Jason Yeo

Jason is a software engineer at Veracode working on SourceClear's Agent team.

Posts by Jason Yeo
  • Rails_admin Vulnerability Disclosure
    | By Jason Yeo

    A few days ago, I found a CSRF vulnerability in rails_admin. rails_admin is a Ruby gem that generates administrative interfaces for your models automatically. Interestingly, this vulnerability is similar in nature to the one I found in administrate, a similar gem. Additionally, past Ruby gems…

  • TLS Verification in Ruby Client…
    | By Jason Yeo

    A week ago, a couple of security researchers warned about unverified TLS certificates in SSL libraries of some programming languages. You may read more at their blog. In summary, they found that all programming languages do not verify revoked certificates and languages like Python and PHP do not…

  • Rails Engines: Magic or Curse?
    | By Jason Yeo

    Most Rails applications typically use a bunch of gems. Some of these gems may be Rails engines. Devise, Shoppe and RailsAdmin are examples of engines. The simple definition of an engine is a mini Rails application. When you include an engine in your Rails application, you are actually including an…

  • When Rails' protect_from_forgery…
    | By Jason Yeo

    Cross-site request forgery (CSRF) protection has been around in the form of protect_from_forgery since Rails 2 but somehow it's also the most misunderstood feature in the Rails community. To many Rails developers, the protection might seem like magic and thus the details of how it works are ignored…