other audits of Rails businesses & apps: Massachusetts data privacy


Dan Croak

Feb 13, 2009, 10:37:28 AM
to Ruby on Rails meets the business world
Hey folks,

I read the thread started by Obie about certifying the maturity of a
Rails business' process maturity.

I'm not particularly interested in that, but I am curious about
various kinds of "audits" of Rails apps and Rails business' processes.

Something like the Massachusetts data privacy law comes to mind.

http://www.informationweek.com/blog/main/archives/2009/02/as_an_informati.html

Wouldn't it be cool if the Rails community was known as championing
personal data privacy? As a Massachusetts resident, I'm kind of proud
of my legislators for pushing this law through.

My understanding is an auditor would basically have to:

* Determine where the Rails app's User's first+last name's information
goes throughout the system.
* Determine if at any point that data is associated with a credit card
number, SSN, or driver's license.
* Determine if those integration points are secure.

That doesn't seem unreasonable to me.

The maximum penalty "per incident" is $50,000. That's potentially
expensive. Not all businesses can pay for an auditor for this kind of
thing, but being certified would say to your customers: "your personal
information is personal. keeping it private is important to us. we are
diligent about treating you right."

Thoughts?

Dan Croak
http://thoughtbot.com
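The three audit steps above, carried out over a constructed Rails-style schema, as an added example that is not code from the thread or from thoughtbot. The table and column names, the one-hop `<singular>_id` foreign-key rule and the `encrypted_` column prefix are assumptions made for illustration.

```ruby
require 'set'

# Columns that identify a person, and the identifiers the law pairs them with.
NAME_COLUMNS = %w[first_name last_name].freeze
SENSITIVE    = { 'ssn' => 'SSN', 'credit_card' => 'credit card number',
                 'drivers_license' => "driver's license" }.freeze

# Constructed schema for illustration: table name => column names.
SCHEMA = {
  'users'    => %w[id first_name last_name email],
  'payments' => %w[id user_id credit_card_number amount],
  'kyc_docs' => %w[id user_id encrypted_ssn drivers_license_number],
  'logs'     => %w[id message]
}.freeze

# Step 1: tables holding a name directly, plus those joined to one via a
# `<singular>_id` foreign key (one hop; the naming rule is an assumption).
def name_bearing_tables(schema)
  direct = schema.select { |_, cols| (cols & NAME_COLUMNS).any? }.keys.to_set
  fks    = direct.map { |t| "#{t.chomp('s')}_id" }
  linked = schema.select { |_, cols| (cols & fks).any? }.keys
  direct | linked
end

# Steps 2 and 3: in those tables, find sensitive columns (substring match on
# the column name, so review hits by hand) and record whether each follows
# the assumed `encrypted_` naming convention.
def audit(schema)
  name_bearing_tables(schema).sort.flat_map do |table|
    schema[table].filter_map do |col|
      key = SENSITIVE.keys.find { |k| col.include?(k) }
      next unless key
      { table: table, column: col, kind: SENSITIVE[key],
        encrypted: col.start_with?('encrypted_') }
    end
  end
end

# Findings an auditor would write up: data linked to a name, stored in the clear.
def unprotected(schema)
  audit(schema).reject { |f| f[:encrypted] }
end

if __FILE__ == $PROGRAM_NAME
  unprotected(SCHEMA).each do |f|
    puts "#{f[:table]}.#{f[:column]}: #{f[:kind]} linked to a name, not encrypted"
  end
end
```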

bcardarella

Feb 13, 2009, 11:04:34 AM
to Ruby on Rails meets the business world
I think this is a much more constructive idea than RMM.

The issue of data privacy should be much more important to clients and
the client's potential customers than any type of certification. If
this could be standardized and there were a method of proving that your app
is compliant with this standard, it would go a long way.

- Brian Cardarella

On Feb 13, 10:37 am, Dan Croak <dcr...@thoughtbot.com> wrote:
> Hey folks,
>
> I read the thread started by Obie about certifying the maturity of a
> Rails business' process maturity.
>
> I'm not particularly interested in that, but I am curious about
> various kinds of "audits" of Rails apps and Rails business' processes.
>
> Something like the Massachusetts data privacy law comes to mind.
>
> http://www.informationweek.com/blog/main/archives/2009/02/as_an_infor...

Jeremy McAnally

Feb 13, 2009, 4:49:35 PM
to rails-b...@googlegroups.com
Aren't there already extra-Rails solutions to this sort of thing,
though? Like Verisign or what have you...

Seems redundant if a solution already exists.

--Jeremy
--
http://jeremymcanally.com/
http://entp.com/
http://omgbloglol.com

My books:
http://manning.com/mcanally/
http://humblelittlerubybook.com/ (FREE!)

Robby Russell

Feb 13, 2009, 4:53:32 PM
to rails-b...@googlegroups.com
On Fri, Feb 13, 2009 at 1:49 PM, Jeremy McAnally
<jeremym...@gmail.com> wrote:
>
> Aren't there already extra-Rails solutions to this sort of thing,
> though? Like Verisign or what have you...
>
> Seems redundant if a solution already exists.
>

Agree with Jeremy here. If you were to get involved in auditing web
applications to make sure they comply with various legal regulations,
you'd expand your business a lot by not focusing exclusively on Ruby
on Rails.

Robby

--
Robby Russell
Chief Evangelist, Partner

PLANET ARGON, LLC
design // development // hosting w/Ruby on Rails

http://planetargon.com/
http://robbyonrails.com/
http://twitter.com/planetargon
aim: planetargon

+1 503 445 2457
+1 877 55 ARGON [toll free]
+1 815 642 4068 [fax]
