Railsgoat
Introductions 
• Ken Johnson – CTO @nVisium 
– Former LivingSocialite 
– Develop heavily in Rails 
– Railsgoat Co-Author 
• Mike – Director of ProServ @nVisium 
– Former LivingSocialite 
– Isn’t here to defend himself, I can say what I want 
– Paler than me 
– Trendsetter of the “Skhaki”
Why? 
• Why not? 
• Lack of quality training available 
• Assist all of you!
RAILSGOAT CONFIG
Railsgoat Current Config 
• Rails 3.x 
• Custom Authentication 
• MySQL (optional) & SQLite 
• Mailcatcher 
• RSpec tests 
• **Easy to find credentials**
Railsgoat Upcoming Config 
• Rails 4.x 
• Devise Authentication (w/ Tutorials) 
• MySQL & SQLite (optional) 
• Mailcatcher 
• RSpec 
• Open to suggestions
MODEL LAYER
Model Layer – Mass Assignment 
• Mass Assignment 
– Not a huge issue in Rails 4 (strong parameters)… unless you instantiate models with data *outside* of the controller: only ActionController::Parameters is checked, a plain Hash (parsed JSON body, job argument, rake task) goes straight into the model 
– Rails 2 & 3 (don’t be ashamed, someone in this room is running 2.x) – Yes, very much a problem: protection depends on attr_accessible / attr_protected being set on every model 
– Audit for fun & profit 
– Ready, set, hack!
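The point about data arriving "outside the controller", as an added example (this is not Railsgoat or Rails code; `Params` and `User` are stand-ins written here for ActionController::Parameters and an ActiveRecord model):

```ruby
# Added example: a stripped-down model of Rails 4 strong parameters, written
# to show why the whitelist protects controller input but not a hash that
# reaches the model some other way. Not Railsgoat or Rails code.

# Stand-in for ActionController::Parameters: carries a "permitted" flag.
class Params
  attr_reader :to_h

  def initialize(hash, permitted = false)
    @to_h = hash
    @permitted = permitted
  end

  def permitted?
    @permitted
  end

  # Whitelist: keep only the listed keys and mark the result as permitted.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    Params.new(@to_h.select { |k, _| allowed.include?(k.to_s) }, true)
  end
end

class ForbiddenAttributesError < StandardError; end

# Stand-in for a model with a privileged column.
class User
  attr_accessor :name, :email, :admin

  def initialize(attrs = {})
    @admin = false
    assign_attributes(attrs)
  end

  # Mirrors ActiveModel::ForbiddenAttributesProtection: only objects that
  # respond to permitted? are checked. A plain Hash passes straight through,
  # which is the "data from outside the controller" trap on the slide.
  def assign_attributes(attrs)
    if attrs.respond_to?(:permitted?) && !attrs.permitted?
      raise ForbiddenAttributesError, "unpermitted parameters"
    end
    attrs.to_h.each { |k, v| public_send("#{k}=", v) }
    self
  end
end

# Constructed attacker input: a normal profile update with admin=true smuggled in.
EVIL_INPUT = { "name" => "mallory", "email" => "m@example.com", "admin" => true }

# Controller path: whitelist applied, admin is silently dropped.
def create_from_controller(raw)
  User.new(Params.new(raw).permit(:name, :email))
end

# Rails 2/3 style, or a model built outside the controller: the raw hash
# (say, JSON.parse of a webhook body) goes straight to the model.
def create_from_raw_hash(raw)
  User.new(raw)
end

# Controller path with the whitelist forgotten: the framework refuses.
def create_without_permit(raw)
  User.new(Params.new(raw))
rescue ForbiddenAttributesError
  nil
end

if __FILE__ == $0
  puts "controller: admin=#{create_from_controller(EVIL_INPUT).admin}"
  puts "raw hash:   admin=#{create_from_raw_hash(EVIL_INPUT).admin}"
  puts "no permit:  #{create_without_permit(EVIL_INPUT).inspect}"
end
```

The audit question this suggests: grep for `.new(` and `update_attributes(` / `assign_attributes(` calls whose argument is not `params`, and check what built that hash.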
Model Layer – Hashing/Encryption 
• Hashing vs. Encryption – hash what you only ever need to verify (passwords, MACs), encrypt what you need to read back 
• Strong hashing algorithms – bcrypt or PBKDF2 for passwords, SHA-2 family elsewhere; not MD5 or SHA-1 
• Strong encryption algorithms – AES with an authenticated mode and a fresh random IV per message 
• Rack::Utils.secure_compare vs. "==" – "==" returns at the first differing byte, so comparison time leaks how much of a token the caller got right 
• Be careful how you re-use – one key per purpose; never re-use an IV under the same key
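The secure_compare point and the hashing-versus-encryption split, as an added example (not Railsgoat code; the keys are generated on the spot and the AES-GCM and HMAC calls are the standard library's, not Rails helpers):

```ruby
# Added example, not from Railsgoat: a constant-time compare in the shape of
# Rack::Utils.secure_compare, an HMAC-signed (hashed, readable) token, and an
# AES-256-GCM encrypted (unreadable, recoverable) value, with one key each.
require 'openssl'
require 'securerandom'

# Equal-length check, then XOR every byte and OR the results together so the
# loop never returns early. This is how Rack::Utils.secure_compare works.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack("C*")
  result = 0
  b.each_byte { |byte| result |= byte ^ left.shift }
  result == 0
end

# What "==" does underneath: returns at the first byte that differs, so the
# elapsed time depends on how much of the secret the caller already has right.
def naive_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.each_byte.with_index { |byte, i| return false if byte != b.getbyte(i) }
  true
end

# One key per purpose (the slide's re-use warning): the MAC key never doubles
# as the encryption key. Both are assumed to come from secrets in a real app.
MAC_KEY = SecureRandom.random_bytes(32)
ENC_KEY = SecureRandom.random_bytes(32)

# Signing: the payload stays readable; the HMAC proves we issued it.
def sign(payload, key = MAC_KEY)
  mac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), key, payload)
  "#{payload}--#{mac}"
end

def verify(token, key = MAC_KEY)
  payload, mac = token.split("--", 2)
  return nil if payload.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), key, payload)
  secure_compare(expected, mac) ? payload : nil
end

# Encryption: for data you need back. A random 12-byte IV per message; reusing
# an IV under the same GCM key breaks both secrecy and the authentication tag.
def encrypt(plaintext, key = ENC_KEY)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  iv = cipher.random_iv
  cipher.auth_data = ""
  ciphertext = cipher.update(plaintext) + cipher.final
  [iv, cipher.auth_tag, ciphertext].map { |s| s.unpack("H*")[0] }.join("--")
end

def decrypt(blob, key = ENC_KEY)
  iv, tag, ciphertext = blob.split("--").map { |h| [h].pack("H*") }
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  cipher.update(ciphertext) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil # tampered ciphertext or wrong key
end
```

Password storage is a separate case (slow hash, per-user salt) and is covered under the authentication tips later in the deck.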
Model Layer – SQL Injection 
• ActiveRecord - Safe… well, sort of: bound values ("name = ?") are quoted for you, but where, order, group, pluck, calculate and friends also accept raw SQL fragments, and a string you interpolate is a raw fragment 
• http://rails-sqli.org/ – catalogue of the ActiveRecord methods that take raw SQL, with payloads
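An added example (not ActiveRecord or Railsgoat code) of the difference between interpolation and binding, plus the whitelist that is the only defence for methods like `order` where there is nothing to bind; `quote` and `bind` are simplified re-creations of what the adapter does, and the payloads are constructed in the style of rails-sqli.org:

```ruby
# Added example, not from Railsgoat or ActiveRecord: "?" binding next to the
# interpolation it cannot save you from, and a column whitelist for the
# methods whose argument *is* SQL.

class UnsafeColumn < StandardError; end

# Quote a Ruby value as a SQL literal (ANSI single-quote doubling; real
# adapters add their own escaping on top). Numbers stay bare, nil is NULL.
def quote(value)
  case value
  when Integer, Float then value.to_s
  when nil            then "NULL"
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# The shape of where("name = ?", value): each ? becomes one quoted value.
# Splitting first means a "?" inside a value can never be substituted again.
def bind(fragment, *values)
  parts = fragment.split("?", -1)
  raise ArgumentError, "wrong number of bind values" unless parts.size - 1 == values.size
  parts.each_with_index.map { |p, i| i < values.size ? p + quote(values[i]) : p }.join
end

# What people write: the value is pasted into the SQL text unquoted.
def interpolated_where(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

def bound_where(name)
  "SELECT * FROM users WHERE " + bind("name = ?", name)
end

# order(params[:sort]) has no bind variables: the argument is SQL. The only
# defence is a whitelist of column names you decided on in advance.
ORDERABLE = %w[name email created_at].freeze

def safe_order(column)
  raise UnsafeColumn, column.inspect unless ORDERABLE.include?(column)
  "SELECT * FROM users ORDER BY #{column}"
end

# Constructed attacker inputs.
PAYLOAD_WHERE = "' OR 1=1 --"
PAYLOAD_ORDER = "(CASE WHEN (SELECT 1 FROM users WHERE admin=1) THEN name ELSE email END)"

if __FILE__ == $0
  puts interpolated_where(PAYLOAD_WHERE) # WHERE name = '' OR 1=1 --'
  puts bound_where(PAYLOAD_WHERE)        # WHERE name = ''' OR 1=1 --'
  begin
    safe_order(PAYLOAD_ORDER)
  rescue UnsafeColumn => e
    puts "rejected order column: #{e.message}"
  end
end
```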
PRESENTATION LAYER
Presentation Layer – XSS 
• XSS = Cross-Site Scripting (aka – HTML injection) 
• html_safe – marks a string as already escaped, so <%= %> outputs it verbatim; raw() does the same 
• JSON in Rails 3.2.x – to_json does not escape <, > and & by default (escape_html_entities_in_json is false), so JSON dropped into a <script> block can close the tag
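Both slide points side by side, as an added example (not Railsgoat code; `ERB::Util.html_escape` is what `<%= %>` calls, and the `\uXXXX` rewrite reproduces what Rails does when escape_html_entities_in_json is on):

```ruby
# Added example, not from Railsgoat: the two ways untrusted text escapes a
# Rails template, and the JSON-in-<script> case from Rails 3.2.
require 'erb'
require 'json'

# Constructed attacker input.
PAYLOAD = %q{</script><script>alert(document.cookie)</script>}

# <%= user.bio %> : escaped, renders as text.
def render_escaped(bio)
  "<p>#{ERB::Util.html_escape(bio)}</p>"
end

# <%= user.bio.html_safe %> or <%= raw user.bio %> : escaping is off, markup is live.
def render_html_safe(bio)
  "<p>#{bio}</p>"
end

# Rails 3.2 default: to_json leaves HTML-significant characters alone.
def json_unescaped(obj)
  JSON.generate(obj)
end

# Rails 4 default (escape_html_entities_in_json = true): <, > and & become
# \uXXXX. JSON.parse reads back the same string, but the HTML parser no
# longer sees a closing </script>.
def json_html_escaped(obj)
  JSON.generate(obj).gsub(/[<>&]/) { |c| format('\\u%04x', c.ord) }
end

# The template that embeds the JSON: <script>var user = <%= @user.to_json %>;</script>
def script_tag(json)
  "<script>var user = #{json};</script>"
end
```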
Presentation Layer – Browser Behavior 
• Cookies 
– Client-side vs. Server-side – the default cookie store keeps the whole session in the browser (signed, but readable until the encrypted cookie store arrived in Rails 4); a server-side store keeps only an id there 
– HttpOnly and Secure flags 
• Headers 
– CSP 
– secure_headers – gem that sets CSP, X-Frame-Options, HSTS and friends for you
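What a header-setting middleware does, as an added example; this is not the secure_headers gem and not Railsgoat code, and the policy values are assumptions to adjust per application. It follows the Rack calling convention (`call(env)` returning status, headers, body) so it runs here against a fake app without Rack installed:

```ruby
# Added example: a Rack-style middleware that adds the slide's headers and
# hardens Set-Cookie, exercised against a fake downstream app.

class SecureHeaders
  # Assumed policy: self-only, no inline script, never framed.
  CSP = "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'"

  HEADERS = {
    "Content-Security-Policy"   => CSP,
    "X-Frame-Options"           => "DENY",
    "X-Content-Type-Options"    => "nosniff",
    "X-XSS-Protection"          => "1; mode=block",
    "Strict-Transport-Security" => "max-age=31536000; includeSubDomains",
  }.freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    HEADERS.each { |k, v| headers[k] ||= v } # a value the app set explicitly wins
    headers["Set-Cookie"] = harden_cookies(headers["Set-Cookie"]) if headers["Set-Cookie"]
    [status, headers, body]
  end

  private

  # Cookies: HttpOnly keeps them out of document.cookie, Secure keeps them
  # off plain HTTP. Rack 2 joins multiple cookies with "\n"; Rack 3 uses arrays.
  def harden_cookies(value)
    cookies = value.is_a?(Array) ? value : value.split("\n")
    cookies.map do |cookie|
      cookie += "; HttpOnly" unless cookie =~ /;\s*HttpOnly/i
      cookie += "; Secure" unless cookie =~ /;\s*Secure/i
      cookie
    end.join("\n")
  end
end

# Constructed downstream app: a page and a session cookie with no flags set.
FAKE_APP = lambda do |_env|
  [200, { "Content-Type" => "text/html", "Set-Cookie" => "_app_session=abc123; path=/" }, ["<h1>hi</h1>"]]
end

def run_request(app = SecureHeaders.new(FAKE_APP), env = { "REQUEST_METHOD" => "GET", "PATH_INFO" => "/" })
  app.call(env)
end

if __FILE__ == $0
  run_request[1].each { |k, v| puts "#{k}: #{v}" }
end
```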
LOGIC LAYER
Logic Layer – Insecure Direct Object Reference (IDOR) 
• Do not trust users – params[:id] is whatever the client chose to send 
• Prevention – scope every lookup through the current user (current_user.things.find(params[:id])), never Thing.find(params[:id]) on its own
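The vulnerable lookup and the scoped one, as an added example with in-memory stand-ins for the models and constructed data (not Railsgoat code):

```ruby
# Added example, not from Railsgoat: Invoice.find(params[:id]) versus
# current_user.invoices.find(params[:id]), with in-memory records.

Invoice = Struct.new(:id, :user_id, :total)
User    = Struct.new(:id, :name)

# Constructed data: Alice owns 1 and 2, Bob owns 3.
INVOICES = [
  Invoice.new(1, 10, 120.0),
  Invoice.new(2, 10, 80.0),
  Invoice.new(3, 11, 999.0),
].freeze
ALICE = User.new(10, "alice")
BOB   = User.new(11, "bob")

class NotFound < StandardError; end

# Invoice.find(params[:id]) : the only key is the id the client sent.
def find_invoice(id)
  INVOICES.find { |i| i.id == id } or raise NotFound
end

# current_user.invoices.find(params[:id]) : the lookup is scoped to the owner,
# so someone else's id is simply "not found" (no existence oracle either).
def find_invoice_for(user, id)
  INVOICES.find { |i| i.id == id && i.user_id == user.id } or raise NotFound
end

# Simulated controller action. `params` is client input and is not trusted:
# Integer() fails fast on anything that is not a number.
def show_invoice(current_user, params)
  id = Integer(params["id"])
  find_invoice_for(current_user, id).total
end
```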
Logic Layer - RCE 
• Remote Code Execution 
– YAML – YAML.load on untrusted input instantiates arbitrary Ruby objects (and runs their init hooks); use YAML.safe_load 
– Marshal – Marshal.load on untrusted input does the same and has no safe variant; use JSON for data you did not produce yourself
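Added example (not Railsgoat code) showing what the loaders actually do with a document that names a class: `Gadget` is a stand-in for any class in the app or a gem whose deserialisation hook does real work, and here it only records that the hook ran. The YAML and Marshal inputs are constructed.

```ruby
# Added example, not from Railsgoat: YAML.load / Marshal.load build whatever
# object the byte stream asks for, YAML.safe_load and JSON do not.
require 'yaml'
require 'json'

class Gadget
  attr_accessor :command, :log

  def init_with(coder)        # Psych calls this when it rebuilds the object
    @command = coder["command"]
    @log = "init_with ran for: #{@command}"
  end

  def marshal_dump
    @command
  end

  def marshal_load(data)      # Marshal.load calls this
    @command = data
    @log = "marshal_load ran for: #{@command}"
  end
end

# Psych 4 (Ruby 3.1+) made YAML.load safe and moved the old behaviour to
# unsafe_load; older Psych only has load, and that is the unsafe one.
def unsafe_yaml_load(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

def safe_yaml_load(text)
  YAML.safe_load(text)        # raises Psych::DisallowedClass for !ruby/object
end

# Constructed attacker-controlled document, as might arrive in a cookie, an
# upload or a YAML-typed parameter. It names a class the app never meant to build.
EVIL_YAML = "--- !ruby/object:Gadget\ncommand: touch /tmp/pwned\n"

# Marshal bytes for the same idea, produced here from a Gadget so the example
# needs no hand-written binary.
EVIL_MARSHAL = Marshal.dump(Gadget.new.tap { |g| g.command = "rm -rf /" })

def load_untrusted_with_marshal(bytes)
  Marshal.load(bytes)
end

# What to use instead: a format that only yields strings, numbers, arrays, hashes.
def load_untrusted_with_json(text)
  JSON.parse(text)
end

if __FILE__ == $0
  puts unsafe_yaml_load(EVIL_YAML).log
  puts load_untrusted_with_marshal(EVIL_MARSHAL).log
  begin
    safe_yaml_load(EVIL_YAML)
  rescue Psych::DisallowedClass => e
    puts "safe_load refused: #{e.message}"
  end
end
```

The audit is a grep for `YAML.load`, `Marshal.load` and `Psych.load` and a trace of where each argument comes from; anything that touches a request, a cookie, a queue or a file a user uploaded is a finding.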
Logic Layer – Regexp 
• Be careful with your Regular Expressions – in Ruby ^ and $ match at line boundaries, not string boundaries; anchor with \A and \z 
• Subtle Logic Flaw (demo)
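The flaw in the smallest form it takes, as an added example (not the deck's demo; the validations and inputs are constructed). Brakeman reports this pattern, and Rails 4 refuses a `validates :format` regexp with ^ or $ unless `multiline: true` is passed.

```ruby
# Added example, not from Railsgoat: ^/$ are line anchors in Ruby, so a
# validation written with them accepts any string that has a valid *line*.

# validates :website, format: /^https?:\/\//  versus the \A form
LINE_ANCHORED   = %r{^https?://}
STRING_ANCHORED = %r{\Ahttps?://}

def valid_website_line_anchored?(url)
  !!(url =~ LINE_ANCHORED)
end

def valid_website_string_anchored?(url)
  !!(url =~ STRING_ANCHORED)
end

# Same trap with $ : a trailing newline (or a whole second line) slips past $
# but not \z.
def username_line_anchored?(name)
  !!(name =~ /^[a-z0-9_]{3,16}$/)
end

def username_string_anchored?(name)
  !!(name =~ /\A[a-z0-9_]{3,16}\z/)
end

# Constructed attacker inputs: a javascript: URL with a "valid" second line,
# and a username with markup after the newline.
EVIL_URL  = "javascript:alert(1)\nhttp://example.com"
EVIL_NAME = "alice\n<script>"

if __FILE__ == $0
  puts "line-anchored accepts evil URL:    #{valid_website_line_anchored?(EVIL_URL)}"
  puts "string-anchored accepts evil URL:  #{valid_website_string_anchored?(EVIL_URL)}"
end
```

The value then goes into `<a href="<%= @user.website %>">`, which escaping does not help with: the attribute is valid HTML, the URL scheme is the problem.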
Logic Layer - CSRF 
• Somewhat well known aspects 
– Meta tag helper (csrf_meta_tags) 
– On by default 
– protect_from_forgery filter 
• Not so well known… 
– `match` routes bypass – in Rails 3 a `match` without :via answers any verb, and GET requests are never verified, so a destructive action becomes reachable by a plain link or image tag 
– Chain of execution is not halted – the Rails 3 default on a bad token is to reset the session and keep running the action; that only stops anything if the action depended on the session. Use protect_from_forgery with: :exception
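A model of the two "not so well known" behaviours, as an added example (not Rails or Railsgoat code; `Request` and the dispatch functions are stand-ins written here for the request object, `verified_request?` and `handle_unverified_request`):

```ruby
# Added example, not from Rails or Railsgoat: how protect_from_forgery decides
# to check, and what each failure strategy does with the action afterwards.

class Request
  attr_reader :verb, :params, :session, :cookies
  def initialize(verb:, params: {}, session: {}, cookies: {})
    @verb, @params, @session, @cookies = verb.upcase, params, session, cookies
  end
end

# GET and HEAD are assumed safe and are never verified. A `match` route that
# answers GET for a destructive action therefore skips the token check.
def verified_request?(req)
  return true if %w[GET HEAD].include?(req.verb)
  req.params["authenticity_token"] == req.session["_csrf_token"]
end

class InvalidAuthenticityToken < StandardError; end

# The action: deletes whoever is logged in. Login comes from the session or,
# like a remember-me cookie, from a cookie the session reset does not touch.
def destroy_action(req)
  user = req.session["user_id"] || req.cookies["remember_user_id"]
  return :not_logged_in unless user
  :"deleted_user_#{user}"
end

# with: :reset_session (Rails 3 default): wipe the session, continue the chain.
def dispatch_reset_session(req)
  req.session.clear unless verified_request?(req)
  destroy_action(req)
end

# with: :exception (what Rails 4 generates): halt before the action runs.
def dispatch_exception(req)
  raise InvalidAuthenticityToken unless verified_request?(req)
  destroy_action(req)
end
```

Two takeaways: a forged POST against a session-only login is stopped by the reset strategy only as a side effect, and a forged GET is never examined at all, whichever strategy is configured.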
Logic Layer – Session Handling 
• Logout 
– reset_session 
– Clear session values 
• Login 
– reset_session 
• before_filter(s) 
– Take a whitelist approach 
• Base access decisions off the current_user
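Why the slide wants reset_session on both login and logout, as an added example with a constructed in-memory session store (not Railsgoat code; a server-side store is modelled because the fixation is easiest to see there):

```ruby
# Added example, not from Railsgoat: session fixation against a server-side
# store, and the reset_session calls that close it.
require 'securerandom'

class SessionStore
  def initialize
    @sessions = {}
  end

  # Return the session for this id, creating an empty one for an unknown id:
  # the permissive behaviour that makes planting an id possible at all.
  def fetch(id)
    @sessions[id] ||= {}
  end

  def known?(id)
    @sessions.key?(id)
  end

  # reset_session: drop the old data and hand back a fresh id.
  def reset(id)
    @sessions.delete(id)
    SecureRandom.hex(16).tap { |fresh| @sessions[fresh] = {} }
  end
end

# Each call takes the id the browser presented and returns the id the browser
# should keep from now on (what the Set-Cookie header would carry).
def login_without_reset(store, sid, user_id)
  store.fetch(sid)["user_id"] = user_id
  sid
end

def login_with_reset(store, sid, user_id)
  fresh = store.reset(sid)
  store.fetch(fresh)["user_id"] = user_id
  fresh
end

def logout_with_reset(store, sid)
  store.reset(sid)
end

# current_user: who the store thinks this id belongs to, without creating anything.
def current_user(store, sid)
  store.known?(sid) ? store.fetch(sid)["user_id"] : nil
end

# Constructed scenario: the attacker picks an id and gets the victim's browser
# to present it (URL parameter, cookie set from a sibling subdomain, etc.).
ATTACKER_SID = "attacker-chosen-id"
```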
Logic Layer - Redirection 
• redirect_to …. You scoundrel – redirect_to params[:url] is an open redirect 
• Why does this matter? – a link on your domain that lands on the attacker's page is a phishing gift, and it launders the target past URL filters 
• URI.parse() – parse the target and check the host (or require a relative path) before redirecting
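The check, as an added example (not Railsgoat code). `OUR_HOST` is an assumed application host; the inputs are constructed and include the cases a plain "starts with /" test gets wrong:

```ruby
# Added example, not from Railsgoat: redirect_to params[:return_to] and the
# URI.parse-based check that replaces it.
require 'uri'

OUR_HOST = "app.example.com" # assumed; in an app this is request.host or a config value

# What the vulnerable controller does.
def naive_redirect(input)
  input
end

# Returns a target safe to hand to redirect_to, or the fallback.
def safe_redirect_target(input, fallback = "/")
  return fallback if input.nil? || input.empty?
  # Backslashes and control characters: browsers read "/\evil.com" as "//evil.com".
  return fallback if input =~ /[\\\r\n\0]/
  uri = begin
    URI.parse(input)
  rescue URI::InvalidURIError
    return fallback
  end
  if uri.scheme.nil? && uri.host.nil?
    # Relative URL: exactly one leading slash. "//evil.com" parses with a host,
    # "///evil.com" may not, and browsers treat both as another origin.
    input.start_with?("/") && !input.start_with?("//") ? input : fallback
  elsif %w[http https].include?(uri.scheme) && uri.host.to_s.downcase == OUR_HOST
    input
  else
    fallback
  end
end

if __FILE__ == $0
  ["/account", "//evil.com", "http://evil.com/", "https://app.example.com@evil.com/", "javascript:alert(1)"].each do |t|
    puts "#{t.ljust(36)} -> #{safe_redirect_target(t)}"
  end
end
```

Note the userinfo trick in the test list: `https://app.example.com@evil.com/` starts with the trusted host as text, but URI.parse correctly reports `evil.com` as the host.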
Logic Layer – Authentication Tips 
• Account Lock-Out 
• Password Complexity 
• Enumeration 
• Password Hashing 
• (heads-up) – Covering Devise auth in upcoming release of Railsgoat
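The four tips in one login routine, as an added example (not Railsgoat or Devise code): PBKDF2 from the standard library stands in for bcrypt, which is what Devise uses, and the lockout threshold, iteration count and password policy are assumptions.

```ruby
# Added example, not from Railsgoat or Devise: salted slow hashing, lockout
# after repeated failures, and a login path that answers "no such user" and
# "wrong password" identically and in the same time.
require 'openssl'
require 'securerandom'

MAX_FAILURES = 5       # assumed policy
ITERATIONS   = 50_000  # assumed; tune to your hardware budget

def pbkdf2(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32, OpenSSL::Digest.new("SHA256"))
end

# Constant-time compare (Rack::Utils.secure_compare in a Rails app).
def same_digest?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) } == 0
end

# Assumed policy: length over character-class rules, and no single-character runs.
def acceptable_password?(password)
  password.length >= 12 && password !~ /\A(.)\1*\z/
end

Account = Struct.new(:email, :salt, :digest, :failures, :locked)

class Accounts
  def initialize
    @by_email = {}
    # Used when the email is unknown, so that path still does one hash
    # computation and takes as long as a real failed login.
    @dummy_salt   = SecureRandom.random_bytes(16)
    @dummy_digest = pbkdf2(SecureRandom.hex(8), @dummy_salt)
  end

  def register(email, password)
    raise ArgumentError, "weak password" unless acceptable_password?(password)
    salt = SecureRandom.random_bytes(16)
    @by_email[email] = Account.new(email, salt, pbkdf2(password, salt), 0, false)
  end

  # Returns :ok, or :invalid for every failure mode. Lockout is tracked here
  # but reported with the same message; the owner is told out of band.
  def authenticate(email, password)
    acct = @by_email[email]
    if acct.nil?
      same_digest?(pbkdf2(password, @dummy_salt), @dummy_digest)
      return :invalid
    end
    return :invalid if acct.locked
    if same_digest?(pbkdf2(password, acct.salt), acct.digest)
      acct.failures = 0
      :ok
    else
      acct.failures += 1
      acct.locked = true if acct.failures >= MAX_FAILURES
      :invalid
    end
  end

  def locked?(email)
    !!@by_email.fetch(email).locked
  end
end
```

The same uniform answer belongs on the signup and password-reset forms; "that email is already registered" is the enumeration oracle most apps forget.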
UNIT-TESTS & REGRESSION
Unit-Tests / Regression Testing 
• Railsgoat has examples 
– RSpec 
• Regression Testing 
– Why 
– How
DEFENSIVE TOOLS
Defensive Tools 
• Brakeman – static analysis for Rails apps 
• Bundler-Audit – checks Gemfile.lock against the Ruby advisory database 
• Ensnare – nVisium's honeytrap gem for Rails 
• Rack-attack – throttling and blocklisting middleware
ROADMAP
Roadmap 
• Use GitHub Issue Tracker 
• Recap of upgrade effort 
• Extensible so looking for more contributors
Q&A 
• Questions?
Free Subscription 
• Send an email to contact@seccasts.com 
• Subject line – ATLRUG Free Sub 
– We will set it up on Friday
Contact 
• Twitter: 
– @cktricky 
– @mccabe615 
• Email: 
– ken@nvisium.com 
– mike@nvisium.com 
• Railsgoat 
– http://railsgoat.cktricky.com
Thanks to the following 
• Al Snow 
• Jim Manico 
• Jack Mannino 
• Justin Collins 
• Neil Matatall 
• …and a bunch of other folks as well
THANK YOU ATLRUG

ATLRUG Rails Security Presentation - 9/10/2014

Logic Layer – Session Handling
• Logout
– reset_session
– Clear session values
• Login
– reset_session
• before_filter(s)
– Take a whitelist approach
• Base access decisions off the current_user

Logic Layer – Redirection
• redirect_to …. You scoundrel
• Why does this matter?
• URI.parse()

Logic Layer – Authentication Tips
• Account Lock-Out
• Password Complexity
• Enumeration
• Password Hashing
• (heads-up) – Covering Devise auth in upcoming release of Railsgoat

Unit-Tests / Regression Testing
• Railsgoat has examples – RSpec
• Regression Testing
– Why
– How

Defensive Tools
• Brakeman
• Bundler-Audit
• Ensnare
• Rack-attack

Roadmap
• Use GitHub Issue Tracker
• Recap of upgrade effort
• Extensible so looking for more contributors

Free Subscription
• Send an email to contact@seccasts.com
• Subject line – ATLRUG Free Sub
– We will set up on Friday

Contact
• Twitter:
– @cktricky
– @mccabe615
• Email:
– ken@nvisium.com
– mike@nvisium.com
• Railsgoat – http://railsgoat.cktricky.com

Thanks to the following
• Al Snow
• Jim Manico
• Jack Mannino
• Justin Collins
• Neil Matatall
• …and a bunch of other folks as well
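For the "redirect_to / URI.parse()" point on the Redirection slide, here is an added Ruby example (not from the talk or from Railsgoat) of a helper that only lets a same-site, path-only target reach redirect_to and falls back to a default otherwise; the module name and DEFAULT_PATH are assumptions made for this example.

```ruby
require "uri"

# Added example: decide whether a user-supplied "return to" value is safe to hand
# to redirect_to. Rails treats a string with a scheme or a leading "//" as an
# absolute URL and emits it verbatim, so those must never come from the request.
module SafeRedirect
  DEFAULT_PATH = "/".freeze # assumed fallback for this example

  # Modelled on the pattern Rails uses to recognise an absolute URL.
  ABSOLUTE = %r{\A([a-z][a-z\d\-+.]*:|//)}i

  # Returns the path to redirect to: the supplied target when it is a plain
  # relative path on this site (query kept, fragment dropped), else DEFAULT_PATH.
  def self.target(raw)
    return DEFAULT_PATH if raw.nil?
    value = raw.strip
    return DEFAULT_PATH if value.empty?
    # Reject anything Rails would pass through untouched ("https:", "//host", "///host").
    return DEFAULT_PATH if value.match?(ABSOLUTE)
    # Some browsers normalise backslashes to slashes, so refuse them outright.
    return DEFAULT_PATH if value.include?("\\")

    begin
      uri = URI.parse(value)
    rescue URI::InvalidURIError
      return DEFAULT_PATH # unparsable input is never forwarded
    end

    # Belt and braces: the parsed form must have no scheme, host or credentials.
    return DEFAULT_PATH if uri.scheme || uri.host || uri.userinfo
    path = uri.path.to_s
    return DEFAULT_PATH unless path.start_with?("/")

    uri.query ? "#{path}?#{uri.query}" : path
  end
end
```

In a controller this would be used as `redirect_to SafeRedirect.target(params[:return_to])`, so the browser only ever receives a location that Rails prefixes with the application's own host.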

Editor's Notes

  1. Rails 2&3 - You can disable whitelisting, you can use blacklisting, you can simply add vulnerable attributes to the model (ouch)
  2. Session is reset but chain of execution is not halted