
Rietta's Web Application Security Learning Center

As a Developer, You Can Prevent a Data Breach.

To be able to focus on what’s most important or productive, you need to develop your application with a strong culture of Test Driven Development, and you need a Defense in Depth strategy that covers:

  1. The business model - especially removing sensitive information that is not truly needed
  2. Technical controls in development
  3. The configuration and management of the deployment environment - the devops


Intro to the Learning Center

Why?

Frank’s Personal Story

What’s Application Security?

Application Security is About Making Software Resilient from Attack by Adversaries with Access

Spring 2017: Applied Appsec Lesson Series

Lesson 1 - As a Developer, You Can Prevent A Data Breach

As a developer, you can prevent a data breach! Don’t let your boss throw you under the bus when there is a predictable incident. Here’s how.

Lesson 2 - Blue, Red, and Purple Teams In Software Development

Application Security is About Making Software Resilient from Attack by Adversaries with Access

Lesson 3 - Coming Soon

Public Presentations

Defending Against Data Breaches, as a Practicing Ruby Developer

A 20 minute conference talk given at Rocky Mountain Ruby 2015.

The Basics: What information do I need to secure? (Excerpt)

Question: What information do we need to keep secure?

Answer: It’s about classifying the information. You can read more in Frank’s blog post on this Commercial Information Security Classification System.

The Basics: Is Ruby on Rails secure? (Excerpt)

Question: Is Ruby on Rails secure? What if I add SSL?

Answer: Security is not an on/off switch. You need to ask three questions whenever you want to determine the appropriate security level for anything.

  1. Secure against what?
  2. What is the worst thing that can happen?
  3. Compared to what alternative?

Sadly, there is no secure switch to make all the risks go away! One should not look for magic pixie dust, but understand that security is a process that includes all aspects of the business model, application development, and deployment management practices.

The Basics: How to reduce an app’s vulnerability surface area while maintaining usability (Excerpt)

Question: How do you eliminate surface area at multiple levels? How do you balance the need for security with the need for usability?

Answer: It’s best to remove sensitive information from the business model. When that is not possible, use technical controls to segment the sensitive data as part of a defense in depth strategy.

The Basics: Does a UUID make a secure API token for an Android or iOS application’s API RESTful endpoints? (Excerpt)

So you need to implement an API token for mobile applications to access your backend server. A common practice among Ruby on Rails or Sinatra developers is to use a UUID. But is this a good idea? Is it secure enough? Can I just store it in plaintext in the database?

No, it’s not, for the same reasons that you should never store passwords in plaintext in the database. UUIDs do make great random usernames, though, and by following the same pattern you would use for securely hashing passwords, you can make a very secure API token system for your application.
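The pattern described above, as an added Ruby example that is not code from the original page or from Rietta: a UUID serves as the client’s public identifier, a separately generated random secret is handed to the client once, and only a digest of that secret is stored, so a database leak does not yield usable tokens. The in-memory `API_TOKENS` hash stands in for a database table and is constructed for this example.

```ruby
require 'securerandom'
require 'digest'

# Constructed stand-in for an api_tokens table: client_id => { digest:, user_id: }.
API_TOKENS = {}

# SHA-256 is adequate here because the secret is 256 bits of CSPRNG output;
# a user-chosen password would need a slow hash such as bcrypt instead.
def token_digest(secret)
  Digest::SHA256.hexdigest(secret)
end

# Compare two digests without short-circuiting on the first differing byte,
# so response time does not reveal how much of a guess was correct.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Issue credentials for a mobile client. The UUID is the public identifier
# (the "random username"); the secret is returned to the client exactly once
# and never written to the store in plaintext.
def issue_api_token(user_id)
  client_id = SecureRandom.uuid
  secret    = SecureRandom.hex(32)
  API_TOKENS[client_id] = { digest: token_digest(secret), user_id: user_id }
  { client_id: client_id, secret: secret }
end

# Look the client up by UUID, then check the presented secret against the
# stored digest. Returns the user_id on success, nil otherwise.
def authenticate_api_token(client_id, secret)
  record = API_TOKENS[client_id]
  return nil if record.nil? || secret.nil?
  secure_compare(record[:digest], token_digest(secret)) ? record[:user_id] : nil
end

# Revocation is a simple delete; returns true if a token was actually removed.
def revoke_api_token(client_id)
  API_TOKENS.delete(client_id) ? true : false
end
```

Because only digests are stored, presenting a leaked digest in place of the secret fails authentication, which is exactly the property plaintext storage lacks.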