
Code with Jason
262 - Michael Lubas, Founder of Paraxial.io
In this episode I talk with Michael Lubas, founder of Paraxial, a software security product for Ruby on Rails applications. We discuss his background in both development and penetration testing, and his recent creation of GemShop - a deliberately vulnerable Rails 8 e-commerce application designed to teach developers about web security through hands-on experience. Michael explains common attack vectors like credential stuffing, the legal complexities around security research, and why developers are actually very interested in security despite stereotypes. We also cover his experience at Rails World and how Paraxial helps Rails developers get started with security.
- Paraxial.io
- Michael Lubas on LinkedIn
- michael@paraxial.io
- Nonsense Monthly
Hey, it's Jason, host of the Code with Jason podcast. You're a developer. You like to listen to podcasts. You're listening to one right now. Maybe you like to read blogs and subscribe to email newsletters and stuff like that. Keep in touch.
Speaker 1:Email newsletters are a really nice way to keep on top of what's going on in the programming world, except they're actually not. I don't know about you, but the last thing that I want to do after a long day of staring at the screen is sit there and stare at the screen some more. That's why I started a different kind of newsletter. It's a snail mail programming newsletter. That's right. I send an actual envelope in the mail containing a paper newsletter that you can hold in your hands. You can read it on your living room couch, at your kitchen table, in your bed or in someone else's bed, and when they say what are you doing in my bed, you can say I'm reading Jason's newsletter. What does it look like? You might wonder what you might find in this snail mail programming newsletter. You can read about all kinds of programming topics, like object-oriented programming, testing, DevOps, AI. Most of it's pretty technology agnostic. You can also read about other non-programming topics like philosophy, evolutionary theory, business, marketing, economics, psychology, music, cooking, history, geology, language, culture, robotics and farming.
Speaker 1:The name of the newsletter is Nonsense Monthly. Here's what some of my readers are saying about it. Helmut Kobler, from Los Angeles, says thanks much for sending the newsletter. I got it about a week ago and read it on my sofa. It was a totally different experience than reading it on my computer or iPad. It felt more relaxed, more meaningful, something special and out of the ordinary. I'm sure that's what you were going for, so just wanted to let you know that you succeeded, looking forward to more. Drew Bragg, from Philadelphia, says Nonsense Monthly is the only newsletter I deliberately set aside time to read. I read a lot of great newsletters, but there's just something about receiving a piece of mail, physically opening it and sitting down to read it on paper.
Speaker 1:That is just so awesome, feels like a lost luxury. Chris Sonnier from Dickinson, Texas, says just finished reading my first Nonsense Monthly snail mail newsletter and truly enjoyed it. Something about holding a physical piece of paper that just feels good. Thank you for this. Can't wait for the next one. Dear listener, if you would like to get letters in the mail from yours truly every month, you can go sign up at NonsenseMonthly.com. That's NonsenseMonthly.com. I'll say it one more time: NonsenseMonthly.com. And now, without further ado, here is today's episode. Hey, today I'm here with Michael Lubas. Michael, welcome.
Speaker 2:Hey, Jason, thanks for having me on the show.
Speaker 1:Thanks for being here. You are the founder of a product called Paraxial.
Speaker 2:Can you tell us about that a little bit and a little bit about yourself? Yeah, thank you. So you know, great to be here. My name is Michael Lubas. I'm the founder of Paraxial.io, which is a software security product. I'm a developer. I worked in software and also offensive security, so penetration testing for banks and startups and things. So I really like security. At the same time, I've also found that a lot of security people, like, they wouldn't go to Rails World, for example. Like there were a few security people there. But I've noticed that, you know, my security friends see me as like the Ruby programmer guy and then my programmer friends sort of see me as the security guy. So I've sort of got my feet in both areas there.
Speaker 1:I see, yeah, and you're kind of making inroads into the Ruby community, which is great, and I hope you're finding the Ruby community warm and welcoming. Oh yeah, it's fantastic. Yeah, and you created this thing recently called GemShop, which is pretty interesting. Can you tell us about that?
