Rietta: Web Apps Where Security Matters
You are reading The Rietta Blog, a publication about the web since 2005.

Two New Videos! How a Ruby on Rails Developer Can Help Prevent a Data Breach


Two new videos of the data breach talk and class that I lead in August and December are now up on YouTube! I hope that it helps you level up on your security knowledge because good software security needs to be a moral stance.

Next public talk

I am scheduled to give a presentation to this topic for the Nash.rb Users’ Group on Thursday, February 5, 2015 at the Emma office in Nashville, TN. If you are in town and can make it out, I would love to meet you.

December, 2014, at Tech Talent South

Data Breaches and Ruby developers, with live exploits via Chrome – Classroom https://www.youtube.com/watch?v=OYg46fnX7so

TechTalentSouth tweet about the Data Breaches class on December 4, 2014

August, 2014, at the Atlanta Ruby Users’ Group meetup

How a Ruby/Rails developer can help prevent a Data Breach https://www.youtube.com/watch?v=w-4U3Eyb6xg

Key Takeaways

  • Security is hard, but morally obligatory
  • It is important to have a defense in depth strategy that starts within the development process
  • Real applications can be exploited even if security tools say there is nothing wrong to report
  • Entrepreneurs and business people tend to think they can choose the level of security appropriate for their system, but there are legal and moral obligations when other peoples’ data is at risk, see Commercial Information Security Classification System.
  • Whenever someone asks you “is XYZ secure?,” consider three questions:
    • Secure against what? A question about your threat model.
    • What is the worst thing that can happen? What is the cost of a failure of security?
    • Compared to what? Is your in-house, PHP solution, more secure? Really?
  • Security faces the weakest link problem. That is, the security of the entire system is only as secure as the weakest of its countermeasures.
  • Password reset mechanisms are a notorious weak link, consider the Mat Honan incident.
  • As a developer, stay up-to-date with the OWASP Top 10 and do not ignore them.

About Frank Rietta

Frank Rietta's photo

Frank Rietta is specialized in working with startups, new Internet businesses, and in developing with the Ruby on Rails platform to build scalable businesses. He is a computer scientist with a Masters in Information Security from the College of Computing at the Georgia Institute of Technology. He teaches about security topics and is a contributor to the security chapter of the 7th edition of the "Fundamentals of Database Systems" textbook published by Addison-Wesley.