Rails makes it very easy to rapidly develop web applications, but doesn’t always make it so simple to deploy or secure them.
This talk is going to focus on best practices to secure your rails application, learnt through multiple high profile projects and penetration tests. The talk will be practical and show that this isn’t necessarily hard if thought about from the start.
We’ll also touch on getting the right balance of security without it getting in the way of the users.
A recent report by Veracode (http://www.veracode.com/reports/...) found cross-site scripting in 68% of surveyed web applications and SQL injection in 32%, even though these are well-known, easily preventable, and easily detectable vulnerabilities. As applications grow larger, it becomes harder and harder to manually verify that every line of code is adhering to security guidelines - even given the built-in protection available with Ruby on Rails.
Brakeman (http://brakemanscanner.org/) is an open source static analysis tool which provides painless vulnerability scans of Rails code from "rails new" through deployment. Running Brakeman as a part of continuous integration provides feedback during all stages of development and can alert developers immediately when a potential vulnerability is introduced. Bringing security testing as close to the developer as possible (even scanning as files are saved) means security problems are caught faster - and the sooner problems are found the cheaper they are to fix.
As a static analysis tool, Brakeman can be run without worrying about deploying the whole application stack: no webserver, database, configuration, or application dependencies required - not even Rails itself. This allows fast, easy vulnerability scans on any Rails project.
We talk a lot about testing in the Ruby and Rails community, but somehow security testing is passed over. This needs to change!
This talk will cover how to incorporate Brakeman into Rails development and how it can improve application security, as well as a look into how Brakeman works internally.
by Aaron Bedra
Building safe web applications isn’t always easy. The good news is that Rails provides a lot of features that will help you along the way. Aaron will walk you through the common mistakes made by web developers, and how to account for them while working with Rails. He will also walk you through some tools you can use to make securing your applications much much easier.
23rd–25th April 2012