Posted by Jason Rudolph on 29th May 2008
Rails Security Audit is a straight-talking introduction to the techniques for keeping your Rails app secure. Over the course of 47 pages, Aaron Bedra tackles the security audit process, common security-related bugs, essential server lockdown tactics, and an approach for assessing the severity of the issues you find.
Rails offers sound solutions for keeping your application safe from the likes of SQL injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and the perils of mass assignment, but are you sure you’re using those solutions? Without a proper understanding of these exploits, it’s unlikely that a developer would safely navigate past those issues entirely. Aaron provides easy-to-follow examples of each exploit, shows the consequences of ignoring them, and introduces the tools and techniques for identifying and avoiding those problems.
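As an added illustration of the mass-assignment problem the paragraph names (example code written for this page, not code from the book or from Rails itself), the plain-Ruby sketch below mimics the Rails 2-era pattern of passing a request's params hash straight into a model, beside the whitelist filter that attr_accessible (and, in later Rails versions, strong parameters) provides. The User class, its attribute names and the tampered form post are all constructed for the example; no real model or HTTP request is involved.

```ruby
# Added example: mass assignment in plain Ruby, modelled on the Rails 2-era
# habit of doing User.new(params[:user]). This is not code from the book or
# from Rails; the User class is a stand-in for an ActiveRecord model.
require 'set'

class User
  # Every column the (hypothetical) users table has.
  ATTRIBUTES = %i[name email admin].freeze
  # Attributes a request is allowed to set: the analogue of attr_accessible.
  ACCESSIBLE = Set[:name, :email].freeze

  attr_reader :name, :email, :admin

  def initialize
    @name = nil
    @email = nil
    @admin = false
  end

  # Vulnerable: assigns every known column named in the incoming hash, so a
  # caller who adds "admin" => "1" to the form post becomes an administrator.
  def assign_unfiltered!(params)
    params.each do |key, value|
      key = key.to_sym
      next unless ATTRIBUTES.include?(key)
      instance_variable_set("@#{key}", value)
    end
    self
  end

  # Hardened: only whitelisted attributes are assigned; everything else is
  # dropped. Returns the rejected keys so an audit log (or a test) can see
  # what the client tried to set.
  def assign_filtered!(params)
    rejected = []
    params.each do |key, value|
      key = key.to_sym
      if ACCESSIBLE.include?(key)
        instance_variable_set("@#{key}", value)
      else
        rejected << key
      end
    end
    rejected
  end
end

# Constructed request parameters: the fields a browser form sends, plus an
# extra field an attacker added by editing the HTML or replaying the request.
TAMPERED_PARAMS = { "name" => "mallory", "email" => "m@example.com", "admin" => "1" }.freeze

# Returns the admin attribute after unfiltered assignment ("1": escalated).
def demo_unfiltered
  User.new.assign_unfiltered!(TAMPERED_PARAMS).admin
end

# Returns [admin attribute, rejected keys] after filtered assignment.
def demo_filtered
  user = User.new
  rejected = user.assign_filtered!(TAMPERED_PARAMS)
  [user.admin, rejected]
end

if __FILE__ == $PROGRAM_NAME
  puts "unfiltered admin flag: #{demo_unfiltered.inspect}"
  admin, rejected = demo_filtered
  puts "filtered admin flag: #{admin.inspect}, rejected keys: #{rejected.inspect}"
end
```

The point an auditor looks for is the first pattern: any place a model is built or updated directly from request parameters without a whitelist. Logging the rejected keys, as the hardened version does, also turns an attempted privilege escalation into a visible event rather than a silent no-op.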
Going beyond Rails-specific security, Aaron covers a handful of guidelines for ensuring good server hygiene. As a developer (read: not a system administrator), I personally couldn’t tell you which ports should be open on a server and which ones are an invitation for trouble. Aaron remedies that situation by demonstrating the tools for determining how well your server is currently secured and providing scripts and instructions for getting you to where you need to be.
The book closes out the discussion on server security with additional recommendations for restricting access to your servers, but it stops short of providing any direction for doing so. While a quick round of Googling would likely locate a decent tutorial, I’d rather have seen the information included in the book (even if it just took the form of pointers to recommended tutorials).
Once you’ve identified the security issues in your app, Aaron offers honest, no-nonsense advice regarding the next step: “I guarantee at some point you will audit an application and find something in the form of a security hole. Your job as an auditor is to present the vulnerability, period.” Translation: security audits aren’t about sugar-coating your findings or pulling punches. He then pragmatically explains that anything other than the quick fixes will likely warrant further exploration of the actual risk posed by the issue, and provides a step-by-step walkthrough of a sample risk analysis effort.
If you’re even the least bit uncertain about any of the topics discussed above, you owe it to yourself to check out Aaron’s highly-approachable guide to assessing the state of security in your Rails app.
Full disclosure: Aaron and I work together at Relevance, and his potential for hacking into my laptop inspires great fear in me. Nevertheless, I stand by the comments above even in the face of that adversity.
Tags: Book, Rails
Posted by Jason Rudolph on 27th February 2008
The first print copies of Scott Davis’s new book, Groovy Recipes: Greasing the Wheels of Java, debuted last week at 2GX.

I had the pleasure of reviewing the book prior to its release, and I’m happy to say that Scott has clearly assembled the go-to guide for turning Groovy into every Java developer’s perfect utility knife. Whether you need to quickly parse an Atom feed, serve up an Excel spreadsheet from your Grails app, or create a tarball on the fly, this book will show you how. In true Groovy style, Scott does away with all unnecessary ceremony and gets right down to business. In almost every section, the very first thing you see is code - the recipe for solving the problem at hand - and if you want to stick around for the clear and informative explanation, well, that’s strictly optional.
Tags: Book, Grails, Groovy
Posted by Jason Rudolph on 19th January 2008
I recently finished a tech review of Venkat Subramaniam’s upcoming book from the Pragmatic Programmers, Programming Groovy: Dynamic Productivity for the Java Developer, and I was pleased to find that Venkat included a healthy dose of “the red pill.”

Scott Davis’s red pill/blue pill metaphor is spot on …
You take the blue pill, the story ends, you wake in your bed and you believe whatever you want to believe.
Many developers (and almost all Groovy tutorials and books to date) are still focused on the more conservative features of the Groovy language. Admittedly, the conveniences offered by that slice of Groovy are nothing to scoff at, but it’s frankly short-sighted to stop there. After all, it’s metaprogramming (i.e., the red pill) that gets the credit for much of the coolness that one experiences in a Grails app. And without metaprogramming, Groovy wouldn’t have a chance in the DSL world.
Venkat clearly wasn’t content to let Groovy metaprogramming continue to take a back seat. Instead, he’s dedicated four whole chapters to this important topic. By page count, that’s more than 20% of the book! And that’s not even counting the numerous cameos that metaprogramming makes in other chapters, especially in the discussions on testing and DSLs. Want to know when to use #invokeMethod versus #methodMissing? Venkat’s got you covered. Need to get your head around categories, expandos, and the ExpandoMetaClass? You’re all set. Not sure how to differentiate between method injection and method synthesis? Not for long.
The beta book is available now. Of course, it’s beta, so you’ll have to be forgiving of the areas that still need some polish. But whether you check out the book now, or you wait for it to graduate from beta status, the red pill awaits. Bottom line: You simply won’t find a more comprehensive resource for getting up to speed on Groovy metaprogramming.
Tags: Book, Groovy
Posted by Jason Rudolph on 16th December 2007
The Chinese version of Getting Started with Grails made its debut last week.

In fact, InfoQ has been steadily growing their Chinese Grails portal for quite a while now. There you’ll find updates on the recent Groovy and Grails support in IntelliJ IDEA 7, Guillaume Laforge waxing philosophical on Groovy DSLs, a (familiar) article on using Grails+EJB3, and more.
Add these resources to the Japanese and Korean docs on grails.org, Sven’s upcoming German book on Grails, and undoubtedly several other international resources in the works, and we’re rapidly starting to see a whole new meaning to good i18n support.
Tags: Book, Grails, Groovy
Posted by Jason Rudolph on 13th June 2007
InfoQ has just published my review of the must-read book, Groovy in Action. If you're doing anything with Groovy, or even considering it, you really owe it to yourself to pick up a copy of this book. If you haven't had a chance yet to check out Groovy in Action, the review should give you a good idea of what to expect from the book, and Manning has also thrown in two chapter excerpts from the book (including one on the incredibly handy Groovy JDK) to give you a feel for it first-hand.
If you notice that the review reads a bit differently than what you might typically expect, that's due to InfoQ's unique requirements for its reviews. InfoQ reviews aim to "contain less metadata and more data, or said differently, less talk about the book and more talk of the content in the book." The hope is that the reader learns something even while reading the review. It seems like a cool idea to me. So, what do you think? Let us know in the comments over on InfoQ or below.
Tags: Book, Grails, Groovy, Java
Posted by Jason Rudolph on 17th January 2007
InfoQ has just released my new book, Getting Started with Grails, and it's available as a free download for you to digg into and find out what Grails is all about. The book walks you through building a Grails app from scratch, and introduces various Grails features over the course of several iterative development cycles. So, download the book, grab the sample code, and enjoy!
It was a sincere pleasure to work with the many talented reviewers that helped out on this book. I hope you find this book helpful, and please feel free to drop me a line with any feedback or post a comment below. Groove on!
Tags: Book, Grails, GSwG