Austin on Rails – July 28, 2015

Posted on 2015/07/31 by clarecodes

I’m saving some notes from the second talk of this Austin on Rails meeting so I don’t lose them somewhere on my phone.

Securing Rails for the Enterprise – Marcus J. Carey

Marcus was that rare speaker: very casual, very entertaining, and very informative.

Here are some of the tools he mentioned.

General Purpose Tools

PaperTrail – A tool to manage your logs. He recommends only logging errors so it’s really obvious when something is happening.
Burp – General purpose security, most basic tool, number 1 most used tool by people who will try to break in.
Zap – General purpose security tool.
Nikto – General purpose security tool.

Rails-specific

Breakman – Rails-specific security scanner
Bundler audit – checks your gems and gem dependancies for vulnerabilities
Gem Canary – Similar to bundler audit.
Devise – secure authentication!
Devise-zxcvbn – rejects weak user passwords
devise-security-extension – enterprise-level security for devise
devise-google-authenticator – add 2-factor auth to your app that works with Google’s Authenticator app.

General Rails advice:

User models should never inherit from active-record::base
Use uuid’s instead of sequential ids/keys
Rely on current_user from devise instead of anything else
No capitals in the controller!

Free private remote git repos

Posted on 2015/07/22 by clarecodes

If you want a remote backup of your private git repos, a la Github but free, there are 3 options I know of.

BitBucket. Has unlimited free private repos, but sets limits on the number of collaborators. Also lacks issue tracking.
GitLab. Has unlimited free private repos, WITH free issue tracking that is very similar to how Github works.
DIY. Host it yourself! Except you have to pay for hosting. So there’s that.

I’m using GitLab for my Ultra Top Secret projects right now. So far so good! Their interface is a little rougher than GitHub, but more than workable.

Real Time Web Analytics