Shuttlefare

Wednesday, October 1, 2014
Ruby on Rails Development

Airport Shuttle Services

I joined Shuttlefare in the middle of their web application experiencing a pretty severe security breach. The system's servers were completely compromised and leaking credit card data almost hourly. They weren't using any 3rd-party services like Stripe or Braintree, thus directly violating PCI DSS. I advised the CEO directly and worked diligently with the PCI SSC to prevent a company-wide shutdown. I performed a full-scale security audit to determine the source of the server breach. I documented and communicated a detailed audit of the system and security-related issues to executives and the SSC. I executed absolutely insane amounts of debugging, refactoring, and upgrades to old or bad code. A core component of the breach was that the Ruby on Rails framework and associated gems were so out of date that a list of unpatched, publicly and widely known vulnerabilities spanning roughly a 4-year period existed at multiple levels of Shuttlefare's platform.

So I upgraded this massively complex Rails installation and its associated gems to v4 from an outdated v2. You can't do this all at once, either: you have to upgrade versions, gems, databases, etc. together in increments up to each major release, and test the app at each upgrade level. I had to do heavy amounts of DevOps work, server configuration, migrations, and maintenance too. I automated the server build process to speed up deployment and set up continuous deployment. I migrated the newly upgraded codebase (while maintaining the old breached/patched code on Digital Ocean) to a fresh, secure Rackspace server, configuring production, staging & database instances while implementing a new RackConnect firewall. Eventually, I patched all of Shuttlefare's security holes and brought the system back into compliance with PCI security standards. I left this project after I interviewed and vetted some new developers to be hired.

Tech Stack: Ruby 1.x/2.x, Rails 2.x/3.x/4.x, MySQL, JSON, Sass, CoffeeScript, jQuery, Modernizr, HTML5, Underscore.js, Bootstrap, Nginx, Passenger, GoDaddy / SSL, New Relic, Google Analytics, Amazon CloudFront, YouTube, Slack, Atlassian, Git, GitHub, Google Maps API, Heap, SessionCam, Quantcast, RSpec, OmniAuth, Memcached, ActiveMerchant


