Rietta: Web Apps Where Security Matters

Rietta's Web Application Security Learning Center

Welcome to our catalog of resources on how to succeed with web application security. To be able to focus on what is most important and productive, you need to develop your application with a strong culture of Test Driven Development, and you need a Defense in Depth strategy that covers:

  1. The business model, especially removing sensitive information that is not truly needed
  2. Technical controls in development
  3. The configuration and management of the deployment environment, that is, the devops

Choose from the videos below. These are not easy concepts, but by learning them and putting them in place within your organization, you will greatly reduce your exposure to information security threats and protect your customers.

The New Series

Lesson 1 – As a Developer, You Can Prevent A Data Breach

As a developer, you can prevent a data breach! Don’t let your boss throw you under the bus when there is a predictable incident. Here’s how.

Lesson 2 – Blue, Red, and Purple Teams In Software Development

In the traditional setting at larger organizations, software development is carried out by the blue team, and a red team may be brought in to audit the security of the software, to pentest it, and to hand over a report of what the blue team needs to fix. This does not scale well to Agile-based approaches that ship code to production rapidly through continuous integration. For those, we have to take a purple team approach that combines the concerns addressed by the red team and the concerns addressed by the blue team into one harmonized effort. Basically, as a developer, you have to consider security as you work.

The Big Picture

Defending Against Data Breaches, as a Practicing Ruby Developer

A 20 minute conference talk given at Rocky Mountain Ruby 2015.

The Basics

What information do I need to secure?

Question: What information do we need to keep secure?

Answer: It’s about classifying the information. You can read more in Frank’s blog post on the Commercial Information Security Classification System.

Is Ruby on Rails secure?

Question: Is Ruby on Rails secure? What if I add SSL?

Answer: Security is not an on/off switch. You need to ask three questions whenever you are interested in determining the appropriate security level for anything.

  1. Secure against what?
  2. What is the worst thing that can happen?
  3. Compared to what alternative?

Sadly, there is no secure switch to make all the risks go away! One should not look for magic pixie dust, but understand that security is a process that includes all aspects of the business model, application development, and deployment management practices.

Does a UUID make a secure API token for an Android or iOS application’s API RESTful endpoints?

So you need to implement an API token for mobile applications to access your backend server. A common practice among Ruby on Rails or Sinatra developers is to use a UUID. But is this a good idea? Is it secure enough? Can I just store it in plaintext in the database?

No, a UUID stored in plaintext is not secure enough, for the same reasons that you should never store passwords in plaintext in the database: anyone who reads the table holds every client’s credential. UUIDs do make great random client identifiers, the equivalent of a username, and by following the same pattern you would use for securely hashing passwords (a random secret issued once, only its hash stored, the hash compared on each request) you can build a very secure API token system for your application. Note also that not every UUID is random: a version 1 UUID is derived from a timestamp and a MAC address, so only a version 4 UUID generated from a cryptographically secure source should be treated as unguessable.
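The pattern described above, worked through in Ruby as an added example (this is not Rietta’s code or the code from the video). It assumes a hypothetical in-memory `ApiTokenStore` standing in for an `api_tokens` table, a token of the form `client_id.secret` where the `client_id` is a version 4 UUID and the secret is 256 random bits, and uses only the Ruby standard library:

```ruby
require 'securerandom'
require 'digest'

# Hypothetical API token store standing in for an api_tokens table in a
# Rails or Sinatra backend. Added example for this page, not Rietta's code.
#
# The client receives "client_id.secret" once, at issue time. The client_id
# is a UUID and plays the role of a username: it may be stored and logged in
# the clear. The secret is the credential; only its digest is stored, so a
# leaked database dump does not yield working tokens.
class ApiTokenStore
  Record = Struct.new(:client_id, :token_digest, :issued_at)

  def initialize
    @records = {} # client_id => Record
  end

  # Issue a new token and return the only copy of the plaintext secret.
  def issue
    client_id = SecureRandom.uuid    # version 4 UUID from a CSPRNG, contains no '.'
    secret    = SecureRandom.hex(32) # 256 bits of entropy as 64 hex characters
    @records[client_id] = Record.new(client_id, digest(secret), Time.now)
    "#{client_id}.#{secret}"
  end

  # Returns the client_id on success, nil on any failure. Malformed input,
  # an unknown client and a wrong secret all end in the same nil result.
  def authenticate(presented)
    client_id, secret = presented.to_s.split('.', 2)
    return nil if client_id.nil? || secret.nil? || secret.empty?
    record = @records[client_id]
    return nil if record.nil?
    secure_compare(record.token_digest, digest(secret)) ? client_id : nil
  end

  # Revoke a client's token; true if one existed.
  def revoke(client_id)
    !@records.delete(client_id).nil?
  end

  # What actually sits in the database for a client: the digest, never the secret.
  def stored_digest(client_id)
    @records.fetch(client_id).token_digest
  end

  private

  # SHA-256 is sufficient here because the secret already carries 256 bits of
  # randomness, so brute-forcing the digest is infeasible. A slow KDF such as
  # bcrypt exists to protect low-entropy passwords; the same layout works with
  # bcrypt if you prefer to mirror your password storage exactly.
  def digest(secret)
    Digest::SHA256.hexdigest(secret)
  end

  # Constant-time comparison of two equal-length strings, so a wrong secret is
  # not rejected faster at the first mismatching byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  store = ApiTokenStore.new
  token = store.issue
  puts "issued:   #{token}"
  puts "stored:   #{store.stored_digest(token.split('.', 2).first)}"
  puts "valid?    #{!store.authenticate(token).nil?}"
  puts "tampered? #{store.authenticate(token.sub(/.$/, 'x')).nil?}"
end
```

In a real application the `Record` would be a row keyed by the UUID, and the lookup by `client_id` followed by a constant-time digest comparison means the database never needs to hold, or be able to reveal, the secret itself. Revocation is simply deleting the row.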

How to reduce an app’s vulnerability surface area while maintaining usability

Question: How do you eliminate surface area at multiple levels? How do you balance the need for security with the need for usability?

Answer: It’s best to remove sensitive information from the business model altogether. Where that is not possible, use technical controls to segment the sensitive data as part of a defense in depth strategy.