Rietta
Rietta.com Security
You are reading The Rietta Blog, a publication about the web since 2005. If you enjoy this, you may also want to subscribe to our Web Application Topics Newsletter.

Automate Scheduled Security Scans With CircleCI

Continuous integration is a now common way of having constant feedback for teams. Being able to verify new code on whether it is working is important, but what about CVEs? CVEs are reported and patched constantly by open source communities and unless your team is scouring the web for dependency vulnerabilities daily, it can quickly become difficult to keep up. Not only time consuming, but if they are not dealt with swiftly, they will pose as a risk to the well-being of your business and user base. At Rietta, we have automated security scans by utilizing scheduled workflows on CircleCI. This blog post will briefly go over how you can set up an automated security scan that will help boost confidence when dealing with CVEs.

6 Easily Avoidable Mistakes New Developers Make When Asking for Help Online

The majority of software development includes asking a lot of questions. Administrating the Ruby On Rails Link Slack, I’ve seen some of the best and worst questions asked.

Good questions save time and effort for both the asker and answerer, follow these tips to become a superstar question asker and super power your development cycle with and without community assistance.

Migrate Away From SSL/Early TLS for PCI Compliance

Systems that handle payment information, particularly e-commerce systems, are regulated by PCI DSS. Changes to the PCI compliance requirements have reclassified the use of outdated and insecure versions of TLS (and its predecessor, SSL) as non-compliant. This has some significant impact across the software industry as the changes went into enforcement today, June 30, 2018. The key takeaways for us as web application developers are that we must ensure that our deployed systems are using modern and secure TLS configurations, and that we should now do so at the expense of supporting legacy web browsers that are non-compliant, namely old versions of Internet Explorer and Windows.

3 Developer Onboarding Tips From My Recent Experiences

Starting out in a new job can bring about feelings of excitement and eagerness. Those emotions can also be accompanied with doubts about being useful, anxiety, and imposter-syndrome. Having experienced everything listed above, I’ve learned some strategies to help overcome the negatives and be proactive.

Working with the Rietta team has been an amazing experience with comradery and mentorship. This article briefly explores my experiences at Rietta to help equip new developers with a plan to synergize and grow with a new team.

Harvest vs. Productive.io

Comments

Choosing a time tracking and invoicing solution can be tricky. There are a lot of different options and the best solution for your company might differ from other companies. This article compares and contrasts Harvest and Productive as of .

Stop Thinking About GA SB 315 in Terms of “Digital Homes”

Comments

Throughout the public debate over Georgia SB 315, a bad analogy has been repeated by others that a public business or institution’s website server is like an online home. And, because nobody lets strangers just walk into their own home, Georgia should set the expectation that no one, criminal or ethical, should be allowed to come into an organization’s digital “home” without permission. But this analogy does not match reality!

Governor Deal, Veto SB 315 Because White Hat Security Researchers Should Be Thanked Not Jailed!

Comments

Friday, April 13, 2018

Governor Nathan Deal
Office of the Governor
206 Washington Street
111 State Capitol
Atlanta, Georgia 30334

Dear Governor Deal:

I am writing you today on behalf of my Georgia-based security firm, asking that you veto SB 315. I am a long term Georgia resident, raised in the Atlanta area, and earned a B.S. in Computer Science and an M.S. in Information Security at Georgia Tech. My wife Danielle is a Mercer University alumna, and we are both conservative Christians who voted for you. My interests in computer security started early after I founded AtlantaWebHost.com eighteen years ago and started to see first hand how websites and servers were under continuous attack by malicious hackers. This first hand experience was the catalyst for pursuing a career dedicated to protecting websites and web applications from attackers.

Panera Bread Story Is an Example of Why Governor Deal Should Veto SB 315

Comments

An independent security researcher just uncovered Panera Bread’s negligent exposure of millions of customer records. He notified Panera in a responsible manner and even after 8 months had not fixed the flaw. The underlying problem was specifically serving private data on a public endpoint without strict authentication and access control. This is so basic that beginner API developers should know to avoid it. Moreover, it’s among the OWASP Top 10 (owasp.org), well known ways that databases become compromised through insecure web applications.

Georgia SB 315, Set to Criminalize Most Independent Security Threat Research, Heads to Georgia Governor Nathan Deal for Signature or Veto

Comments

This article has been updated since originally published to reflect the current status of SB 315, which is now heading to the Governor’s desk.)

The Georgia House of Representatives voted 107 to 63 to approve GA SB 315 (LC 29 8107S) (PDF / legis.ga.gov) on Tuesday, March 27, 2018, on the Senate voted 42 to 7 to accept the House changes in the last hours of the session on Thursday, March 29, 2018. This bill has been specifically crafted to make critical security threat research a crime now heads to Governor Deal’s desk for his signature or veto.

GA SB 315 protects the 94% of the Forbes 2000 public companies that have no way to report a security hole at the expense of the public. They do not need this protection. We need a way to hold them accountable so that they fix their vulnerabilities.

This chilling fact was part of recent US Senate testimony by Katie Moussouris, the security professional responsible for launching Microsoft’s and the US Department of Defense’s first bug bounty programs.

That means only 120 of these companies have a formal program to receive information about and actively fix security flaws that impact the public. The other 1880 will just as soon press criminal charges or civilly sue anyone who dares attempt to bring a security hole to their attention. Many of these companies would rather put their heads in the sand and pretend that they have no issues than to actually fix fundamental security problems with their IT systems. This is why we hear so much about cybersecurity insurance and companies and governments paying ransom to unlock their data rather than actually deploying comprehensive security controls in the first place.

Please contact Governor Nathan Deal and ask that he VETO SB 315! Tell him that our Internet security is too important to jeopardize with an overly broad bill that can be used to put innocent Georgians in jail and destroy the careers of law abiding citizens while doing nothing to hold the companies who put our data at risk accountable.

Georgia SB 315 Anti-hacking Law Dangerously Misses the Mark of Protecting People, Making Us All Less Safe

Comments

GA SB 315 (LC 29 8107S) (PDF / legis.ga.gov) just passed the House Judiciary Non-Civil Committee and will be voted on this week. While significantly improved through the committee process, it still creates a dangerously broad definition of Criminal Unauthorized Computer Access that is so sweeping, people will need permission before visiting any website.

This bill was drafted because Georgia law enforcement and the U.S. FBI could not find any law broken by a professional security researcher. This researcher tried to alert Georgia election officials of voter data inappropriately published publicly on the Internet by Kennesaw State University, a contractor for the Georgia Secretary of State’s Office. What he discovered through ordinary Google searching was that voters’ names, addresses, and other private information was indexed by Google and accessible by anyone. After months, he and another researcher discovered that the data was still available on the public Internet and brought it to the attention of the media. Only under the daylight of public attention was the data removed from the Internet in an embarrassing scandal.