Continuous integration is now a common way for teams to get constant feedback. Being able to verify that new code works is important, but what about CVEs? CVEs are reported and patched constantly by open source communities, and unless your team is scouring the web for dependency vulnerabilities daily, it quickly becomes difficult to keep up. That is not only time consuming: if vulnerabilities are not dealt with swiftly, they pose a risk to the well-being of your business and your user base. At Rietta, we have automated security scans by using scheduled workflows on CircleCI. This blog post briefly goes over how you can set up an automated security scan that runs on a schedule, independently of code pushes, so that a newly published CVE in one of your dependencies surfaces even when nobody has committed anything.
The majority of software development involves asking a lot of questions. Administering the Ruby On Rails Link Slack, I’ve seen some of the best and worst questions asked.
Good questions save time and effort for both the asker and the answerer. Follow these tips to become a superstar question asker and supercharge your development cycle, with and without community assistance.
Systems that handle payment information, particularly e-commerce systems, are regulated by PCI DSS. Changes to the PCI compliance requirements have reclassified the use of outdated and insecure versions of TLS (and its predecessor, SSL) as non-compliant. This has a significant impact across the software industry, as the changes took effect today, June 30, 2018. The key takeaways for us as web application developers are that we must ensure our deployed systems use modern and secure TLS configurations (disabling SSL and early TLS outright and preferring TLS 1.2 or later), and that we should now do so at the expense of supporting legacy web browsers that cannot negotiate a compliant protocol version, namely old versions of Internet Explorer and Windows.
Starting out in a new job can bring about feelings of excitement and eagerness. Those emotions can also be accompanied by doubts about being useful, anxiety, and impostor syndrome. Having experienced everything listed above, I’ve learned some strategies to help overcome the negatives and be proactive.
Working with the Rietta team has been an amazing experience of camaraderie and mentorship. This article briefly explores my experiences at Rietta to help equip new developers with a plan to synergize and grow with a new team.
Throughout the public debate over Georgia SB 315, a bad analogy has been repeated: that a public business’s or institution’s web server is like an online home. And, because nobody lets strangers just walk into their own home, Georgia should set the expectation that no one, criminal or ethical, should be allowed to come into an organization’s digital “home” without permission. But this analogy does not match reality!
Friday, April 13, 2018
Governor Nathan Deal
Office of the Governor
206 Washington Street
111 State Capitol
Atlanta, Georgia 30334
Dear Governor Deal:
I am writing you today on behalf of my Georgia-based security firm, asking that you veto SB 315. I am a long-term Georgia resident, raised in the Atlanta area, and earned a B.S. in Computer Science and an M.S. in Information Security at Georgia Tech. My wife Danielle is a Mercer University alumna, and we are both conservative Christians who voted for you. My interest in computer security started early, after I founded AtlantaWebHost.com eighteen years ago and started to see firsthand how websites and servers were under continuous attack by malicious hackers. This firsthand experience was the catalyst for pursuing a career dedicated to protecting websites and web applications from attackers.
An independent security researcher just uncovered Panera Bread’s negligent exposure of millions of customer records. He notified Panera in a responsible manner, and even after 8 months Panera had not fixed the flaw. The underlying problem was serving private data on a public endpoint without authentication and without checking that the caller was entitled to the record requested, so anyone could walk the customer ids and pull record after record. This is so basic that beginner API developers should know to avoid it. Moreover, it falls squarely under Broken Access Control in the OWASP Top 10 (owasp.org), the well-known list of ways that databases become compromised through insecure web applications.
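The flaw described above, as an added example that is not part of the original post and not Panera’s code: a plain-Ruby stand-in for a customer lookup endpoint, first with no authentication or access control, then hardened so that a caller must present a valid session and can only read their own record. The customer records, the session table and the `tok-alice` token are constructed for the demonstration; the handler names are ours.

```ruby
require 'json'

# Constructed sample data standing in for the customer table and the session
# store (not Panera's data or code). The ids are sequential on purpose: that is
# what lets an attacker walk the insecure endpoint.
CUSTOMERS = {
  1001 => { name: 'Alice Example', email: 'alice@example.com', card_last4: '4242' },
  1002 => { name: 'Bob Example',   email: 'bob@example.com',   card_last4: '1881' }
}.freeze

# session token => authenticated customer id (constructed)
SESSIONS = { 'tok-alice' => 1001 }.freeze

def not_found
  [404, { error: 'not found' }.to_json]
end

# Insecure: GET /customers/:id serves any record to anyone who asks.
# There is no authentication and no check that the caller owns the record.
def insecure_customer_lookup(id)
  record = CUSTOMERS[id]
  return not_found unless record
  [200, record.to_json]
end

# Hardened: authenticate first, then authorize by scoping the lookup to the
# caller's own id. Ids the caller does not own get 404 rather than 403, so
# the response does not reveal which ids exist.
def secure_customer_lookup(session_token, id)
  caller_id = SESSIONS[session_token]
  return [401, { error: 'authentication required' }.to_json] unless caller_id
  record = CUSTOMERS[id] if id == caller_id
  return not_found unless record
  [200, record.to_json]
end

# Simulates an attacker walking a block of ids against a handler; returns the
# number of records that came back with 200.
def records_leaked(id_range)
  id_range.count { |id| yield(id).first == 200 }
end

if __FILE__ == $PROGRAM_NAME
  ids = 1000..1010
  puts "insecure endpoint, anonymous: #{records_leaked(ids) { |id| insecure_customer_lookup(id) }} records"
  puts "hardened endpoint, anonymous: #{records_leaked(ids) { |id| secure_customer_lookup(nil, id) }} records"
  puts "hardened endpoint, as Alice:  #{records_leaked(ids) { |id| secure_customer_lookup('tok-alice', id) }} records"
end
```

Walking eleven ids against the insecure handler returns both records; against the hardened handler an anonymous caller gets nothing and an authenticated caller gets only her own. In a Rails application the same two checks are a `before_action` that authenticates the request and a lookup scoped through the current user (for example `current_user.customers.find(params[:id])`) rather than a bare `Customer.find(params[:id])`.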
The Georgia House of Representatives voted 107 to 63 to approve GA SB 315 (LC 29 8107S) (PDF / legis.ga.gov) on Tuesday, March 27, 2018, and the Senate voted 42 to 7 to accept the House changes in the last hours of the session on Thursday, March 29, 2018. This bill, which has been specifically crafted to make critical security research a crime, now heads to Governor Deal’s desk for his signature or veto.
GA SB 315 protects the 94% of the Forbes 2000 public companies that have no way to report a security hole at the expense of the public. They do not need this protection. We need a way to hold them accountable so that they fix their vulnerabilities.
This chilling fact was part of recent US Senate testimony by Katie Moussouris, the security professional responsible for launching Microsoft’s and the US Department of Defense’s first bug bounty programs.
That means only 120 of these companies have a formal program to receive information about, and actively fix, security flaws that impact the public. The other 1,880 will just as soon press criminal charges or civilly sue anyone who dares to bring a security hole to their attention. Many of these companies would rather put their heads in the sand and pretend that they have no issues than actually fix fundamental security problems in their IT systems. This is why we hear so much about cybersecurity insurance, and about companies and governments paying ransom to unlock their data, rather than about deploying comprehensive security controls in the first place.
Please contact Governor Nathan Deal and ask that he VETO SB 315! Tell him that our Internet security is too important to jeopardize with an overly broad bill that can be used to put innocent Georgians in jail and destroy the careers of law abiding citizens while doing nothing to hold the companies who put our data at risk accountable.
GA SB 315 (LC 29 8107S) (PDF / legis.ga.gov) just passed the House Judiciary Non-Civil Committee and will be voted on this week. While significantly improved through the committee process, it still creates a dangerously broad definition of Criminal Unauthorized Computer Access, so sweeping that people will need permission before visiting any website.
This bill was drafted because Georgia law enforcement and the FBI could not find any law broken by a professional security researcher. This researcher tried to alert Georgia election officials to voter data inappropriately published on the public Internet by Kennesaw State University, a contractor for the Georgia Secretary of State’s Office. What he discovered through ordinary Google searching was that voters’ names, addresses, and other private information were indexed by Google and accessible to anyone. After months, he and another researcher discovered that the data was still available on the public Internet and brought it to the attention of the media. Only under the daylight of public attention was the data removed from the Internet, in an embarrassing scandal.