Description
In this talk, three Rails security specialists will take a journey through a terrifying Rails application to illustrate common security problems we have seen in the real world. The discussion will include how to identify, fix, and prevent the issues with an emphasis on practical advice. Along the way we will share our experiences and perspectives concerning securely implementing applications. We hope it is a bit scary, and yet fun ... like a horror movie!

Aaron is a Principal Consultant at Cigital where he helps drive better secure programming practices. Aaron is the creator of Repsheet, an open source framework for web application attack prevention. He is a co-author of Programming Clojure and a previous member of Clojure/core.

Justin is a PhD candidate at UCLA, a member of the application security team at Twitter, and primary author of Brakeman, a static analysis security tool for Rails.

Matt is a veteran agile software developer with a focus on security. His mission is to empower developers to build code more securely through training, secure agile process adoption (Security in SDLC) and technical solutions. He enjoys soccer, reading and spending time with family.

Help us caption & translate this video! http://amara.org/v/FGZn/
Summary
The video titled "Tales from the Crypt" features a presentation by three Rails security specialists: Aaron Bedra, Justin Collins, and Matt Konda, who take the audience through a fictional yet illustrative scenario involving a Rails application, Rubas l.com, to highlight common security vulnerabilities developers might encounter in real-world situations. The discussion emphasizes practical advice on how to identify, fix, and prevent security issues, with a strong narrative that keeps the content engaging.

Key points discussed include:

- **Scenario Setup**: The narrative begins with a hectic workday at a startup, where developers discover unusual customer orders and increasing user complaints, suggesting a security breach.
- **Cross-Site Request Forgery (CSRF)**: The root cause of the issue is identified as CSRF, which occurred because a method that protects against such vulnerabilities had been commented out.
- **Mass Assignment and SQL Injection**: The talk delves into how poor parameter handling allowed an attacker to exploit the database using SQL injection, gaining access to sensitive user data.
- **Password Management**: The team finds their application using MD5 for password hashing, highlighting the need for secure password practices.
- **Audit and Testing Tools**: The presenters recommend tools like Brakeman for static analysis to catch vulnerabilities early in the development process and emphasize the importance of regular vulnerability scanning.
- **Best Practices for Security**: The discussion wraps up with suggestions on improving security through enhanced training, code reviews, and employing automated tools to ensure secure coding practices.

The video ultimately illustrates that while frameworks like Rails offer certain built-in security features, responsibility lies with the developers to maintain vigilance and adhere to best practices to prevent vulnerabilities.
The concluding message emphasizes the need for continuous learning and adaptation in the fast-evolving landscape of security threats, encouraging developers to proactively address security in their coding practices.