Companies to do code review of crypto in an ActiveRecord / Ruby on Rails webapp? [closed]
Closed 7 years ago.
We have written a Ruby on Rails application that allows a visitor to fill out a form with personal information (name, address and other confidential details), which is stored in a database until the information can be collected by a batch process running inside the institution's firewall.
To prevent attackers from getting this confidential information in the event of a database compromise, we have devised a mechanism for automatically encrypting the user's input using OpenPGP before storing it in the database.
Where can I find a company that will assess this code and provide us with a report that we will be able to show to our customers? They would need to be familiar with both cryptography and with ActiveRecord.
We do, www.comsecglobal.com, or www.codefend.com.
Best, Sharone
Matasano are a good security research firm, and they're a Ruby shop.
Is there a particular reason why the database is vulnerable in this case?
If your database is protected by a firewall, you don't gain a great deal from encrypting the data.
If the encryption mechanism is on the same system as the database, a compromise to the box will probably mean the data can be accessed regardless.
If the encryption mechanism is not on the same system, then you are in a slightly better situation, but with this architecture you can already control who has write and read access to the database quite effectively: your web application's db user can be granted very limited write permissions, and the firewall can control network traffic between the app and the db. Communication between the webapp and the secure database can be uni-directional and over SSL.
Update
Security Enhanced PostgreSQL might also be worth a look:
Security Enhanced PostgreSQL (SE-PostgreSQL) is an extension of PostgreSQL relational database management system, based on Security Enhanced Linux (SELinux)'s security model and policy.
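The split the answer above argues for, encrypt on the web tier and decrypt only behind the firewall, as an added example that is not from the question or any answer: the model holds only the public key, so a compromised app or database box yields only ciphertext. It swaps OpenSSL RSA-OAEP plus AES-256-GCM in for the question's OpenPGP so it runs on Ruby's standard library alone; `FieldCrypto`, `Submission` and the sample field values are hypothetical names constructed here.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Added example: "write-only" field encryption. The web tier holds only the public key;
# the batch process inside the firewall holds the private key. OpenSSL RSA-OAEP plus
# AES-256-GCM stands in for OpenPGP so this runs with Ruby's standard library alone.
module FieldCrypto
  OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

  # Generate the pair offline; only the public PEM is ever deployed to the web tier.
  def self.generate_keypair(bits = 2048)
    key = OpenSSL::PKey::RSA.new(bits)
    [key.public_key.to_pem, key.to_pem]
  end

  # Web tier: seal the field with a fresh AES key, then wrap that key under RSA-OAEP.
  def self.encrypt(plaintext, public_key_pem)
    pub = OpenSSL::PKey::RSA.new(public_key_pem)
    aes = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    data_key = aes.random_key
    iv = aes.random_iv
    ct = aes.update(plaintext) + aes.final
    envelope = { k: pub.public_encrypt(data_key, OAEP), iv: iv, tag: aes.auth_tag, ct: ct }
    JSON.generate(envelope.transform_values { |v| Base64.strict_encode64(v) })
  end

  # Batch tier: only the private key unwraps the data key; the GCM tag check raises
  # OpenSSL::Cipher::CipherError if the stored envelope was tampered with.
  def self.decrypt(envelope_json, private_key_pem)
    priv = OpenSSL::PKey::RSA.new(private_key_pem)
    env = JSON.parse(envelope_json).transform_values { |v| Base64.strict_decode64(v) }
    aes = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    aes.key = priv.private_decrypt(env['k'], OAEP)  # raises if given only the public key
    aes.iv = env['iv']
    aes.auth_tag = env['tag']
    aes.update(env['ct']) + aes.final
  end
end

# Stand-in for an ActiveRecord model (hypothetical; no Rails needed to run this).
class Submission
  attr_reader :encrypted_details
  def initialize(public_key_pem); @public_key_pem = public_key_pem; end
  def details=(plaintext)  # what a before_save callback would do on the real model
    @encrypted_details = FieldCrypto.encrypt(plaintext, @public_key_pem)
  end
end
```

Note what this does and does not cover: records already at rest cannot be read with the web tier's key material alone, but a compromised web process still sees each new submission before it is sealed.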