:jasonrudolph => :blog

puts Blog.new("nonsense")

Archive for May, 2008

Book Review: Rails Security Audit

Posted by Jason Rudolph on 29th May 2008

Rails Security Audit is a straight-talking introduction to the techniques for keeping your Rails app secure. Over the course of 47 pages, Aaron Bedra tackles the security audit process, common security-related bugs, essential server lockdown tactics, and an approach for assessing the severity of the issues you find.

Rails offers sound solutions for keeping your application safe from the likes of SQL injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and the perils of mass assignment, but are you sure you’re using those solutions? Without a proper understanding of these exploits, a developer is unlikely to steer clear of every one of these issues. Aaron provides easy-to-follow examples of each exploit, shows the consequences of ignoring them, and introduces the tools and techniques for identifying and avoiding those problems.
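As an added illustration of the mass-assignment problem mentioned above (my own plain-Ruby example, not code from the book or from Rails itself), the following mimics the Rails 2.x habit of building a model straight from `params[:user]`. The first class accepts whatever keys the request carries, the second applies a whitelist the way `attr_accessible` does, and a small helper shows that a value which made it into the model still has to be escaped before it reaches HTML. The class names, the `ACCESSIBLE` list, and the parameter hashes are all constructed for the example; no Rails install is required to run it.

```ruby
require "cgi"

# Added example, not from the book or the blog post: mass assignment in plain
# Ruby, imitating `User.new(params[:user])` in a 2008-era Rails app.

# A model with no attribute whitelist: every key in the incoming hash is
# written straight onto the object, just as an ActiveRecord model without
# attr_accessible did at the time.
class UnsafeUser
  attr_accessor :name, :email, :admin

  def initialize(params = {})
    @admin = false
    params.each do |key, value|
      # Calls the setter for every submitted attribute, admin included.
      send("#{key}=", value)
    end
  end
end

# The same model with an explicit whitelist, the role attr_accessible plays
# in Rails: keys that are not listed (here, admin) are dropped and recorded.
class SafeUser
  ACCESSIBLE = %w[name email].freeze
  attr_accessor :name, :email, :admin
  attr_reader :rejected

  def initialize(params = {})
    @admin = false
    @rejected = []
    params.each do |key, value|
      if ACCESSIBLE.include?(key.to_s)
        send("#{key}=", value)
      else
        @rejected << key.to_s
      end
    end
  end
end

# Constructed request parameters: a normal sign-up form, and the same form
# with one extra field an attacker added with a browser tool or curl.
HONEST_PARAMS = { "name" => "alice", "email" => "alice@example.com" }.freeze
TAMPERED_PARAMS = HONEST_PARAMS.merge("admin" => true).freeze

def unsafe_signup(params)
  UnsafeUser.new(params)
end

def safe_signup(params)
  SafeUser.new(params)
end

# Whitelisting decides which fields are stored; it does nothing about what is
# in them. Any user-controlled value still needs escaping when rendered,
# which is what Rails' h() helper does and what CGI.escapeHTML does here.
def greeting_html(user)
  "<p>Hello, #{CGI.escapeHTML(user.name.to_s)}</p>"
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe admin? #{unsafe_signup(TAMPERED_PARAMS).admin}"   # true
  puts "safe   admin? #{safe_signup(TAMPERED_PARAMS).admin}"     # false
  puts "rejected:     #{safe_signup(TAMPERED_PARAMS).rejected.inspect}"
  puts greeting_html(safe_signup("name" => "<script>alert(1)</script>"))
end
```

The point of the two classes side by side is that the unsafe version is not obviously wrong when you read it; it only fails when someone sends a field the form never displayed, which is exactly the kind of thing an audit has to test for rather than eyeball.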

Going beyond Rails-specific security, Aaron covers a handful of guidelines for ensuring good server hygiene. As a developer (read: not a system administrator), I personally couldn’t tell you which ports should be open on a server and which ones are an invitation for trouble. Aaron remedies that situation by demonstrating the tools for determining how well your server is currently secured and providing scripts and instructions for getting you to where you need to be.

The book closes out the discussion on server security with additional recommendations for restricting access to your servers, but it stops short of providing any direction for doing so. While a quick round of Googling would likely locate a decent tutorial, I’d rather have seen the information included in the book (even if it just took the form of pointers to recommended tutorials).

Once you’ve identified the security issues in your app, Aaron offers honest, no-nonsense advice regarding the next step: “I guarantee at some point you will audit an application and find something in the form of a security hole. Your job as an auditor is to present the vulnerability, period.” Translation: security audits aren’t about sugar-coating your findings or pulling punches. He then pragmatically explains that anything other than the quick fixes will likely warrant further exploration of the actual risk posed by the issue, and provides a step-by-step walkthrough of a sample risk analysis effort.

If you’re even the least bit uncertain about any of the topics discussed above, you owe it to yourself to check out Aaron’s highly-approachable guide to assessing the state of security in your Rails app.

Full disclosure: Aaron and I work together at Relevance, and his potential for hacking into my laptop inspires great fear in me. Nevertheless, I stand by the comments above even in the face of that adversity.


Video: Grails Presentation at QCon San Francisco

Posted by Jason Rudolph on 20th May 2008

InfoQ recently posted the video of my presentation on Grails from QCon San Francisco. If 50 slides in 50 minutes sounds a tad formulaic and tired to you, then you’re in luck. Instead, you’ll see 50 slides in about 5 minutes, followed immediately by 50 minutes of no-nonsense live coding goodness.


In what could perhaps be described as a series of 12 back-to-back lightning talks, you can see what it takes to go from a blank slate to a deployable Grails app including…

  • defining domain classes,
  • setting up relationships,
  • hooking up a database,
  • establishing constraints and validation error messages,
  • enjoying sexy dynamic finders,
  • applying custom URL mappings,
  • working with tag libraries,
  • encapsulating business logic in services,
  • integrating with existing Java code,
  • sending e-mail,
  • finding and installing plugins, and
  • locking down the app with secure authentication and authorization

There’s some good Q & A in there as well. Unfortunately not all of the questions came through on the audio, but in most cases you can pick up the context from the reply.

You’ll also hear me reference Charles Nutter’s JRuby talk a few times over the course of the presentation, and I recommend checking out that video as well.
