The Rietta Blog on Rietta Cybersecurity

Protect Production SQL Databases from AI/LLM Agentic SQL Query Risks

Wed, 04 Feb 2026 08:00:00 +0000

Overview Many are concerned with how to protect production databases from AI query agents, a subset of AI coding agents, designed to assist in writing SQL queries against a database using natural-language prompts. It is helpful to think about this new capability as a pseudo-deterministic compiler that takes a prompt, reads the schema of the database, and produces dynamic queries that are executed against the production database with minimal human intervention.

Beware the Sunset Trap: Why Your Legacy Software is a Ticking Time Bomb (and AI is Lighting the Fuse)

Mon, 26 Jan 2026 10:00:00 +0000

Imagine you have a successful ongoing business or administer a public agency. Your day is spent carrying out your mission critical work. You care for people. Your computer systems are mature and have been running for a decade or more. Your original developers have long since moved on and your updates are sporadic and driven by security scanner reports that focus on CVEs and deprecated OS versions. Organizations often treat this software as a capital expenditure with up front development rather than an ongoing maintenance expense.

Use AI to Describe Images as a Background Job in Ruby on Rails

Fri, 23 Jan 2026 06:00:00 +0000

Recently I wrote about how I run a Local AI Setup with Ollama and Nvidia GPU on Ubuntu Linux, but today I want to touch a bit more about how one can fit Artificial Intelligence (AI) into your Ruby on Rails application. At the risk of oversimplication, let’s start with an example: you allow users to upload an image to your Ruby on Rails application and provide a place for them to enter alternative text (the ALT HTML attribute) for each image that describes the content.

Local AI Setup with Ollama and Nvidia GPU on Ubuntu Linux

Wed, 17 Dec 2025 08:00:00 +0000

Over the last few years, the usefulness of Large Language Models as a type of Artificial Intelligence is impossible to miss. As a computer scientist, I’ve seen many tech hype waves over my career and tend to maintain a naturally skeptical view. I’m well convinced that LLM technology has its uses, has improved greatly, and also has a great many shortcomings. Among the biggest structural short comings are security and privacy concerns, including legally mandated ones such as the reporting that a Court orders OpenAI to preserve all ChatGPT logs, including deleted, temporary chats and API requests.

Securing the Unconnected: Air Gap Windows Application Code Review and Developer Training Success

Mon, 05 May 2025 08:00:00 -0500

Client Background Our partner, New Oceans Enterprises, is led by Donna Gallaher, an experienced cybersecurity leader with extensive executive experience. New Oceans Enterprises was engaged by a client in a regulated industry to act as their vCISO. The task was to develop a comprehensive security program to comply with their customer security requirements and regulatory demands. This client was mandated to undergo a thorough security audit for contract compliance. One stumbling block was that the architecture of their solution was not aligned with the assumptions made by the mandate.

Julia Parsons, USN, Enigma Code Breaker Dead at 104

Fri, 02 May 2025 08:00:00 +0000

The New York Times has published the obituary of Julia Parsons, US Navy, who passed away at 104 years old. She operated the Bombe to break Enigma codes during World War II. The obit includes a photo of her in uniform in 1942. This is an important chapter in computer science history, a tribute to the women who stepped up and performed remarkable work, and those who did this work will be completely gone in just a few years time.

Shorter SSL/TLS Lifetimes: Business Impact of Monthly Certificate Renewals

Tue, 22 Apr 2025 08:00:00 +0000

The CA/Browser forum has reportedly approved a measure to reduce the allowed time for certificate validity from 398 to 47 days by March 15, 2029. This change will require users to renew certificates on a nearly monthly basis. This is a manual process that will now have to be done up to 10 times per year, instead of just once. This change will not be evident to most Internet users and businesses.

The Imminent Funding Lapse of the CVE Database: A Cybersecurity Crisis

Wed, 16 Apr 2025 12:00:00 +0000

News started breaking yesterday of an imminent funding lapse for the United States government-funded Common Vulnerabilities and Exposures database maintained for the last 25 years under contract with MITRE Corporation. The reporting yesterday included Funding Expires for Key Cyber Vulnerability Database (krebsonsecurity.com) and this lapse has been confirmed by multiple sources CVE program faces swift end after DHS fails to renew contract, leaving security flaw tracking in limbo (csoonline.com) and CVE Program Funding Expires—What It Means And What To Do Next (forbes.

Google Search Results are Increasingly Disappointing as AI Results Are Pushed

Thu, 10 Apr 2025 08:00:00 +0000

My professional career and this website (first published in 1999) have grown up through the entire Google adventure. From the upstart clean search page that offered no distractions and good results, compared to the Excite@Home and AltaVista pages of the day, to the modern day corporate silicon valley behemoth. I well remember when my RoboGen shareware hit page rank 9! And inbound results have allowed this company to grow to where it is and have fed my family and paid many others who have worked here for a time.

Understanding Signal Messaging App Security: Is Encryption Enough?

Fri, 04 Apr 2025 08:00:00 +0000

In the last few weeks, it has been widely reported that members of the United States’ National Security Team engaged in certain discussions that reportedly may have contained classified information and included a third party member of the press in the group. This has been publicly disputed by government officials. I have avoided engaging in online discussion on this topic until the full details come out. Also as a cybersecurity professional I did not have anything particular to add to the narrative in real time.

Writing Rock, Paper, Scissors in Plain JavaScript to Expose my Daughter to Development

Sat, 15 Mar 2025 08:00:00 +0000

I recently endeavored on an educational software development experiment with my then 4 year old daughter Evelyn. I started this effort with a few goals in mind: Write a simple game that ran fully in the web browser using JavaScript without any frameworks or dependencies Teach my young daughter Evelyn a bit about software development and empower her with the ability to provide creative input for a real program! Make the game so simple it could be played in a blog post In my company's daily work we run into quite a bit of hard to maintain JavaScript with lots of dependencies.

Case Study: Complex Legacy Google Datastore Conversion to PostgreSQL on AWS

Wed, 24 Jul 2024 08:00:00 -0500

Client Background Our client is a State government agency operating a variety of custom web applications used by staff and elected officials for critical business functions. These applications, developed over the years by various contractors, serve as vital tools for the agency’s operations. Client’s Tech Stack The client’s web application was initially built on Google Cloud technologies, including the Google Datastore NoSQL database, by a previous contractor around 2012. The choice of Google Datastore was likely due to its popularity at the time.

A Journey From QBasic Random Access Files to PostgreSQL

Tue, 11 Jun 2024 08:00:00 +0000

As a practicing developer, I have a good bit of experience working with software that needed to store data. In this article I am going to recount a brief history of the world of databases, the long version would take a book, as I personally experienced working on code for the last 28 years. This should be informative to readers who want to understand more about just how powerful modern database systems are in comparison.

The UniSuper/Google Lesson: Cloud is Not a Backup!

Mon, 03 Jun 2024 06:00:00 +0000

It has been reported that Google Cloud irrecoverably deleted the account of UniSuper, a $135 billion Australian pension fund. This happened when its account was wiped out due to a technical error on Google’s part. At the time, UniSuper indicated it had lost everything it had stored with Google, even its backups, and that caused two weeks of downtime for its 647,000 members. They were able to recover because their multi cloud strategy included data backup off the Google Cloud to another service [1, 2].

UUID as a secure API token for API RESTful endpoints? (Video)

Tue, 14 May 2024 22:36:00 -0500

In this video excert, I discussed the the role of the UUID as an API token and how to improve the security of an application when using them. Specifically, the RFC 4122, Section 6 Security Considerations, cautions developers to “not assume that UUIDs are hard to guess; they should not be used as security capabilities (identifiers whose mere possession grants access), for example. A predictable random number source will exacerbate the situation.

Restoring Old Software for Child Learning Safety

Wed, 08 May 2024 10:00:00 -0500

We live in a day where web applications and apps have become the mainstream. These bring many conveniences, such as inter-connectivity with multiple devices, and backups of personal data. It also brings many issues like risk of data theft, loss of software access when the publisher ceases operations, and the risks of cyber-bullying for school-aged children. There are more issues to consider, but these will suffice to set the scene.

An Honest Conversation About Cyber Security (Video)

Tue, 28 Nov 2023 10:00:00 -0500

I recently sat down with Jeremy Duvall of 7Factor Software to discuss Cyber Security and application developers. We talk about the ins and outs of modern cyber security practices, weaknesses, how the development environment has changed and stayed the same over twenty years, and what small companies can do to impact improve security!

Prioritizing cybersecurity (Pluralsight)

Wed, 27 Sep 2023 10:00:00 -0500

Vikas Rewani and I collaborated on an article about Prioritizing Cybersecurity for the Pluralsight blog last year. I want to highlight here one of the topics that was discussed in the article, the importance of breaking down silos: The structure and siloing of a large enterprise organization can thwart security efforts. For instance, security often lives under the IT umbrella, while software development is part of R&D. Further, organizations may utilize a combination of technical resources—in-house, outsourced, onshore and offshore—all reporting to different people, who have varying business goals.

How to win the race with hackers when new vulnerabilities are publicly disclosed!

Tue, 04 Apr 2023 10:00:00 -0500

My article written for security executives explaining the critical role of automated testing for long term application security is published! Those who have known and work with me know this topic has been close to my heart for while now. Most organizations are not mature enough to be able to patch within hours. However, we can do a lot better as a industry on proactive security in web app software.

Case Study: Migration of Public Service On-Prem to AWS Cloud

Tue, 04 Oct 2022 08:00:00 -0500

Client Background Client is a State government agency. They operate a variety of custom web applications that are used by staff and elected officials for critical business functions. These applications have been developed over the years by various contractors. Client’s Tech Stack Prior to the engagement with Rietta, client already had a full-stack Ruby on Rails web application that was built by a previous contractor. The application was deployed to an on-prem virtualized Linux server using Capistrano over SSH.

Case Study: Complex Insurance Document Solution with LibreOffice, Docker, and AWS

Mon, 26 Sep 2022 11:00:00 -0500

Client Background Client is an SaaS provider for the insurance industry. They have a small team of full time developers and contractors working to build and maintain a solution for their insurance industry customers. The application has a need to fill in details in Microsoft Word and Microsoft Excel spreadsheet templates that can then be downloaded by users as both editable files and rendered as printable PDF documents. Client’s Tech Stack Prior to the engagement with Rietta, client already had a SaaS solution built in the Ruby on Rails web application framework.

Top 5 Tips and Tricks on Developing with Docker

Wed, 21 Sep 2022 11:00:00 -0500

We are going into the third year of fully Dockerized development for our web application work. This is especially beneficial as a team who maintains many web apps developed over a decade ago in different languages by other developers who have long since left our clients’ companies. We have Ruby on Rails, Python, NodeJS, and many different versions of third party native dependencies. Getting up to speed on all these at once was always painful.

You Can be the Victim of a Cybersecurity Attack: Do Your Part. #BeCyberSmart.

Fri, 01 Oct 2021 11:00:00 -0500

This week is the “Be Cyber Smart” week of Cybersecurity Awareness Month. The first thing you need to realize is that you can be a victim of a cyber security attack. It’s human nature to assume that an incident cannot happen to you, that you are not a big enough target, that the bad guys are going to go after someone else. When you run Internet connected software this thinking is the path to disaster.

The Ripples From SolarWinds

Tue, 31 Aug 2021 08:00:00 -0500

In the final month of one of the most unprecedented years on record, a breach was discovered in the Solar Winds supply chain that rocked the cybersecurity community deeply. The potential access points were in multiple companies and government agencies, most disturbingly the Department of Energy, which handles nuclear power plants. To be clear, there has been no announcement that the breach in any way affected the power grid or the power plants of any sort.

Dockerizing Development Saves Serious Money for Small Agency

Wed, 21 Jul 2021 07:00:00 -0500

We’ve written much about Docker on this website in the last year, but today I wanted to share with you from an agency owner’s perspective. Last year, we made the decision to invest heavily in Dockerizing the web applications that we maintain. We decided to implement Docker not just for ease of deployment but, more importantly, to improve our development team’s efficiency at code base swapping. We made a substantial cash investment in research and development to make this happen and are starting to see the investment pay dividends.

Paying Ransomware is Harmful: Invest in proactive defense instead.

Wed, 07 Jul 2021 11:00:00 -0400

The headline of the day is Ransomware Hackers Demand $70 Million In Bitcoin, Claim Massive U.S. Attack As Biden Investigates Possible Russian Involvement (forbes.com). This is only the latest in a string of increasing attacks both in number of victims and the size of ransom demands. It shows the weakness in the software and services supply chain used for IT management and more. The lessons will come to light as more details emerge.

Top 5 Cyber Security Self-Defense Tips for Businesses with Custom Applications

Wed, 30 Jun 2021 12:00:00 -0500

Working in cybersecurity tends to create a “worst-case-scenario” mindset. Which means I’m really fun at parties. After people find out what I do for a living, a typical reaction would be to discuss some recent security breach in the news followed by a question about how (or why) does this keep happening. This question is often followed by a question of how to respond to ransomware, but that is a topic for another blog post.

Why Rietta Appreciates Diversity

Thu, 10 Jun 2021 18:30:00 -0500

As a company, Rietta likes ideas, products, services, procedures and practices that have been shown to be effective at making us better at security, stronger developers, and more efficient at delivering quality services. We like industry best-practices. We have an appreciation of evidence-based peer-reviewed studies, and like many organizations, we allow quality studies and information inform our policies and procedures. This helps us to serve our clients’ needs with excellence, and to help us to continually improve and evolve.

