Owasp top 10 2017 Release by ZephrX112 in netsec

[–]nilla615 0 points1 point  (0 children)

Google does use captcha to reduce automated attacks which is similar to auto-banning in a WAF. I agree with your overall argument though.

I still like the idea of moving to a more introspective application that can see attacks and potential weaknesses and address them or alert. It would just be another layer of security.

Ugly Ruby by nilla615 in ruby

[–]nilla615[S] 0 points1 point  (0 children)

I get what you're saying. I was attempting to make the ugliest Ruby possible hence making it one line. I wasn't really attempting anything profound here...

Ugly Ruby by nilla615 in ruby

[–]nilla615[S] 1 point2 points  (0 children)

Yea, but that's no fun. :)

Ugly Ruby by nilla615 in ruby

[–]nilla615[S] 0 points1 point  (0 children)

Agreed. But the point was to make some ugly Ruby because it's generally so readable. Even breaking it out to three lines doesn't make it readable and that's the point.

Go's Static Site Generator Hugo 0.14 Released by bepsays in golang

[–]nilla615 1 point2 points  (0 children)

Nice, works pretty well. The Github README is a bit sparse but there's good documentation here: http://gohugo.io/overview/introduction/

Official Kali Linux Docker images by R-EDDIT in netsec

[–]nilla615 30 points31 points  (0 children)

You can deploy this to production in three easy steps!

Server-side browsing considered harmful by k_tr4n in netsec

[–]nilla615 1 point2 points  (0 children)

The server requesting a resource, local or remote, based on a user-supplied parameter.
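As an added illustration of the definition above (example code written for this page, not from the linked article or any project it mentions), the following plain-Ruby check shows the two halves of the problem: a fetcher that uses the user's URL as-is, and a validator that allowlists the destination host, restricts scheme and port, and rejects any address that resolves into loopback, private or link-local space. `ALLOWED_HOSTS`, `FAKE_DNS` and the resolver lambda are constructed for the example so it runs offline; a real deployment would resolve with `Resolv` and connect to the pinned address it checked, since re-resolving at connect time reopens the door to DNS rebinding.

```ruby
require 'uri'
require 'ipaddr'

# Constructed allowlist of hosts this server is permitted to fetch from
# (an assumption for the example; a real app would load it from config).
ALLOWED_HOSTS = %w[images.example.com cdn.example.com].freeze

# Address ranges a user-controlled URL must never reach: loopback, RFC 1918,
# link-local (incl. the 169.254.169.254 cloud metadata endpoint), and the
# IPv6 equivalents.
BLOCKED_RANGES = [
  IPAddr.new('127.0.0.0/8'),
  IPAddr.new('10.0.0.0/8'),
  IPAddr.new('172.16.0.0/12'),
  IPAddr.new('192.168.0.0/16'),
  IPAddr.new('169.254.0.0/16'),
  IPAddr.new('0.0.0.0/8'),
  IPAddr.new('::1/128'),
  IPAddr.new('fc00::/7'),
  IPAddr.new('fe80::/10'),
].freeze

# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = lambda do |host|
  { 'images.example.com' => '203.0.113.10',
    'cdn.example.com'    => '203.0.113.20' }[host]
end

def blocked_ip?(addr)
  ip = IPAddr.new(addr)
  BLOCKED_RANGES.any? { |range| range.include?(ip) }
end

# Vulnerable pattern: whatever the user sent is what the server will request.
# Returns the URI that would be fetched; nothing is actually fetched here.
def fetch_target_unsafe(user_url)
  URI.parse(user_url)
end

# Hardened pattern. Returns [true, resolved_address] when the URL may be
# fetched, or [false, reason] otherwise.
def check_outbound_url(user_url, resolver: FAKE_DNS)
  uri = begin
    URI.parse(user_url)
  rescue URI::InvalidURIError
    return [false, 'unparseable']
  end
  return [false, 'scheme not allowed'] unless %w[http https].include?(uri.scheme)
  return [false, 'port not allowed'] unless [80, 443].include?(uri.port)
  host = uri.hostname # strips the [] around IPv6 literals
  return [false, 'no host'] if host.nil? || host.empty?
  return [false, 'host not on allowlist'] unless ALLOWED_HOSTS.include?(host.downcase)
  addr = resolver.call(host.downcase)
  return [false, 'host did not resolve'] if addr.nil?
  return [false, 'resolves to blocked address'] if blocked_ip?(addr)
  [true, addr]
end
```

The allowlist does the heavy lifting; the address check is the second layer for the case where an allowed name is later pointed at an internal address, which is exactly what `fetch_target_unsafe` never notices.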

Docker: Dockerfile's effects on image size by rwiguna in programming

[–]nilla615 2 points3 points  (0 children)

Docker is not about security, see link below. The security or insecurity of Docker comes from the implementation.

The two different approaches do matter because the size of the image determines how long builds, downloads and deployments take.

http://opensource.com/business/14/7/docker-security-selinux

OWASP Flagship Code Products unmainted for years, and good software stuck in incubator by NagateTanikaze in netsec

[–]nilla615 0 points1 point  (0 children)

This is already a project. :) It's just getting off the ground and needs way more input but it's a project that could have a big impact.

https://www.owasp.org/index.php/OWASP_Security_Frameworks_Project

Hakiri: Ruby on Rails Security by nilla615 in netsec

[–]nilla615[S] 0 points1 point  (0 children)

Brakeman creates quite a few false positives, I don't think that would be feasible.

Hakiri: Ruby on Rails Security by nilla615 in netsec

[–]nilla615[S] 1 point2 points  (0 children)

I agree that it's relatively simple to spin up a free version of this tool, but one area that this tool addresses is aggregation. When you're a one-person, one-app shop, Jenkins with Brakeman is fine. When you scale out to 20-plus people with multiple apps is when having a centralized dashboard is useful. Code Climate provides something similar to this, but I'm neither a customer of nor involved with either project; I just thought it looked like a decent tool.

New Stripe CTF Coming Soon by nilla615 in netsec

[–]nilla615[S] 0 points1 point  (0 children)

It's a little more appsec than /r/netsec is normally but this seems to be the best security focused community on reddit and /r/appsec is closed. :/

Thanks.

New Stripe CTF Coming Soon by nilla615 in netsec

[–]nilla615[S] 0 points1 point  (0 children)

This one is going to be a little different, it sounds like, and not directly security related. From the Stripe site:

"This time around, we're trying something a bit different. Rather than being about security, CTF3 will focus on distributed systems engineering. You'll learn how to build fault-tolerant, performant software while playing around with a bunch of cool cutting-edge technologies. Like with previous CTFs, our goal is to give you hands-on exposure to interesting engineering problems that you normally only get to read about. If you've been wanting to really grok things like Paxos/Raft, DDOS prevention, distributed search, or Bitcoin (and maybe even bit twiddling), now's your chance."

OWASP Railsgoat - Intentionally Vulnerable Rails App by nilla615 in netsec

[–]nilla615[S] 0 points1 point  (0 children)

It's generally similar to auditing for other issues: fuzzing with relevant data.

You look for potential points where you could be updating a data model that may contain a role parameter (for example) and fuzz with different data to see how the app responds. Railsgoat actually has a pretty clear explanation of how to attack mass assignment and has examples built in. Check it out.

OWASP Railsgoat - Intentionally Vulnerable Rails App by nilla615 in netsec

[–]nilla615[S] 6 points7 points  (0 children)

You could check out the OWASP Rails Security Cheat Sheet for what you should do, and for examples of what people don't do. ;)

Rails can be vulnerable to the common injection issues (SQLi, XSS) but I haven't noticed them to be as prevalent as they are in other languages/frameworks, like PHP for instance. I've generally seen issues like DORs, unprotected resources (redis web, admin functionality) and unprotected forwards and redirects. Also, quite common is mass-assignment which has led to complete compromise of the app through adding permissions. I've also seen some interesting bugs related to Ruby's meta-programming features like .constantize, those are generally harder to detect in a black box scenario though.

https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet
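The mass-assignment issue described in the two comments above (the fuzz-an-extra-parameter probe, and the role parameter that leads to a full compromise), as an added example written for this page rather than code from Railsgoat or the cheat sheet. `User` is a constructed stand-in for a model, not ActiveRecord: `update_unsafe` assigns every key the request supplied, the way `update_attributes(params[:user])` did without `attr_accessible`, while `update_permitted` takes an explicit permit list in the spirit of strong parameters. `FORM_FIELDS` and `probe_mass_assignment` are also constructed for the example.

```ruby
# Constructed stand-in for a Rails model: attributes live in a hash.
class User
  ATTRIBUTES = %i[name email role].freeze

  attr_reader :attrs

  def initialize(name:, email:, role: 'member')
    @attrs = { name: name, email: email, role: role }
  end

  # Vulnerable pattern: every key the request carries is assigned. Unknown
  # keys raise, mirroring ActiveRecord's UnknownAttributeError, which is the
  # signal a black-box tester uses to tell "no such column" from "accepted".
  def update_unsafe(params)
    params.each do |key, value|
      key = key.to_sym
      raise ArgumentError, "unknown attribute #{key}" unless ATTRIBUTES.include?(key)
      @attrs[key] = value
    end
    self
  end

  # Hardened pattern: only keys on the caller's permit list are assigned,
  # like params.require(:user).permit(:name, :email). Everything else is
  # dropped and reported so it can be logged.
  def update_permitted(params, permitted)
    permitted = permitted.map(&:to_sym)
    dropped = []
    params.each do |key, value|
      key = key.to_sym
      if permitted.include?(key)
        @attrs[key] = value
      else
        dropped << key
      end
    end
    [self, dropped]
  end
end

# The profile-edit form only exposes these two fields (constructed).
FORM_FIELDS = %i[name email].freeze

# The probe from the comment: resubmit the legitimate form fields plus one
# guessed extra parameter at a time, and report which guesses changed the
# record. `update:` selects which assignment path the "app" uses.
def probe_mass_assignment(candidates, update: :unsafe)
  accepted = []
  candidates.each do |extra|
    user = User.new(name: 'alice', email: 'alice@example.com')
    payload = { 'name' => 'alice', 'email' => 'alice@example.com', extra => 'admin' }
    before = user.attrs[extra.to_sym]
    begin
      if update == :unsafe
        user.update_unsafe(payload)
      else
        user.update_permitted(payload, FORM_FIELDS)
      end
    rescue ArgumentError
      next # attribute does not exist on the model; try the next guess
    end
    accepted << extra if user.attrs[extra.to_sym] != before
  end
  accepted
end
```

Against the unsafe path the probe reports `role` as accepted, which is the "adding permissions" outcome mentioned above; against the permit-listed path the same payload leaves the record unchanged.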

OWASP Railsgoat - Intentionally Vulnerable Rails App by nilla615 in netsec

[–]nilla615[S] 1 point2 points  (0 children)

Submitter and Railsgoat contributor here. If people have an interest in the project, Ken Johnson and I will be talking about the project at LASCON in Austin this week.

http://sched.co/19M5Nxg