Robby on Rails: Tag security

1Password and Fluid.app

Robby Russell — Fri, 04 Apr 2008 09:22:00 -0500

I’ve been really happy with my purchase of 1Password so far. If you’re not familiar with it, I would really recommend their free-trial. I’ve been really impressed with how quickly it became reliant upon it. 1Password works across several browsers, imports existing passwords, and even has integration with your iPhone. However, over the past month, I’ve been wishing that it worked with my Fluid applications.

1Password 2.6.BETA-2 was released a few days ago one of the features added was integration with Fluid applications.

Signing into Lighthouse with 1Password

I’m glad to see that Agile Web Solutions was so quick to respond to the flurry of people requesting this.

Rails Code Audit Tips - Filtered Parameter Logging

Robby Russell — Mon, 16 Jul 2007 22:50:00 -0500

It’s been a month since I posted, Audit Your Rails Development Team and now I find myself sitting in a hotel room in Mankato, Minnesota with Graeme after a long day of walking through the documents that we delivered to our client after conducting a Rails Code Audit and Review. Our client felt that it would be a great idea to have us visit with six of their employees and walk through the various topics that we brought up in our process. We’ve been doing several of these audits recently and are thought that it would be a good idea to begin sharing some problems that we’ve discovered across projects.

As much as we like to find lots things that we’d recommend improving in Rails applications, we also want to make sure that as many projects as possible avoid some of these common oversights. So, expect to see more posts related to things that we find through our Code Audit and Review process.

Today, I’d like to point out a potential security problem that is often overlooked by developers and system administrators.

Log files.

Does your application request any of the following information from your users?

Social security number
Credit card date (number, expiration date, etc..)
Passwords

BY DEFAULT, all of this data is being written to your production log file. Even if you’re encrypting this data in your database, request parameters (get/post) are all written to your production logs without any encryption. Log files are also notorious for having insecure file permissions, so if you’re on a shared host, other accounts on the server might be able to view them. Regardless of how secure you think your server is, this isn’t data that you want sitting around.

Lucky for you, Ruby on Rails has an easy solution to this problem! All that you need to do is use the filter_parameter_logging method in your controller(s). We generally add something like the following to our application controller.


  filter_parameter_logging :social_security_number, :password, :credit_card_number, 'some-other-param'

This will replace the value from the parameters with [FILTERED], which solves this problem rather nicely.

So, it would be our recommendation, that if your application is storing any sensitive data, that you take advantage of this simple solution. Be sure to read more about filter_parameter_logging before you implement this for various usage examples.

Stay tuned for more tips and tricks. If you’re interested in contracting us for our Rails Code Audit and Review service, give us a call.

Tomorrow, Graeme and I will be meeting for another day with our clients and then we fly home to Portland, Oregon in the evening. We survived our first tornado warnings, which was exciting as we don’t get those on the west coast. ;-)

Question: Travel Restrictions

Robby Russell — Sun, 10 Sep 2006 12:09:00 -0500

Travel restrictions?

When I purchased my tickets for my trip to London for RailsConf Europe through travelocity.com, it showed me the following warning (after I paid).

Traveling in the UK:

If you are traveling within the UK, you will have to check ALL of your belongings. Wallets, IDs, and necessary medications are the exceptions, and must be carried in a plastic bag (clear bags are recommended).
Laptops, mobile phones and iPods are among the electronic items banned in carry-on luggage on British flights.
Liquids, gels, and pastes are no longer permitted in carry-on luggage on board any aircraft within the U.S. and UK (This includes toothpaste, sunblock, and perfume.)
Please check our website for updates and the latest information.

So, I follow that link and come across this page, which doesn’t mention laptops, mobile phones, or iPods.

Does anybody know what the current restrictions are for flights to and from the US and UK?

Robby on Rails: Tag security

1Password and Fluid.app

Related Post(s)

Rails Code Audit Tips - Filtered Parameter Logging

Question: Travel Restrictions