Talking head
MountainWest RubyConf 2014

This presentation, by Nick Howard, is licensed under a Creative Commons Attribution ShareAlike 3.0 license.

Exploits happen when attackers discover that your application is actually an interpreter for a weird programming language with operators like ‘make admin’, or ‘consume all available memory’. Don’t give them access to that kind of computational power! Stop them at the very boundaries of your application’s input handling: the parser. By generating parsers tailored to the specific input formats of your app, you can prevent it from becoming a weird interpreter and make it harder to exploit. When you use a parser specific to your input format, it’s not only more secure, it’s better specified and definite. When you have a grammar for your inputs, you can give your API consumers better error messages and better documentation based on that grammar. Using Ruby’s metaprogramming superpowers, doing this doesn’t have to be a painful process. I’ve been working on a library called Muskox that aims to make generating parsers almost as simple as using Rails 4’s Strong Parameters. Writing code to secure your app’s inputs should be easy, fun and fast.
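
The strict, grammar-driven input boundary described above, as an added Ruby example that is not Muskox or any code from the talk: the InputGrammar class, its field DSL and the sample signup payloads are all constructed here for illustration. Anything the grammar does not name (an extra "admin" key, a wrong type, a missing required field) is rejected with a message that says exactly why, instead of flowing into the application.

```ruby
require 'json'

# Constructed example: a tiny grammar for one JSON input format. The parser
# only ever returns keys the grammar lists, so an unexpected key such as
# "admin" can never reach a mass assignment further inside the app.
class InputGrammar
  Error = Class.new(StandardError)

  def initialize(&block)
    @rules = {}
    instance_eval(&block)
  end

  # DSL: field :name, String   /   field :age, Integer, optional: true
  def field(name, type, optional: false)
    @rules[name.to_s] = { type: type, optional: optional }
  end

  # Parse raw bytes, then check every key and value against the grammar.
  # Returns a Hash containing only grammar-approved keys; raises Error on
  # any deviation, with a message that names the offending field.
  def parse(raw)
    data = JSON.parse(raw) # JSON's default max_nesting also bounds recursion depth
    raise Error, "expected a JSON object, got #{data.class}" unless data.is_a?(Hash)
    unknown = data.keys - @rules.keys
    raise Error, "unknown field(s): #{unknown.join(', ')}" unless unknown.empty?
    @rules.each_with_object({}) do |(key, rule), out|
      unless data.key?(key)
        raise Error, "missing required field: #{key}" unless rule[:optional]
        next
      end
      value = data[key]
      unless value.is_a?(rule[:type])
        raise Error, "field #{key}: expected #{rule[:type]}, got #{value.class}"
      end
      out[key] = value
    end
  rescue JSON::ParserError => e
    raise Error, "malformed JSON: #{e.message}"
  end
end

# The grammar for a constructed signup endpoint.
SIGNUP = InputGrammar.new do
  field :email, String
  field :name,  String
  field :age,   Integer, optional: true
end

# Constructed sample inputs: one well-formed, one smuggling an "admin" key.
GOOD = '{"email":"a@example.com","name":"Ada","age":36}'
BAD  = '{"email":"a@example.com","name":"Ada","admin":true}'
```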
