Most Rails applications typically use a bunch of gems. Some of these gems may be Rails engines. Devise, Shoppe and RailsAdmin are examples of engines. The simple definition of an engine is a mini Rails application. When you include an engine in your Rails application, you are actually including an application in your application. Unlike gems that provide simple library code like Faker or... READ MORE›

Back in December, the CISO of a financial services company explained how he took his company’s application security program from 0-60 in 12 months. Now, that same CISO explains why measurement was a critical component to the program’s success. As we developed our application security strategy, gaining buy-in from various stakeholders was an essential part of making it a success. But,... READ MORE›

Cross-site request forgery (CSRF) protection has been around in the form of protect_from_forgery since Rails 2 but somehow it's also the most misunderstood feature in the Rails community. To many Rails developers, the protection might seem like magic and thus the details of how it works are ignored like a black box. In this blog post, I will open up the black box and show how, in some situations... READ MORE›

Application security testing is an essential part of a global security strategy but if it is not done the right way it can poison your progress. Below I’ll explain the mistakes to avoid in order to test all your applications, find and fix the flaws whilst still creating a global application security programme. 1: Only testing the most critical apps In most cases companies believe that... READ MORE›

There are at least six types of open-source library vulnerabilities that we should all be concerned about. Before describing them it is worth reiterating that simply linking to a vulnerable library in your project doesn’t mean your application will have a vulnerability. You will only have a vulnerability if you are using the vulnerable methods of the vulnerable library in a vulnerable manner.... READ MORE›

I'm this security guy. I have a sweet resume with lists of security stuff I did. I got security skills certifications to show I can actually do security and not just be a moderately adequate opponent in Trivial Pursuit Security Edition. So people come to me and ask me to solve their security problems like, “Our client accesses our mojingle over the doobywassy blah blah hackers.”... READ MORE›

In order to keep up with the need for applications, companies are purchasing software at an accelerated rate. And if you are like most companies, your processes for vetting the security of your software is probably not very sophisticated. Most companies rely on questionnaires or even just a wink and a nod from the vendor’s account manager. Companies that recognize the risk introduced from... READ MORE›

Want your application security program to succeed? Get your boss on board. You need your CISO’s buy-in, and not just for scanning or pen testing a few business-critical apps – but for building a mature, robust program that secures every application the organization builds, buys or assembles. Here’s why: Reason 1: You need your boss to be a champion for your program with the C-... READ MORE›

Software supply chain security has arrived with Google’s Vendor Security Assessment Questionnaire (VSAQ)! Or has it? The web-based application released under an open-source license on GitHub contains the actual questionnaire Google uses to review its own software vendors' security practices before making a purchase. I know what you’re thinking: “if it’s good... READ MORE›