First and foremost, I want to thank @RayHightower and @ChicagoRuby for having us to talk about Rails Security in the Wild. I was impressed (all over again) by the group and the atmosphere of passion for technology that permeated the event. Also thanks to Hugo and ThoughtWorks for hosting the event. I would also like to thank my partner in crime Jon Claudius (@claudijd) for putting together some sweet beefy demos. Also, Jon Rose, Brett Hardin (@miscsecurity) and Dan Schleifer have contributed a lot to the talk and my general mindset of reaching out to developers over the past couple of years. Thanks.
The next thing I want to say is that developers are smart. After the talk, I was impressed with the detailed questions and even some corrections to some of the content I talked about. Someone named Robin corrected me in an area where I had glossed over the abilities of CanCan. Another person seemed to find a problem with one of the tools we talked about; hopefully we'll get the feedback to the tool developer and be able to get that fixed.
Most of the talks we have given have been to a security audience, where I represent the developer. There was something amazing about asking "Raise your hand if you are familiar with OWASP" and having 2 people out of an estimated 95 people raise their hands. I think Jon Claudius' jaw dropped even though we've been doing this and telling "Breakers" that they need to work harder to get to "Builders" for a couple of years. It more than confirmed what I've been saying in our Builders Vs. Breakers talks!
Two out of ninety-five Rails developers were familiar with OWASP
The focus of the talk was to show some specific security items at a detailed level. To do this, we created sample broken applications (links to github below) and demonstrated hands on what the issues were. We talked about:
Session Store - Using BURP Proxy to replay HTTP requests after logout with default CookieStore
Command Injection (https://github.com/claudijd/command_injection) - Getting a command to run and using ncat to stream a shell that manipulated the system live
Forceful Browsing (https://github.com/Jemurai/triage) - Replaying delete commands on data we shouldn't own with BURP
XSS (https://github.com/claudijd/xss) - Using BEEF to make the most of an XSS
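The session store demo comes down to one property of the default CookieStore: the entire session lives in a signed cookie, so logout only clears the browser's copy and the server has nothing to revoke; a copy captured earlier still authenticates. The Ruby below is an added example, not code from the talk or from the linked repos, that models that behaviour beside the fix (a server-side session record deleted on logout) so a team can check which behaviour their own app has. The class names, the signing helper, the `SECRET` value and the user id 42 are all constructed for the demo.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'securerandom'

# Constructed secret for the demo; a real app loads this from its credentials store.
SECRET = 'constructed-demo-secret-not-for-production'

# Constant-time comparison so MAC checks do not leak timing information.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Sign a session hash the way a cookie store does: base64 payload plus an HMAC,
# so the client can read the cookie but cannot alter it.
def sign(payload)
  data = Base64.strict_encode64(JSON.generate(payload))
  mac  = OpenSSL::HMAC.hexdigest('SHA256', SECRET, data)
  "#{data}--#{mac}"
end

# Returns the session hash for an authentic cookie, or nil if missing or tampered.
def verify(cookie)
  data, mac = cookie.to_s.split('--', 2)
  return nil unless data && mac
  expected = OpenSSL::HMAC.hexdigest('SHA256', SECRET, data)
  return nil unless secure_compare(mac, expected)
  JSON.parse(Base64.strict_decode64(data))
end

# Models the default CookieStore: the cookie IS the session, nothing is kept server-side.
class CookieStoreApp
  def login(user_id)
    sign('user_id' => user_id)
  end

  # Logout tells the browser to drop the cookie, but the server keeps no record,
  # so any previously captured copy of the cookie stays valid until the secret rotates.
  def logout(_cookie)
    nil
  end

  def current_user(cookie)
    session = verify(cookie)
    session && session['user_id']
  end
end

# Models a server-side store (ActiveRecord or cache backed): the cookie carries only
# a random session id, and the session data lives in a record the server can delete.
class ServerStoreApp
  def initialize
    @sessions = {} # session_id => session data; stands in for the DB or cache table
  end

  def login(user_id)
    sid = SecureRandom.hex(16)
    @sessions[sid] = { 'user_id' => user_id }
    sign('session_id' => sid)
  end

  # Logout destroys the server-side record, so a replayed cookie finds nothing to resolve.
  def logout(cookie)
    session = verify(cookie)
    @sessions.delete(session['session_id']) if session
  end

  def current_user(cookie)
    session = verify(cookie)
    return nil unless session
    record = @sessions[session['session_id']]
    record && record['user_id']
  end
end

# The check a team can run against its own store: does a cookie copied before logout
# still authenticate afterwards? true means logout is not actually ending the session.
def replay_after_logout(app)
  cookie = app.login(42)
  saved  = cookie.dup # stands in for the copy a proxy kept from an earlier request
  app.logout(cookie)
  !app.current_user(saved).nil?
end

if $PROGRAM_NAME == __FILE__
  puts "CookieStore replay still authenticates: #{replay_after_logout(CookieStoreApp.new)}"
  puts "Server store replay still authenticates: #{replay_after_logout(ServerStoreApp.new)}"
end
```

In a Rails app the equivalent change is switching `session_store` from `:cookie_store` to a server-backed store and calling `reset_session` on logout; the signing here only prevents tampering, and on its own it says nothing about whether a session has ended.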
We also talked about a number of other items like Mass Assignment, using SSL, File Upload issues, etc. As much as possible, we tried to relate real world problems we have seen in the wild.
One thing I can definitely say is that if you want to get developers to pay attention to XSS, BEEF helps.
Another thing we did early in the talk was ask participants with laptops to gem install brakeman and run it on a project. A fair number (> 10) did so and most identified issues in their applications. This made for great follow up conversation after the talk and even at the bar later. This was a very cool outcome for us - to see people hands on looking at their code and seeing the issues. I think @brakeman deserves some kudos - it found the XSS, Command Injection and SQLi we demonstrated and did NOT produce many false positives. Some participants noted findings that turned out to be OK, but we agreed that the scanner itself was right to raise them.
Of course most of the developers we talked to may have a long way to go before they will be so strongly aware of application security that they will stand on their own and follow OWASP recommendations without a supporting process. On the other hand, this group should be applauded for taking an interest and starting to think more proactively about security.
A great quote from one of the developers was:
I have enough trouble getting my team to build things correctly without security! How am I supposed to add security into the mix?
I assure you that this developer is top notch in both contribution and leadership. The security industry needs to make sure not to alienate this type of person - but rather to recruit them, listen to them, and help them to lead a movement to improve security from within the development community.
One of the best things I could see for the security industry would be for industry leading software development companies, like ThoughtWorks, The Wisdom Group, and others to embrace and proactively think about application security. Thought leaders at the front of the curve in technology adoption, process innovation and such are in a particularly powerful position to advance the state of the art when it comes to application security. I'm hoping to make Jemurai a small influence in that direction.
Jon and I would appreciate any feedback from folks that were there. We set up this survey to provide feedback. Thank you!
Thank you again to ChicagoRuby for inviting us and all those who came out!