Brandon Dees (@brandondees) and I are both really big security geeks when it comes to technology. We are both really into bringing multi-factor authentication as standard equipment to the applications that we build. With something you have, and something you know, instances like the Buffer app breach can be mitigated in many circumstances.
Major Vulnerability, Action Required. A major vulnerability for OpenSSL 1.0.1 was announced today, April 7, 2014. The Heartbleed Bug, CVE-2014-0160, is a major vulnerability that may lead to secret key disclosure. A discussion of this vulnerability can be found on the Hacker News thread on the Heartbleed vulnerability.
As tax season rolls around, it is important to keep an eye on the tax credits that are available to startups. These credits are easy to forget because they are not something that just anyone can claim on a business tax return. But as a startup company, or an existing business building software that has a risk of failure, the government wants to provide you with financial incentives to build it within the United States.
Each year, one of the better credits available to companies commissioning a custom software development project is the Federal Research & Development Tax Credit. The IRS publishes its Audit Guidelines on the Application of the Process of Experimentation for all Software.
In today’s issue of the Mastering the Terminal series, I present to you the easy way to find your top website referral sources using only tools available on the Linux (or Unix) command line and your raw Apache access log file.
In this issue
- Get and compare the current Git branch in BASH
- New book of the month
  - Don’t Make Me Think, 3rd Edition
- In the news
  - PaperClip (Ruby on Rails) Insecure Defaults
  - Yahoo user accounts compromised through third party database breach
  - Buffer database compromised through compromise of MongoHQ support credentials
My favorite revision control system is Git. I use it to maintain all of my Ruby on Rails projects, my Linux system configuration, and even this blog!
In my web development work, I like to automate as much as possible with BASH shell and Ruby scripts. This makes my work easier by replacing repetitive tasks with simple commands and reduces the instances of certain classes of mistakes in my daily workflow. One of those mistakes that I would like to avoid is accidentally publishing a draft post to the live website.
Here is how I use the value of the current Git branch to keep from accidentally publishing a post to the real website before it is ready!
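The branch guard described above, as an added example that is not the author's own script: a small set of BASH functions that read the checked-out Git branch and refuse to run the publish step unless it matches the branch that feeds the live site. The branch name "master" as the live branch, the deploy command, and the host are assumptions.

```shell
# Added example (not the original post's script). Assumption: the live site
# is published from the branch named "master"; every other branch is a draft.

# Print the checked-out branch name; prints nothing when not in a Git repo.
# Note: Git prints "HEAD" here when the checkout is detached, which the
# guard below treats like any other non-publish branch.
current_branch() {
  git rev-parse --abbrev-ref HEAD 2>/dev/null
}

# Return 0 when branch $1 equals the allowed publish branch $2 (default:
# "master"). Exact match only: "master-drafts" or "release/master" fail.
is_publish_branch() {
  [ "$1" = "${2:-master}" ]
}

# Guard to call before the deploy command. Returns 2 outside a repo,
# 1 on a draft or detached checkout, 0 when publishing is allowed.
require_publish_branch() {
  allowed="${1:-master}"
  branch=$(current_branch)
  if [ -z "$branch" ]; then
    echo "not inside a git repository: refusing to publish" >&2
    return 2
  fi
  if ! is_publish_branch "$branch" "$allowed"; then
    echo "on branch '$branch', not '$allowed': refusing to publish" >&2
    return 1
  fi
  return 0
}

# Usage in a deploy script (rsync target is a placeholder):
#   require_publish_branch && rsync -a _site/ user@example.invalid:/var/www/
```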
For years, I lived with a secret that I did not want to share. I never learned how to type properly! As a professional software developer with a couple of computer science degrees from Georgia Tech, that’s difficult to admit.
I have locked myself out of important accounts more than a few times. Just this morning, I found myself again locked out of a MySQL database server on an Ubuntu Linux machine. This should also work with any Debian-based Linux that uses the apt-get package management system.
Fortunately, I had administrative access to the server through SSH and thus was able to reset the MySQL root password with the package management script. It only took one simple command.
When a contract requires anti-virus on all computers, even the Mac OS X systems, which do you choose?
Macs are not Commonly Affected, in the traditional sense
One nice thing about working in a heavily Mac OS X environment, which most Ruby on Rails development companies are, is that there just are not the number and variety of viruses on the platform that there are in the Windows environment.
This is not to say that a Mac user does not face many security threats – they do face threats, nor that they cannot be hacked – they most certainly can be hacked. In fact, a review of Secunia’s Vulnerability Report: Apple Macintosh OS X is a good exercise here. All this said, Macs are just not commonly known to be affected by viruses in the same sense that a Windows or DOS computer has been. And some of this is the economics of virus authoring.
However, as a Mac OS X user, I am not invulnerable and I am still required by contract to install and use anti-virus software.
The PCI Requirement
Everyone who has had to deal with a company accepting credit card transactions knows about the Payment Card Industry Data Security Standard (PCI-DSS). You can read the rules for yourself at Payment Card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures – Version 2.0 (PDF document). It’s 75 pages long, and in my personal opinion is great light bedtime reading. Among its requirements is that all companies that handle credit card data in any way, even just keying it into a web-based terminal, must maintain a vulnerability management program. This prescriptively requires that the business must: