As we have stated several times before (New OWASP guide: Secure Application Development on Facebook and Ruby on Rails Security Guide) OWASP, The Open Web Application Security Project, is a great organization tasked with providing comprehensive security knowledge for companies, individuals, organizations and developers.

This week they came out with a new finished OWASP Project: The Top 10 Security Threats of 2010.

The project website is located here and the full 22 page report can be found here: OWASP Top 10 for 2010 (pdf)

Basically what this is, is a break down of the most severe security issues in web applications for the year 2010. What’s especially scary about it is however, that these 10 security issues have stayed largely unchanged since the Top 10 of 2007. In fact only two issues have been replaced on the list, making the OWASP top 10 security threats of 2010 (the new ones are bold):

1. Injection
2. Cross-Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross-Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards

What this shows us is that despite the efforts of OWASP, Aconiac and similar organizations, the security field has stayed largely unchanged and developers are still making the same mistakes in their designs and code. It might very well not be entirely possible to change this fact in general, even given 10 years from now.

But while companies in general may be making these mistakes, you don’t have to! The OWASP report includes several pages describing the security issues in detail, including an analysis of the risk it imposes on your business and what impact a breach might result in. We encourage you to download and read the entire 22 page PDF and make it mandatory reading for every developer and designer in your organization.

Presenting a new company venture from Aconiac: the mobile security company Hoodgate.

For several years now,  smart phones have increased in popularity and will continue to do so for years to come. We are truly only in the beginning of this development and can expect to see even faster and better systems in the future.

One thing that is however still lacking is effective handling of mobile security for a company with more than a few employees. Most available solutions are monolithic solutions where a company buys a software suite with some number of features (anti-virus, anti-spam, locking mechanism etc.) and then has to manually install this suite onto every single employee’s phone one by one, and subsequently if any additions are made to the software later on, in most cases you’d have to do the same manual reinstall all over again. In the end this can lead to enormous financial costs for a company, simply in shear terms of man-hours used!

Hoodgate is adopting another solution to the problem! Hoodgate will be offering a service where you, as a customer, can handle all your employee’s phones through a central control panel. Through this control panel you can then create a “Mobile Security Policy” for your company.

A “Mobile Security Policy” is basically the features you want to have, e.g. the ability to find a given phone through GPS, encrypted e-mails, remote lock of the phone (in case of theft), voice logging, and much more. Once you have a customer profile you can easily buy new features, remove old or order specially developed ones, and all these changes to your “Mobile Security Policy” are automatically sent to all your employee’s phones, ultimately making management of security for your mobile workforce much easier and cheaper. It is then the Hoodgate software on these phones that take in updates and synchronizes with the company “Mobile Security Policy” stored with Hoodgate online, rather than your system administrators having to do it manually.

Hoodgate is just starting up now, and does not at the moment have a finished product. We will however be making regular updates on how the development is going, and try to continually involve future customers in the development, in order to make as good a product as humanly possible.

The platforms we intend to support are the following:

With development prioritizes more or less in that order, so that the primary platform is Android.

All the plans above are of course still preliminary and open for change, and you can easily have a say in those changes and speak your mind to us. All you have to do is comment on this blog post, contact us directly or on one of the social networks we’re on (links are farther down). We’re very curious to hear what you think, even if you’re the type of guy/girl who loves to point out flaws in plans or designs – a real hacker type person! Feel free to contact us and point out what we’ve done wrong or haven’t thought about. In the end your opinions might very well result in an even better final product.

The company website can be found at http://www.hoodgate.com/ although it’s still very preliminary. As we state several times on the page: We’d rather use our time developing the software you need rather than worry about website details at the moment. The short comings on the site will however be handled within the near future.

You can also find us at other places on the web. We invite you to get involved and get your voice heard. We’re listening!:

As is sadly often the case, well-meaning newcomers to programming take on the newest and/or most popular programming language/framework available. And as you might suspect, they usually get it wrong and make every design and security mistake possible along the way!

This is a trend that we’ve seen with pretty much every popular programming language out there – like for example PHP, which sadly still holds the record for most insecure websites written in the language.

One very popular web framework these days is Ruby on Rails, created by the very talented 29 year old Danish guy David Heinemeier Hansson. It uses a Model-View-Controller construction and emphasizes good design by such principles as DRY (Don’t Repeat Yourself). By all means it’s a very good web framework! But as with PHP, a lot of newcomers get it wrong. Either by not following the Ruby on Rails conventions or by ignoring security!

Now, we’re not here to teach you about design. If you want to learn more about proper software design, a good place to start is simply your local library. Look for books on topics like Design Patterns, Software Engineering, Extreme Programming, Test Driven Development and Agile Software Development.

However what we do want to teach you about, is proper security in Ruby on Rails! Luckily, we don’t have to take out extreme amounts of time from the work we need to do, to get you trained in RoR security – instead we can simply refer to the work already done by the OWASP organization. OWASP is an organization working to improve web application security in the entire world, by means of a whole bunch of different projects for developers, security professionals and end users. One of these projects is the Ruby on Rails Security Guide V2 project which includes a PDF file detailing the different security concerns and solutions concerning Ruby on Rails development.

If you are going to develop Ruby on Rails applications (or if you’re simply curious) please download the Ruby on Rails Security Guide from OWASP and read it before doing any production deployment of applications.

Note: If you’re too busy to go to the project page on OWASP and find the download link, then here’s a direct download link instead: Download the Security Guide