Monthly Archives: January 2010

rails security review checklist

Posted on by | 7 Replies

I’m reviewing the security of a web app built with Ruby on Rails, so I put together a checklist for a security audit. This isn’t a bank or high security situation, but there were a number of engineers and quite a bit of open source code, so I thought a few checks were in order.

Here’s the list I came up with that I thought other folks might appreciate as a starting point (special thanks to the sfruby list, Mike Gunderloy, and Scott Bronson for feedback):

0) Make sure your Rails and gems are up to date for latest security patches (see rails security mailing list for recent advisory notes)

1) Active Record audit:
  A) SQL injection:
    (i) whole word search for “find”, “first”, and “all” then visually inspect all instances of ActiveRecord find calls for potential SQL injection vulnerability (also search for “sql” not whole work search to find find_by_sql and “execute” to find cases where raw sql is executed.
    (ii) search your models for “named_scope” and check :conditions
  B) check for mass assignment Either disable mass assignment as Eric suggests in his article, or audit its use. If doing an audit, check every model to make sure it declares which attributes are settable with attr_accessible. (While attr_protected may technically work, a white list approach is recommended by security experts and the rails security advisory on this topic)

2) Scripting attack: search all eRB files for <%= and ensure that if dynamically generated text was originally entered by the user, it is HTML escaped. Consider rails_xss

3) Secure Access: If some of the site does not have public access, check controllers and ensure that public actions are specifically allowed and that protected access is the default

4) search for “eval” (whole word) and verify that usages are safe

5) search for “forgery” (not whole word), make sure that
config.action_controller.allow_forgery_protection = false
is only disabled in test config
protect_from_forgery should be in the ApplicationController, unless there is a good reason for it not to be

6) check user auth and review that controller actions are limited to expected use

7) passwords: not saved as clear-text in the db, not logged

8) check that private data is not stored in cookies

must we be arrogant jerks?

Posted on by | 3 Replies

Much of Clay Shirky’s recent rant about women rang true to me. However, it took me much of the day, including talking with my friend Val Liberty to figure out what felt off about his rant. Over a whole day of dog walking, chatting over coffee and monopoly with the kids, we spent about 5 minutes talking about Clay’s post, but our talk colored my thinking about it. We covered gender issues, success, humility, and diversity, along with tech talk and business plans.

I know there are many paths to success. I routinely meet and do business with successful people who value integrity and honest communication. Peldi Guilizzoni, founder and CEO of Balsamiq, has recently modeled how to become a huge success while being a genuinely nice guy (and perhaps partly because of it). I know many other folks who have taken similar paths to success, though I don’t know anyone else who has documented it as thoroughly.

You don’t need to be an arrogant jerk to be confident. It is not lying to state what you believe you can do, instead of merely what you have done in the past. Clay Shirky clearly states the issue in the middle of his rant:

…people who don’t raise their hands don’t get called on, and people who raise their hands timidly get called on less. Some of this is because assertive people get noticed more easily, but some of it is because raising your hand is itself a high-cost signal that you are willing to risk public failure in order to try something.

However, he follows that by saying that it is a false hope “to imagine that women could be forceful and self-confident without being arrogant or jerky.” I disagree. Sure we have to risk being perceived as arrogant jerks (or some less pretty name). Perception is seldom reality, and the reality we live rarely matches that of our male peers. We have to put up with being criticized as emotional when our colleagues are admired for their passion. Nevertheless, we share the world and we need to figure this out. We have to work together with our non-sexist peers to change what is acceptable… both by changing what people are used to seeing and hearing from women AND by modeling other ways to become successful.

how to look for a job

Posted on by | 4 Replies

I recently gave the following advice about looking for a job. I thought maybe other folks would find it useful. It’s kind of a next generation job search, it’s an expansion of what Ted Leung called Job Search 2.0.

  1. Write down your ideal job, then take a serious look at yourself and think whether you would hire yourself for it. If not, what skills do you need to develop that would make you the ideal candidate for that job?
  2. Write down a list of 5-10 companies you would love to work at. I would argue that you don’t know if you would love to work there until you have had a genuine conversation with someone who works there or who has worked there recently. If you don’t know 5 companies where you would love to work, then find them.
  3. Write in your blog* at least once a week about something in your field that would be interesting to a potential colleague at your dream company.
  4. Figure out what are the relevant conference, local meetups or whatever for your target job. Start attending those. Consider whether you could propose giving a talk. If you don’t feel qualified, what can you do to while unemployed that would qualify you to give such a talk? Do it.
  5. Tweet each blog post and about web articles you read in your field that are interesting.
  6. Consider volunteering doing something altruistic that hones the skills required for your dream job.

Be active in your field even if you don’t have a job. If you keep honing your skills and your ability to communicate about them, two things will happen:

  1. You will know better what you want to do and who you want to do it with
  2. Your job will find you

If you don’t have a blog, start one

You have something to say that no one else is saying. Even if there is some repetition with what other people have said, that is ok. I’m sure my blog is mediocre at times, but it is often excellent, and sometimes I don’t know when I write something whether it is old hat or new insight… sometimes it seems old to me since the idea has been rattling around my head for a while, but everyone else thinks it is amazing…. sometimes I think it is amazing, and everyone else ignores it. Writing a blog has helped me figure out what I am passionate about.

In any case, your blog tells a public story about you and when you are seeking a job that is really important. Also, there are less experienced people in your field who might really find what you have to say helpful. It is both marketing and a public service. Over time, google will find your resume more often on the front page of searches, and over time people reading your blog will think…. maybe this person is a fit for this position that has just gotten approved, maybe I should call him or her before I post the job.

Start by just writing a little bit about interesting stuff you’ve read. Linking to other people’s writing on the Web invites them to read what you write (if they are following their referrers as most people do). Some of those people will like your blog and come back or tell their friends or tweet about it. Eventually you will have a small following of people in your field who are interested in the same things you are. That is unique, compelling and powerful.