Name: Going AUTH the Rails on a Crazy Train
Start: 2015-09-11T11:30:00+0100
End: 2015-09-11T12:29:00+0100

Back To Schedule

Going AUTH the Rails on a Crazy Train

Rails has a strong foundation in convention over configuration. In this regard, Rails handles a lot of security related conventions for developers, keeping them safe from vulnerabilities such as SQL Injection, XSS, and CSRF out of the box. However, authentication and authorization logic is largely left up to the developer. It is here that the abilities of the framework hit the end of the track and it’s up to the developers to keep themselves safe. In this talk, we take a look at patterns that we’ve seen across some of the largest Rails applications on the internet and cover common pitfalls that you as a security researcher and/or developer can watch out for. We will also be discussing and releasing a new dynamic analysis tool for Rails applications to help pentesters navigate through authentication and authorization solutions in Rails.

Speakers

Jeff Jarmoc

Jeff is a Senior Application Security Consultant at NCC Group who has contributed code to the Brakeman Rails Security Scanning tool. He’s perhaps best known in the Rails community for his whitepaper The Anatomy of a Rails Vulnerability in which he deeply explored remote code execution... Read More →

Tomek Rabczak

Tomek is an Application Security Consultant at NCC Group with experience in secure web application development, security tool research and development, code review, and penetration testing. Over the past 2 years, he has looked at and assessed the security of some of the largest... Read More →

Friday September 11, 2015 11:30 - 12:29 BST
Track 1

Track 1 Talk

44CON LONDON 2015

Jeff Jarmoc

Tomek Rabczak

Attendees (0)

44CON LONDON 2015

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Jeff Jarmoc

Tomek Rabczak

Attendees (0)