Cross-site Scripting Injection Attacks Using SVG Images

Tue, 25 May 2021 11:00:00 -0500

Cross-site scripting attacks, like all injection attacks, are a perennial favorite of attackers worldwide. These attacks focus on injecting malicious JavaScript that targets users of the website instead of the server itself. The most common way of performing a cross-site scripting attack is to leverage a user input field that is seen by others, such as a comment on a video that does not properly sanitize input. The simplest way to create a cross-site scripting payload is to embed hostile JavaScript between two script tags.

Lava lamps providing randomness for security!

Tue, 11 May 2021 10:00:00 -0500

Clients and new co-workers often ask me about my lava lamp that I keep in my home office in view of the web cam. Besides being cool, I do this intentionally to celebrate the lava lamp’s role in keeping the Internet secure! According to Wikipedia, “Lavarand was a hardware random number generator designed by Silicon Graphics that worked by taking pictures of the patterns made by the floating material in lava lamps, extracting random data from the pictures, and using the result to seed a pseudorandom number generator” (Lavarand).

Testing: Your Future Self Will Thank You

Tue, 27 Apr 2021 11:00:00 -0500

Testing isn’t always a glamorous endeavor. It’s akin to confirming someone else’s scientific results: needed, and not noteworthy. But I would argue that in fact, testing can be as important as the code we write. Testing serves as a great way to get a good view of the overall health of your application. It is not the magic solution to any issue, but is instead a tool used to find and fix weak code.

Streamlining Workflows With Docker

Tue, 09 Feb 2021 11:00:00 -0500

Every week, our team puts most of our hours towards helping our long term, stable client applications stay up to date. From dependency upgrades to changes in the code base, we make sure these older rails apps are kept secure and functioning. Some of our clients choose to hire us because the amount of time spent securely maintaining their app does not justify the cost of hiring a full-time developer, while others are looking for a trustworthy assistance after losing a key developer.

Practical APPSEC starts with people first, processes second, and technology last

Thu, 04 Feb 2021 11:00:00 -0500

Application Security (APPSEC) is the subset of Information Security that is focused on hardening software to protect humans, be it customers, partners, and the public at large. The software itself must be designed to be more secure because security cannot effectively be bolted on at the end of the development process. It’s an old time idea, but security is about people, processes, and technology in that order. Let’s look at how a web application goes astray by people’s knowledge, incentives, and the working of the development process.

Brad Cox has died

Thu, 28 Jan 2021 10:50:00 -0500

Dr. Brad J. Cox Ph.D., influential computer scientist has died. Among his many accomplishments was the co-invention of the Objective C programming language with Tom Love. This was one of the early object oriented programming languages. Objective-C was a groundbreaking mainstream object oriented programming language that was influenced by Smalltalk. His work paved the way for concepts and languages that have become mainstream, including in programming languages Ruby, Java, and Swift.

Disable Low Quality Webcam Microphone in Ubuntu Linux 20.04

Thu, 14 Jan 2021 11:00:00 -0500

As a developer and consultant, I attend a lot of Google Meet, Zoom, Microsoft Teams, and other video conference meetings. To this end, I have a really high quality professional Sennheiser e835 microphone and outboard preamp. I actually run this preamp directly into the line in audio port on my desktop’s sound card. The sound quality is top notch and exactly what I want for my video calls. But for some unknown reason my computer will randomly decide that it should switch to the low quality, undesirable sound from the Logitech Webcam.

How to Set Up and Encrypt an External SSD and Run Docker Images Externally

Tue, 12 Jan 2021 11:00:00 -0500

Docker is a powerful tool for developing, shipping, and running applications. It allows us to encapsulate our applications into containers, which then gives us the ability to run entire applications without the hassle of setting up our local machines with custom libraries and dependencies for each application. We use Docker ‘images’ to define the code, config files, environment variables, libraries, and run time that will execute in each container. This gives us the confidence that all of our development environments (as well as production, staging, etc.

Leading a Distributed Team with Productive

Sat, 09 Jan 2021 11:00:00 -0500

As a distributed agency, we’ve had to innovate ways to make sure everyone is working on the highest priority tasks, and budgeted each client’s priorities separately across more applications than we have people. This is not easy to do with traditional time tracking/invoicing and Agile project board tooling. The best tool we’ve found so far is productive.io. We’ve been using them for three years and watched first hand as the platform has matured.

Financial Plan for a New Computer Under Warranty

Thu, 31 Dec 2020 11:30:00 -0500

In my recent article on why software defined RAID 1 on a PC workstation that I built myself, I explained why recovery time is so critical when the computer that you program on for a living goes down. Let’s take this a step further and talk about how I have financially planned to always have a working computer on hand. I will not only show you how to calculate how much it costs each month to constantly have a high performance computer at the ready, but also when things go well how you can have a fund for guilt free technology purchases.

Development time is money, therefore I RAID

Thu, 24 Dec 2020 11:00:00 -0500

In the line of work I am in, development time is money! This week marks the third year after I retired my Apple MacBook Pro as my primary system for a workstation that I built from parts from MicroCenter, a retailer that focuses on serving the gaming community. I also use a RAID 1 mirrored disk as well as backups for my data. You may ask how it is that in 2020 I am doing my work on a PC tower when those went out of style for all but supercomputing and gaming around 1999?

Learning Object-Oriented Programming in Ruby vs C/C++

Tue, 15 Dec 2020 10:00:00 -0500

As a newcomer to Ruby, the ease of using the language was a welcomed surprise. In the comp sci program at UC Davis, many of the core lower division courses, including those that introduce students to object-oriented programming (OOP), are taught in C/C++. Simultaneously learning the fundamentals for memory management and OOP, along with the unique C/C++ syntax, can quickly become a headache for those of us just starting out in computer science.

Remote Team Culture - Code Review and Style Guides

Sat, 12 Dec 2020 02:30:00 -0600

Code Review at Rietta When joining a new team, a developer can be nervous when making their first pull request or contribution to a codebase. The thought of your team going through your code and ripping it to shreds is both reasonable and scary. So how does a team eliminate this fear and instead, encourage newer developers to greet code reviews as a opportunity to not only improve their code, but to encourage a healthier environment to actually collaborate?

The convergence of Ruby on Rails and #AppSec Podcast Appearance

Wed, 07 Oct 2020 08:00:00 -0500

I recently appeared as a guest on the Application Security Podcast with Chris Romeo to talk about the convergence of Ruby on Rails and #AppSec. The discussion covered a range of topics including secure coding with Ruby on Rails, RoR vs other languages and culture, the importance of CI/CD, and more. Check it out!

Rietta Makes it Betta Thank You Art!

Mon, 13 Jul 2020 08:00:00 -0500

Joe Winter and C4 Atlanta commissioned Artist Gina Kirlew to paint this beautiful computer on canvas as a thank you for our volunteer consulting service for C4 Atlanta, a non-profit organization. I’m very grateful for all of Rietta’s clients. But must I must say that this is one of the most unique thank you notes that I’ve ever received and is something that will be cherished for many years to come.

Swap Files and AWS - Extending Your EC2 Free Tier Instance Memory

Thu, 04 Jun 2020 06:00:00 -0600

Amazon Web Services, or AWS, is the biggest provider of cloud computing services in the world. Even services like Heroku are a wrapper for AWS instances that applications sent to Heroku are deployed on. For developers first starting out with AWS, or for experimental applications that are intended for proof of concept or tech demos, the most cost-efficent way to deploy an application on AWS is to use the free tier of services.

Implementing Proper Application Maintenance Practices

Mon, 04 May 2020 11:00:00 -0500

In the software landscape, creating a high quality application for your business is only the beginning of the journey. As technology changes and improves, the functionality of your application will often become obsolete and vulnerable to security threats. This is why consistent and proper maintenance is essential. Managing dependencies, ensuring uptime, patching security vulnerabilities, and fixing business critical bugs are all key elements of a well implemented application maintenance schedule.

When Georgia was on the Brink of Outlawing Critical Computer Security Research, the Governor's Office Met with Me, and Vetoed it!

Sat, 25 Apr 2020 17:00:00 -0500

Two years ago today, on April 25, 2018, I shared on Facebook that at my request, the [Georgia] Governor’s office met with me and 8 others from the information security industry that included security professionals, executives, board members and a venture capitalist. We were joined by an elected Republican and Democrat member of the General Assembly. They didn’t have to take the meeting and I was very grateful for the opportunity to speak through the issues with SB 315 with them.

Dependency Security and Hacking Rails with Jason Swett (Podcast)

Tue, 21 Apr 2020 10:00:00 -0500

I recently appeared in Episode 41 of The Rails with Jason Podcast for a wide-ranging discussion about Ruby on Rails security, the security value of keeping gems updated, the security risk of infrequent deployment, state-sponsored hacking, and practical tips on how to protect your organization. Give it a listen to better understand some common ways that production projects go south in their security practices and why solid test coverage, regular reviews of your dependencies, and frequent deploys help make you much more secure.

Snowfroc 2020 - Application Security and Development

Wed, 01 Apr 2020 06:00:00 -0600

I recently attended the Snowfroc conference that took place in Denver early this month. There were a number of talks about creating secure software in the context of a security team working with a development team from the outside, including one by our founder, Frank Rietta. I’ll be doing my best to condense the ideas from many of these talks into a single source. My sources are the following talks: Patch Production Now by Frank Rietta, Why Appsec is Hard for Devs by Scott Gerlach, and Climbing AppSec Mountains by Adam Schaal.

Dependency Management and Security

Thu, 06 Feb 2020 10:00:00 -0500

Security in web development touches all avenues of the field from requests, session hijacking, SQL injections and many more mentioned on the Open Web Application Security Project (OWASP). Many buffers now exist between developers and situations where malicious users can capitalize on dependency management oversights. Hackers are resourceful in their exploits of known (and sometimes unknown) vulnerabilities. As one of our developers Rob mentions on his blog post, “A Newer Dev’s Perspective on Learning OWASP”,

A Newer Dev's Perspective on Learning OWASP

Tue, 21 Jan 2020 11:00:00 -0500

After developing a firm understanding of OOP, TDD, and Rails, I found myself conflicted about all the directions I could go with my learning. I’ve always understood security was important, but didn’t venture very far beyond general best practices. As a developer, especially one who works with databases and servers, this is a naive and potentially dangerous perspective. The commercial (and sometimes hobby) code we write often affects real human lives and livelihoods, so considering potential exploitation of our work is essential.

AppSec as a Requirement in the Development Process

Mon, 13 Jan 2020 09:30:00 -0500

We’re now well underway for the year 2020. People from time-to-time will make predictions about what is to come and when we look back, one has to laugh at how wrong they were. If you had asked me in 2005 if I thought we would be dealing with SQL injection 15 years later in 2020, I would have told you no, it will surely be solved by then. At the time I was still a student at Georgia Tech and wrote on this blog about SQL injection and presented a paper on application layer detection at the ACM South Eastern Conference.

Xfinity is Man-in-the-Middle (MITM) Attacking my Internet

Tue, 29 Oct 2019 00:00:00 +0000

I recently moved to Fort Collins, CO. With this move also meant new internet… Unfortunately, Xfinity (Comcast) is the only ISP available in the area until early next year, so I purchased service through Xfinity. I had heard horror stories from co-workers about Comcast, but after working at a company that makes billing and networking software and hardware for Wireless Internet Service Providers, I was skeptical; everyone seems to hate their ISP.

Patch Production Faster with Security-oriented Agile Development Practices

Mon, 28 Oct 2019 11:00:00 -0400

Overview All computer security depends on software application security. Some believe that Agile-inspired development methodologies should not be used to implement a Secure Software Development Lifecycle (SSDLC). There are many reasons for this, including experience with poor Agile method implementations which resulted in: software teams who ship very insecure code, teams composed of members with limited security knowledge writing only happy path user stories and tests, and a preference for a top-down approach to security requirements.

MySQL Decimal Data Type

Thu, 24 Oct 2019 08:00:00 -0400

In MySQL, the DECIMAL and NUMERIC data types store exact, fixed-point values. In MySQL, NUMERIC is implemented as a DECIMAL, so a NUMERIC and DECIMAL are the same data type. This data type is used when it is important to preserve the exact precision, such as storing money data. Declaration In a DECIMAL column declaration, the precision and scale can be specified. DECIMAL(13,2) This declaration declares a precision of 13 and a scale of 2.

What is Web Accessibility?

Tue, 22 Oct 2019 13:00:00 -0400

You may have heard on the news that the Supreme Court has recently denied Dominos Pizza’s petition to be appealed by the Court of Appeals on October 7, 2019. This opens the door to the plaintiff, Guillermo Robles to sue Domino’s for not meeting the necessary accessability requirements to provide service to those with functional disabilities. In this case, Mr. Robles has vision impairment which would require the assistance of a screen reader application to operate the Domino’s Pizza website.

Acknowledge Open-Source Contributors with Git Authorship

Mon, 07 Oct 2019 10:00:00 -0600

Even though Git has been around since 2005 and has definitely taken over as the primary VCS, some developers do not utilize git to the fullest of its ability. Some developers even intentionally execute commands to remove functionality, such as replacing commit authors with their own. Additionally, it’s shocking that some of these mishaps occur in popular repositories, such as vim, but often maintainers express no intention of changing. In modern times, Github has fortunately made the process of keeping git authors intact trivial.

