Kevin - The vulnerabilities in Hacme Casino are fairly straightforward, but this is partially by design, as we are trying to reach people who may not be as familiar with Rails. The first place I presented Hacme Casino was to a group of salesmen who wouldn't know AJAX from Apple Jacks. The way I like to think of it is both as a marketing tool and as an awareness tool. As I continue to work on it, I hope to make the vulnerabilities gradually more difficult, like our "adjustable-difficulty" hangman app :)
With our other free tools, we don't cover the code review angle in the user guide, but in our Writing Secure Code classes we go through the Hacme applications and fix them. We don't have a Ruby class at this point, but in our general/design-level class (Building Secure Software) we might go through the code flaws and fixes. As for an article, go for it, I would be more than happy to chip in.

Alex

-----Original Message-----
From: Kevin Clark [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 25, 2006 2:51 PM
To: [email protected]; [EMAIL PROTECTED]
Subject: Re: [Sdruby] RE: Hacme Casino

Alex,

Are there plans to release information for how to correct these errors, or is the idea that we can pay Foundstone to audit and clean up our code? ;) I've only looked through the first 4 vulnerabilities so far, but they're all fixed fairly easily and can be avoided with very little work. Would Foundstone be upset if I wrote up an article on how to avoid those problems? If I wrote the article, would you rather I link the PDF or host it locally?

Kev

_______________________________________________
Sdruby mailing list
[email protected]
http://lists.sdruby.com/mailman/listinfo/sdruby
