First and foremost, I want to thank @RayHightower and @ChicagoRuby for having us to talk about Rails Security in the Wild. I was impressed (all over again) by the group and the atmosphere of passion for technology that permeated the event. Also thanks to Hugo and ThoughtWorks for hosting the event. I would also like to thank my partner in crime Jon Claudius (@claudijd) for putting together some sweet beefy demos. Also, Jon Rose, Brett Hardin (@miscsecurity) and Dan Schleifer have contributed a lot to the talk and my general mindset of reaching out to developers over the past couple of years. Thanks.
The next thing I want to say is that developers are smart. After the talk, I was impressed with the detailed questions and even some corrections to some of the content I talked about. Someone named Robin corrected me in an area where I had glossed over the abilities of can-can. Another person seemed to find a problem with one of the tools we talked about - hopefully we'll get the feedback to the tool developer and be able to get that fixed.
Most of the talks we have given have been to a security audience, where I represent the developer. There was something amazing about asking "Raise your hand if you are familiar with OWASP" and having 2 people out of an estimated 95 people raise their hands. I think Jon Claudius' jaw dropped even though we've been doing this and telling "Breakers" that they need to work harder to get to "Builders" for a couple of years. It more than confirmed what I've been saying in our Builders Vs. Breakers talks!
Two out of ninety five Rails developers were familiar with OWASP
The focus of the talk was to show some specific security items at a detailed level. To do this, we created sample broken applications (links to github below) and demonstrated hands on what the issues were. We talked about:
- Session Store - Using BURP Proxy to replay HTTP requests after logout with default CookieStore
- Command Injection (https://github.com/claudijd/command_injection) - Getting a command to run and using ncat to stream a shell that manipulated the system live
- Forceful Browsing (https://github.com/Jemurai/triage) - Replaying delete commands on data we shouldn't own with BURP
- XSS (https://github.com/claudijd/xss) - Using BEEF to make the most of an XSS
One thing I can definitely say is that if you want to get developers to pay attention to XSS, BEEF helps.
Another thing we did early in the talk was ask participants with laptops to
gem install brakeman and run it on a project. A fair number (> 10) did so and most identified issues in their applications. This made for great follow up conversation after the talk and even at the bar later. This was a very cool outcome for us - to see people hands on looking at their code and seeing the issues. I think @brakeman deserves some
kudos - it found the XSS, Command Injection and SQLi we demonstrated and did NOT produce many false positives. Some participants noted some findings that turned out to be ok, but we agreed that the scanner itself was right to raise them.
Of course most of the developers we talked to may have a long way to go before they will be so strongly aware of application security that they will stand on their own and follow OWASP recommendations without a supporting process. On the other hand, this group should be applauded for taking an interest and starting to think more proactively about security.
A great quote from one of the developers was:
I have enough trouble getting my team to build things correctly without security! How am I supposed to add security into the mix?I assure you that this developer is top notch in both contribution and leadership. The security industry needs to make sure not to alienate this type of person - but rather to recruit them, listen to them, and help them to lead a movement to improve security from within the development community.
One of the best things I could see for the security industry would be for industry leading software development companies, like ThoughtWorks, The Wisdom Group, and others to embrace and pro-actively think about application security. Thought leaders at the front of the curve in technology adoption, process innovation and such are in a particularly powerful position to advance the state of the art when it comes to application security. I'm hoping to make Jemurai a small influence in that direction.
Jon and I would appreciate any feedback from folks that were there. We set up this survey to provide feedback. Thank you!
Thank you again to ChicagoRuby for inviting us and all those who came out!