The Clean-up Refactor Deleting ".arel_tables"

Wed, 02 Oct 2019 11:00:00 -0400

Sometimes, when composing queries that utilize arel, the queries can start to include a multitude of columns across a couple of tables. This can lead to longer lines due to the repetitive use of .arel_tables[] Product .joins(:sales) .where(Sale.arel_table[:ends_on].gt(Time.current).or(Sale.arel_table[:ends_on].eq(nil))) .order(Sale.arel_table[:discount_percent]) We can create something that is a little more elegant and makes .arel_table[] feel as if it were a part of the ActiveRecord interface a little more directly. This can be done by creating a class method, #[], on our ApplicationRecord class like so:

Why do Rietta Developers Git Fork?

Wed, 25 Sep 2019 13:00:00 -0400

Why Fork a repository? Forking a open source project is the standard way for collaborators such as ourselves to fix bugs, experiment, and add features to existing open source projects without affecting the main repository. We can use the Fork feature on Github to create a repo on Github in which is a clone of the original repo we forked. Github has a great article https://help.github.com/en/articles/fork-a-repo that explains how we can fork off from a repository on Github.

Ruby Gems Supply Chain Vulnerability

Fri, 06 Sep 2019 11:00:00 -0400

Every Ruby on Rails application depends on Ruby Gems, the third party open source libraries that make development possible. A brand new Ruby on Rails 6 application, with default options, depends upon 75 Gems before the developer makes any customizations to the app! These Gems are produced by volunteer open source maintainers, many of whom are not paid anything to work on open source, and distributed for free via rubygems.org. This is a fantastic resource that makes it possible to create so many good Ruby-based applications with minimum effort re-inventing the wheel. However, how is a developer to know the Gems he or she has in a project are in fact safe.

There have been malicious backdoors distributed in multiple Gems this year. These supply chain attacks have been detected and remediated by the RubyGems community, but it will happen again. Let’s look at the patterns common among the malicious Gems and the how you can go about protecting your own application.

The Case for 2FA, Post Rest-client Gem CVE

Thu, 22 Aug 2019 10:00:00 -0400

Most CVEs occur as a result of a oversight in the architecture or mishandling of how libraries may interact with your application. In some cases like what had occurred with the Rest-client gem version 1.6.13, a package maintainer account on https://rubygems.org was hijacked and used to push malicious code that would compromise sensitive credentials for payment manager accounts, database access, repository access, and others that can cause irreparable damages. The hijacker conducted a series of releases - 1.

What's the Difference Between the 3 Github Merge Methods?

Fri, 07 Jun 2019 13:00:00 -0400

Keeping a clean git history can save a lot of time when trying to track down commits related to a bug or issue that is disrupting dev efforts. GitHub provides three options when merging in commits, these three options being: Create a Merge Commit Squash and Merge Rebase and Merge Merging with a merge commit, squash merging, and “Rebase & Merge” should be pretty familiar as these are commands that are already commonly used when working on dev branches to keep commits on PRs tidy.

Best Data Type to store Money in MySQL?

Tue, 04 Jun 2019 13:30:00 -0400

The Short Answer (TL;DR)

If GAAP Compliance is required or you need 4 decimal places:

DECIMAL(13, 4)

Which supports a max value of:

$999,999,999.9999

Otherwise, if 2 decimal places is enough:

DECIMAL(13,2)

Which supports a max value of:

$99,999,999,999.99

Account Protection Policies to Cover Business Assets

Thu, 30 May 2019 10:15:00 -0400

The compromise of a staff user account credentials is a critical step in the kill chain of many data breaches. This compromise may be accomplished in many ways, including a staff user falling victim to a:

credential stuffing attack when email and passwords in outside breaches are used to authenticate with work systems (because people reuse the same passwords frequently)
targeted spear-phishing campaign to intercept valid credentials via a spoofed login form
business e-mail compromise via a convincingly forged e-mail supposedly from a supervisor or the CEO

There are a few levels of staff credentials to address, those with access to:

legitimate business e-mail
the administrative portal/customer service via a web interface
development resources and testing environments
production resources like cloud providers and the domain name configuration

Traditional information security practice calls for the separation of duties between developers and those with production access. However, often only the most sophisticated, established organizations have the dedicated resources to do that. For everyone else, the developers usually have access to all these resources.

Writing Abuser Stories

Tue, 28 May 2019 10:35:00 -0500

Abuser stories have been around for a while, and while not a revolutionary idea, it is somewhat of an untapped one, an underappreciated one, one that I personally hadn’t been exposed to in my nearly 30 years working as a business analyst. That’s a huge problem, if you ask me.

Manually Editing Git Hunks: The Easy Way

Thu, 23 May 2019 12:10:00 -0400

If you’ve been following our Git related posts, you probably notice we use git add --p with many of the examples used. This a great way for developers to split up code changes on one file to their own commit message. Not only will this make your pull requests cleaner, but will allow the code reviewer to get valuable context when diving into code changes on said file. Git add patch gives us many options: Stage this hunk [y,n,q,a,d,e,?

How to hide .gitignored Files from fzf.vim

Tue, 21 May 2019 10:30:00 -0400

Fuzzy finders find files that almost no developer would intentionally find via a fuzzy finder from paths such as node_modules/, deps/, and dist/. These tend to get in the way of the true power of fuzzy file searching and ignoring these individually can be a pain. There are also files like .circleci/config.yml, .gitignore, and .rubocop.yml that are opened often enough to be included in the result set.

Luckily when working in a git repository, developers typically only care about the files they commit. When using fzf.vim, this technique returns files based on the git tree leaving out irrelevant files, including the hidden files that were shown before.

Herding Cats: The Todo List

Wed, 15 May 2019 10:45:00 -0400

Managing many Clients with several projects where multiple team members are working them, across an Agency that has a different product offerings can be a challenge. Finding tools and processes to sort it out and ensure everything gets done, is on time, and on budget can be really hard, especially for a small Agency whose trying to keep costs down. The productivity tool market is flooded with options, and finding a good one is tough - but when you do, you want to share. Here’s a quick story on what we’re currently trying to tame the todo list. I hope you find it useful!

How To Use Slack To Maintain A Team Reading List

Tue, 14 May 2019 11:30:00 -0400

At Rietta, we understand the importance of continuing our education outside of the classroom. We use a reading channel in our company Slack to keep a pulse on industry and keep each other informed on the latest vulnerabilities. It’s been working great. Here’s how we do it. The reading channel has a few strict rules to ensure there is no clutter. Here is an excerpt from our internal company handbook (that we call the vault):

Restrict Who Can Push to Matching Branches on Github

Thu, 09 May 2019 11:00:00 -0500

An anonymous attacker has been compromising Git repositories and demanding ransom. This attacker stole the contents and used a force push to wipe the remote repository causing many to lose access to their critical source code assets. Use critical security tools available within the Git ecosystem to protect your company from this threat with:

Deploy Keys
Mandatory Two Factor Authentication
Protected Branches and Pull Requests
Backups of your Git Repositories

Fixup your Code Reviews with git rebase --autosquash

Tue, 07 May 2019 11:00:00 -0400

Here at Rietta, we like to do in-depth code reviews that are sometimes accompanied with feedback that may require changes to be made to the pull request. When making additional commits with changes based on the feedback, we can get into a messy workflow that can lead to complex branch wrangling. In this article, I will go over a few Git commands to help ease our post code-review revisions: git commit --fixup commit-SHA git rebase -i --autosquash source-branch Our team utilizes Github’s Squash and merge when merging into master, with semantic git commits that are specific to their respective code changes.

Why do teams use points to Estimate? - Interview with Lore Hamilton

Thu, 02 May 2019 11:20:00 -0400

Your browser does not support the audio element. Download MP3 Audio

During an interview with Lore Hamilton from Rietta, Lore and I get to the bottom of how Fibonacci Point Based Systems are used by teams to more accurate estimates and more accurately measure developer velocity.

Are you accidentally storing private data in plain text?

Mon, 29 Apr 2019 16:15:00 -0400

Debug logs that chronicle data about errors and other exceptions on a web application are a vital tool for any web company. It enables engineering teams to troubleshoot problems - sometimes even before a customer reports an issue to support - and thus provide excellent service to customers. But the danger of over-logging is real. When sensitive data is logged, it becomes vulnerable to misuse and abuse. In this article, I’ll show you how to prudently minimize the data collected in logs.

How to Get Fast, Accurate Code Reviews on your Pull Request

Thu, 25 Apr 2019 16:21:00 -0400

Teams sometimes experience issues with bugs in code or pull requests not being merged in a timely manner. Even after they establish a very clear policy on code review and reviews feel like a chore. At Rietta, we resolve code reviews quickly by making the reviews as painless as possible. We do so by making our pull requests small, single purpose, and informative. A good pull request should be clear in scope, describe what has changed, and explain why it exists.

How to Use git reset

Mon, 22 Apr 2019 16:00:00 -0400

The command git reset is a powerful tool that Rietta staff use on a daily basis. However powerful, git reset has 2 distinct features: Hard resets, in which will modify the working tree Soft resets, in which will modify the index Often you’ll hear that the reset command is basically the opposite of the add command. While this is true for the default reset, there are other options to reset the index without unstaging the files as well.

New Interview on Drifting Ruby

Thu, 18 Apr 2019 03:15:00 -0400

Recently, our very own Frank Rietta (yes that Rietta) had a chance to sit down (virtually of course) with Dave Kimura (@kobaltz on Twitter) of the Drifting Ruby screencast. For those who don’t know, Drifting Ruby is an educational site, blog, and screencast with all things Ruby. Drifting Ruby offers premium training with example-based content to up your dev game to the next level.

How to calculate age in MySQL

Mon, 15 Apr 2019 12:00:00 -0400

While PostgreSQL has a built in age() command, MySQL does not. Imagine we have a users table with a birthdate field and we need to figure out how old they are. We could accomplish this by subtracting the current date with the date the user was born on.

Applying Agile and Security in Software Development Public Appearance at KSU

Fri, 08 Feb 2019 13:49:59 -0500

Update 3/21/2019, the video of this presentation is now available on the Rietta Inc. YouTube Channel, Applying Agile and Security in Software Development. I am going to be speaking on Applying Agile and Security in Software Development at the IS General Speaker Series #3 at Kennesaw State University on Wednesday, February 27th, from 7:00pm-9:00pm at the Burruss Building Room BB109. There will also be a talk by Philip Andreae on Payment Card Security.

Storing currency in PostgreSQL

Mon, 28 Jan 2019 21:00:00 -0500

There are different ways we can store currency in PostgreSQL, this blog post will cover the money and numeric types.

Happy New Year 2019!

Tue, 01 Jan 2019 00:00:01 -0500

As I sit here at home with my wife Danielle celebrating the beginning of 2019, I am remembering how grateful I am for my customers and co-workers. In the last year, we’ve accomplished tremendous things. Launching new products, solving critical security issues before they were a problem, and so much more. I look forward to the new opportunities in 2019!

Prevent an Outdated and Broken bin/setup with This Simple Trick

Tue, 27 Nov 2018 18:00:00 -0500

Having a good bin/setup is very essential to having a quick onboarding time as well as getting your environment back up and going in case of emergency.

But how often do you run this bin/setup if it’s only ran when you setup your repo? Most developers setup their environment only every once in awhile. What happens when changes to the codebase happen and the bin/setup isn’t modified as well?

Writing a good bin/setup

Thu, 06 Sep 2018 13:00:00 -0400

Nothing is better than cloning a code repository, running the bin/setup, and everything about the project just works. It’s the developer equivalent of waking up before your alarm goes off and realizing you can sleep for another two hours.

A good bin/setup can mean the difference between a frustrating on-boarding process and a fantastic one.

When you have a completed bin/setup, you have an easy way to get new and existing developers up and running quickly, stress-free. It can also streamline continuous integration setup and maintenance. A good bin/setup gives you peace of mind when setting up a new machine and offloads the mental work of project setup to a verifiable tool.

Automatically Migrate from Factory Girl to Factory Bot

Tue, 21 Aug 2018 18:30:00 -0500

Gem updates are tedious. Gem name changes are even more tedious. This quick script converts Factory Girl references to Factory Bot references.

Deep Work and Remote Work

Tue, 07 Aug 2018 18:00:00 -0500

The ability to deeply concentrate and sink your teeth into a task is more valuable than ever, and yet, our attention has never been more scattered at work. Slack, email, and social media beg for our attention, and a lot of the time, it’s the path of least resistance to give in to the urge to check Reddit. There is a better way to work. The antidote to the scattering of our attention and lack of using our mind’s full potential is deep work.

Security Quick-Wins: Use DNS CAA records to avoid fraudulent certificates

Tue, 24 Jul 2018 11:30:00 -0500

It’s ordinarily possible for a CA to sign a certificate for your domain without properly validating it. We essentially have to trust them to take security seriously and to not make mistakes in their process.

Automate Scheduled Security Scans With CircleCI

Wed, 18 Jul 2018 14:00:00 -0600

Continuous integration is a now common way of having constant feedback for teams. Being able to verify new code on whether it is working is important, but what about CVEs? CVEs are reported and patched constantly by open source communities and unless your team is scouring the web for dependency vulnerabilities daily, it can quickly become difficult to keep up. Not only time consuming, but if they are not dealt with swiftly, they will pose as a risk to the well-being of your business and user base.

How to Ask Great Questions Online

Tue, 10 Jul 2018 10:00:00 -0500

The majority of software development includes asking a lot of questions. Administrating the Ruby On Rails Link Slack, I’ve seen some of the best and worst questions asked.

Good questions save time and effort for both the asker and answerer, follow these tips to become a superstar question asker and super power your development cycle with and without community assistance.

