But Rails is secure, why would I even need this?
Although Rails has reasonable security defaults, that does not make it a secure framework, because there is no such thing. Any framework can be used in an insecure manner, and we are humans: humans make mistakes and wrong assumptions, and those can lead to security flaws.
Shopify is one of the biggest companies using Rails, and I am sure you would agree with me that they hire great engineers, but still, as of this writing, there are more than 1400 reports resolved by them on HackerOne, and they paid out more than 2 million dollars in bounties.
There is also GitHub, another large company using Rails, and they resolved close to 1200 reports and paid out over 3 million dollars in bounties.
These examples show that even the best engineers and teams make mistakes, and having a penetration test helps to uncover those mistakes before a malicious actor exploits them.
Why should you hire me?
I am an OSCP-certified penetration tester with a lot of experience finding security flaws in Rails applications.
A few public security issues I found and reported:
What is a penetration test?
During a penetration test I am looking for vulnerabilities on a target. The target can be a network with various services available, a web-application together with its hosting infrastructure, or just a web-application on its own.
A typical web-application engagement has the following steps:
- You get in touch and we do a scoping process to determine how much time I need to test the application. The process involves you answering a list of questions.
- You receive a quote
- Upon acceptance of the quote, we schedule a meeting to demo the application and answer some questions to help me with reconnaissance. Typically we schedule the date for the test at this point.
- I complete the test. This is not running bundle audit and brakeman on your codebase. It usually requires 5 days to test a regular-sized web-application. During the test, I go over the functionality of the application with my interception proxy and try to find vulnerabilities and security weaknesses in the application. In Rails applications the most common vulnerability is a direct object reference due to the lack of proper authorization.
- You receive the report and we can discuss any points that need explanation.
- Your team fixes the findings, and we schedule a re-test
- After the re-test, you receive the Letter of Attestation
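To make the "direct object reference due to the lack of proper authorization" finding from the test step concrete, here is an added illustration (not code from this page or from any client engagement) in plain Ruby. It stands in for the two Rails controller patterns `Invoice.find(params[:id])` and `current_user.invoices.find(params[:id])`; the `Invoice`, `User` and `INVOICES` names and the sample records are constructed for the example.

```ruby
# Added illustration of the insecure direct object reference (IDOR) pattern
# described above: a lookup by id that never checks ownership, beside the
# scoped lookup that does. Plain Ruby structs stand in for Rails models; all
# names and records are constructed for this example.

NotFound = Class.new(StandardError)

Invoice = Struct.new(:id, :owner_id, :total)
User    = Struct.new(:id)

# Constructed sample data: two users (ids 10 and 20), each owning one invoice.
INVOICES = [
  Invoice.new(1, 10, 120.00),
  Invoice.new(2, 20, 999.00),
].freeze

# Vulnerable: mirrors `Invoice.find(params[:id])` in a controller action.
# Any authenticated user can read any invoice simply by changing the id.
def find_invoice_unscoped(id)
  INVOICES.find { |inv| inv.id == id } or raise NotFound
end

# Fixed: mirrors `current_user.invoices.find(params[:id])`. The lookup is
# scoped to the caller's own records, so an id belonging to another user
# behaves exactly like a missing record and leaks nothing.
def find_invoice_for(user, id)
  INVOICES.find { |inv| inv.id == id && inv.owner_id == user.id } or raise NotFound
end

# Small helper for the demo and test: reports :found or :not_found instead of raising.
def outcome
  yield
  :found
rescue NotFound
  :not_found
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new(10)
  puts "unscoped lookup, someone else's id: #{outcome { find_invoice_unscoped(2) }}"   # found (IDOR)
  puts "scoped lookup,   someone else's id: #{outcome { find_invoice_for(alice, 2) }}" # not_found
  puts "scoped lookup,   own id:            #{outcome { find_invoice_for(alice, 1) }}" # found
end
```

The point of the fix is that authorization is expressed by the association the query starts from, not by a check bolted on afterwards; during a test this is exactly the class of bug found by replaying a request with another account's id in an interception proxy, which is why every `find` in a controller should be reviewed for its starting scope.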
A penetration test can have different types:
- Black-box: the consultant doesn't get any information about the system, just the domains/IP addresses for the assignment. This mimics what a real attacker would start with, but it requires a bigger time investment to carry out the test.
- Gray-box: the consultant is provided with all the information he needs about the target: technologies used, network layout, how certain features work, etc. This shortens the duration of the test and gets you the best results for your money.
- White-box: similar to gray-box testing, but the application's source code is also provided to the consultant.
What does Security Engineering include?
If you subscribe to the Security Engineering service, you will have access to me for any security-related problem or question. You will have a dedicated project in Basecamp, where you can create tasks for me. I handle those tasks within 2 working days. Typical tasks look like these:
- We are developing a new feature which has a security aspect, can you review our implementation plan and give us feedback?
- Can you review this pull request from a security perspective?
- Can you fill out this vendor security questionnaire we received from a prospective client?
- Can you vet our vulnerability reports?
- Can you review our CI/CD setup from a security perspective?
- We are becoming ISO 27001 Compliant and we are not sure how to solve this requirement. Can you advise us?
I only process a single task at a time, so I can usually complete 2 tasks a week for you.
Whether you need a penetration test for compliance or just want to verify the security of your application, we can help.
- A manual penetration test of a web application
- Covers compliance requirements
- Free re-test included
- You receive a report with the findings and recommended mitigations
- You receive a Letter of Attestation to present to auditors or customers