Recent Readings on App Sec, CI, Apple's OS', Freedom and Cyberpunk
Hope everyone has been getting into the 2013 swing of things! I know that with a few days out of the office I had a chance to catch up on a bunch of reading. Some of these really filtered up to the top and I thought I would shoot off a really quick post on a few things I've tweeted about lately, or at least flagged recently for personal digestion.
Hijacking Ruby on Rails apps through exposed "secret" tokens... or Let Me Github That For You - An analysis of the insecure handling of the secret_token.rb file present within Ruby on Rails apps. As this is the secret key that's subsequently used for other secret key generation, it should not, naturally, be committed into your GitHub repo. In Rails apps, 'rake secret' can help generate a new random string for population into your secret_token.rb file.
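As an added illustration (not from the linked article and not Rails' own code): a stdlib-only stand-in for the way Rails 3 signs session cookies with secret_token, using JSON in place of Marshal so it runs without Rails. The class and method names are hypothetical; rotation_demo shows that a cookie signed under a committed secret is accepted until the secret is replaced with fresh randomness of the kind 'rake secret' produces, after which it no longer verifies.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

# Stand-in for the scheme Rails 3 uses to sign session cookies with
# secret_token: base64(payload) + "--" + HMAC-SHA1(secret, base64(payload)).
# JSON replaces Marshal so this runs without Rails (an assumption here).
class CookieSigner
  def initialize(secret)
    @secret = secret
  end

  def generate(value)
    data = [JSON.generate(value)].pack('m0')  # strict base64, no newlines
    "#{data}--#{digest(data)}"
  end

  # Returns the payload when the signature checks out, nil otherwise.
  def verify(signed)
    data, sig = signed.split('--', 2)
    return nil if data.nil? || sig.nil?
    return nil unless secure_compare(sig, digest(data))
    JSON.parse(data.unpack1('m0'))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  private
  def digest(data)
    OpenSSL::HMAC.hexdigest('SHA1', @secret, data)
  end

  # Constant-time comparison, as Rails does, so verify does not leak timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Equivalent of what `rake secret` emits: 128 hex chars of fresh randomness.
def fresh_secret
  SecureRandom.hex(64)
end

# A cookie signed under a leaked secret stays valid until the secret is rotated.
def rotation_demo
  leaked = 'secret-that-was-pushed-to-github'  # constructed sample value
  cookie = CookieSigner.new(leaked).generate('user_id' => 42)
  [CookieSigner.new(leaked).verify(cookie), CookieSigner.new(fresh_secret).verify(cookie)]
end
```

Rotating the token is what actually closes the hole; deleting the file from the repo's history does nothing for cookies already minted under the old value.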
Codesake - A quick (and extensible) static analysis tool, or at least the beginnings of one. I took a moment to skim Paolo's code the other day and it looks like this could potentially grow into something quite powerful. Not yet a Brakeman replacement, but definitely something to keep an eye on.
I Never Liked The Term Rugged Software - If you have trouble keeping up with all of Dinis' content I can't really blame you; he posts a LOT, and quite often to a depth that I struggle with. Regardless, this short and sweet post from him sort of stuck with me for a few days, and whilst I sort of like the idea of Rugged Software, it more often makes me think of beards as opposed to resiliency. Maybe Dinis is onto something!
Continuous Integration Security Testing - Jason over at Intellavis performed a quick review of a few web security tools which could be run in an automated fashion to assist with continuous integration. Although I don't really know if I agree with his conclusion (I do really enjoy w3af), I do think that more people should be doing this sort of work. If you're working on a security tool and aren't enhancing or exposing APIs or thinking about more flexible use-cases, you're doing it wrong.
The Legacy of NeXT Lives on in OSX - I saw this tweet from @merbist (RTd from someone I can't recall). Anyway, his tweet couldn't summarise this article better: "Extremely well written article explaining Apple's underlying architecture for iOS/OS X strongly recommended."
Jacob Appelbaum's #29c3 Keynote - I started watching this on the TV at home, and even got the wife into it. Really insightful presentation and certainly had me thinking and reflecting on my involvement with open source software.
Warren Ellis on Conservative Characters, Cyberpunk and Women who write SF - Warren, who is easily my favourite author of the past few years, posted this really quick Q&A on his blog. Having just released his latest novel, Gun Machine (which I promptly Kindled and smashed a good 10% of in the first sitting), Warren's list of authors and other books gave me a future reading list I'll have to get started on at some point. Also, if you haven't had a chance to read Crooked Little Vein, get it. Whilst pretty short, I haven't enjoyed reading a novel as much as this since I read (and understood) Neuromancer (not that Crooked Little Vein is in any way an SF/Cyberpunk novel).