Speaker 2:Yeah, exactly so. When you're teaching people about web security so, for example, vulnerabilities like cross-site scripting, SQL injection, remote code execution your listeners are probably familiar with some of those or they might not be, which is totally fine they're typically not covered in like an intro to programming course, unless you really study security. It's hard. Like you know, a software developer wouldn't exploit like SQL injection in their day-to-day work. They'd probably just get a pop-up that says, oh, don't do this, it's vulnerable, do this other thing. And then they kind of move on. But I think to teach security it's really good for the developer to get experience. You know, like exploiting the vulnerability, reading the code like, hey, this is a vulnerable application. GemShop in this case is an e-commerce site, so it looks like you can buy gemstones. I think most people can imagine that. And if you were a business selling gemstones online and there was a security problem in your sales site, that would obviously be very bad. People could issue an order for a gemstone that costs several thousand dollars. Maybe they hack it so it's a dollar, or they steal people's credit cards, or they just hack it and cause a data breach just to be annoying. There's definitely an element of that online. So GemShop is written in Ruby on Rails. For Rails 8, which I think is beneficial because a lot of material online about security they'll just have a basic Python Flask or Node.js or PHP app and it's like, okay, yeah, that's how you don't have SQL injection in PHP, but we use Rails and ActiveRecord, so it's a little bit different in my day-to-day work. So that's the goal. I should mention that GemShop is not the first vulnerable project like this.
Speaker 2:I want to give a shout out to RailsGoat, which is an OWASP project. They started it I believe it was about 12 years ago and it was updated to about Rails 6. That's a really great project. I actually used it several years ago when I was first learning Rails. I was working for a fintech company. Really great project. I just wanted to kind of continue that mission. There was so much hype around Rails 8. I was at Rails World. The people listening might have seen the Paraxial booth exposure to this kind of learning material, especially now, not to, um, like, get into like a controversial subject, but I think there's a lot of people using AI tools right now to ship code and, um, you know, I think the tools are getting better, but there is definitely a security risk there right now.
Speaker 1:Yeah, yeah, and um, I'm definitely open to getting into that too, because it's very much a, it's a part of our reality now. So, this GemShop thing, yes, I don't know if this is the right question, but, like, if I'm interested in learning about security, what do I, like, do with this thing? What do I do?
Speaker 2:with this thing. So my goal was to get the project out. It's kind of like, you know, just ship the thing I think that's beneficial and then go on a podcast right now to talk about it. I would say it depends on your level of experience. So maybe you're an experienced a lot of Rails developers, I think, have a lot of experience.
Speaker 2:If you already know what cross-site scripting and SQL injection is, you can just start reading the code and try to find them and exploit them on your own. You'd probably know, oh yeah, to exploit cross-site scripting, you would insert a script tag and try to get it to reflect or be viewed by a victim user. If you're coming at security completely new, you have no idea what these acronyms mean. I'm actually working on some educational material. It may end up being like a training at that conference, but I'll be putting out like blog posts, maybe some YouTube videos actually so you can subscribe to the blog and the Paraxial channel. But essentially it'll be like walking through, like hey, like what is SQL injection? What's the impact? How would you exploit it? Um, so I want to get that material out um soon, but I think just getting the project out was like definitely the first step in in, you know, this whole plan of work that I have yeah, um, okay, and is it?
Speaker 1:Like you know, I've only taken the most cursory glance at GemShop. Is it like a repo that I can download, or do I like interact with it, uh, where it's hosted, or like, how does that part work?
Speaker 2:Yeah, so you definitely don't want to host it unless you know what you're doing, because I meant like, do I interact with it where it's hosted right now? Oh, no, no, no, um.
Speaker 2:So right, right now it's like a, it's like a GitHub, it's like the source code is up on GitHub, um. But if you were to run it on, like, let's say, you had like your own kind of, um, projects on like an AWS account and you were like, oh, I'm gonna start up a new server. Don't, don't put GemShop on it, because somebody can hack into the server and then, like, scan your network and, like, hack into, like, especially if you work in a corporate environment, do not run this on a corporate network. Run it locally or in an isolated network, if you know how to do that. And the reason is because somebody can hack into it.
Speaker 2:But the way to get started is just download the repo and run it as a Rails 8 project and browse around, like, order some gems. That's actually a really good point that the first step when you do a pen test is you just use the application and you kind of do a threat model, which is a fancy word to say, like, what are the kind of, like, risks of this? So, like for an e-commerce application, you know, it would be like a user account being compromised, like somebody stealing data. Um, thinking about the risks of it, um, that's kind of like your first step with GemShop. Okay, so maybe kind of getting familiar with what it is and, yeah, posing the question to yourself like how could I attack this? Exactly.
