as my laptop OS. Here's a look into how KDE and Komposé improved my productivity.

SWT and Swing in the News, Again.

Part I: Introduction to SQL Injection

Symposium and Onward; SQL Lint

The Start of Something Interesting

Web Application Security & Performance

Timeless tips for improving security & performance for critical web applications.