We were very pleased to be able to sponsor RailsConf again this year. Our CEO, Justin Collins, attended and presented a talk entitled “The Evolution of Rails Security” in the history track. Below are his impressions of the conference!
Focus on Rails, Past and Future
The talks this year seemed to re-focus on Rails itself, instead of Elixir/Node/React/etc.
DHH also said developers really ought to know about security!
Looking forward, DHH suggested Rails needs to continue providing abstractions to reduce the cognitive load for developers. He also made a side point that abstractions are usually wrong to begin with, but improve over time - so don’t worry about getting it right the first time.
The ending keynote of the first day from Mark Imbriaco was a look back at his career at different companies, learning and re-learning lessons along the way. His conclusion was that community is the most important feature of Rails, and a strong community is how Rails will continue to “scale” into the future.
Adding to the retrospective feeling this year, a few talks (including my own) were in a track focused on Rails history.
Michael Hartl started the track with his talk “Ten Years of Rails Tutorials”. Michael walked through many of the changes in Rails through the years and how that impacted his series of Rails books. Of humorous note - major changes in Rails often occurred right after he would finish writing a tutorial!
I then presented my talk “The Evolution of Rails Security”. The first part of the talk detailed a selection of the major Rails security events over the years, starting with the first CVE in 2006(!). The second part of the talk covered a few of the major security features as they have been added to Rails.
After lunch, James Adam presented “Here’s to the Crazy Ones” - a walkthrough of the history of Rails engines. Surprisingly, the majority of the talk focused on how resistant much of the community was to the idea of Rails engines. James spoke about how he continued patiently defending the idea from its release in 2005 until one day in 2008 when DHH emailed James to let him know he’d had an epiphany and now loved the idea of engines. The talk was a great personal and community story, with warnings regarding how we treat people and their ideas.
Besides my own talk, I attended two other security-related talks.
The first was “Access Denied: the Missing Guide to Authorization in Rails” from Vladimir Dementyev. Vladimir covered the basic theoretical approaches to authorization, the Rails libraries that implement them, and then introduced a new library: action_policy. One thing I particularly enjoyed about his talk was the insight into the pain points of existing libraries.
The other security-related talk I attended was “Encrypted Credentials on Rails 5.2: Secrets to Success” from Christopher Rigor and Engine Yard. He presented how to use the “secrets” and “credentials” features recently added to Rails 5.1 and 5.2, respectively. These features allow easy management of an encrypted YAML file containing secrets for your application (or any file, really), although managing the master key is still up to you. Interestingly, he also hinted people are still not satisfied with the current state of this feature, so expect more changes in the future.
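To make the “managing the master key is still up to you” point concrete, here is an added example (not code from the talk, from Rails, or from this post’s author). In real Rails 5.2 you run `rails credentials:edit`, which creates `config/credentials.yml.enc` (committed) and `config/master.key` (git-ignored), read values with `Rails.application.credentials.dig(...)`, supply the key in production via `RAILS_MASTER_KEY`, and can set `config.require_master_key = true` so the app refuses to boot without it. The `ToyCredentials` class below is a deliberately simplified stand-in that mirrors that design with stdlib OpenSSL and YAML; it is not `ActiveSupport::EncryptedConfiguration` and does not produce files Rails can read. The sample YAML and secret values are constructed for the demo.

```ruby
require 'openssl'
require 'yaml'
require 'base64'
require 'tmpdir'

# Illustrative stand-in for Rails 5.2 encrypted credentials (added example).
# Design mirrored: encrypted YAML lives in the repo, the master key does not,
# and the key is looked up from an env var first, then a key file.
class ToyCredentials
  CIPHER = 'aes-128-gcm' # 16-byte key, like a 32-hex-char config/master.key

  def initialize(enc_path:, key_path:, env_key: 'RAILS_MASTER_KEY')
    @enc_path = enc_path
    @key_path = key_path
    @env_key  = env_key
  end

  # 32 hex characters, the same shape as the key `rails credentials:edit` writes.
  def self.generate_key
    OpenSSL::Random.random_bytes(16).unpack1('H*')
  end

  # Lookup order matches Rails: env var, then key file. Raising when neither is
  # present is what `config.require_master_key = true` gives you in Rails.
  def key
    hex = ENV[@env_key] || (File.exist?(@key_path) && File.read(@key_path).strip)
    raise "Missing master key: set #{@env_key} or create #{@key_path}" unless hex
    raise 'Master key must be 32 hex characters' unless hex =~ /\A\h{32}\z/
    [hex].pack('H*')
  end

  # Encrypt a plaintext YAML string. File layout (this toy's own):
  # base64(ciphertext)--base64(iv)--base64(gcm_tag)
  def write(yaml)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = key
    iv = cipher.random_iv
    ct = cipher.update(yaml) + cipher.final
    parts = [ct, iv, cipher.auth_tag].map { |b| Base64.strict_encode64(b) }
    File.write(@enc_path, parts.join('--'))
  end

  # Decrypt and parse. GCM tag verification means a tampered file raises
  # OpenSSL::Cipher::CipherError instead of yielding garbage config.
  def read
    ct, iv, tag = File.read(@enc_path).split('--').map { |b| Base64.strict_decode64(b) }
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key = key
    cipher.iv = iv
    cipher.auth_tag = tag
    YAML.safe_load(cipher.update(ct) + cipher.final, symbolize_names: true)
  end

  def dig(*path)
    read.dig(*path)
  end
end

# Demo with constructed sample credentials in a temp directory. Returns a hash
# so the behaviour can be checked rather than just printed.
def toy_credentials_demo
  saved_env = ENV.delete('RAILS_MASTER_KEY') # isolate the demo from the real env
  Dir.mktmpdir do |dir|
    enc     = File.join(dir, 'credentials.yml.enc')
    keyfile = File.join(dir, 'master.key')
    File.write(keyfile, ToyCredentials.generate_key)
    creds = ToyCredentials.new(enc_path: enc, key_path: keyfile)

    # Constructed sample; not real credentials.
    creds.write("aws:\n  access_key_id: AKIAEXAMPLE\n  secret_access_key: sample-secret\n")
    secret = creds.dig(:aws, :secret_access_key)
    ciphertext_leaks = File.read(enc).include?('sample-secret')

    # Flip one ciphertext bit: the authenticated cipher must reject the file.
    ct_b64, iv_b64, tag_b64 = File.read(enc).split('--')
    ct = Base64.strict_decode64(ct_b64)
    ct.setbyte(0, ct.getbyte(0) ^ 0x01)
    File.write(enc, [Base64.strict_encode64(ct), iv_b64, tag_b64].join('--'))
    tamper_detected = begin
      creds.read
      false
    rescue OpenSSL::Cipher::CipherError
      true
    end

    # Remove the key: with no env var and no file, reading must fail loudly.
    File.delete(keyfile)
    boot_fails_without_key = begin
      creds.read
      false
    rescue RuntimeError
      true
    end

    { secret: secret, ciphertext_leaks: ciphertext_leaks,
      tamper_detected: tamper_detected, boot_fails_without_key: boot_fails_without_key }
  end
ensure
  ENV['RAILS_MASTER_KEY'] = saved_env if saved_env
end
```

The two things the demo checks are the ones that matter operationally: the committed file never contains the plaintext, and the application fails closed (no key, or a modified file) rather than silently running with missing or corrupted secrets. Everything else, such as where the key comes from, who can read it, and how it is rotated, is the part the talk said is still on you.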
You can learn more about credentials in Chris’ blog post.
This was my sixth RailsConf since I first spoke at RailsConf 2012. The conference continues to draw 1,000+ attendees, with many being first-timers.
Overall, the Rails community continues to pull in new people, introduce folks to web development in general, and support many, many businesses from one person shops to the “enterprise”.
Want to know more about Brakeman Pro?
Brakeman Pro is a static analysis security tool for Ruby on Rails applications.
If you have not purchased Brakeman Pro yet, you can review pricing and purchase licenses directly from our site.
Need to try before buying? Take Brakeman Pro Desktop for a spin.
Please feel free to contact us with any questions!