I’m saving some notes from the second talk of this Austin on Rails meeting so I don’t lose them somewhere on my phone.
Securing Rails for the Enterprise – Marcus J. Carey
Marcus was that rare speaker: very casual, very entertaining, and very informative.
Here are some of the tools he mentioned.
General Purpose Tools
- PaperTrail – A tool to manage your logs. He recommends only logging errors so it’s really obvious when something is happening.
- Burp – General purpose security, most basic tool, number 1 most used tool by people who will try to break in.
- Zap – General purpose security tool.
- Nikto – General purpose security tool.
- Breakman – Rails-specific security scanner
- Bundler audit – checks your gems and gem dependancies for vulnerabilities
- Gem Canary – Similar to bundler audit.
- Devise – secure authentication!
- Devise-zxcvbn – rejects weak user passwords
- devise-security-extension – enterprise-level security for devise
- devise-google-authenticator – add 2-factor auth to your app that works with Google’s Authenticator app.
General Rails advice:
- User models should never inherit from active-record::base
- Use uuid’s instead of sequential ids/keys
- Rely on current_user from devise instead of anything else
- No capitals in the controller!