Relevance Inc., a Ruby on Rails software development practice that specializes in application product development, training and consulting recently announced the launch of its Rails Security Audit.
This service focuses on helping enterprise companies identify security vulnerabilities in Rails applications. Relevance's audit team is comprised of senior Rails professionals who have strong backgrounds in security testing and risk management consulting.
"The inspiration for launching the services is that we saw a need for customers to have independent software reviews," said Justin Gehtland, president and co-founder of Relevance. "The more we recommended security audits to our customers, the more we realized we could provide the audits."
Such security audits are especially important as companies work to meet the June 30 deadline to comply with the PCI Data Security Standards. Requirement 6.6 of PCI DSS refers to application security and states that in order for companies to accept credit card transactions, they must either install a Web application firewall or complete a code review.
Rails Security Audit does meet the PCI requirement for application security, Gehtland said.
"It's important for customers to be aware of PCI DSS and understand it," Gehtland said. "Then they have to get past the cost-prohibitive parts of it. We're looking at this as a way to give assurance that they can know if their application meets their requirements for PCI DSS."
The audit service is composed of five comprehensive phases:
- Source Code Audit: Review of the application's source code and identification of vulnerabilities to test in subsequent phases. Key elements include reviewing input sanitization, SQL querying and sensitive data storage.
- XSS Audit: Test of all endpoints exposed by the application to verify that scripts cannot be injected into the application. This reduces the risk of cross-site scripting (XSS), which can expose sensitive customer data, violate privacy, and lead to further compromises.
- SQL Injection Audit: Test of all endpoints exposed by the application to verify that SQL cannot be injected into the database.
- Fuzzing Audit: Crawl and index the application for fuzzing vulnerabilities. Fuzzing is an automated attack that bombards an entire application with bad data and verifies that the application responds appropriately.
- Deployment Stack Audit: Test of the production environment and examination of key elements such as the operating system, web server and applicable databases.
The Rails Security Audit is generally completed in one week, and pricing is based on the size of the project and the amount of technical debt. A customized quote is produced after members of the Relevance team meet with prospective clients. Each audit provides enterprises with a detailed report summarizing vulnerabilities as well as outlining fixes.
In conjunction with the launch of the new service, Relevance has released its Tarantula tool to the open-source community. Tarantula crawls Rails applications and identifies data breaks that are vulnerable to fuzzing. For more information about the tool, visit http://opensource.thinkrelevance.com/wiki/tarantula.