Speaker 1:Got it, okay, okay. And it's almost like, uh, putting yourself in an adversary's shoes and trying to think of again how they would attack it, so that you can think of how to, uh, protect against those attacks.
Speaker 2:Yeah, that's a great point, Because anytime you put like a web application which I think most people listening to this podcast are familiar with when you put like a web app on the public internet, it's just going to get attacked immediately. Like there's nothing you can really do to stop that fact, like there's mitigations you can put in place. Of course I have a company that does that, but the reality is that anything you put online will be attacked. For example, something really common that I've seen is people will. They'll be well-versed in secure coding, so we'll be like we don't have SQL injection, we don't have remote code execution. We check the source code is completely secure and then they put their application online and somebody runs a bot to just try login attempts in a credential stuffing attack. Where the way this works is you probably have 100 accounts online and not all of those sites, like a golf forum doesn't have really good security, so the golf forum gets hacked. Now your like email and password pair, for the golf forum is public, like it's online. Somebody grabs it and then people reuse their passwords constantly Maybe not this audience, because it's a little more technical, but just like online, people reuse passwords every day. So somebody writes a bot to do like 100,000 login attempts and every login attempt is for a different user, user accounts get compromised. That's like the most common attack.
Speaker 2:Like if I had to, just like I've personally dealt with those attacks, if I had to like rank, like what's the most likely threat, I actually asked, like the big LLM models like Claude and ChatGPT, like I'm a developer, like doing a web app, like what is the biggest security risk I should care about? And it was like man-in-the-middle attack, which is just like completely wrong. Interesting. They're really good for some security things. I actually am optimistic about AI for security but like for that, it was just like completely wrong. It's like credential stuffing in my experience, maybe because it's more like developers of Rails applications are probably more like small business. Because, like you know, Apple and like Amazon have had these defense systems in place for, like eBay, because they've had to deal with the attacks. But it's actually funny. People think like, oh, I'm too small to be a target. But in my experience, the bad guys for an attack like this or like credit card fraud, they like to go after smaller companies because they usually don't have protections in place yet.
Speaker 1:Interesting, interesting. That makes a lot of sense. Yeah, okay, so credential stuffing they get your credentials from somewhere, some source online that publishes that kind of stuff, and then they, they try credentials and then gain access of some user and then like, what are they trying to do exactly?
Speaker 2:Um, like, let's say you have credit cards stolen in the account, that's a big one. If you can issue transactions and get the credit card data. It's just a common. Usually it's not as targeted as you'd expect. People will just run servers doing these attacks and then it's sort of like phishing. Not like email phishing, but this may be a bad example, like literal fishing, where it's like oh, let me check my credential stuffing bot today. Oh, I got access to like these accounts. Like what the heck is this service? Let's check it. Maybe it gives a credit card, maybe it gives financial data, maybe it gives like medical data.
Speaker 2:These bots are just like constantly scanning the internet, looking for, like some people just do it for fun, like there's a lot of people online that just enjoy hacking, um, and they target. But. But like credential stuffing is something I've seen really well when I worked at a bank actually it was a fintech company. Um, you could imagine like why would somebody want to compromise your bank account and issue transactions and steal your money? That was a pretty they were pretty motivated there.
Speaker 1:Mm-hmm, yeah, interesting, and something I'm always, I've always been curious about. I don't know how much of the answer you know, but like some of these things are like illegal. And my first question is like how do you know whether something is illegal or not?
Speaker 1:Like if I go and, like, find a place where people's credentials are published, yeah, um, I imagine it's probably not illegal just to visit that site and lay my eyes on that information. And then, oh, interesting, yeah. And then if I copy those credentials and like save them to my computer, maybe that's not illegal. If I then go and actually log in as that person, is that illegal? Like, so I'm curious about that, and then I'm curious about, like, how hackers, um, take measures to try to not get caught. So that's a good question.
Speaker 2:I would say for the first part, um, like viewing, um, leaked credentials is not illegal, like I know people do this. There's a project called Have I Been Pwned, um, which very famously aggregates it and it's a legal business. Um, Troy Hunt is the individual who runs it. I believe he's Australian. Like you know, he operates out of a Five Eyes country. The business is obviously very legal. I think he's actually gotten awards and been honored by law enforcement agencies, so obviously that work is good. He's doing that to benefit people.
