Following close on the heels of Heartbleed, we have seen a resurgence in questioning C as the implementation choice for critical infrastructure. With performance innovations on managed runtimes, the option to implement more and more critical pieces in alternative languages is becoming tangible. Of course this brings along with it a different set of problems. To rewrite a system like OpenSSL, or even just to implement SSL/TLS on top of a managed runtime, there are some serious obstacles to overcome.
Every year billions of dollars are spent on preventing breaches. While some of these systems are doing a sufficient job of keeping data out of the hands of attackers, it has become clear that there is no real way to prevent breaches with 100% certainty. Of course time should be spent building proper controls, but if we hope to survive the next decade, we need to focus on detection and remediation.
In this talk, three Rails security specialists will take a journey through a terrifying Rails application to illustrate common security problems we have seen in the real world. The discussion will include how to identify, fix, and prevent the issues with an emphasis on practical advice. Along the way we will share our experiences and perspectives concerning securely implementing applications. We hope it is a bit scary, and yet fun … like a horror movie!
Web development libraries for Clojure have started to mature, but there are still quite a few gaps. Although there has been some activity in securing Clojure web applications, there has not been much effort put into documenting the options or even explaining what should be done. This includes authentication and password management, securing application responses and options, as well as code review and deployment. This talk will explore what is available, what is coming, and what does not yet exist in any open and consumable fashion.