Migrate Away from SSL/Early TLS for PCI Compliance

Sat, 30 Jun 2018 19:00:00 -0500

Systems that handle payment information, particularly e-commerce systems, are regulated by PCI DSS. Changes to the PCI compliance requirements have reclassified the use of outdated and insecure versions of TLS (and its predecessor, SSL) as non-compliant. This has some significant impact across the software industry as the changes went into enforcement today, June 30, 2018. The key takeaways for us as web application developers are that we must ensure that our deployed systems are using modern and secure TLS configurations, and that we should now do so at the expense of supporting legacy web browsers that are non-compliant, namely old versions of Internet Explorer and Windows.

3 Developer Onboarding Tips From My Recent Experiences

Mon, 25 Jun 2018 10:00:00 -0500

Starting out in a new job can bring about feelings of excitement and eagerness. Those emotions can also be accompanied with doubts about being useful, anxiety, and imposter-syndrome. Having experienced everything listed above, I’ve learned some strategies to help overcome the negatives and be proactive.

Working with the Rietta team has been an amazing experience with comradery and mentorship. This article briefly explores my experiences at Rietta to help equip new developers with a plan to synergize and grow with a new team.

Harvest vs. Productive.io

Fri, 15 Jun 2018 22:00:00 -0500

Choosing a time tracking and invoicing solution can be tricky. There are a lot of different options and the best solution for your company might differ from other companies. This article compares and contrasts Harvest and Productive as of June 2018.

Stop Thinking about GA SB 315 in Terms of "Digital Homes"

Wed, 25 Apr 2018 21:55:46 -0400

Throughout the public debate over Georgia SB 315, a bad analogy has been repeated by others that a public business or institution’s website server is like an online home. And, because nobody lets strangers just walk into their own home, Georgia should set the expectation that no one, criminal or ethical, should be allowed to come into an organization’s digital “home” without permission. But this analogy does not match reality!

Governor Deal, veto SB 315 because white hat security researchers should be thanked not jailed!

Thu, 19 Apr 2018 07:00:00 -0400

Friday, April 13, 2018

Governor Nathan Deal
Office of the Governor
206 Washington Street
111 State Capitol
Atlanta, Georgia 30334

Dear Governor Deal:

I am writing you today on behalf of my Georgia-based security firm, asking that you veto SB 315. I am a long term Georgia resident, raised in the Atlanta area, and earned a B.S. in Computer Science and an M.S. in Information Security at Georgia Tech. My wife Danielle is a Mercer University alumna, and we are both conservative Christians who voted for you. My interests in computer security started early after I founded AtlantaWebHost.com eighteen years ago and started to see first hand how websites and servers were under continuous attack by malicious hackers. This first hand experience was the catalyst for pursuing a career dedicated to protecting websites and web applications from attackers.

Panera Bread Story Is An Example of Why Governor Deal Should Veto SB 315

Tue, 03 Apr 2018 10:10:08 -0400

An independent security researcher just uncovered Panera Bread’s negligent exposure of millions of customer records. He notified Panera in a responsible manner and even after 8 months had not fixed the flaw. The underlying problem was specifically serving private data on a public endpoint without strict authentication and access control. This is so basic that beginner API developers should know to avoid it. Moreover, it’s among the OWASP Top 10 (owasp.org), well known ways that databases become compromised through insecure web applications.

Georgia SB 315, set to criminalize most independent security threat research, heads to Georgia Governor Nathan Deal for signature or veto

Tue, 27 Mar 2018 13:55:53 -0400

This article has been updated since originally published to reflect the current status of SB 315, which is now heading to the Governor's desk.) The Georgia House of Representatives voted 107 to 63 to approve GA SB 315 (LC 29 8107S) (PDF / legis.ga.gov) on Tuesday, March 27, 2018, on the Senate voted 42 to 7 to accept the House changes in the last hours of the session on Thursday, March 29, 2018.

Georgia SB 315 anti-hacking law dangerously misses the mark of protecting people, making us all less safe

Mon, 26 Mar 2018 12:00:00 -0400

GA SB 315 (LC 29 8107S) (PDF / legis.ga.gov) just passed the House Judiciary Non-Civil Committee and will be voted on this week. While significantly improved through the committee process, it still creates a dangerously broad definition of Criminal Unauthorized Computer Access that is so sweeping, people will need permission before visiting any website.

This bill was drafted because Georgia law enforcement and the U.S. FBI could not find any law broken by a professional security researcher. This researcher tried to alert Georgia election officials of voter data inappropriately published publicly on the Internet by Kennesaw State University, a contractor for the Georgia Secretary of State’s Office. What he discovered through ordinary Google searching was that voters’ names, addresses, and other private information was indexed by Google and accessible by anyone. After months, he and another researcher discovered that the data was still available on the public Internet and brought it to the attention of the media. Only under the daylight of public attention was the data removed from the Internet in an embarrassing scandal.

Lay off the marketing plugins. Equifax hit with fake Flash update.

Thu, 12 Oct 2017 17:03:25 -0400

The Equifax website borked again, this time to redirect to fake Flash update (arstechnica.com). This is the latest episode in the sad saga of insecurity at the embattled Atlanta-based credit reporting giant. Atlanta is known for a healthy information security ecosystem and the Georgia Institute of Technology and Kennesaw State University both have cybersecurity programs at the undergraduate and graduate level. If Equifax cared to hire security minded people to work in key areas they could.

Automated Patching Will be New Reality

Wed, 11 Oct 2017 10:20:41 -0400

Patch management is hard when the software being patched is supported by a major corporation with a long support window. It’s even harder when integrating numerous open source projects of various maturity. One lesson from the Equifax data breach is that failure to update your deployed application for months after the upstream project is updated can lead to dire consequences.

Southeast Ruby Conference Recap

Sat, 07 Oct 2017 14:00:00 -0500

On the behalf of the entire Rietta team, I would like to give a huge shout out to Jason Charnes (@jmcharnes) for hosting the South East Ruby Conf in Nashville, TN this week. I was pleased to meet many members of the Ruby On Rails Link Slack Group.

Each and every talk was fantastic, I’d like to go into depth with a few highlights for anybody that was unable to participate in this conference.

Automate Security Scans with Continuous Integration

Tue, 03 Oct 2017 00:00:00 -0500

There are many tools out there that help you get a quick idea of possible security issues in your code and dependencies, but how often do you run them? If you’re running a Rails app and have never run brakeman or bundler-audit, I strongly urge you to run these tools immediately. Brakeman finds common insecure coding patterns that might be exploitable in the correct context and bundler-audit checks for known vulnerabilities within your installed gem dependencies.

The premise of this blog post isn’t to teach you to run these tools, but rather to teach you how to implement these tools into your Continuous Integration service. If you’re curious of how to run these tools outside of the test suite, both tool’s READMEs are informative.

Equifax Missed Defense in Depth, Allowing a Massive Data Breach

Mon, 18 Sep 2017 00:00:00 -0400

Equifax has confirmed that the main vector that lead to the data breach was a remote code execution vulnerability in Apache Struts that had been known for months [1]. Equifax had not yet patched it within the production environment. This is not just a lesson in the importance of patch management but one of defense in depth. The weakness in Equifax’s design was set in motion years before when they failed to design with the assumption that the front-end web server would be compromised.

The attacker was able to obtain the massive trove of private data because the web application was the only gatekeeper. Once the remote code execution vulnerability was exploited, the attacker was able to access data unfettered by additional access controls. Equifax chose to use a typical web application architecture without defense in depth.

Defense in depth has to start as part of the development process. All developers should be aware of the OWASP Top 10 (#3) and their work should be audited against the OWASP Advanced Security Verification Standard (ASVS) [#3] for the level appropriate for the risk faced by an organization in the event of a security breach.

Engine Yard's 17 Rails Security Tips

Tue, 05 Sep 2017 00:01:03 -0400

Christoper Rigor has posted a good set of Ruby on Rails Security 17-Item Checklist on Engine Yard’s blog. Check it out. He did a good job hitting the important ones without being overly verbose. If you’re looking for a standard to follow, check out the OWASP ASVS.

Troubling ISP Privacy Repeal: The Data Will be Breached

Thu, 18 May 2017 11:59:59 -0400

Your Internet Service Provider has direct access to the type of information on you and your family that the National Security Agency uses for spying.

Your ISP knows when you are at home and when you are not, when your kids are doing their homework. They know or can know what you’re watching on Netflix (even when its encrypted) and YouTube. If any member of your household ever views pornographic content, your ISP knows how much and at what times such content is accessed. They can infer through traffic analysis how many people are living at your home and even know how many iPhone and Android devices that you have. And even though they cannot see into your encrypted search queries on Google, your ISP knows every medical website that you visited to research a condition that you think you have or are looking into a drug that your doctor has prescribed to you.

Americans' Access to Strong Encryption is at Risk, an Open Letter to Congress

Wed, 03 May 2017 19:34:59 -0400

Dear Honorable Members of the United States Congress:

I work in application security in the cybersecurity field to make software more secure from attack. The cybersecurity threats that face our nation are very important to my wife and me. As Americans, our private data is in great jeopardy because of increased cybersecurity threats. Our infrastructure is prone to being hacked, and major data breaches of both private and government networks are routinely in the news. The best way to prevent these breaches is to increase the use of strong encryption with no backdoors.

The track record of data breaches demonstrates an uncomfortable truth: when sophisticated adversaries want to hack a network, they will ultimately win. Among the few tools known to computer science that can prevent a data breach is strong encryption. This means that there is no backdoor and no backup key. Either the original user needs to enter the password, or the data is un-retrievable.

Breach Prevention for Developers Talk at Kennesaw State University

Tue, 28 Feb 2017 07:56:03 -0500

Earlier this month I had the honor of speaking with information security students at Kennesaw State University in Georgia thanks to Dr. Herbert Mattord. It is a very diverse class with both traditional students and more mature students who are switching careers. Most of the students had little or no professional software development experience so I view these talks as extra critical because infosec professionals play an important role in this by working with developers and thus need to know something about how software is made.

Intro to App Sec Podcast Interview

Wed, 22 Feb 2017 19:17:08 -0500

It’s been a few months and I wish I had shared the link with you sooner. Back on August 29, 2016, I was the guest of Joe Gray’s Advanced Persistent Security Podcast’s Intro To App Sec Episode.

We talked about application security and the news. Give it a listen!

The MongoDB hack and the importance of secure defaults

Thu, 12 Jan 2017 14:24:11 -0500

Tim Kadlec has written a fantastic blog post that you should read right away at https://snyk.io/blog/mongodb-hack-and-secure-defaults. It starts with: “If you have a MongoDB installation, now would be the time to verify that it is secure. Since just before Christmas, over 28,000 public MongoDB installs have been hacked. The attackers are holding the hacked data ransom, demanding companies pay using Bitcoins to get their data back. From the looks of it, at least 20 companies have given in and paid the ransom so far.

CPU Benchmark - Raspberry Pi vs AMD Athlon vs Mac Mini

Thu, 01 Dec 2016 11:09:28 -0500

As a fun little experiment, I ran the same CPU benchmark on a few processors that I have around my home office that come from various generations. The Raspberry Pi was predictably beaten by even the nine year old AMD Athlon processor, but considering its from factor and power usage it is a remarkably versatile little system on a chip.

28th Anniversary of the Morris Internet Worm

Wed, 02 Nov 2016 12:00:00 -0400

Today marks the 28th anniversary of the Morris Worm, which devastated large portions of the nascent Internet on November 2, 1988. Even though it was unleashed nearly three decades ago, it was more advanced than the Mirai worm that compromised hundreds of thousands of IoT devices in recent weeks. The Morris Worm source code on a floppy disk was on display at the Computer History Museum in Mountain View, Calif. Photo licensed under Creative Commons from Intel Free Press, © 2013.

Rails: Set Max Length on Fields

Sat, 22 Oct 2016 00:00:00 +0000

I originally started drafting this post on January 14, 2012, but it sat unpublished since then. Its fun to look back at ones journey, 1743 days ago. In 2012, I was relatively new to the Ruby on Rails platform after having worked in PHP and SQL for years, as well as a little .NET. The platform has been a good choice that I enjoy working with still to this day. I was working in Rails 3 at the time and had completed at least three client websites in Rails in 2011.

Bad Password Practices are Responsible For Most Data Breaches. You Can do Better.

Tue, 10 May 2016 11:07:58 -0400

The 2016 Verizon DBIR report is out and is available for download. Among the findings is the prevalence of data breaches that are attributable to stolen authorization credentials.

According to the report “63% of confirmed data breaches involved weak, default or stolen passwords” (page 20). This is an increase from 2015, when the stat was that 51% of web application breaches were attributable to stolen credentials. If anything is clear, it’s that the lowly credential theft is a clear and present danger in information security. It is responsible for more incidents than all the other exotic, technically interesting attacks combined.

Calls to Ban Effective Encryption Continue Despite Data Breach Crisis

Fri, 22 Apr 2016 09:00:00 -0400

The continued calls for the U.S. Congress to ban effective encryption despite the current computer security crisis in which data breaches are regular news is dangerous, shortsighted, and destined to harm all Americans. The two most effective tools that we have capable of helping prevent data breaches are encryption and reducing the attack surface of computer systems that handle sensitive or private data. Under the proposed legal framework, both will be sacrificed for a false sense of safety.

The latest installment of Congressional hearings was held by the Energy and Commerce Committee on April 19, 2016, and was titled Deciphering the Debate Over Encryption: Industry and Law Enforcement Perspectives. The calls for Congress to ban effective encryption are repeated with little variance from the past. Some Members of Congress are expressing frustration that the debate is repeating itself without law enforcement suggesting any particular middle ground that would be workable for the tech community. But what is most chilling is that those in law enforcement continue to demand exceptional access despite years of back and forth and the parade of high profile data breaches both within government and the private sector. We’re losing the cybersecurity battle and the government is calling for a ban on one of the most effective tools that computer science has at its disposal.