Speaker 2:But, yeah, if you were to log into somebody else's bank account, that in the United States is a felony. It's a felony in most countries for obvious reasons. Like there's no legitimate reason to do that. There has been this trend in the security community where, for example, if you found a vulnerability in GitHub like that allowed you to hack into their server and then you stopped and just told them about it, they would actually give you money for that through the bug bounty program. Now, if you use that access to steal their entire database and extort them, yeah, that's a crime. But in general, the industry has gotten a lot more favorable to like kind of good faith research where, like you're reporting a vulnerability to to help um, and that's a complex topic. But what was the second question you had?
Speaker 1:I'm sorry. Oh, it's okay. Like, uh, how do hackers try to not get caught?
Speaker 2:Oh well, it's not hard. Um, like, if you're a hacker in a country that doesn't have an extradition treaty with the United States and you're hacking, like, credit cards, they're like Russia or China is not going to extradite somebody because the United States said they committed a crime, and the internet is global. So that's one way. But the other thing is people do get caught a lot. This is a common one. People love DDoS for hire, like video games. A lot of the big botnets were literally just Minecraft players wanting to DDoS servers and individuals to knock them offline.
Speaker 2:And those people do get caught because they don't cover their tracks very well. And that's the thing, it's like when you're doing this kind of crime, people think these people are geniuses, like, oh, you're a cyber criminal, you must be. So if you're smart enough, the really smart people, I think, start businesses or work for like a tech company or they make money legally. I actually think that if you're doing kind of like a legal crime, it's because you like weren't able to. It just doesn't make sense when you kind of run through the risk management of it. Oh yeah, like you're gonna go to jail and get a felony and that's gonna ruin your life in, you know, some very big ways, and it's also morally wrong. Like I, I don't, I, yeah, but it is a reality. Like there are.
Speaker 1:There's a lot of crime out there, online especially. Yeah, I've thought about that before. Like, uh, you observe these, uh, these organized crime organizations? Yeah, that's true, and it's still work. Like you're building a business and everything that a business does. Yeah, um, and it's like a bunch of work and then, on top of that, you have all this risk of basically your entire life getting ruined, um, and it's like, if I'm gonna do all that work, uh, I'm not gonna do something illegal. Yeah, it seems better to do something legal, obviously. Yeah, because it's not like.
Speaker 1:I mean, maybe there's some things that are just like totally easy money, but it doesn't really seem like it's.
Speaker 2:I, I think it's more of a psychological like it's exciting, you know, like you, like you think, like you think you're so cool for doing this, but then nobody really cares. You're just like another, like you're gonna get arrested. No one's really gonna care. Like oh, you commit a credit card fraud. Like here's your cookie.
Speaker 1:You're going to prison? Yeah, but that's really interesting. Um, people working from countries with no extradition treaty yeah, I was familiar with the fact that not every country has an extradition treaty.
Speaker 2:Well, they want to target people not in their home country, because you don't want to, like you know.
Speaker 1:Exactly.
Speaker 2:But yeah, if you're doing it to, you know people in a different country. They're usually a little more lenient. They're not going to probably arrest you.
Speaker 1:Yeah, they're usually a little more lenient. They're not going to probably arrest you. Yeah, and so I knew that not every country has an extradition treaty with the United States, but I didn't know which countries didn't have one. Um, obviously it makes sense that China and Russia wouldn't. Yeah, like there's a geopolitical element to it for sure. Yeah, maybe like North Korea, I have no idea.
Speaker 2:No that's actually true. A lot of cryptocurrency theft. Um is North Korea like state. You know like you work for the North Korean government. They want you to do that to like their adversaries, like from a geopolitics perspective it's. There's actually indictments that I think the FBI or United States has done on. You know people that just work like they're like a tech worker in North Korea. You know they're not like a criminal master, but like yeah, they're not going to travel to the United States, but I don't think they were planning to anyway.
Speaker 1:Right, it's like your full time job is organized crime, but you work for the government of the country that you live in and this goes both ways.
Speaker 2:You know there are, like people in the United States who do very important national security work. You know it's not theft, they're not stealing cryptocurrency, but they're doing, you know, very important intelligence work and then you'll see, like China or Russia, be like yeah, this person is banned from our country. That does happen too, but this is a little different from the web application security. This is more like hacking iPhones and things like that.
Speaker 1:Yeah.
Speaker 2:Okay.
