Your vulnerable application allows anyone on the internet to:
None of us signed up for this. Security is wickedly hard to get right and it doesn't come with an instruction manual. At best, you're checking off a laundry list of OWASP vulnerabilities but this is not a viable strategy for keeping your software secure.
I'm Ali, and I am not a security consultant. I'm just a rank-and-file Rails developer. I've been building web applications for nearly seven years.
Every single codebase I've worked on has exposed trivially exploitable vulnerabilities.
I took an interest in web app security and I now consistently find multiple security flaws in Rails applications, often with only a brief code review or browse of the website.
Don't believe me? Ask this guy:
I was pretty confident that my Rails app was secure. Then, lying on my couch, I watched Ali remotely hack my site within minutes of showing it to him - damn. He followed this up with a concise explanation of what he'd done, and various recommendations for how I could prevent it from happening again. Incredibly valuable. A savvy hacker would've ripped my app apart in minutes if I'd launched without it.
I say again: I've never worked as a professional security researcher. The reason that I find these vulnerabilities is that most Rails developers are tragically unaware of the basic security requirements of their applications.
This is not through negligence or stupidity. Programmers who are smarter than me push insecure code to production all the time. What's lacking is an awareness of the behaviour of their code in an adversarial context.
I will continue to be the grumpy security guy on every team I'm hired into, but fixing the internet one Rails application at a time strikes me as somewhat inefficient.
I'm writing an ebook with all of my knowledge on finding and fixing vulnerabilities in Rails applications.
My goal is to get you to look at your code like an attacker would. Every line of code you write is potentially another round of ammunition in an attacker's arsenal. Making this shift in mindset is the only way to keep your code secure in the long run.
The best way to instill this mindset in you is to dive into the technical details of real-life vulnerabilities. By showing you exactly the sort of vulnerabilities I'm talking about, you'll begin to identify patterns and themes that you can use to develop exploits in your own applications.
So along with the ebook, I'm offering a set of screencasts. Each screencast will walk you through introducing, exploiting and fixing a security vulnerability in a typical Rails application.
The vulnerabilities are each "based on a true story" but shockingly similar to code you'll find in the wild.
For each vulnerability we'll cover:
No one is going to pat you on the back for getting security right, and production (usually) won't explode when you get it wrong. In the worst-case scenario, your entire infrastructure is put to use by bad people without you or your employer ever knowing. No one is going to encourage you to build secure software; you have to make that choice.
We're not doctors or lawyers. If we make mistakes building web applications, we don't immediately ruin people's lives. But building insecure software causes real harm to your employer, your users and society at large.
I'm not guaranteeing that you'll work through my material and your application will become an unassailable fortress.
All I'm offering is a fighting chance against attacks targeting the most common weak points.
A breakdown of the strategy, tactics and process you'll need to keep your work free of vulnerabilities.
If you're looking for quick fixes, this is not the book for you. My aim is to instill in you the habit of looking for vulnerabilities in any code you write.
The ebook, plus a step-by-step video breakdown of typical vulnerabilities that you find in a Ruby on Rails application.
For each vulnerability, we'll cover:
The Ebook + Screencast bundle, with a license granting use for all employees at your company.