U.S. Senate Bill Seeks to Ban Effective Encryption, Making Security Illegal

Fri, 08 Apr 2016 10:11:33 -0400

The anticipated Feinstein-Burr Compliance with Court Orders Act, an anti-security bill, would require the provision of data in an intelligible format to a government pursuant to a court order (scribd.com). A draft copy was uploaded by The Hill reporter Cory Bennett, though whether it has been submitted officially within the Senate is not yet clear (vice.com).

This bill essentially says you can not have any conversation or data exchange that the government can not access if it wants to. It is the legal culmination of what the FBI has been lobbying Congress for years. If Feinstein-Burr becomes law, it will be illegal to deploy strong encryption without key escrow maintained by each company. Cryptographers and computer scientists near-unanimously assert key backup systems are insecure at scale.

It is not just one iPhone, the FBI wants a future where it is impractical to deploy strong encryption without key escrow

Wed, 16 Mar 2016 09:01:11 -0400

Crypto War II, the first crypto war having taken place in the 90s with the clipper chip, is in full swing with hostilities started back up a few years ago when FBI Director James Comey and others started lobbying congress and giving public speeches about how being unable to unlock some devices and communications makes it hard to do their job. It has been an unrelenting full public relations assault on practical strong encryption.

Ultimately FBI Director James Comey wants a future where it is illegal or impractical to deploy strong encryption without key escrow, which is a key backup system that the great consensus of cryptographers and computer scientists assert is insecure at scale. As a statesman he never comes out and says this directly, but it is the only conceivable outcome to what he is demanding of tech companies before congress and the actions that the FBI has taken in court.

What is the difference between bcrypt and SHA256?

Fri, 05 Feb 2016 10:23:27 -0500

TL;DR; SHA1, SHA256, and SHA512 are all fast hashes and are bad for passwords. SCRYPT and BCRYPT are both a slow hash and are good for passwords. Always use slow hashes, never fast hashes.

SANS’ Securing Web Application Technologies [SWAT] Checklist is offering a bit of bad security advice for the everyday web application developer, under the heading “Store User Passwords Using A Strong, Iterative, Salted Hash”:

User passwords must be stored using secure hashing techniques with a strong algorithm like SHA-256. Simply hashing the password a single time does not sufficiently protect the password. Use iterative hashing with a random salt to make the hash strong.

Ruby Application Security Talk Featured in Ruby Weekly Issue # 268

Thu, 15 Oct 2015 12:40:53 -0400

A link to my talk on “Defending Against Data Breaches, as a Practicing Ruby Developer” at Rocky Mountain Ruby 2015 was featured in Issue # 268 of Ruby Weekly! Thanks Peter Cooper! I’m super glad to see the word getting out that security has to be part of the development process. Oh by the way, I learned at the ISSA International conference this week that Microsoft has a version of their Secure Development Lifecycle tailored for Agile development.

What is an Abuser Story (Software)

Sun, 11 Oct 2015 22:35:36 -0400

I publicly speaking about how development teams and those who employ them should go about using user stories with security constraints and abuser stories as a security documentation tool. At this time there is not an entry on Wikipedia about it, so I am going to take a stab at writing it up for you here.

What is an Abuser Story in Software Development?

In software development and product management, an abuser story is a user story from the point of view of a malicious adversary. Abuser stories are used with agile software development methodologies as the basis for defining the activities that should be actively blocked or mitigated by the software and proven by automated regression testing.

What is Application Security?

Mon, 28 Sep 2015 19:25:45 -0400

I’m back from Boulder, Colorado, having presented on application security to the Ruby developers at the Rocky Mountain Ruby Conference! It was a fantastic group and security is one of those topics that are just not talked about enough within the developer community.

I started off with a definition of application security:

Application Security is the subset of Information Security focused on protecting data and privacy from abuse by adversaries who have access to the software system as a whole. Its purpose is to make software resilient to attack, especially when network defenses alone are insufficient.

Then proceeded to talk about the importance of writing User Stories with security constraints and Abuser Stories, which are user stories from the point of view of a malicious adversary. It’s all about clearly communicating among developers and the non-technical stakeholders about the threats so that these considerations can inform development decisions.

The Q&A was robust with more questions than there was time to get to them all. I was able to give out two blue Yubikey Fido U2F keys thanks to Yubico.

The first real investor meeting post investment

Wed, 17 Jun 2015 09:44:43 -0400

A client recently shared Gordon Daugherty’s article on Your First Board Meeting. The gist is that when you first start your C Corporation with the intention of raising investment, the first board meetings are not really meetings at all. Just the co-founders signing some paperwork. But once investment is brought on, the lead investor is going to have a board seat and things become formal. It is sound advice to keep in mind if you see yourself raising capital for your startup company.

Uniqueness Validation Race Condition in Ruby on Rails applications

Mon, 04 May 2015 12:00:00 -0400

Are you a practicing Ruby on Rails developer? It doesn’t matter if you are called a junior developer, senior developer, or the janitor. It is surprisingly easy for race conditions to slip into your code and out into production. Some of these can lead to annoying duplicate e-mails in your database or they could lead to serious security issues that impact your company’s bottom line.

As you read on, I’m going to teach you a bit about race conditions, also called hazards in some engineering circles, and give you a practical example of how one can slip into a Rails application if you were to choose to enforce validation constraints only within an application’s models with a validates :field_name, uniqueness: true rather than through database constraints.

Before we begin, I do want to remind you about one thing. Preventing race conditions is not just something that can be added to Ruby on Rails because the methods for automatically detecting race conditions is an NP-hard problem in computer science. That’s why it’s so important that you understand something about spotting situations where they may occur so that you stand a better chance at leaving them out of your next deploy.

10th Anniversary Blog

Wed, 08 Apr 2015 11:59:00 -0400

Today, Wednesday, April 8, 2015, is the tenth anniversary of this blog. I was a Georgia Tech student at the time of the first post. I was a student at Georgia Tech, about to present my research on SQL Injection at the UROC symposium the next week. That research project lead to my first published paper on Application Layer Intrusion Detection for SQL Injection that was accepted as a single author paper by the ACM while I was still an undergraduate student and was instrumental in my decision to pursue Information Security at the graduate level.

The blog itself has had its starts and stops with some challenges settling into a sustainable post schedule. I started this as a CS student, not an author, so some writing disciplines can only be developed over time.

It has had some posts that have been crazy popular, with thousands of readers a month for years, and some that I do not think anyone has ever looked at other than myself. But post after post, readership has increased to the point that we now consistently have more than 9,000 visitors and I hope to cross the 10,000 mark within the year.

Adding a Rake Task for SQL Views to a Rails Project

Mon, 30 Mar 2015 12:00:00 -0400

I have previously written about Using Rails and SQL Views for a Report. A practical consideration when employing SQL views, which create wonderfully fast read-only tables that can be used by ActiveRecord models seamlessly, in a Ruby on Rails project is where to maintain them in a project.

One approach is to use migrations, since that’s where database stuff normally goes. But a big downside is that this approach is not DRY because changing the SQL view requires a new migration that drops the old view and replaces it with the updated version. Simply changing a field in the SQL view requires copying and pasting the entire definition over again. That’s just annoying!

The second, and in my opinion better approach, is to treat SQL views more like models.

How to use Story Points to Estimate a Web Application Minimum Viable Product

Tue, 17 Mar 2015 14:12:49 -0400

A user story is a concise written description that describes an item of functionality that is valuable to a user or a purchaser of a web application, preferably from the point of view of that person’s individual desires. They typically consist of three components: a written description of the story used for planning conversations about the story that serve to flesh out the details of the story tests that convey and document the desired outcome and can be used to determine when a story is complete The best user stories are sufficiently small to be accurately estimable by developers and arranged in a prioritized list where a member of the development team can always confidently pick the next most important task to work on at all times during his or her work week.

Project Roadmaps can Manage Uncertainty in Startups' Web Applications

Tue, 17 Mar 2015 12:00:00 -0400

Project communication breaks down quickly due to miscommunication about

Estimates
Targets
Commitments

These concepts are not clearly understood by everyone involved in a typical project.

Get the Current Year in the Ruby programming language

Fri, 13 Mar 2015 10:09:55 -0400

When learning Ruby on Rails, sometimes you just need to get the current year as a number. I posted one example on why this is a useful way on a real-life website in the 2011 post on how to automatically update copyright notices.

In this article, I will show you some methods for getting the current year, such as the number 2015. I will then show you how to benchmark the methods to determine which is the fastest method for you, given your machine and Ruby version.

Okay, just how do I get the Current Year in Ruby?

It’s easy. Just use any of the Date/Time objects and call the year method, like this:

   # Using the Time class
   current_year = Time.new.year  # or Time.now.year

   # Using the Date class
   current_year = Date.today.year

   # Using the DateTime class
   current_year = DateTime.now.year

New Video! Understanding & Defending Against Data Breaches

Thu, 19 Feb 2015 23:22:58 -0500

A few weeks ago, I spoke with the Ruby users’ group in Nashville, TN, about the importance of understanding the root cause of data breach security incidents and countermeasures that developers can put in place to help prevent them. It’s up on YouTube for your enjoyment at Understanding & Defending Against Data Breaches, as a Practicing Software Developer - Nash.rb.

Two new videos! How a Ruby on Rails developer can help prevent a Data Breach

Fri, 09 Jan 2015 11:12:44 -0500

Two new videos of the data breach talk and class that I lead in August and December are now up on YouTube! I hope that it helps you level up on your security knowledge because good software security needs to be a moral stance.

Next public talk

I am scheduled to give a presentation to this topic for the Nash.rb Users’ Group on Thursday, February 5, 2015 at the Emma office in Nashville, TN. If you are in town and can make it out, I would love to meet you.

How To Protect Against the POODLE SSLv3 Vulnerability

Thu, 16 Oct 2014 09:21:22 -0400

The POODLE SSL vulnerability marks the third major security flaw discovered this year that impacts the security of millions of websites.

The attack works by forcing the connection to downgrade from the newer TLS protocol to the 18 year old SSL 3 protocol, which is obsolete and insecure, and then utilizing a weakness to calculate small strings of data from the encrypted communication, such as session cookies.

Commercial Information Security Classification System

Mon, 13 Oct 2014 18:09:13 -0600

When you read books on security, at some point the importance of classified information systems is covered. These typically look at Mandatory Access Control in the context of military classifications, such as top secret, secret, for official use only, and sensitive but unclassified. While the existence of commercial classification systems in use outside of a government context may be mentioned, it’s not as common to see a commercial information classification system presented.

In this article, I shall present to you a commercial information classification system that you can use to help plan your web application’s security standards based upon information sensitivity considerations. It is the system that I have developed for use with my own clients and have presented on publicly as part of my series on how a Ruby developer can help prevent a data breach.

Government vs Security - Schneier explains

Tue, 07 Oct 2014 14:33:58 -0500

We’ve been hearing a lot recently about law enforcement officials upset over the so-called “going dark” problem, with Apple and Google implementing stronger encryption solutions for their mobile platforms. These government organizations are arguing that by making encryption easy to use and unbreakable, Apple and Google will help criminals escape from justice by impeding investigative work. “You can’t build a backdoor that only the good guys can walk through.” As security-focused developers, we discuss these issues quite often at Rietta.

Raspberry Pi crypto key management project!

Thu, 02 Oct 2014 21:20:16 -0400

A few months ago I bought a Raspberry Pi B to experiment with, but sadly my day job as a Ruby developer keep me busy enough that it just sat on the shelf unused until this last weekend. For those not yet in the know, the Raspberry Pi is an excellent little complete computer system on a small circuit board that uses very low power and looks like this:

Free, Universal SSL with Cloudflare

Mon, 29 Sep 2014 09:11:52 -0400

Cloudflare, the web application security forward proxy and transparent CDN service, has announced on their blog universal SSL even on their free accounts.

This is a very welcome development for the public interest on the internet.

Software security is a moral duty

Sun, 21 Sep 2014 08:57:57 -0400

All too often robust security is put off because the cost of prevention is felt upfront and the cost of breach is to realized at an uncertain future time and mostly by third parties. In the name of saving money, organizations continue to run out of date operating systems, reject appropriate strong encryption systems, fail to deploy sufficient network security, and refuse to employ and empower appropriate security staffs. In the end, security is seen as an expense to be minimized as part of a risk management program. But there is another way.

Learn how Upworthy scaled a Ruby on Rails application to serve massive traffic

Fri, 19 Sep 2014 12:23:12 -0400

Luigi Montanez is the founding engineer of the viral content website http://upworthy.com and in this ATLRUG talk from July 9, 2014, he gives a fascinating insight into one approach to managing the growth of a startup’s web app in the face of very high traffic. Their backend is built upon Ruby on Rails with an effective use of the Fastly CDN to deliver very high performance at scale.

New OpenPGP Key, 0xC004BAE3 (2014)

Sun, 27 Jul 2014 17:51:23 -0400

After 11 years, I have chosen to transition my OpenPGP/GnuPG cryptographic key pair from a 1024-bit DSA to a 4096-bit RSA key. The new key is ID 0xC004BAE3. Please review the fingerprints and update your OpenPGP keychain accordingly.

The following is my digitally signed transition statement, notice that it is signed with both my new and old key pairs. My old key is un-compromised and will remain valid for a period of time.

