Refresh the Triangle: Web Application Security
Posted 7 December 2007 under refreshthetriangle, ruby on rails, technology

At last night’s Refresh the Triangle meeting, Clinton Nixon (who should totally get together with Harrison Ford and have a presidential name-off) gave a great talk on web application security. He explained that a web application essentially takes data in, does something with it, and then sends it back out, and that a secure application needs to be secure throughout the cycle.
Topics included cross-site scripting, malicious file execution, and various kinds of injection attacks. I’m pretty familiar with SQL attacks, but I never gave a lot of thought to how easily POST requests can be altered (Clinton used the Firebug extension) to add new elements or to override values that are only enforced at the view level. Makes me cringe to think about all of the unchecked
person = Person.new(params[:person])
in my Rails code. You can check out his slides or links for more information. Additionally, if you’re into Ruby/Rails nerdery, poke through the Subversion repository he posted — he’s working with some cutting-edge stuff. The make_resourceful plugin looks particularly good.
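To make the mass-assignment point concrete, here is an added example (not code from the post, the talk, or Rails itself) in plain Ruby that stands in for `Person.new(params[:person])`. The class names, the `admin` attribute and the tampered request hash are all constructed for illustration; the hardened class keeps an explicit whitelist of attributes that a request may set, which is the idea behind the `attr_accessible` declaration Rails offered at the time and behind strong parameters in later versions.

```ruby
# Added example (not from the post): a plain-Ruby stand-in for the Rails
# mass-assignment pattern `Person.new(params[:person])`, with and without an
# attribute whitelist. No Rails is needed; the class names, the `admin`
# attribute and the sample params below are assumed/constructed.

# Constructed stand-in for params[:person] from a tampered POST: the form only
# renders name and email, but the client added an `admin` field.
TAMPERED_PARAMS = { "name" => "Mallory", "email" => "m@example.com", "admin" => true }.freeze

# Unchecked: assigns every key the client sent, which is what an unprotected
# Person.new(params[:person]) does.
class UnsafePerson
  attr_accessor :name, :email, :admin

  def initialize(attrs = {})
    @admin = false
    attrs.each { |key, value| public_send("#{key}=", value) }
  end
end

# Hardened: only whitelisted attributes are settable from a request hash;
# anything else is dropped. Privilege changes go through a dedicated method.
class SafePerson
  ASSIGNABLE = %w[name email].freeze

  attr_accessor :name, :email
  attr_reader :admin

  def initialize(attrs = {})
    @admin = false
    assign_attributes(attrs)
  end

  def assign_attributes(attrs)
    attrs.each do |key, value|
      next unless ASSIGNABLE.include?(key.to_s)
      public_send("#{key}=", value)
    end
    self
  end

  def promote_to_admin!
    @admin = true
  end
end

# Returns [unchecked_admin, whitelisted_admin] for the same tampered request
# hash so the two behaviours can be compared directly.
def mass_assignment_demo(params = TAMPERED_PARAMS)
  unsafe = UnsafePerson.new(params)
  safe = SafePerson.new(params)
  [unsafe.admin, safe.admin]
end

if __FILE__ == $PROGRAM_NAME
  unchecked, whitelisted = mass_assignment_demo
  puts "unchecked mass assignment set admin=#{unchecked.inspect}"
  puts "whitelisted assignment left admin=#{whitelisted.inspect}"
end
```

The point of the whitelist is that the server, not the form, decides which fields a request may touch: hiding a field in the view or omitting it from the form is not enforcement, since anything in the POST body reaches the model.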
Thanks a lot to Viget Labs for organizing this event, and to Shoeboxed for providing the venue, their office in Brightleaf Square: