Ruby on Rails bottom up security – authentication and session management check

This post is about checking “The Gates” of your Rails application.

Every web application is a set of URLs. Some of them are publicly available and some are available only to you (e.g. your bank account page should be available only to you and your spouse).

Modern web application authentication works as follows:

  • there is a log in page where you enter your username/password
  • the backend checks that combination
  • if the combination is valid, the backend returns, in a Set-Cookie header, a long, unique, hard-to-guess string of characters. This is the session string.
  • the browser takes that value and sends it in the Cookie header in all following requests.
  • the backend checks the cookie value; it must be the same as the one assigned to the username/password combination
  • there should be a logout endpoint that removes the session string from the username/password combination.

More about Ruby on Rails session security can be found here.

If you want to roll your own session management, it can go wrong in an infinite number of ways.

So what can you do? Use the Devise gem with the following options:

  • store sessions in the database
  • sessions must expire after some period of user inactivity
  • a log out feature must be implemented.
  • rotate the Devise key value (more frequent rotation means more security).

In future security audits you only need to check the Devise configuration, that Devise is updated with the latest security patches, and that Devise security key rotation is active.
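One way to turn that audit into a repeatable check, as an added example that is not code from the original post or from Devise: a text-level scan of the three files where the listed items live. The option names (timeout_in, secret_key, sign_out_via, expire_all_remember_me_on_sign_out, :timeoutable) are real Devise settings; the "store sessions in the database" item is a Rails session-store setting (activerecord-session_store gem) rather than a Devise option, and the sample files below are constructed.

```ruby
# Added example (not from the original post): audits config/initializers/devise.rb,
# app/models/user.rb and config/initializers/session_store.rb as plain text and
# reports which of the post's session-management items are missing.

# Patterns are anchored at line start so the commented-out defaults in a stock
# devise.rb ("# config.timeout_in = 30.minutes") are not mistaken for active settings.
INITIALIZER_CHECKS = {
  "inactivity timeout (config.timeout_in)"         => /^\s*config\.timeout_in\s*=/,
  "explicit Devise secret key (config.secret_key)" => /^\s*config\.secret_key\s*=/,
  "remember-me tokens expire on sign out"          => /^\s*config\.expire_all_remember_me_on_sign_out\s*=\s*true/,
  "logout route configured (config.sign_out_via)"  => /^\s*config\.sign_out_via\s*=/,
}.freeze
MODEL_CHECK = /^\s*devise\b.*:timeoutable/            # timeout_in only works with :timeoutable
STORE_CHECK = /session_store\s+:active_record_store/  # provided by activerecord-session_store

# Returns the names of the checks that failed (empty array = everything in place).
def audit_devise(initializer, model, session_store)
  failed = INITIALIZER_CHECKS.reject { |_name, re| initializer.match?(re) }.keys
  failed << "User model lists :timeoutable" unless model.match?(MODEL_CHECK)
  failed << "sessions stored in the database" unless session_store.match?(STORE_CHECK)
  failed
end

# Constructed sample: a near-stock devise.rb with the timeout and key still commented out.
WEAK_INITIALIZER = <<~RUBY
  Devise.setup do |config|
    # config.secret_key = 'placeholder'
    # config.timeout_in = 30.minutes
    config.expire_all_remember_me_on_sign_out = true
    config.sign_out_via = :delete
  end
RUBY
WEAK_MODEL = "class User < ApplicationRecord\n  devise :database_authenticatable, :rememberable\nend\n"
WEAK_STORE = "Rails.application.config.session_store :cookie_store, key: '_app_session'\n"

# Constructed sample with all four items from the post in place.
GOOD_INITIALIZER = WEAK_INITIALIZER
  .sub("# config.secret_key = 'placeholder'", "config.secret_key = ENV.fetch('DEVISE_SECRET_KEY')")
  .sub("# config.timeout_in", "config.timeout_in")
GOOD_MODEL = WEAK_MODEL.sub(":rememberable", ":rememberable, :timeoutable")
GOOD_STORE = "Rails.application.config.session_store :active_record_store, key: '_app_session'\n"

if __FILE__ == $PROGRAM_NAME
  puts "weak:  #{audit_devise(WEAK_INITIALIZER, WEAK_MODEL, WEAK_STORE).inspect}"
  puts "fixed: #{audit_devise(GOOD_INITIALIZER, GOOD_MODEL, GOOD_STORE).inspect}"
end
```

Against a real repository, replace the constructed strings with File.read of the three paths named in the comments.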

Learning risk management by example

After taking state-of-the-art software learning courses, I concluded that the best way to absorb knowledge is to learn from examples of the presented materials.

How do you measure the quality of a course or workshop? For me, one metric is the examples used in the course or workshop. Of course, not THE NUMBER of examples, but my subjective measure of how the examples helped me to understand the theory. And, what is more important, how those examples help me to remember what I learned.

My examples of such courses are Rapid Software Testing by Satisfice or the BBST courses by the AST foundation.

Today is SATURDAY and it was a RAINY morning, and I drove to my hometown Zabok EARLY in the morning. The security of my trip was jeopardised at the third stop light. The traffic lights were off. This was an intersection with a one-way road, and the intersection had road signs.

Should I wait for the traffic lights to be repaired? In that case, I would be late.

Since it was SATURDAY, an EARLY, RAINY morning, the traffic at the intersection was very light, and it was an intersection with a one-way road, I crossed the intersection more SAFELY than on a working day.

OK, that was the example, but what is the topic?

Your project is using a lot of 3rd-party software components. Those components could have important security fixes. Deploying a new version of a 3rd-party component requires testing.

You are at YOUR crossroad with jeopardised security, this time the security of your product.

Should you upgrade? Will your sprint be late because of it? Do we need to deploy? Can the project be secure enough without the patch?

This is security risk analysis for your product in the context of a 3rd-party component security fix. You need to create questions and answers in the context of your product and related to the software security domain.

Can you give us any example?

Ruby on Rails bottom up security – sql injection check

This post will explain how to check your Ruby on Rails code base for SQL injection [Wikipedia].

After you have read the Wikipedia link about SQL injection, you are ready to proceed. It is important to state that Ruby on Rails offers one of the best (if not the best) out-of-the-box SQL injection protections of any framework.

But sometimes a developer needs to override this protection for some “Twin Peaks” feature request. In that case, even an experienced Rails developer could make an SQL injection attack possible. At the other end of the spectrum, if your company can only afford junior Rails developers, this check is a must.

Here is how you should hunt for such protection overrides. First, head to the Rails SQL Injection site. This page lists many query methods and options in ActiveRecord which do not sanitize raw SQL arguments and are not intended to be called with unsafe user input. You will use this site as a reference.

Open your terminal, go to the root folder of the Rails project repository, and use this command:

grep -H -r 'search for activerecord method' * | less

You need to replace the search term with the ActiveRecord method name. Here you need to be creative in order to filter out results that do not represent the ActiveRecord method.

Here is the punch line:

Never, ever, trust the user input!

Which means that user input must not be passed directly to ActiveRecord methods. Again, refer to the Rails SQL Injection site in order to learn how to recognize code that is prone to SQL injection.

Wait, but I am using Windows, which does not have grep! Well, Google is your friend; there are a number of open source tools that will help you.

We also need to check all custom SQL queries using these commands:

grep -H -r 'execute' * | less

grep -H -r 'params\[' * | less

As with the ActiveRecord methods, user input must not be used directly in custom SQL queries.
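The grep hunt above can be made a little more selective, as an added example that is not code from the original post: a line scanner that flags ActiveRecord methods accepting raw SQL, plus connection.execute, only when the SQL argument is interpolated, concatenated, or is params itself. The method list is a subset of those documented on the Rails SQL Injection site; the sample sources are constructed and a real run would read the repository's *.rb and *.rake files.

```ruby
# Added example (not from the original post): a Ruby counterpart to the grep
# commands above. It reports file:line for calls where the raw-SQL argument is
# built from string interpolation or concatenation, or is passed params directly.

RAW_SQL_METHODS = %w[where order group having select joins from lock pluck
                     find_by_sql exists? delete_all update_all calculate
                     count sum execute].freeze

# ".where(" / ".order " followed by either a string literal or params.
METHOD_CALL = /\.(#{RAW_SQL_METHODS.map { |m| Regexp.escape(m) }.join('|')})\s*\(?\s*(["'].*|params\b.*)/

# Line-level heuristic: only the first string argument is the SQL fragment, so
# where("name LIKE ?", "%#{q}%") (a bound parameter) is not flagged.
def risky_sql_call?(line)
  m = line.match(METHOD_CALL) or return false
  arg = m[2]
  return true if arg.start_with?('params')
  first_literal = arg[/\A(["'])(.*?)\1/, 2] or return false
  first_literal.include?('#{') || arg.match?(/\A(["']).*?\1\s*\+/)
end

# Returns [[file, line_number, stripped_line], ...] for every flagged line.
def scan_source(sources)
  sources.flat_map do |file, text|
    text.each_line.with_index(1)
        .select { |line, _| risky_sql_call?(line) }
        .map { |line, n| [file, n, line.strip] }
  end
end

# Constructed sample sources (single-quoted heredocs keep #{...} literal).
SAMPLE_SOURCES = {
  "app/controllers/users_controller.rb" => <<~'RUBY',
    def index
      @users = User.where("name LIKE '%#{params[:q]}%'")    # interpolated: flagged
      @users = @users.order(params[:sort])                   # raw params: flagged
      @safe  = User.where("name LIKE ?", "%#{params[:q]}%")  # bound: not flagged
      @safe2 = User.where(name: params[:name])               # hash: not flagged
    end
  RUBY
  "lib/tasks/cleanup.rake" => <<~'RUBY',
    ActiveRecord::Base.connection.execute("DELETE FROM logs WHERE id = #{params[:id]}")
    ActiveRecord::Base.connection.execute("DELETE FROM logs WHERE created_at < now()")
  RUBY
}.freeze

scan_source(SAMPLE_SOURCES).each { |file, n, line| puts "#{file}:#{n}: #{line}" }
```

Like the grep approach it is a heuristic: a string argument that is assembled on an earlier line will not be caught, so the flagged list narrows the manual review rather than replacing it.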

P.S. A Twin Peaks feature request gives the developer an experience very similar to watching Twin Peaks: “The Return” [source].

Testival 2017 second day report

This post is about the opening keynote and the open sessions that I attended.

We gathered 40 software testers, which is a 20% increase! Alex Rodionov's opening keynote was about Testers' Anxiety, which hit the bull's eye because every software tester has experienced that.

Software testers are usually the first to spot contradictions in the product, which makes them alert, and that leads to anxiety. Alex stated how you can identify that you are a lousy tester: there are bugs in the product that you missed. Very simple. I liked the statement that programming is analysis decomposition, and software testing is composition analysis. Testing is like art. In testing, you should never stop looking for answers.

Then Alex switched to automation in software testing. He mentioned the testing pyramid and asked whether we automate too much or enough. Do we trust our automation checks? Software testing is less deterministic and involves many checks, while in automation there is only one check. Then he explained model-based testing, which is a smarter way to do automation.

My first session was the one I proposed: What is exploratory testing? Exploratory testing is so overused that it has almost become a buzzword. I realized that I could not explain what exploratory testing is. So I started making wiki notes based on this excellent blog post: Exploratory Testing Pathway by Marcel Gehlen. I explained to the group what I have learned so far about exploratory testing. In that way, I expanded that understanding (by teaching others, you also learn).

The second session was about the software testing tools that we use in our daily jobs and the issues we had using those tools. I learned about Web Shaper and Charles Proxy. Also, Chrome dev tools throttling does not give real results. Marko proposed that it would be much better to connect mobile devices to a “shitty router”.

During the lightning talks I presented Black Box Testing Machines, which can be found in this excellent blog post by Katrina the Tester. The post presents various games and puzzles that are used in teaching software testing.

Zeljko presented Scratch, Vim, and why you should not go to the conferences.

Marko presented an impressive set of Jenkins jobs and created a new testing environment on the fly by clicking one job!

In the UX testing session, the discussion went in the direction of which tools are used for user behaviour analysis.

The last session was about the state of Selenium. The Selenium team will no longer support browser drivers; that is now the vendors' responsibility. Selenium Conf and Watir Bazaar are excellent conferences, and if you want to write maintainable browser automation in Ruby, you should read the Cucumber and Cheese book.

In the closing session we shared our AHA moments and gave away a set of Test Sphere cards!

That was it! See you next year at Testival 2017!

Testival 2017 first day report

TL;DR means too lazy to read (I got several inquiries about that).

For the content of this blog post, Nova Runda is the responsible party. This post is about the first day of Testival 2017, a free testing conference.

We had 33 participants, of whom 12 were female testers. We have never emphasized the problem of gender diversity in software testing, but with an honest approach to what software testing is, we attracted that number of female software testers.

What I like about Testival is that we have returning participants, and they brought new software testers along. So, the open space event approach is a good direction.

We started with introductions and proposals for the open event slots. And guess what: no hesitation, no need for the old Testival testers to start posting their proposals first.

“Zeljko, we need to arrange those proposals according to the number of votes,” I asked. No need for that; the participants did it themselves, they even created new rooms!


We are starting tomorrow at 9.00 am with Alex Rodionov's opening keynote. See you there.