Speaker 1:Yeah, and it's kind of interesting. It's like kind of shooting fish in a barrel type thing. Maybe if you're located in one of those countries and you just want to do all the crime you want to do, but you're targeting people in the US.
Speaker 2:You're never going to get in trouble. It's sort of like a mass because of automation, like you can target, for example, like when I register like a new domain, that when you do the TLS certificate, like with Let's Encrypt or any TLS certificate that gets published, and then I immediately see people like start scanning the server for vulnerabilities.
Speaker 1:Yeah, interesting.
Speaker 2:I'm curious.
Speaker 1:This is like totally not, uh, important, but I'm just really curious which countries don't have an extradition treaty with the US? Oh, and interesting, I went to ChatGPT and it's completely broken. There's no styling on it whatsoever.
Speaker 1:All right, so I guess I'm not going to do that right now.
Speaker 1:Okay, so, coming back to web application security, you know a big part of programming in general is feedback loops and, you know, I like to. It's good when you can, like, make a change to a system and then put it in production and see how users respond to it, and stuff like that. With security, it seems a little bit different, because it's almost like you don't ever want the feedback loop to happen, or like you put things in place, you're putting things in place so that things don't happen, um, and to me that feels just like so much different. It's like you put an anti-phishing measure in place or something like that, and the only way that you know if it works is, well, as I'm saying this, I'm not sure if it's true, but like the only way that you know it works is if a phishing attack doesn't happen. And it's like just because there were no phishing attempts today doesn't mean anything, um, and you have to, like, wait for a real one to happen. I don't know, I don't know. Can you speak to that a bit?
Speaker 2:So that's actually a great point. Um, this is something I've been interested in, which is testing your security controls. So, for example, during the Rails 8, well, the Rails World keynote, where David was talking about Rails 8, he mentions like Linux server security, like how do you do that? And it's like just using the built-in firewall on the server to, like, block, want to only open 80 and 443 and maybe 22, for example. The thing that you can do, though, is actively test that measure with a port scanner.
Speaker 2:So this is a Paraxial feature, actually, that recently launched, where you think, okay, the only ports on my VPC should be like 80 and 443. Paraxial can scan that for you like every day or every week to test it. Or like another example would be I think that we're like protected against credential stuffing, but you can just, you could try a credential stuffing attack against your own site, like that's legal, to test the control. So that's like a really important thing to do when you have like security, and like when you have to implement security, is ensure you have a feedback system where you're getting metrics. That's like, yes, like we scanned it today and we checked the code, and we have the metrics to show that we're actually doing security every single day.
Speaker 1:Yeah, interesting, okay. So I don't remember how much you and I talked about this last time we talked, Michael, when we talked offline, but I do consulting, as you know, a lot around automated testing and sometimes people ask me how to write a test for such and such a thing, because that's a big question in general, like, hey, I have this change I need to make. How do I test this? And a lot of times the answer is like, well, this isn't the kind of thing that you write an automated test for. This is the kind of thing that you put monitoring in place for, um, like, I don't, like a background job, for example, like how do I test that this background job is running every day. It's like, well, that's not an automated test. Automated tests are for behavior. Um, if what you want is to verify that the test is running every day, then the thing for that is monitoring. Um, and so I'm like sometimes helping people, like, expand their view of what testing is, and that also is adjacent to things like testing in your deployment pipeline.
Speaker 1:Like I implemented a system once where we did blue-green deployments.
Speaker 1:It's a very rudimentary blue-green deployment system where, basically, it would do a smoke test in the deployment process, where we would have our original nodes that were live, and then it would create a new node with the new version of the system on it and perform a health check on the node.
Speaker 1:The health check was just when you visit the root route, does it return 200? That was the only health check, so very rudimentary, but if, and only if, we got a 200, then we would start routing traffic to that node and stop routing traffic to the existing nodes, and so that was a kind of an automated test, but it was different from, like, the kind of automated test that would go in a test suite. And so the security testing stuff makes me think of another part of that picture where it's like, in addition to my regular test suite for behavior, where it's like, in addition to my regular test suite for behavior, in addition to my monitoring, in addition to the testing as part of my deployment pipeline, we can also have these automated security tests which are I don't know whether to categorize them as like tests or monitoring or kind of both at the same time or what, but that idea to me like just makes a lot of sense.