Introduction to OpenPGP: Decrypt this Message

Mon, 07 Jul 2014 00:00:00 +0000

If you have been following the news in light of the revelations of the NSA domestic surveillance program, which is probably unconstitutional in the United States but in practice is being permitted by the courts, then you should know something about the encrypt everything movement and Google’s End-to-End project, which is to add OpenPGP to the Chrome web browser. If this is new to you, this fun challenge will help you get started with what you need to decrypt a message with GnuPG!

Retake the Net for Privacy!

Thu, 05 Jun 2014 15:18:56 -0400

Rietta (@riettainc on Twitter) will educate customers on the use of strong headers, TLS w/ PFS, and other countermeasures as part of our continuing security initiatives program. Will you also help join us in the world-wide cause to retake the net? Check out the petition yourself at Reset the Net and choose for yourself today what you can personally do to make the web secure from illegitimate prying eyes.

What a Ruby developer can do to help prevent a Data Breach - 2014

Thu, 05 Jun 2014 10:18:14 -0400

I was invited by Tech Talent South to give a guest lecture to their Spring 2014 class of students learning to become Ruby on Rails developers. These students are all adults looking to make a change in their career and are really bright and motivated individuals looking to better themselves with learning to code. In my view this is perfect because being a developer is the most trusted job position one can possibly hold in most organizations.

Humana data breach in Atlanta for an unencrypted USB disk

Fri, 30 May 2014 08:24:10 -0400

Just this week, Security Professionals Magazine is reporting a data breach of three thousand unencrypted medical records, names, and social security numbers. For want of choosing “Encrypt this Drive”, Humana and one of it’s associates have put thousands of customers at risk of economic harm. According to the report an encrypted laptop and an unencrypted USB drive containing the data were stolen from a Humana associate’s vehicle. This is classic laptop theft and why anyone with sensitive information in their care should treat their laptop bag like it is handcuffed to their body.

Avoid thrashing to release your project on time and budget

Thu, 29 May 2014 11:21:09 -0400

As my team and I work towards a major deadline this week, I am reminded at how easily last minute thrashing sneaks into a project that has many stakeholders involved. This is a challenge that a properly run Agile project should be able to minimize, but it seems to always be there. Chris Getman (@chrisgetman) published a great post on his blog, referencing the same Seth Godin video that I recently watched, entitled Thrashing: Why Your Project Slipped.

ModSecurity and Fail2Ban as an Intrusion Prevention System

Tue, 27 May 2014 12:24:07 -0400

ModSecurity and fail2ban can be used as an open source intrusion prevention system. The setup is pretty straight forward: Configure ModSecurity to detect some attacks against your system Configure fail2ban to read the ModSecurity audit log file Configure ModSecurity Install a commercial ruleset or open source ruleset, such as the OWASP ModSecurity Core Rule Set, for your ModSecurity web application firewall. One of the neat tricks in the OWASP ruleset is that if your application raises an exception or certain content appears to leak out then it triggers a 403 Unauthorized HTTP response rather than returning the content to a potential attacker.

Defense in Depth

Thu, 22 May 2014 12:19:02 -0400

I had no fewer than three separate conversations yesterday about the importance of Defense in Depth in the context of building out a comprehensive plan to secure a web application and its environment. In light of that, I wanted to share with you the basic concept and point out some places to read about this big idea in security. Photo: A combination door lock is one possible countermeasure in a layered security approach, but there is so much more to defense in depth.

Joe Moore has Pair Programmed for 27,000 Hours

Tue, 20 May 2014 19:57:11 -0400

In Outliers, Malcolm Gladwell posited that 10,000 hours of practice are what it takes to achieve mastery in a field. Well, Joe Moore (@joem on Twitter), the owner of remotepairprogramming.com, has blown past that mark on the subject of pair programming practices and the impact those practices have on real software projects. He has pair programmed for 27,000 hours and the audience at RailsConf 2014 asked him anything! At Rietta, we do pair programming as a fundamental part of our development process.

My new tenkeyless Code Keyboard!

Fri, 16 May 2014 22:06:02 -0400

My new Code Keyboard Tenkeyless (87-key without a Number Pad) arrived this week from WASD Keyboards! It should make a good keyboard for professional programmer who is typing 40 or more hours per week, 50 weeks per year. The Cherry Green keys have a 80 gram actuation force, that makes for clean, crisp keystrokes at full typing pace. The heavier resistance helps avoid bottoming out the keys, which is one source of typing injury.

YubiKey Authentication Devices

Thu, 15 May 2014 11:42:57 -0400

Brandon Dees (@brandondees) and I are both really big security geeks when it comes to technology. We are both really into bringing multi-factor authentication as standard equipment to the applications that we build. With something you have, and something you know, instances like the Buffer app breach can be mitigated in many circumstances.

John Saddington and Obie Fernandez at the Atlanta Ruby Users' Group

Wed, 14 May 2014 22:59:14 -0400

Tonight, at the Atlanta Ruby Users’ Group (@atlrug) meeting, John Saddington (@saddington) gave the main presentation on how to Win The Internet. The talk focused on the importance of building and cultivating a personal brand.

OpenSSL Vulnerability, Patch 1.0.1 Immediately

Mon, 07 Apr 2014 23:50:50 -0400

Major Vulnerability, Action Required. A major vulnerability for OpenSSL 1.0.1 was announced today, April 7, 2014. The Heartbleed Bug, CVE-2014-0160, is a major vulnerability that may lead to secret key disclosure. A discussion of this vulnerability can be found on the Hacker News thread on the Heartbleed vulnerability.

Research and Development Tax Credit

Tue, 04 Mar 2014 14:45:25 -0500

As tax season rolls around, it is important to keep an eye on the tax credits that are available to startups. These credits are easy to forget because it is not something that just anyone can claim on their business tax returns. But as startup company or an existing business building software that has a risk of failure, the government wants to provide financial incentives you to build it within the United States.

Each year, one of the better credits that are available to companies commissioning a custom software development project is the Federal Research & Development Tax Credit. The IRS publishes its Audit Guidelines on the Application of the Process of Experimentation for all Software.

Find Top Referral Sources with Raw Apache Access Log

Sat, 22 Feb 2014 14:20:50 -0500

In today’s issue of the Mastering the Terminal series, I present to you the easy way to find your top website referral sources using only tools available on the Linux (or Unix) command line and your raw Apache access file.

Issue #6: February, 2014, Web Application Topics Newsletter

Tue, 18 Feb 2014 07:31:00 -0500

In this issue

Get and compare the current Git branch in BASH
New book of the month
- Don’t Make Me Think, 3rd Edition
In the news
- PaperClip (Ruby on Rails) Insecure Defaults
- Yahoo user accounts compromised through third party database breach
- Buffer database compromised through compromise of MongoHQ support credentials

Get and compare the current Git branch in BASH

Sun, 16 Feb 2014 18:33:06 -0500

My favorite revision control system is Git. I use it to maintain all of my Ruby on Rails projects, my Linux system configuration, and even this blog!

In my web development work, I like to automate as much as possible with BASH shell and Ruby scripts. This makes my work easier by replacing repetitive tasks with simple commands and reduces the instances of certain classes of mistakes in my daily workflow. One of those mistakes that I would like to avoid is accidentally publishing a draft post to the live website.

**Here is how I use the value of the current Git branch to keep from accidentally publishing a post to the real website before it is ready! **

My Touch Typing Journey Continues

Fri, 14 Feb 2014 12:25:00 -0500

For years, I lived with a secret that I did not want to share. I never learned how to type properly! As a professional software developer with a couple of computer science degrees from Georgia Tech, that’s difficult to admit.

Reset MySQL Root Password with One Command

Tue, 11 Feb 2014 11:47:45 -0500

I have locked myself out of important accounts more than a few times. Just this morning, I found myself again locked out of a MySQL database server on an Ubuntu Linux machine. Though this should work with any Debian-based Linux that uses the apt-get package management system.

Fortunately, I had administrative access to the server through SSH and thus was able to reset the MySQL root password with the package management script. It only took one, simple command.

Anti-virus for Mac for PCI Compliance

Thu, 23 Jan 2014 10:12:00 +0000

When a contract requires anti-virus on all computers, even the Mac OS X systems, which do you choose? Macs are not Commonly Affected, in the traditional sense One nice thing about working in a heavily Mac OS X environment, which most Ruby on Rails development companies are is that there just are not the number and variety of viruses on the platform as there are in the Windows environment. This is not to say that a Mac user does not face many security threats - they do face threats, nor that they cannot be hacked - they most certainly can be hacked.

Gradually and then suddenly

Sun, 19 Jan 2014 19:07:00 +0000

This month is the 15th anniversary of when I started Rietta Solutions, that has since become Rietta, Incorporated, and has expanded into the company that it is today.

Why & How We Remote Pair Program (2013)

Tue, 07 Jan 2014 16:38:00 +0000

Brandon Dees and I gave a this talk about how and why we do remote pair programming when he lives in Nashville, TN, and I live in Johns Creek, GA (a 416 mile round trip) on Wednesday, October 9, 2013 at the Atlanta Ruby Users’ Group (ATLRUG). The Video The excellent Q&A starts at 31 minutes into the talk! The Slides The slides are available directly Why & How We Remote Pair Program at Speakerdeck and here is the link to video directly on YouTube.

Joppar's 'Tips on Securing Your Mobile App' Infographic Quoted Me!

Mon, 06 Jan 2014 11:26:00 +0000

Good morning! I write this on the very cold Monday morning that is January 6, 2014. Today, our friends over at Joppar, a mobile apps startup in Silicon Valley, have released a very good cheat sheet for app developers who want to care about the security of their application. In other words, anyone who does not want their own ‘Snapchat Breach Exposes Weak Security’ article from the New York Times.

Voice-driven Applications on the Brain

Fri, 06 Dec 2013 09:51:00 +0000

I took the last two days off to attend the AdhersionConf 2013], that was hosted by Ben Klang and the crew at MojoLingo. Adhersion is a Ruby framework for building telephony applications. With it, you can write a server application in Ruby that is accessed my customers over a phone call for instance and more. My purpose for attending is that voice-based use cases that involve Automatic Speech Recognition and good Speech Synthesis are becoming increasingly exciting as the technology has reached a point where it is available on most mobile devices and services are now available for web developers working with very modest budgets!

How to use SQL views to Build Reports with Ruby on Rails

Thu, 28 Nov 2013 10:54:00 +0000

SQL views are a powerful capability of a relational database server. This functionality can be easily used to implement important reporting, data mining, and other functionality to a web application built with Ruby on Rails in a manner that may be faster and more concise than an implementation that uses only typical ActiveRecord patterns. The complexity of dealing with the relational data is abstracted away from the Rails application that is a consumer of the data, keeping the model, controllers, and Rails view concisely focused on their appropriate roles.

Secure Passwords & Passphrases

Mon, 25 Nov 2013 17:40:00 +0000

{% render_partial _includes/series/encryption.md %} Sometimes when someone sees me type my long password to log into my laptop, I get asked about why I use such a long password. I always sigh a little. Deep down inside, I reflect on how there is not a concise, easy, actionable answer that will help that person practice better password security. My laptop password is better than most, but even it would be potentially susceptible to long, sustained offline attacks.

We Won a Hackathon with Scriptive! The Programmers' Perspective.

Thu, 14 Nov 2013 19:38:00 -0400

Brandon Dees and I travelled to Austin, Texas, to compete in the Code for the Kingdom Hackathon, a Christian-ministry related event that was held at the Acton School of Business. We joined the super talented Charles Roach, the founder of Scriptive, a non-profit organization, to compete in the 48 hour startup/programming competition. Our mission was to code something that will impact the Kingdom for Christ through new technology. Brandon has agreed to help co-author this post so that you can read both his and my perspective on what it was like to be a developer at the hackathon.

Grep to Extract E-Mail Addresses from a Text File

Fri, 11 Oct 2013 00:00:00 +0000

Sometimes you just need a list of e-mail addresses from text files on your computer. I have personally needed this while managing an e-mail server. Here is the scenario, given a text file that has e-mail addresses intermixed with other text, extract a sorted list of e-mail addresses. While there are commercial applications to do this, if you have a Unix-based system then you have all of the tools that you need available at the command line.

Upcoming Remote Pair Programming Talk at the Atlanta Ruby Users' Group

Sat, 05 Oct 2013 14:57:00 +0000

Update: This presentation to the Atlanta Ruby Users' Group turned out great with excellent audience participation. For the slides and the 48 minute video, including 17 minutes of Q&A, see Why & How We Remote Pair Program (2013). --- Brandon and I are giving a talk about how and why we do remote pair programming when he lives in Nashville, TN, and I live in Johns Creek, GA (a 416 mile round trip) on Wednesday, October 9, 2013 at the Atlanta Ruby Users’ Group (ATLRUG).

Want to Learn Ruby on Rails in Atlanta?

Sat, 28 Sep 2013 11:33:00 +0000

The Emerald City Programming Group has started back up for the fall, starting today, Saturday, September 28, 2013. The first class had an excellent turnout with twenty two local budding Rubyists in attendance. The environment is extremely friendly. The volunteer instructors this year are Anjan Das and Carlos Gonzalez. This free class is open to the public and will cover everything you need to go from zero to deploy, including:

What is a Maintained Post?

Fri, 27 Sep 2013 13:49:00 +0000

Last Updated on October 6, 2013, to add that for a listing of all currently maintained posts, please see the list of maintained posts. I just updated the Best Data Types for Currency/Money in MySQL post, which first appeared on this blog on March 3, 2013. You may wonder why I would update a blog post that has already been published. It’s because every single blog post is a landing page.

