Saturday, February 16, 2013
Maintaining a Ruby on Rails application and keeping it secure might feel like a challenge with all the security attention that the framework has received recently. Here are my suggestions for staying ahead of the curve.
Read the Ruby on Rails Security guide - This guide discusses security best practices when writing Ruby on Rails code.
Join the Ruby on Rails Security Google group - Every patched Ruby on Rails vulnerability gets announced in this group.
Familiarise yourself with common web application security risks - The OWASP Top Ten is a great source for this: site and document.
Keep an eye on your popular gems for security patches - Devise, Rack and JSON recently had vulnerability patches.
Have an automated security scan as part of your build pipeline - Automated scans cannot give you 100% confidence in your security status, but they will highlight the most obvious flaws. Brakeman is a popular security scanner for Ruby on Rails that is easy to integrate with Jenkins.
Be ready to patch and deploy quickly - Be prepared to update and go to production at any point, whether at the application or the infrastructure level. Adopting a Continuous Delivery model will make this very easy.
Understand your application security threats and objectives - Threat modeling is a popular exercise to achieve this. It can be a formal process or a less formal process - the important thing is that you understand your application's security threats and objectives.
Have a security evangelist in your team - Give someone in your team the responsibility to take ownership of promoting security in your projects.
Other useful resources - Ruby Security, OWASP Ruby on Rails Cheatsheet
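As an added example (not from the original post), here is one way to turn the Brakeman scan into a build gate: a small Ruby script that reads Brakeman's JSON report and refuses the build when warnings at or above a chosen confidence level, or scan errors, are present. The report embedded below is constructed; its field names follow Brakeman's JSON output format, but the file names and messages are invented.

```ruby
require 'json'

# Constructed sample of a Brakeman JSON report (the kind written by
# `brakeman -o report.json`). Field names follow Brakeman's JSON format;
# the file names and messages here are invented for the example.
SAMPLE_REPORT = <<~JSON
  {
    "scan_info": { "app_path": "/srv/example-app", "rails_version": "3.2.12" },
    "warnings": [
      { "warning_type": "SQL Injection", "confidence": "High",
        "file": "app/controllers/users_controller.rb", "line": 12,
        "message": "Possible SQL injection" },
      { "warning_type": "Cross-Site Scripting", "confidence": "Medium",
        "file": "app/views/users/show.html.erb", "line": 4,
        "message": "Unescaped model attribute" },
      { "warning_type": "Mass Assignment", "confidence": "Weak",
        "file": "app/models/user.rb", "line": 3,
        "message": "Mass assignment is not restricted" }
    ],
    "errors": []
  }
JSON

# Brakeman confidence levels, ranked from least to most certain.
CONFIDENCE_RANK = { 'Weak' => 0, 'Medium' => 1, 'High' => 2 }.freeze

# Returns the warnings at or above the given confidence level.
def blocking_warnings(report_json, min_confidence: 'Medium')
  report = JSON.parse(report_json)
  threshold = CONFIDENCE_RANK.fetch(min_confidence)
  report.fetch('warnings', []).select do |w|
    CONFIDENCE_RANK.fetch(w['confidence'], 0) >= threshold
  end
end

# Build-gate decision: true only when there are no blocking warnings AND
# the scan reported no errors, so a broken scan cannot silently pass.
def build_passes?(report_json, min_confidence: 'Medium')
  report = JSON.parse(report_json)
  report.fetch('errors', []).empty? &&
    blocking_warnings(report_json, min_confidence: min_confidence).empty?
end

if __FILE__ == $PROGRAM_NAME
  blocking_warnings(SAMPLE_REPORT).each do |w|
    puts "#{w['confidence']}: #{w['warning_type']} at #{w['file']}:#{w['line']}"
  end
  puts(build_passes?(SAMPLE_REPORT) ? 'build passes' : 'build FAILS')
end
```

In a Jenkins job this would follow a `brakeman -o report.json` step, with the job exiting non-zero when `build_passes?` returns false for the report file's contents.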
Wednesday, February 13, 2013
We introduced pair programming as part of our interview process at REA a while ago. In general I think it's been quite a success. It's a great way to get a perspective on a candidate that you wouldn't otherwise get. You see a bit of how they work first hand, instead of trying to infer it from a conversation.
The following is a list of things that I find helpful to get the most out of a pair programming interview.