Speaker 2:Yeah, yeah, and that's what you really need to do. Like, for example, there's an audit called SOC2, which is pretty common for like software as a service companies. I'm sure people listening have dealt with it. And then there's the type two where, for example, a control in it is like, like, you must run static code analysis for security to, like, look for kind of OWASP top 10, SQL injection. For type one, all you have to do is say, like, in your policy, we're going to do that. For type two, they're going to ask for, like, okay, show us for the past six months that you've been doing this. Um, and that's like a feature that I've, um, seen people request, like with Paraxial.io, where there's an email every week that says like, yep, you're running this, you know, it's, you're not going to find out.
Speaker 2:It's turned off when the audit comes up. Interesting, okay, um, yeah.
Speaker 1:so let's talk about praxial a bit. Like I mentioned before, you're working on getting into the Ruby community. Historically, most of your customers have been not Rails, not people using Rails applications.
Speaker 2:Remind me what your existing customer base has been using mostly. Yeah, so close to Rails, Elixir, which is a programming language that was created by José Valim, who is the creator of Devise and used to be on the Rails core team. So Elixir has Phoenix and then Ruby has Rails. Of course, I started in Elixir, which was a smaller market, because I was actually working at a company before I started Paraxial, where we needed a security tool in place and just nothing supported Elixir at all. So I started Paraxial, kind of solved that problem and then realized that the features were very similar to what people in Ruby on Rails need for security as well. So going to Rails World and talking to customers and getting them using the product was a really fantastic experience.
Speaker 1:Yeah, and I wonder if you and I I don't know did we meet at Rails World? I don't think we did.
Speaker 2:I don't think we did. It was a big, there were a lot of people.
Speaker 1:Yeah, but we might have walked right past each other or something like that. I'm sure I walked past the practice. What was the conference like?
Speaker 2:What did you think of it?
Speaker 1:Really nice. I was just talking about it yesterday actually. Um, you know, they had that, they had that, uh, soiree or whatever at the Shopify office. Oh, that was cool, with the bubble tea and the robot. Yeah, they had a Boston Dynamics big dog robot. I only heard about it. I didn't see it myself.
Speaker 2:Yeah, yeah, that was cool, that was fantastic, great conference. My only feedback like I love the conference, it was great. There was a speaker right above our booth, so like the dubstep music would play when I was trying to give like a product demo. Oh, but I mean there were people coming up to the booth, so it was.
Speaker 1:It was a fantastic conference. Yeah, yeah, and the venue was really extraordinary, um, and the weather was good too, because we were like in the outdoor area. Yeah, so good job on the organizers for having good weather, but it was like, for anybody who wasn't there, it was like this indoor, outdoor mix kind of thing. Um, like you were inside and outside at the same time, kind of. It was pretty cool. Um, yeah, and it was, uh, it was fairly large. I think there was just over a thousand people there. Oh, easily, yeah, it was huge.
Speaker 1:Yeah, yeah. Like somebody told me it was like 1060 or something like that was the number of, yeah, and it's sold out in like five minutes online or something. I know, so crazy.
Speaker 1:Um, but you know the, like, good and bad thing about a conference like that is like everybody I know. I was telling people at the conference like everyone I've ever met is here, and so it was like I would take two steps and encounter somebody I knew and then, like, turn around, there's somebody else I know, and it was just like non-stop. And there's so many people I knew there who I didn't even get a chance to talk to, just because, yeah, like you see them walk by, you don't even get to, yeah, um, yeah.
Speaker 1:How was your experience? Did you get to meet a lot of people, and so I guess you were manning the booth most of the time? Yeah, that was the big thing, was the booth, because we just had people coming up constantly.
Speaker 2: I didn't even get to see that many talks. I think we only saw, like, the keynote and the panel with, like, Tobi, Matz and David, because we had so many people coming up to the booth. I lost my voice from giving demos. I remember people coming up to the booth and saying, hey, I know what this is, I need to buy this. These other vendors are just terrible, they're these big old enterprise... That was amazing. Oh, that's great. Sponsorship, 100%. You know, we're doing it again.
Speaker 1: It was fantastic. Oh, that's really interesting, because sometimes I wonder what the ROI is like for people who do those sorts of sponsorships. A lot of times it's for hiring. Yeah. Do you want me to talk about that?