The Dvorak Keyboard with the Mouse on the Left-hand side

Thu, 26 Sep 2013 18:41:00 +0000

I’m nearly a month into my transition to the Dvorak keyboard layout. I am typing at a very sustainable speed so this has not slowed down my work. For me, it is significantly more comfortable than typing QWERTY for 8-12 hours per day. One of the interesting aspects of this keyboard layout is that the Z, C, and V have moved from the left to the right-hand side of the keyboard.

Seth Godin shared that the way to success is trust on Dave Ramsey's podcast

Wed, 25 Sep 2013 22:32:00 +0000

While driving to a friend’s birthday party and back tonight, I discovered that Seth Godin had recently appeared on Dave Ramsey’s EntreLeadership podcast (XML Podcast Feed). The EntreLeadership podcast is an excellent show that is on small list of shows that I follow on a regular basis. The interview was a lot of fun. If you are a software startup owner, or thinking about being one someday, go listen to it now to the September 10th, 2013, Interview with Seth Godin by Dave Ramsey.

Is the Colemak or Dvorak keyboard layout best for you?

Fri, 20 Sep 2013 10:16:00 +0000

Are you holding yourself back or possibly harming your health by typing on the QWERTY keyboard? In many ways, it is a standard just because it was used by our parents and their parents before them. In fact, QWERTY has not changed in the 140 years since 1873! If you want to know where you personally stand, head over to the Keyboard Layout Analyzer and paste a sample of the content that you write on a regular basis.

What is Object-Oriented Programming (OOP) really talk by Bob Martin

Thu, 25 Jul 2013 00:00:00 +0000

Early this morning, Brandon Dees sent an e-mail to the team’s internal mailing list to a video of a talk by ‘Uncle Bob’ Martin of 8th Light (link to their Twitter). I watched it first thing and must agree, this is an inspiring talk. It’s a great presentation on the history of object-oriented programming (OOP) and what it really means from a values point of view. {% vimeo 64086087 %} Robert 'Uncle Bob' Martin - What is OO really?

Happy Father's Day

Sun, 16 Jun 2013 00:00:00 +0000

I want to wish a happy fathers day to all of you dads out there! And for those of you doing startups, I just want to share a video by Steve Blank, the father of the Lean Startup Movement, on how to make startups fail less. {% youtube H2OkLcOCjEs %}

OpenSSL: Encrypt Data with an RSA Key with PHP

Thu, 13 Jun 2013 00:00:00 +0000

{% render_partial _includes/series/encryption.md %} Web application security is built upon a series of interconnected building blocks. Last year, I wrote about how Generating an RSA Key from the Command Line in OpenSSL could support encrypting or validating data in an unattended manner (where the password is not required to encrypt). A few weeks before that, I posted about how to Encrypt a File with a Password from the Command Line using OpenSSL.

Enhance Early Adoption with Mobile Friendly Themes

Thu, 06 Jun 2013 00:00:00 +0000

At Rietta, we’ve worked on many web application projects. We’re backend programmers and work with different design teams chosen by our clients. These projects tend to be rolled out in phases. Often the first phase is the desktop website with the intention to do a mobile application of some sort later. But, when the new business’ website is announced on Facebook and via an e-mail to the pre-launch mailing list, the majority of the first clicks are from iPhone and Android device users!

Default HTML Values with a Rails View Helper

Tue, 15 Jan 2013 00:00:00 +0000

Suppose you have the same image tag included frequently in a Rails application. One way to clean up the code a bit and to set defaults is to create a super simple view helper method that can receive a hash parameter and merge it with the defaults. Code Example In app/helpers/pages_helper.rb: def gui_tiny_icon(name, opts = {}) image_tag "gui/theme/icons/#{name}", {:class => "vm", width: 15, height: 15}.merge(opts) end Then in the usual place of the HTML.

SQL Converter 3.4 Beta for Windows

Sat, 01 Dec 2012 00:00:00 +0000

SQL Converter 3.4 Beta for Windows is now available through the SQL Converter, version 3.4.0, beta read me. The Mac OS X edition has been available since last week. The build should work with: Microsoft Windows 8 ProMicrosoft Windows 7Microsoft Windows XPIt supports converting data from Microsoft Excel documents (XLS and XLSX) and Comma Separated Values (CSV) and Tab Separated Values (TSV) files. It is self-contained and thus does not require Excel to be installed in order to run.

Setting up Ubuntu for Rails Development - part 2

Wed, 24 Oct 2012 00:00:00 +0000

And here is the second video in the series on setting up Ubuntu Linux for Ruby on Rails development: http://www.youtube.com/watch?v=C_0dTp0Fzoo&feature=plcp

Setting up Ubuntu for Rails Development

Sun, 21 Oct 2012 00:00:00 +0000

Ruby on Rails is a really great platform for developing and releasing web applications. At my company, our developers are pretty evenly split between using Mac OS X and Ubuntu Linux desktops as their primary development systems. Setting up Ubuntu to develop in Ruby on Rails is pretty simple, but there are a few gotchas. To help you learn how to set this up, I have recorded a couple of real-time videos of me configuring from scratch Ubuntu Linux in a virtual machine.

Using IPTABLES to Require CloudFlare for All HTTP/HTTPS Traffic

Mon, 10 Sep 2012 00:00:00 +0000

For some of our clients, Rietta uses CloudFlare.com for its web application firewall and content distribution network (CDN) services. CloudFlare is installed on a domain by changing the domain’s DNS servers to resolve to CloudFlare, which then proceeds to serve as a proxy between the web and the web server running the protected application. Once this is setup it is expected that all general web traffic will originate from the CloudFlare network, which is the proxy server.

WGET to Keep New Rails Site in Memory

Tue, 10 Jul 2012 00:00:00 +0000

A Ruby on Rails web application can be really fast in production. However, for a site that receives less traffic the application can be very, very slow on the first request after it has gone dormant. One way to make sure that your site is always fast and never goes dormant is to setup an automatic process to periodically fetches the home page. On an Linux, FreeBSD, or Mac OS X system it is easy to setup an automatic fetch using cron and wget.

Atlanta Code Retreat on July 28th

Fri, 29 Jun 2012 00:00:00 +0000

Jonathan Wallace with Highgroove Studios just announced the Atlanta Code Retreat on July 28th from 8:30 AM to 5:00 PM (that's a Saturday). Learn more here: http://coderetreat.org/aboutSign up here: http://atlantacoderetreat-20120728.eventbrite.com/ Spaces are limited so sign up sooner than later. Registration is $10, but you are refunded after you actually show up for the retreat. It will be held at the wonderful new office space for Highgroove Studios at: 112 Krog St NE

Really Bad Passwords (with Unsalted Hashes)

Fri, 08 Jun 2012 18:30:00 +0000

The June, 2012, LinkedIn password breach reminds us all the need to protect our user’s passwords. The following table includes a series of really, really bad passwords. These are passwords that are trivially cracked using an automated tool, such as John the Ripper, or have been found through public password hacks as being in use by real people. This is a simple rainbow table because it lists the precomputed unsalted SHA1 and MD5 hashes.

Building Secure Web Applications (Info Graphic)

Tue, 05 Jun 2012 00:00:00 +0000

VeraCode just released this great info graphic on what it takes to build a secure web application. However, you can simplify this process to two steps: Use Ruby on Rails Hire Rietta I personally earned an M.S. in Information Security from Georgia Tech and started Rietta Inc. to build secure web applications for clients. This is our passion. It’s what we do. We even will audit the work done by your current / previous Rails development team.

New GIT Time Extractor Gem

Sun, 06 May 2012 00:00:00 +0000

I am happy to announce that the git_time_extractor project, released publicly on github.com in February, is now officially available as a RubyGem! git_time_extractor is a small command-line tool that produces a CSV time log for each developer/contributor to a project tracked in GIT. It uses the commit timestamps and three basic reasonable assumptions, approved by the developer’s accountant. It other words, computes the estimated time spent by developers working on code within a GIT repository.

mod_deflate: Dramatic website speed increase with Apache compression on Ubuntu Linux

Wed, 18 Apr 2012 00:00:00 +0000

Last Updated on October 6, 2013. {% render_partial _includes/maintained_post.md %} It’s easy to dramatically improve the loading speed of your website by enabling compression support in your Apache web server. This works without needing to make any changes to your backend or database code no matter what programming platform your development team uses. I recently added this change to a Ruby on Rails-based web application running on a Ubuntu Linux dedicated virtual server.

Big data a big deal for SQL Server 2012, users say

Tue, 17 Apr 2012 00:00:00 +0000

TechTarget just published an article by Alan Earls in which both Sanjay Bhatia (of Izenda), a fellow founder of Atlanta-based database company (and ATDC graduate), and myself were quoted. Big data a big deal for SQL Server 2012, users say: For Frank Rietta, the fact that Microsoft has been willing to work with an established open source project is the best part of SQL Server 2012. Rietta is talking about the Apache Hadoop integration with SQL Server 2012.

What is Protected Personally Identifiable Information? Do I really have to hash users' passwords?

Thu, 05 Apr 2012 00:00:00 +0000

{% render_partial _includes/series/encryption.md %} The Short Answer The legal answer depends on which Federal, State, and local laws apply to your company. And I am not a lawyer. However, for companies whose nexus is in Georgia, where my company is located, the Georgia General Assembly has given some guidance in the data breach law. And yes, you really do have to hash your users’ passwords or you risk having to do a full blown Data Breach Notification if the user’s table is ever compromised!

Startup Riot 2012 is done; congratulations to the winners

Wed, 22 Feb 2012 00:00:00 +0000

Startup Riot 2012 at the Tabernacle in Atlanta was enjoyable and informative. Anytime you get that many entrepreneurs and investors together in one place, good things will happen. The conversations alone are well worth the price of admission. Congratulations to the winners: ViaCycleSalesLoftDriver.lyThree minute pitches in front of a live audience and a panel of celebrity judges are tough. You all stuck your necks out in a big way and came home with the prize.

[Rails] Good Random Positive Integer

Fri, 03 Feb 2012 00:00:00 +0000

Tonight I needed a quick way to generate a good pseudo random number. The following statement in Ruby will generate a positive integer between 0 and the maximum integer supported on the system. SecureRandom.random_number((2**(0.size * 8-2)-1)) Running that 10 times as a test on my system returned: 479960941838047707 4598189742420362323 4319555246297899788 79907720343840910 1019099276589074756 1753578159791031009 51485412595337811 3333462064391733874 2622897372121370782 4287564549349999056 That’s all for tonight. Sources Secure random number generator interface Ruby max integer

Generate OpenSSL RSA Key Pair from the Command Line

Fri, 27 Jan 2012 00:00:00 +0000

While Encrypting a File with a Password from the Command Line using OpenSSL is very useful in its own right, the real power of the OpenSSL library is its ability to support the use of public key cryptograph for encrypting or validating data in an unattended manner (where the password is not required to encrypt) is done with public keys.

Rails: Point DNS to 127.0.0.1 to Test Wildcard Subdomains on WEBrick

Tue, 24 Jan 2012 00:00:00 +0000

Want quick method for testing domain/subdomain-based routing logic in your Rails applications? Point a subdomain and wildcard subdomain of your company’s DNS to 127.0.0.1, your localhost IP address. Then you can use that domain to access your local test web server on your local machine. For example, I added DNS “A” records for: test.rietta.com → 127.0.0.1 *.test.rietta.com → 127.0.0.1 Now Rietta’s developers can each access his local WEBrick server with:

Rails: Gmail Reply-To on Contact Form Email

Wed, 18 Jan 2012 00:00:00 +0000

Most websites have a contact form for visitors to fill out a message that is then e-mailed to the owner or support contact for the website. When working with a Rails app that will be hosted in a cloud environment that does not supply outbound email delivery it can be convenient to use a Gmail (or Google Apps) account at first for outbound delivery. The trouble is that Google’s SMTP server will rewrite the email address set in the email message to match the address of the account.

Wikipedia blackout tomorrow in protest to SOPA/PIPA

Tue, 17 Jan 2012 00:00:00 +0000

Tomorrow (Jan 18) Wikipedia will be shut down for 24 hours in protest of Congress’ continuation of consideration of the Stop Online Privacy Act (SOPA) and Protect IP Act (PIPA).

The Wikipedia blackout demonstrates the chilling nature of what can happen when websites can be shutdown on mere accusation without due process. The new requirements could even stifle early-stage investment in internet startup companies.

Rails: TypeError: nil can't be coerced into Float

Sat, 14 Jan 2012 00:00:00 +0000

When working on Ruby on Rails website some of the common errors that you need to check for is nil objects when something else was expected. For instance, suppose one of your ActiveRecord models has a price field. Further suppose that the user left this field blank instead of entering 0.0 as the price. This computation will fail: quantity = 3 # ... amount_to_charge = price_field * quantity It fails with a “TypeError: nil can’t be coerced into Float” exception.

OpenSSL: Encrypt a File with a Password from the Command Line

Mon, 09 Jan 2012 00:00:00 +0000

{% render_partial _includes/series/encryption.md %} Do you know how to use OpenSSL to protect sensitive information in storage instead of just in transit across the network? In fact, your can use the OpenSSL command line too to encrypt a file on your Mac OS X, Linux, or FreeBSD based computer. Support for the library are included by default in PHP and Ruby. So there is no reason not to use it to add additional security to your web applications.

