We were very pleased to be able to sponsor RailsConf again this year. Our CEO, Justin Collins, attended and presented a talk entitled “The Evolution of Rails Security” in the history track. Below are his impressions of the conference!
Focus on Rails, Past and Future
The talks this year seemed to re-focus on Rails itself, instead of Elixir/Node/React/etc.
DHH’s keynote discussed the ways in which Rails (and developer technology in general) has abstracted more and more of the underlying system, contributing to Rails’ success. However, the current state of web development is introducing more and more things a developer needs to know in order to build a modern application. Client-side JavaScript frameworks are a large part of this.
He also said developers really ought to know about security!
Security is a thing "you really ought to know" - @dhh #railsconf pic.twitter.com/2PcBY5ZX4O
— Brakeman Pro (@BrakemanPro) April 17, 2018
Looking forward, DHH suggested Rails needs to continue providing abstractions to reduce the cognitive load for developers. He also made a side point that abstractions are usually wrong to begin with, but improve over time - so don’t worry about getting it right the first time.
The ending keynote of the first day from Mark Imbriaco was a look back at his career at different companies, learning and re-learning lessons along the way. His conclusion was community the most important feature of Rails, and a strong community is how Rails will continue to “scale” into the future.
History Track
Adding to the retrospective feeling this year, a few talks (including my own) were in a track focused on Rails history.
Michael Hartl started the track with his talk “Ten Years of Rails Tutorials”. Michael walked through many of the changes in Rails through the years and how that impacted his series of Rails books. Of humorous note - major changes in Rails often occurred right after he would finish writing a tutorial!
I then presented my talk “The Evolution of Rails Security”. The first part of the talk detailed a selection of the major Rails security events over the years, starting with the first CVE in 2006(!). The second part of the talk covered a few of the major security features as they have been added to Rails.
After lunch, James Adam presented “Here’s to the Crazy Ones” - a walkthrough of the history of Rails engines. Surprisingly, the majority of the talk focused on how resistant much of the community was to idea of Rails engines. James spoke about how he continued patiently defending the idea from its release in 2005 until one day in 2008 when DHH emailed James to let him know he’d had an epiphany and now loved the idea of engines. The talk was a great personal and community story, with warnings regarding how we treat people and their ideas.
Security
Besides my own talk, I attended two other security-related talks.
The first was “Access Denied: the Missing Guide to Authorization in Rails” from Vladimir Dementyev. Vladimir covered the basic theoretical approaches to authorization, the Rails libraries that implement them, and then introduced a new library: action_policy. One thing I particularly enjoyed about his talk was the insight into the pain points of existing libraries.
The other security-related talk I attended was “Encrypted Credentials on Rails 5.2: Secrets to Success” from Christopher Rigor and Engine Yard. He presented how to use the “secrets” and “credentials” features recently added to Rails 5.1 and 5.2, respectively. These features allow easy management of an encrypted YAML file containing secrets for your application (or any file, really), although managing the master key is still up to you. Interestingly, he also hinted people are still not satisfied with the current state of this feature, so expect more changes in the future.
You can learn more about credentials in Chris’ blog post.
Final Thoughts
This was my sixth RailsConf since I first spoke at RailsConf 2012. The conference continues to draw 1,000+ attendees, with many being first-timers.
Overall, the Rails community continues to pull in new people, introduce folks to web development in general, and support many, many businesses from one person shops to the “enterprise”.
Want to know more about Brakeman Pro?
Brakeman Pro is a static analysis security tool for Ruby on Rails applications.
Brakeman Pro can be used as a desktop application, Ruby Gem, and as a Code Climate engine.
If you have not purchased Brakeman Pro yet, you can review pricing and purchase licenses directly from our site.
Need to try before buying? Take Brakeman Pro Desktop for a spin.
Please feel free to contact us with any questions!