Our Information Security experts are available to:
Audit your Rails application for common vulnerabilities, including:
- Mass Assignment Attacks
- Unsafe Handling of User-Supplied Input
- Cross-Site Scripting (XSS)
- Code Injection
- Controller Access Control Rules
Review your technical security controls that are required by applicable regulations
- PCI-DSS (Credit Card)
- HIPAA (Medical Data)
- Other laws or regulations that your legal counsel identifies as applicable
Run basic automated scans against a sandbox/test environment
- w3af (Web Application Attack and Audit Framework) on BackTrack Linux
- Other tools as appropriate for your environment
- Work with your existing source repository hosted on GitHub (www.github.com) or Bitbucket (www.bitbucket.org)
Security is Very Important!
Web applications are among the largest unprotected attack surfaces and the frequency of attack is increasing. Traditional network firewalls do little to prevent attacks against a vulnerable application. Even today, many web applications are susceptible to classic SQL injection, cross-site scripting (XSS) attacks, and other major attacks.
We are a USA-based team with significant computer science and production server experience.
Security reviews are performed by highly qualified consultants with experience in building and securing web applications.
Note: Our team members are technical information security experts, not lawyers.
While we do review your written information security policies to see how your technical security controls align with your stated obligations, we do not provide legal advice.
We can review your infrastructure for many common security vulnerabilities
We systematically go through Ruby on Rails code looking for security vulnerabilities from the OWASP Top 10 list. The errors most frequently seen in web applications are:

| Vulnerability | Description | Typical Impact |
|---|---|---|
| SQL injection | Unvalidated user input is concatenated into database queries, letting an attacker change what the query does. | Data breach; identity theft |
| Cross-Site Scripting (XSS) | Malicious content is introduced into the application and delivered to other users, so that end users' browsers can be exploited by malware or social engineering attacks. | End-user system or data compromise |
| Session management / access control errors | For example, if user 500 can pull up a record belonging to user 300, authorization is broken. This usually happens because the developers assumed that no user would modify hidden form fields, URL parameters or session cookies. | Data breach; identity theft |
| Insecure cryptographic storage | Passwords stored in plain text; data encrypted with a key that is stored in the same database as the ciphertext; and similar mistakes. | Data breach; identity theft |
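Two of the problems above turn on what a client is allowed to send: mass assignment (from the audit list) and the "user 500 reads user 300's record" case in the table. The following is an added illustration, not code from this page or from the consulting team, written in plain Ruby with hypothetical stand-ins for Rails models and request parameters so it runs without a Rails application. The `User` and `Invoice` classes, the `permit` helper, the controller-style methods and the invoice rows are all constructed for the example.

```ruby
# Added example: plain Ruby stand-ins for Rails models and params, so the
# patterns run without a Rails app. All class, method and data names here
# are hypothetical; the invoice rows are constructed sample data.

# ---------- 1. Mass assignment ----------------------------------------
class User
  attr_accessor :id, :email, :admin

  def initialize(id:, email:, admin: false)
    @id, @email, @admin = id, email, admin
  end

  # Mirrors ActiveRecord's assign_attributes: writes every key it has a
  # setter for, with no opinion about which keys a client may send.
  def assign_attributes(attrs)
    attrs.each do |key, value|
      setter = "#{key}="
      public_send(setter, value) if respond_to?(setter)
    end
    self
  end
end

# Vulnerable: the whole request body goes straight into the model, so a
# client that adds "admin=true" to the profile form promotes itself.
def update_user_unsafe(user, params)
  user.assign_attributes(params)
end

# The strong-parameters idea: keep only the keys the action is meant to
# accept (the equivalent of params.require(:user).permit(:email)).
def permit(params, *allowed)
  params.transform_keys(&:to_sym).slice(*allowed)
end

# Hardened: "admin" is dropped before assignment.
def update_user_safe(user, params)
  user.assign_attributes(permit(params, :email))
end

# ---------- 2. Insecure direct object reference -----------------------
Invoice = Struct.new(:id, :owner_id, :total, keyword_init: true)

# Constructed sample rows: invoice 1 belongs to user 300, invoice 2 to user 500.
INVOICES = [
  Invoice.new(id: 1, owner_id: 300, total: 120.0),
  Invoice.new(id: 2, owner_id: 500, total: 45.5),
].freeze

# Vulnerable: equivalent of Invoice.find(params[:id]). The id comes from the
# client (hidden field, URL segment) and ownership is never checked, so user
# 500 can read invoice 1 simply by changing the id.
def show_invoice_unsafe(_current_user_id, params)
  wanted = params["id"].to_i
  INVOICES.find { |inv| inv.id == wanted }
end

# Hardened: equivalent of current_user.invoices.find(params[:id]). The lookup
# is scoped to the authenticated user, so a tampered id matches nothing.
def show_invoice_scoped(current_user_id, params)
  wanted = params["id"].to_i
  INVOICES.find { |inv| inv.owner_id == current_user_id && inv.id == wanted }
end

if $PROGRAM_NAME == __FILE__
  tampered = { "email" => "eve@example.com", "admin" => true }
  puts "unsafe update -> admin=#{update_user_unsafe(User.new(id: 1, email: 'a@example.com'), tampered).admin}"
  puts "safe update   -> admin=#{update_user_safe(User.new(id: 1, email: 'a@example.com'), tampered).admin}"
  puts "unsafe show   -> #{show_invoice_unsafe(500, 'id' => '1').inspect}"
  puts "scoped show   -> #{show_invoice_scoped(500, 'id' => '1').inspect}"
end
```

In a real Rails application the same two fixes are the framework's own facilities: strong parameters (`params.require(:user).permit(...)`) for mass assignment, and scoping every lookup through the authenticated user's associations (`current_user.invoices.find(params[:id])`) rather than calling `Invoice.find` on a client-supplied id.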