Speaker 1: Oh yeah, I would love to hear about that. And just to finish that thought, it's painful to watch, because, unfortunately, quite a lot of the people who do those booths don't do the best job of it, and it's almost like they scare people away. Like, you wander over to the booth and, like, hey man, you want a job? It's like, bro... Oh, like, they're just recruiting. Yeah, yeah, and that's fine and good, to do recruiting, but, like, don't do it like that, you know. It's like, you don't go to a party and walk up to a girl and be like, hey, you want to go on a date?
Speaker 1: It's like, whoa, that's, like, not the proper sequence and timing and stuff like that. But yeah, I'm curious to hear your booth experience.
Speaker 2: Well, yeah, I think the big difference was we weren't recruiting, but we were, like, really happy if somebody walked up and they were like, hey, like, what is this, like, what's security? Because that was kind of our target. Like, we wanted to ask people, oh, like, are you a Rails developer? And usually they'd say yes, and we'd be like, what are you doing for security? And they'd usually say, like, well, I don't know, like, I don't even really know where to start. I'd be like, that's great, like, you can start with Paraxial. So the conversation flowed very naturally. People were interested. Like, I would start doing a demo and then we'd get, like, a little crowd forming around.
Speaker 2: Yeah, we'd get, like, a picture to put on...
Speaker 1: It was great. Yeah, that's really cool. And then, like, did you have a way to keep in touch with people or anything like that? Or, like, some people were even interested in buying the product right then and there, or something like that? I'm curious about that.
Speaker 2: Oh, yeah, I mean, we got people's LinkedIn. There was no badge scanner. I don't know if you've ever been to, like, a big, big conference. Yeah, those are annoying. People don't like them. We gave away, yeah, we gave away AirTags, which I think was smart, because we could give away exactly where they are. Yeah.
Speaker 2: Yeah, it was like, well, we could give away, like, five of them. They were, like, pretty cheap, so we gave away a bunch. And then people would go through the conference like, oh, I won this AirTag at this booth, and all you have to do is sign up for the newsletter. So people would come up just for the AirTag, and then they'd be like, oh yeah, we also kind of need security in our thing.
Speaker 2: So that was a nice draw. Yeah, I mean, the conference was just very well run. Like, it was very targeted, the people were really nice, they were very friendly, they were interested in the company. It's just great.
Speaker 1: Nice, I'm really happy to hear that. Do you do any kind of, like, email newsletter or anything like that?
Speaker 2: Yeah, I have a blog that people can sign up for. The email newsletter is nice too, because it's kind of portable. Like, we have followers on X and LinkedIn and things like that, but, like, everyone checks their email, and I really appreciate everyone who subscribed, because it lets me, you know, send out news and updates. Like, when I launched GemShop, I emailed the whole list about it. Or when there's, like, a new Paraxial feature, people just kind of like to stay in the loop. It's pretty low volume. I usually only send, I'd say, between one and four emails per month, and it's not like, oh, like, Paraxial sale, like, that's not a thing. It's more like an update, like a new feature or a blog post about security.
Speaker 2: It's funny, there's this wrong stereotype in the security community that developers don't care about security. In my experience, developers are very interested in security. Security people just don't produce much content targeted at developers. It's, like, kind of written in, like, a cryptic language, and if you write, you know, for a developer audience about security, they tend to be very receptive to it. That's been my experience.
Speaker 1: Yeah, I've bought a few books on security and hacking and stuff like that. Oh, yeah, yeah, nice. And it's just, like, I find the material very difficult, because it's... Oh, what did you buy? Oh, I don't know. I bought this one many years ago, called, like, The Web Hacker's Handbook or something, like... Oh, that's a good one.
Speaker 1: It's like a big... The Web Application Hacker's Handbook? Yeah, I think something like that. And I remember going through it and I'm just like, I can't make heads or tails of this, or figure out what I'm supposed to do with this information or anything like that.
Speaker 2: Yeah, that is... I know the people who wrote that book. They make a very good product, but it's very overwhelming, I would say, and that's actually something I focused on with Paraxial as a company. Most security firms, they kind of market to security people, so they're like, we're an ASPM with SAST and DAST and RASP and barbecue, and you're like, what? What does that...? With Paraxial, my focus is much more, like, you're a Rails developer, where do you start with security? Like, Paraxial is going to get you on a roadmap, like, on a path, because I think that's completely missing from the security industry. I have a lot of opinions on it, but I think that's a big one, exactly what you experienced.
