Entries from June 2007
Everything You Always Wanted to Know About Web Application Security - But Were Afraid to Ask
June 19th, 2007 · 3 Comments
Here is an interesting general document about web application security, a list of frequently asked questions: http://www.owasp.org/index.php/OWASP_AppSec_FAQ
It gives good advice on how to design the login process. It describes a best practice for the "Lost Password" feature, which is especially important these days, as an increasing number of attacks are based on this feature. […]
Tags: Rails
Tour Dates
June 15th, 2007 · No Comments
The Ruby On Rails Security Project is now also touring in real life, spreading the word of secure programming. I am doing a conference session at the two main upcoming Ruby On Rails events in Europe. The first one is in German on June 22nd, the second in English on September 19th:
http://www.rails-konferenz.de/
http://www.railsconfeurope.com/
I see you […]
Tags: General
Ajax Security
June 13th, 2007 · No Comments
Several sources, for example this, state that Ajax applications are more complex due to their asynchronous nature, or that Ajax might create more entry points for attackers, while other sources claim the opposite. However, the classes of attacks stay largely the same, so the advice given herein applies to Ajax applications as well, especially input and output […]
Tags: Rails
Use good passwords
June 5th, 2007 · 4 Comments
You might have heard of the MySpace phishing attack at the end of last year. Bruce Schneier has analyzed 34,000 real-world user names and passwords and it turns out, as expected, that most of the passwords people use are quite easy to crack. The most common passwords are:
Common Passwords: The top 20 passwords are (in […]
Tags: General
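The post above makes the point that most user-chosen passwords fall to a dictionary of a few very common values. What a Rails developer would want next is a server-side policy that rejects exactly those: too short, on a blocklist of well-known passwords, derived from the user name, or made of a single character class. The following is an added example, not code from the Ruby On Rails Security Project; the blocklist in it is a small constructed sample for illustration and is not the top-20 list from the analysis the post cites, which you would replace with a large list of leaked passwords loaded from a file.

```ruby
# Added example: a minimal server-side password policy for a Rails signup form.
# Not code from the Ruby On Rails Security Project.
require 'set'

module PasswordPolicy
  MIN_LENGTH = 8

  # Constructed sample blocklist (NOT the published top-20 list); load a real
  # leaked-password list from a file in production and compare case-insensitively.
  COMMON_PASSWORDS = Set.new(%w[password 123456 qwerty letmein abc123]).freeze

  CLASS_PATTERNS = [/[a-z]/, /[A-Z]/, /\d/, /[^a-zA-Z\d]/].freeze

  # Returns an array of violation symbols; an empty array means the password passes.
  # Every rule is evaluated so the user sees all problems at once.
  def self.violations(password, username: nil)
    pw = password.to_s
    v = []
    v << :too_short         if pw.length < MIN_LENGTH
    v << :common            if COMMON_PASSWORDS.include?(pw.downcase)
    v << :contains_username if username && !username.empty? &&
                               pw.downcase.include?(username.downcase)
    v << :single_class      if character_classes(pw) < 2
    # "aaaaaaaa" or "abababab" satisfy the length rule but carry almost no entropy.
    v << :repeated          if pw.length >= 4 && pw.chars.uniq.length <= 2
    v
  end

  def self.acceptable?(password, username: nil)
    violations(password, username: username).empty?
  end

  # Number of distinct character classes used: lower, upper, digit, other.
  def self.character_classes(pw)
    CLASS_PATTERNS.count { |re| re.match?(pw) }
  end
end

# Wiring into an ActiveRecord model (illustrative; assumes a `password`
# virtual attribute and a `login` column, both hypothetical):
#
#   validate do |user|
#     PasswordPolicy.violations(user.password, username: user.login).each do |why|
#       user.errors.add(:password, why.to_s.tr('_', ' '))
#     end
#   end
```

The check runs on the server, not only in JavaScript, because anything enforced in the browser is bypassed with one hand-crafted POST request. Rejecting a password that contains the user name is there because attackers try login-derived guesses before any dictionary.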