Using Brakeman

One of the tools I learned about at Ekoparty was Brakeman, an open-source vulnerability scanner which does static analysis of Ruby on Rails applications’ code to find security issues. It’s a gem, so installing it is straightforward:

Highlights of the Ekoparty training Security for web developers

At Ekoparty, during the pre-conference days I took the training Security for web developers by Andrés Riancho. The course was structured following the OWASP Top 10 vulnerabilities. For each one, the vulnerability was presented, attack vectors were shown and a real running example was presented. We attacked it with a tool or by hand and then saw countermeasures. I summarize here the highlights …

Ekoparty 2015 summary

This October the Ekoparty 2015 security conference took place in Buenos Aires. I’ve been hearing about this event for years, and this time, thanks to the support of Carousel Apps, I decided to participate. The event had two main parts: training (2 days) and conference/talks (the next 3 days). I registered for one of the training courses (Security for web developers by Andrés …

Don’t forget to clear your client side state when logging a user out

When a user logs out from our web site, we are used to clearing the session and that’s it. When you are developing a single page application, you are likely to keep a lot of state on the client side, and that should be cleared too. For Ninja Tools, that meant going from the traditional re-frame initialize-db:

to having …

Forcing SSL in a Luminus application

We tend to be very security conscious at Carousel Apps and one thing we often do is force all our applications to run over TLS (aka SSL), that is, when you go to http://example.com we redirect you to https://example.com. This little article will show you how to do it in a Luminus application. First, add Ring SSL to your project by …

Run bundler-audit during testing

There’s a gem called bundler-audit that checks whether any of the gems in your project have open security advisories against them. A year or so ago there was an infamous month in which Rails itself got three of those. It was terrible and I think bundler-audit is a good idea. My only problem with it is having to remember to …