Integrate Blog Content with your Rails 3 Website with Pure Ruby Code and RSS

Mon, 02 Jan 2012 00:00:00 +0000

The full sample code used for this post is available as a Ruby on Rails 3.1 project at https://github.com/rietta/SimpleBlogFeed. Suppose you have built an amazing new website using Ruby on Rails 3. It has tons of features and some great content. However, one thing it is lacking is a solid blog section. You would like to avoid writing your own blog code in Rails since there are already tons of solid blog applications to choose from - Wordpress, Moveable Type, Typepad, Blogger.

How to automate copyright notice updates in Ruby on Rails

Mon, 26 Dec 2011 00:00:00 +0000

I sure hope everyone had a wonderful Christmas with their families. I am personally enjoying taking a few days off work and doing some reading. On Christmas morning, I bought a copy of Rework (Kindle edition) by Jason Fried and David Heinemeier Hansson. The “Go” Chapter alone is worth the price of admission! One day I may share more about this book. However, today it seems like a great time to share another Ruby on Rails coding trick with you.

Conditionally Including Resources on SSL or non-SSL to Avoid Mixed Content Security Warnings in Ruby on Rails

Wed, 21 Dec 2011 00:00:00 +0000

When building content that can be delivered on an encrypted HTTPS connection it is necessary to reference all of the embedded resources, 3rd party badge images, embedded YouTube videos, etc, from an HTTPS url. Otherwise a mixed content error will imply to your users that the website is not safe, ouch!

Adding RANDOM alias to RAND in MySQL without Changing Ruby on Rails Code

Mon, 19 Dec 2011 00:00:00 +0000

While building the new website for http://www.sqlconverter.com, I recently ran into a slight compatibility issue between the SQLite3 database used for local initial development and MySQL when the site was prepared for production. What was the compatibility issue? It was the random function!

iPhone + Mobile Camp Birmingham

Wed, 23 Dec 2009 00:00:00 +0000

The iPhone + Mobile Camp Birmingham on December 12 was a lot of fun. Brian and Andria of Appsolute Genius did a great job putting together the event. There were good sessions on both the technical and business aspects of building apps. Brian and I lead a discussion about some of the business and legal considerations of working with the iTunes App Store.

Web Application Security & Performance

Tue, 22 Sep 2009 17:07:00 -0500

As a business owner or manager, you need to be aware of the main legal liability and technical challenges that face any critical website or application. Your business will be better positioned to succeed if you understand how to answer these five key questions: Is your business making one or more of the top five web application mistakes that generate business risk? How can performance and security assessments help increase your ROI?

Basics of iPhone Development @ SIEGE 2009

Fri, 11 Sep 2009 00:00:00 +0000

I am really looking forward to SIEGE 2009 in Atlanta. I will be participating in the panel session on the Basics of iPhone Development on Friday, October 2.

Authentication Without Encryption for Ham Radio

Mon, 17 Aug 2009 00:00:00 +0000

In April 2004, I gave a talk for the Atlanta Radio Club about the possibilities for authenticated digital communication for amateur radio applications. I published the document on my Georgia Tech website at that time. Since I no longer have an account at Georgia Tech, I am re-posting the document here. Authenticating on a Ham Internet The FCC regulations for amateur radio, part 97, rule that encryption cannot be used to obscure the meaning of communications.

Startup Professionals Musings: Startups: Top 10 Funding Sources

Tue, 10 Mar 2009 00:00:00 +0000

Martin Zwilling posted a summary of the Top 10 Funding Sources for startup companies. I personally funded my current company with the proceeds of the sale of a previous business and lots and lots of sweat equity. While Mr. Zwilling mentions bartering services for equity, it is also quite possible to barter services for a profit sharing arrangement with the people who help with a particular project. This way the company equity remains with the founders and yet those who take the risk to invest in one or more projects can be rewarded for their time investment once that project takes off in the marketplace.

Tired of Contact Form Spam?

Fri, 25 Jan 2008 00:00:00 +0000

Many of my customers have been receiving an increasing amount of spam through their website contact forms. The spammers fill in fake names, email addresses, phone numbers, and a junk message with lots of links. To counter these spammers, one must make the web-form difficult for a spambot to fill out and yet keep it usable for valued human guests. CAPTCHAS are used in a lot of places online, but randomized field names are preferable because no strain is put on a human guest.

Software Marketing Metrics

Mon, 29 Jan 2007 00:00:00 +0000

In software marketing, it is important to change one thing at a time and measure the results. Continual iterative improvement is the best way to achieve long term, measurable, results. So what are conversion ratios? Conversion ratios are simply tools to measure how effectively your product is being sold. They can often be easily computed directly from your web logs. The Overall Conversion Ratio, the Download Conversion Ratio, and the Trial Conversion Ratio are particularly useful, and easy to calculate, for those selling software on the internet.

The SIC-2007 Call for Papers is Hot off the Press

Sun, 21 Jan 2007 00:00:00 +0000

The SIAF Board released their call for papers and presentations for SIC 2007, in Denver Colorado. The annual Shareware Industry Conference is a lot of fun for software developers and marketers. I had a blast last year when I presented Business Intelligence for the Micro-ISV.

Happy Copyright Notice Update Day!

Mon, 01 Jan 2007 00:00:00 +0000

Today, New Year’s Day, is the first day on the Gregorian calendar. It is also the perfect opportunity to update those various copyright notices. Therefore, I like to call today Copyright Notice Update Day. Comments< Jimmy M. Espana Pretty funny Frank ;) Take care, JME

Georgia Tech to Compete in Network Security Contest

Thu, 07 Dec 2006 00:00:00 +0000

Students from the Georgia Institute of Technology competed in the 2006 UCSB International Capture The Flag contest. The Tech team was called int80 and consisted of about forty graduate students and some undergraduates. The Georgia Tech team, int80, came in 5th place. The winner of the contest was the TU Vienna team, We_0wn_Y0u. The results can be seen at http://www.cs.ucsb.edu/~vigna/CTF/final_results.html. The final video is at http://www.cs.ucsb.edu/~vigna/CTF/iCTF_UCSB_2006.mov.

The new City of Johns Creek

Fri, 03 Nov 2006 00:00:00 +0000

I look forward to voting for the council members for the new City of Johns Creek, Georgia, next week. Our new city was chartered by the Georgia General Assembly in HB 1321 earlier this year. One thing that bothers me about the name of the city is that they have completely dropped the possessive. The city is named after John’s Creek, a stream that runs through what used to be John Roger’s property.

Support Does Not Scale. Customer Service Does.

Thu, 10 Aug 2006 00:00:00 +0000

Patrick McKenzie posted a fabulous article on how customer service scales. It is an excellent article to help small business owners think about how small things are important in customer service communications. On a slightly unrelated note, it is a big mistake for most companies to outsource customer service. Customer facing processes, particularly customer service, are sources of business intelligence on customers’ needs and frustrations. Great pause must be taken when considering outsourcing or ignoring vital customer processes.

A.R.M. Yourself Against SQL Injection

Tue, 08 Aug 2006 00:00:00 +0000

To effectively protect your web application from SQL injection attack, you must ARM yourself. That is, when writing applications, be sure to validate all input strings There are three, and only three, options when given a piece of data: Accept it Reject it Modify it It might seem obvious that all input must be validated. Too often, webmasters and programmers are focused on getting a working application under time pressure and may not implement the best security practices.

Business Analysis of Web Application Information

Mon, 26 Dec 2005 19:23:00 +0000

Gain Insight into Your Web Application’s Data through MySQL and Microsoft Excel Data Integration: An Important Reporting Tool Businesses often use a collection of independently developed applications, with vendor-supplied database layouts. In order to understand the big picture of the business it is important to pull information from multiple sources into a flexible analytical tool. One such tool is the ubiquitous spreadsheet application, such as Microsoft Excel, that is capable of pulling information from multiple sources and performing various analytical reporting functions.

Extend Firefox: Your Guide to Writing Firefox Extensions

Wed, 09 Nov 2005 00:00:00 +0000

After three weeks of work, the first draft of Extend Firefox is complete and available on this website. This document explores the process for creating an extension for Firefox 1.5. The topics covered include adding a button to the status bar, adding a menu item, adding a preference pane. The tutorial goes in depth, with copious code samples, how to actually do something with the buttons once they are added. The sample code is all from program called Home Page Scheduler that was developed for this tutorial.

A product website without pricing information is really annoying!

Sun, 14 Aug 2005 00:00:00 +0000

Looking at the website, of a product in which I am interested, that does not show the price is frustrating! It is frankly amazing to me how many product websites from reputable companies do not make it easy to find out how much their widgets cost. When I cannot determine the price on the same page as the product information, I generally assume it is too expensive and move on. I wonder how many potential customers are turned away by hard to find pricing information.

Saying no to PayPal Phishing Attacks

Tue, 09 Aug 2005 00:00:00 +0000

Users on my mail server, well at least the ones with domains subscribed to the filtering service, no longer receive PayPal spoofs unaltered! The trick to catching this vermin is both simple and accurate. An e-mail is certainly a phishing attack when all three of the following conditions are met: The From address claims to be paypal.com The Received header, which indicates the address of the computer from which the e-mail was actually received, is not paypal.

Upcoming Beta Release: SQL Converter 2 for Excel

Mon, 25 Jul 2005 00:00:00 +0000

There is nothing quite like the exhilaration from lack of sleep and high levels of caffeine present during a marathon coding week. Fortunately, I am able to take my time this week preparing SQL Converter 2.0 for Excel for beta release. The core program is functioning well and I have spent the last day wrestling with Windows Installer issues. From a developer perspective, building object oriented software in VBA for Excel is a pain.

Less is more! Google offers less talk

Thu, 21 Jul 2005 00:00:00 +0000

Yesterday I was visiting my grandmother, who had recently purchased a new computer and wanted to use the Internet. The person who had helped her install her computer had set her up with Juno because it was free. However, my grandmother found it impossible to use because it was too visually distracting. She wanted access to a few things including e-mail, IM, and maps. She and I changed her dial-up service to that provided by her local phone company and then registered a gmail.

WinZIP sold and needs technical improvements.

Mon, 18 Jul 2005 00:00:00 +0000

Henk on sharewareblogs.com is reporting that WinZIP has been sold to Vector Capital, which is the company that owns Corel, JASC, and Real Networks. I hope Nico Mak and company received the appropriate compensation for their years of work. Only time will tell if the new owners do more than just change some icons and increase the price for the WinZIP software. I hope they improve the performance on B2ZIP and GZIP compressed TAR files so that decompression can go on-the-fly.

A Little Huffman Coding with Java Tricks

Mon, 16 May 2005 00:00:00 +0000

A Huffman code is a way to utilize a binary tree to construct a minimal-length encoding for messages where certain characters or groups of characters have known frequencies. The tree used for such an operation called a Huffman tree. Huffman codes are the most efficient compression method for random data and are often found as steps in other compression algorithms such as JPEG and Deflate (ZIP). Building such trees is a very common exercise for Computer Science and Math classes so I can skip the details.

Re: David Bartosik: Why Robots.txt by Matt Benya

Sat, 07 May 2005 10:00:00 -0500

I came across a blog article, David Bartosik: Why Robots.txt by Matt Benya (Archive.org Link), which happens to mention RoboGen, a program for editing robots.txt files that I wrote nearly six years ago! I do enjoy finding references to my previous work. Mr. Benya’s explanation on of the robots.txt file reminds me of a situation I came across a few weeks ago. I had logged into one of the web servers and noticed the system was not responding as snappily as usual.

Improving my personal efficiency with KDE.

Sat, 07 May 2005 00:00:00 +0000

I have recently been struck with the “how can a good graphical environment help me be more efficient” bug. Many of the people I work with have migrated to Apple laptops for various reasons. It seams like the majority opinion is that Mac OS combines the best of the UNIX world with a very productive, HCI-friendly user interface and more applications. However, I do not own an Apple laptop so I figured this was a good opportunity to play around with the new KDE 3.4 on my FreeBSD 5.3-powered Toshiba Satellite. To sum it up, I like it and here is a screen shot of my current configuration with some random KDE-centric applications opened:

SWT and Swing in the News, Again.

Sat, 30 Apr 2005 00:00:00 +0000

It seems that the SWT vs. Swing is back in the news. Maybe it has never gone away but I have simply not noticed it as most of my work in the last year has either been doing packet inspection with C or simple scripting - aka no significant Java work. On the Thought: Gosling on SWT, “…Gosling says AWT == SWT. That’s sort of true but less true than more.

Part I: Introduction to SQL Injection

Sat, 23 Apr 2005 00:00:00 +0000

This is Part I of a serialization of a paper I have written on the SQL Injection defenses. As portions of the paper are finished I will post them on this blog. Topics will include a discussion on access control, security models, classification of attacks, and intrusion detection techniques. SQL injection is a technique often used to exploit database systems through vulnerable web applications. The techniques allows the attacker to not only steal the entire contents of relational databases but also, in many cases, to make arbitrary changes to the both the database schema and contents.

Symposium and Onward; SQL Lint

Thu, 14 Apr 2005 00:00:00 +0000

The UROC symposium, which was basically a poster conference, went very well. It was very interesting to see all of the undergraduate research that had gone on - from quantum cellular automata (QCA) for nano-computers to machine learning of simulated ant behavior. I was glad to get the feedback from the audience on the SQL Injection presentation and will continue to push to polish up the paper and set things up for the next stage of the work.

The Start of Something Interesting

Fri, 08 Apr 2005 00:00:00 +0000

I have never seriously considered the prospect of creating a Blog, while I have been a frequent subscriber to a number of others. In fact it was only this morning that I realized that Blogger was actually a product of Google, which goes to show how little attention I have paid to it. However, I figure this is as good a place to start as any and makes starting a lot easier than setting up blog software on my own server.