Entries Tagged as 'General'
ImageMagick security advisory
April 20th, 2008 · No Comments
A security advisory has been released for libpng, the "official PNG reference library". Libpng is used by ImageMagick, "a software suite to create, edit, and compose bitmap images". Some Rails applications use it to convert, resize or to create thumbnails. The original security advisory was issued by oCERT:
Applications using libpng that install […]
Ruby on Rails Security Cheatsheet
September 24th, 2007 · No Comments
I'm back from the Rails Conference Europe in Berlin. I realize that a 45 minute talk is hardly enough to tell everything which is important to say about Rails security. Moreover, you will never get the level right in a talk about security (or generally): There are Rails newbies, everyday-programmers and even security experts.
Anyway, I […]
Tags: General
OpenID security issues
August 27th, 2007 · 3 Comments
As many Rails projects use the OpenID service to authenticate their users, I want to bring to your attention some of its security issues which were announced recently. Gareth Heyes found a cross-site request forgery attack vector with MyOpenID, one of the bigger OpenID providers. MyOpenID reacted promptly, but other providers have the same problem. […]
Tags: General
Tour Dates
June 15th, 2007 · No Comments
The Ruby On Rails Security Project is now also touring in real life, spreading the word of secure programming. I am doing a conference session at the two main upcoming Ruby On Rails events in Europe. The first one is in German on June 22nd, the second in English on September 19th:
http://www.rails-konferenz.de/
http://www.railsconfeurope.com/
I see you […]
Tags: General
Use good passwords
June 5th, 2007 · 4 Comments
You might have heard of the MySpace phishing attack at the end of last year. Bruce Schneier has analyzed 34,000 real-world user names and passwords and it turns out, as expected, that most of the passwords people use are quite easy to crack. The most common passwords are:
Common Passwords: The top 20 passwords are (in […]
Tags: General
Follow-up and links
March 5th, 2007 · 3 Comments
Follow-up of your comments:
Dan Kubb has some interesting comments about OS security, and uses MySQL in a strict mode by setting the sql-mode directive in my.cnf:
sql-mode = ansi,traditional,no_engine_substitution,no_auto_value_on_zero,no_dir_in_create,no_unsigned_subtraction
And, yes, the MySQL user I’m creating is only for “normal” Rails access, not for db migration or testing. I agree, Rails/Rake should provide means to use […]
Tags: Database (MySQL) · General