Inoculating Rails Auth Against Bug Bounty Hunters by Jason Meller

You've rolled up your sleeves and built the most secure custom auth ever conceived by a dev team. Suddenly, your CTO informs you that your app will be participating in the org's new bug bounty program. Terror fills your heart as you imagine security experts making mincemeat of your beautiful auth system. If only you knew their game plan... Kolide's CEO, Jason Meller, has been rolling his own Rails auth for over a decade and has the bug bounty receipts to prove it. In this talk, he will walk you through Kolide's actual bounty reports so you can level up your team's auth system.

Jason Meller is the CEO and Founder of Kolide, a security-focused infrastructure analytics company. Jason has spent the majority of his 11-year career building tools and products in Ruby on Rails to aid cyber security professionals, with the goal of ultimately making the field more accessible to newcomers.
Summary
In the presentation "Inoculating Rails Auth Against Bug Bounty Hunters," Jason Meller, CEO of Kolide, discusses hardening authentication systems in Ruby on Rails applications, particularly in the context of bug bounty programs. Meller emphasizes that a team must thoroughly understand the authentication mechanisms it owns in order to address the vulnerabilities that security researchers in such programs will expose.

Key points discussed include:

- **Rolling Your Own Authentication**: Meller outlines his experience building custom authentication for Kolide's application, weighing off-the-shelf solutions such as Devise against a tailored system, and against the significant development effort that building and maintaining custom authentication entails.
- **Bug Bounty Programs**: He highlights the value of these programs in discovering vulnerabilities, describing them as ongoing, cost-effective penetration tests that keep costly security issues from going unnoticed. Meller advises companies to approach bug bounty participants with an open mindset, welcoming their reports rather than treating them defensively.
- **Common Pitfalls**: Meller warns about mistakes organizations make when running bug bounty programs, including being overly defensive, not adequately compensating valid reports, and poorly defining the program's scope.
- **Real-World Examples**: He shares incidents from Kolide's bug bounty program, showing how ethical hackers found real vulnerabilities through effective testing. One example shows how a chain of individually low-severity findings, combined, escalated into a serious exploit worth thousands of dollars in bounty.
- **Mitigation Strategies**: The presentation concludes with best practices for mitigation, such as revoking existing sessions when a password is reset, enforcing strong password policies, preventing account enumeration, and implementing multi-factor authentication (MFA) securely.

Overall, Meller advocates for understanding the intersection between user experience and security, urging developers to build resilient authentication flows that can withstand bug bounty scrutiny.

In summary:

- Be proactive about security in user authentication.
- Embrace bug bounty feedback positively.
- Invest in strong authentication practices to prevent significant vulnerabilities.
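As an added example (not code from the talk or from Kolide), the plain-Ruby sketch below shows three of the mitigations listed above working together: every session token records the user's "session generation" at issue time and a password reset bumps that generation, so all pre-reset sessions stop validating; a minimum password policy with a small constructed denylist; and a login path that returns one generic error and does the same hashing work whether or not the email exists, so neither the message nor the timing reveals which accounts are real. The `User`, `SessionStore` and `Authenticator` classes are hypothetical stand-ins for Rails models and controllers, and PBKDF2 from Ruby's `openssl` stdlib is used only so the example runs without the bcrypt gem. MFA is not covered here.

```ruby
require 'openssl'
require 'securerandom'

# Constant-time byte comparison so a wrong digest fails in the same time
# regardless of where the first differing byte sits.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

module PasswordPolicy
  MIN_LENGTH = 12
  # Constructed denylist standing in for a breached-password check.
  DENYLIST = %w[password1234 qwertyuiop12 letmeinplease].freeze

  def self.acceptable?(password)
    password.is_a?(String) &&
      password.length >= MIN_LENGTH &&
      !DENYLIST.include?(password.downcase)
  end
end

# Hypothetical stand-in for a Rails User record (not Kolide's model).
class User
  attr_reader :email, :session_generation

  # PBKDF2 only to stay gem-free; a real app should use bcrypt or argon2.
  KDF_ITERATIONS = 100_000

  def initialize(email, password)
    @email = email.downcase
    @session_generation = 0
    set_password!(password)
  end

  def authenticate(password)
    secure_equal?(derive(password, @salt), @digest)
  end

  # A password reset rotates the credential AND bumps the session
  # generation, so every token issued before the reset stops validating.
  def reset_password!(new_password)
    set_password!(new_password)
    @session_generation += 1
  end

  private

  def set_password!(password)
    raise ArgumentError, 'password rejected by policy' unless PasswordPolicy.acceptable?(password)
    @salt = SecureRandom.random_bytes(16)
    @digest = derive(password, @salt)
  end

  def derive(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: KDF_ITERATIONS,
                                       length: 32, hash: 'sha256')
  end
end

# In-memory session table keyed by a random token; each row remembers the
# generation it was issued under.
class SessionStore
  Row = Struct.new(:user, :generation)

  def initialize
    @rows = {}
  end

  def issue(user)
    token = SecureRandom.hex(32)
    @rows[token] = Row.new(user, user.session_generation)
    token
  end

  # Valid only while the row's generation matches the user's current one.
  def user_for(token)
    row = @rows[token]
    return nil if row.nil? || row.generation != row.user.session_generation
    row.user
  end
end

# Login logic. An unknown email still runs the KDF against a dummy record
# and gets the same generic error as a wrong password.
class Authenticator
  GENERIC_ERROR = 'Invalid email or password'.freeze
  DUMMY = User.new('dummy@example.invalid', SecureRandom.hex(24))

  def initialize(users_by_email, sessions)
    @users = users_by_email
    @sessions = sessions
  end

  # Returns [session_token, nil] on success or [nil, error] on failure.
  def login(email, password)
    user = @users[email.downcase] || DUMMY
    password_ok = user.authenticate(password) # always runs, even for DUMMY
    return [nil, GENERIC_ERROR] unless password_ok && !user.equal?(DUMMY)
    [@sessions.issue(user), nil]
  end
end
```

In a real Rails app the generation counter would be a column on `users` and the check in `user_for` would live wherever the session cookie is decoded, so that a reset invalidates sessions on every device at once rather than only the one that performed the reset.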