RailsConf Europe 2007: Day Three

The third and last day of RailsConf Europe started with a wonderfully well-presented keynote by Cyndi Mitchell of ThoughtWorks, called Bring Ruby to the Enterprise, Not the Other Way 'Round, of which I unfortunately can't find an online version.

The second keynote of the day, Best Practices by Marcel Molina and Michael Koziarski, gave some interesting insights, such as using explicit (and long) names for actions and keeping controllers small (no more than 5 actions per controller and 5 lines per action); anything beyond that belongs in the models.

After the break, I attended Building Rich Internet Applications with Flex and Ruby on Rails by Simeon Bateman, where he presented the possibilities of using Flex to create rich internet applications, supported on Mac, Windows, and (soon) Linux.

Building applications with Flex

AVM2 open sourced (Tamarin project in Mozilla)

HTTPService -> connect RESTful interfaces in Rails

WebORB -> plugin for Rails (themidnightcoders.com)

The next session, Ruby on Rails Security, by Heiko Webers, while a bit basic at the beginning, gave some interesting insights as well. Some unedited notes follow:

"An insecure server is like a tunnel into Fort Knox"

    - unprivileged user
    - deactivate modules
    - uploads out of DocumentRoot
    - disallow access, allow in particular

    - unpriv. user
    - bind localhost whenever possible
    - independent users for databases
    - comments!
    - leftover files
    - debug actions
    - robots.txt
    - Google Hacking Database ???

Interpreter Injection
    - OWASP Top Ten
    - User Agent Injection
        - XSS, Browser Injection
        - xssed.com
    - session_id after auth
    - stolen!
    - sniffing, read document.cookie using code injection

UA Injection Countermeasures
    - Markdown (for mark-up)
    - RedCloth (some injection still possible)
    - Full HTML
        - blacklist filter
        - whitelist filter: WhiteListHelper plugin
    - No HTML at all
        - no strip_tags (you can go around and still inject some code)
        - use sanitize, SafeERB plugin

SQL Injection
    - Unauthorized reading (string-interpolated conditions instead of the [] array form in finds)
    - Needs ', " or nil + line break
    - Conditions hash
Interpreter Injection
    - ActiveForm plugin: e.g. validates_length_of, validates_format_of with a regexp
    - Mass Assignment (modify form names when using arrays)
        - Assign individually, use attr_accessible

    - Output filters, sanitize!
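
The SQL injection and mass-assignment points above, put into code as an added example (not something shown in the talk or written in the original post). The quoting helper is a constructed stand-in for what ActiveRecord does with the conditions-array form, and the User class is a plain-Ruby model whose whitelist stands in for attr_accessible; neither is ActiveRecord's own code.

```ruby
# Constructed stand-in for the quoting ActiveRecord applies to values in the
# conditions-array form; not ActiveRecord's own code. Single quotes are doubled.
def quote_sql_value(value)
  case value
  when nil     then 'NULL'
  when Integer then value.to_s
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Mirrors find(:all, :conditions => ["login = ? AND password = ?", login, pw]):
# each ? is replaced by a quoted value, so user input can never end the literal.
# Simplification: a literal '?' inside the template itself is not supported.
def sanitize_conditions(template, *values)
  unless template.count('?') == values.size
    raise ArgumentError, 'placeholder/value count mismatch'
  end
  remaining = values.dup
  template.gsub('?') { quote_sql_value(remaining.shift) }
end

# The vulnerable pattern: interpolating the parameters straight into the SQL.
def unsafe_conditions(login, password)
  "login = '#{login}' AND password = '#{password}'"
end

# Mass assignment: a minimal model whose attributes= only copies whitelisted
# keys, the behaviour attr_accessible gives ActiveRecord models. A hidden
# 'admin' attribute cannot be set by renaming a form field to user[admin].
class User
  ACCESSIBLE = %w[login email].freeze

  attr_reader :attributes

  def initialize
    @attributes = { 'login' => nil, 'email' => nil, 'admin' => false }
  end

  def attributes=(params)
    params.each do |key, value|
      key = key.to_s
      next unless ACCESSIBLE.include?(key) # protected attributes are dropped
      @attributes[key] = value
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  evil_login = "admin' --" # constructed attacker input
  puts unsafe_conditions(evil_login, 'anything')
  puts sanitize_conditions('login = ? AND password = ?', evil_login, 'anything')

  user = User.new
  user.attributes = { 'login' => 'eve', 'admin' => true } # forged form field
  p user.attributes
end
```

With the interpolated version the comment marker swallows the password check; with the placeholder version the quote is doubled and the whole input is just a login nobody has. The same idea applies to the conditions hash, which quotes values the same way.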

Finally, I attended the MindMeister Development Case Study by Michael Hollauf. MindMeister is a collaborative mind map web application, wonderfully designed and with a lot of potential. He presented mostly the business side of the application, usability, and several other aspects of marketing a start-up.

We were also informed that the RailsConf Europe 2008 will be in Berlin as well. All I can say is I expect to be there next year (and maybe Portland, too), and that I'll be writing a post recapping my impressions on this year's RailsConf Europe, which has been very interesting, and of course, a lot of fun.

newton.gra2.com is a blog about technology, opinion and random thoughts written by Daniel Alvarez, a computer engineer currently living in Zurich, Switzerland.