I’m saving some notes from the second talk of this Austin on Rails meeting so I don’t lose them somewhere on my phone.
Securing Rails for the Enterprise – Marcus J. Carey
Marcus was that rare speaker: very casual, very entertaining, and very informative.
Here are some of the tools he mentioned.
General Purpose Tools
- PaperTrail – A tool to manage your logs. He recommends only logging errors so it’s really obvious when something is happening.
- Burp – General purpose security, most basic tool, number 1 most used tool by people who will try to break in.
- Zap – General purpose security tool.
- Nikto – General purpose security tool.
- Breakman – Rails-specific security scanner
- Bundler audit – checks your gems and gem dependancies for vulnerabilities
- Gem Canary – Similar to bundler audit.
- Devise – secure authentication!
- Devise-zxcvbn – rejects weak user passwords
- devise-security-extension – enterprise-level security for devise
- devise-google-authenticator – add 2-factor auth to your app that works with Google’s Authenticator app.
General Rails advice:
- User models should never inherit from active-record::base
- Use uuid’s instead of sequential ids/keys
- Rely on current_user from devise instead of anything else
- No capitals in the controller!
We did it! One functional Ruby gem, made!
If you didn’t come to career day, you can check out our presentation (above) or our github repo: Wikiwhat. You can find Bonnie, my partner in crime on this endeavor @BonMatts on Twitter.
Of course, there are a lot of bits and pieces to still work on, and we have a ton of features we’d like to add, but I’m pretty happy with how well it turned out.
And hey! Jimmy Wales retweeted us! That was pretty cool. :D
For my final project, I’m working with Bonnie Mattson on a Ruby gem, currently called ‘Wikiwhat’, for the Wikipedia API! This is a really fun project, and also really challenging. The last few weeks of class have focused on working with frameworks and engines, and less on writing basic Ruby code, so it has been a nice change of pace.
One of the first challenges for this project has been getting the gem to build and install correctly. We use
bundler to install and manage gems for our projects. Awesomely, we can also use it to build our gem too!
Here is a short outline of the process.
- Use bundler to create a scaffold directory for the gem. This is nice because it takes care of a lot of details that are potentially easy to forget, like listing all the files that should be included in the gem.
bundle gem <GEMNAME>
- Write your gem! (no, it didn’t go that quickly, but you get the idea)
Build your gem! A hint here is that you need to include the version number in your build command. Also, include the .gemspec file ending. (UPDATE: This is not where you include the version number. That is later!) EX:
gem build <GEMNAME>.gemspec
This will build your gem in the directory where you run this command.
- In the same directory, run the install command:
gem install <GEMNAME-version>.gem
It did take us quite a while to get to this point. We definitely had some malformed files and/or structure in our gem such that it either would not build or would not install. A few of the problems we had:
The final challenge was to be able to require it in IRB and run a command!
- Open IRB and require the gem:
If it returns
true, you’re 99% of the way there!
- Run a command! Obviously, this one is going to vary from gem to gem. If it works the way you expect, you are done! In our case, we ran our call method:
And got back the first paragraph of the wiki article on Albert Einstein, just like we wanted. Yay!
So far, we have mainly used this great guide from RubyGems.org.
I also really enjoyed this podcast on Ruby Gems from Ruby Rogues.