Speaker 1: Yeah, and I really like that port scanner example, because that gives me a really clear, concrete example of something that Paraxial would do. It's like, oh, it scans my ports, and I assume it would, like, alert me if anything's open that's not supposed to be open, or closed that's supposed to be open.
Speaker 2: Yeah, yeah. I should explain why that is important. So, for example, let's say you're deploying a Rails app with Kamal and you leave port 3306, I believe is MySQL, open. So you might be okay if you have a strong MySQL password, but essentially now your database is exposed to the public internet, so anybody can just, like, try to log into it. And if you had a weak password, somebody could just log into your database and take everything and delete everything, like, really, really bad, obviously. And you can just completely avoid that by closing the port. Like, even if there was a vulnerability... So this is another example, where let's say there's a vulnerability in, like, the MySQL service
Speaker 2: that's, like, listening on the port. Even if you had a strong password, somebody could just send, like, some packets to hack that, exploit the vulnerability and then get access to your database. That's only possible if the port is open. If it's closed, like, they just can't connect to it. So there's just so much security benefit to just keeping the ports closed. And with Kamal, it's funny, this was actually in the video, there's a warning. I think it's the one where David's doing it, where he's like, yeah, don't expose it to the public, you want to only bind it on localhost, but your web firewall should be doing that anyway. So, like, you kind of want multiple layers. Like, you only want to listen locally, you want the port firewall, and then you also want to scan it with Paraxial.
Speaker 1: Yeah. What are some other examples of things that Paraxial does, in addition to, like, you can port scan your own site and not fbi.gov?
Speaker 2: Yes, yes. There's a check that you have to own the site that you're scanning, which is a good thing. But, like, the main thing is really preventing a data breach. So, for example, if you were to push code that introduced, like, a command injection, where you just took user input and put it on, like, the Unix command line, you know, somebody could use that to break into your server and get SSH access. Paraxial will check for that on every new GitHub pull request. There's actually an app that will give you feedback on that. People seem to really like that. So, vulnerabilities in code, vulnerabilities in your dependencies, if a similar problem is being introduced by some third-party gem. It can also detect if there's a credential stuffing attack or credit card fraud, like we were talking about earlier.
Speaker 2: I had to deal with those attacks personally, so stopping them is kind of close to my professional experience. It just kind of gives you a toolkit to dramatically reduce the risk of an incident very, very quickly. That's really the summary. Like, I know there's so much. Let's say you wanted to read, like, The Web Application Hacker's Handbook, that's like 800 pages, and you read it and you're like, okay, well, where the heck do I start with my own Rails application? Paraxial is kind of, like, very actionable. It's kind of, maybe I could even say it was influenced by Rails a bit, where Rails kind of wants to get you on this path to, like, make a web application in a very opinionated way. I would say Paraxial is kind of like an opinionated guide to security, to improving, because there's just so many different things you can do, but Paraxial is just really the high-priority items.
Speaker 1: Got it. Okay, yeah. And I'll mention a couple of things that I want to mention, just that I try to mention on the podcast periodically, and then I want to ask you my final question, which is where people can find out more about Paraxial and you and stuff like that. But the one thing I want to mention is Sin City Ruby. It's happening April 11th and 12th, 2024, in Las Vegas. And if you're interested in attending, you can go to sincityruby.com. It's a very small conference. Attendance is limited to 100 people maximum.
Speaker 1: So it's, you know, Rails World and those conferences are great, but this is a very different kind of conference, where you can meet every single person there if you want to. And my hope for everybody who comes is you can come away having made, like, one new friend at the conference. And ironically, I find that I meet more people at a small conference than at a big conference, because the big conference interactions are just kind of superficial. It's like you say hi and then have a brief interaction and then that's that, whereas you're actually spending time with people at these smaller conferences. So sincityruby.com is where you can go to find out more about that. Michael, where should people go to find out more about Paraxial and anything else?
Speaker 2: Yeah, the Paraxial.io website has all the information. You can sign up for the newsletter. GemShop is the most recent blog post. It's also up on GitHub, which is linked on the website. People can also reach out to me if you're curious. I'm Michael Lubas on LinkedIn. My email is michael@paraxial.io. You can just contact me directly if you have questions about security, your Rails app, or you just have a business problem or something. I'm always happy to chat with anyone from the Ruby community.
Speaker 1:Awesome. Well, Michael, thanks so much for coming on the show.
Speaker 2:Yeah, I appreciate it. This was great, thank you.