We have written a Ruby on Rails application that allows a visitor to fill out a form with personal information (name, address & other confidential details), which is stored in a database until the information can be collected by a batch process running inside the institution's firewall.

To prevent attackers from getting this confidential information in the event of a database compromise, we have devised a mechanism for automatically encrypting the user's input using OpenPGP before storing it in the database.

Where can I find a company that will assess this code and provide us with a report that we will be able to show to our customers? They would need to be familiar with both cryptography and with ActiveRecord.

+1  A: 

Hi,

We do, www.comsecglobal.com, or www.codefend.com.

Best, Sharone

Comsec Global
+1  A: 

Matasano are a good security research firm, and they're a Ruby shop.

caf
+1  A: 

Dwayne,

We (meaning OffByZero) would be happy to help.

We have commercial experience with both cryptography and Ruby on Rails; in fact one of our products involves the use of PKI with Rails in order to tamper-proof tokens.

Please feel free to get in touch using our contact form.

Duncan Bayne
+1  A: 

Is there a particular reason why the database is vulnerable in this case?

If your database is protected by a firewall, you don't gain a great deal from encrypting the data.

If the encryption mechanism is on the same system as the database, a compromise to the box will probably mean the data can be accessed regardless.

If the encryption mechanism is not on the same system, then you are in a bit better situation, but with this architecture, you can easily control who has write and read access to the database quite effectively - your web application db user can be granted very limited write permissions, and the firewall can control network traffic between the app and the db. Communication between the webapp and the secure database can be uni-directional and over SSL.

Update

Security Enhanced PostgreSQL might also be worth a look:

Security Enhanced PostgreSQL (SE-PostgreSQL) is an extension of PostgreSQL relational database management system, based on Security Enhanced Linux (SELinux)'s security model and policy.

Toby Hede
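
The limited write permissions described in the answer above could look like the following on PostgreSQL. This is an added example, not part of the original answer; the table `intake_submissions` and the roles `web_intake` and `batch_collector` are hypothetical names, and PostgreSQL is an assumption.

```sql
-- Hypothetical schema: one row per submitted form, payload already
-- OpenPGP-encrypted by the web application before it reaches the database.
CREATE TABLE intake_submissions (
    id         bigserial   PRIMARY KEY,
    payload    bytea       NOT NULL,
    created_at timestamptz NOT NULL DEFAULT now()
);

-- Separate login roles for the public web tier and the internal batch job.
-- Credentials (password or client certificate) are configured out of band.
CREATE ROLE web_intake      LOGIN;
CREATE ROLE batch_collector LOGIN;

-- Make the starting point explicit: nobody but the owner has access.
REVOKE ALL ON intake_submissions FROM PUBLIC;
REVOKE ALL ON SEQUENCE intake_submissions_id_seq FROM PUBLIC;

-- Web tier: may add rows and draw ids from the sequence, nothing else.
GRANT INSERT ON intake_submissions TO web_intake;
GRANT USAGE ON SEQUENCE intake_submissions_id_seq TO web_intake;

-- ActiveRecord's PostgreSQL adapter issues INSERT ... RETURNING "id",
-- and PostgreSQL requires SELECT on every column named in RETURNING.
-- A column-level grant on id satisfies that without exposing payload.
GRANT SELECT (id) ON intake_submissions TO web_intake;

-- Batch collector inside the firewall: reads rows, then removes them.
GRANT SELECT, DELETE ON intake_submissions TO batch_collector;

-- Verification queries to run after applying the grants: the web role
-- should hold INSERT and column-level SELECT on id only.
SELECT has_table_privilege('web_intake', 'intake_submissions', 'INSERT');
SELECT has_column_privilege('web_intake', 'intake_submissions', 'payload', 'SELECT');
SELECT has_column_privilege('web_intake', 'intake_submissions', 'id', 'SELECT');
SELECT has_table_privilege('web_intake', 'intake_submissions', 'DELETE');
```

The column-level grant still lets the web role list ids and count rows, so it hides the contents of submissions but not their volume.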
+1  A: 

I second the Matasano recommendation. I have first-hand experience with their work and am a seasoned security engineer and RoR developer myself. Matasano is by far the best choice for this work.

Dom Brezinski