The third and last day of the RailsConf Europe started with a wonderfully well presented keynote by Cyndi Mitchell of ThoughtWorks, called Bring Ruby to the Enterprise, Not the Other Way 'Round, of which I unfortunately can't find an online version.
The second keynote of the day was about Best Practices, by Marcel Molina and Michael Koziarski, which gave some interesting insights, such as using explicit (and long) names for actions and keeping controllers small (no more than 5 actions per controller and 5 lines per action); the logic belongs in the models instead.
After the break, I attended Building Rich Internet Applications with Flex and Ruby on Rails by Simeon Bateman, where he presented the possibilities of using Flex to create rich internet applications, supported on Mac, Windows, and (soon) Linux.
Building applications with Flex
- AVM2 open sourced (Tamarin project in Mozilla)
- HTTPService -> connect to RESTful interfaces in Rails
- WebORB -> plugin for Rails (themidnightcoders.com)
The next session, Ruby on Rails Security, by Heiko Webers, while a bit basic at the beginning, gave some interesting insights as well. Some unedited notes follow:
"An insecure server is like a tunnel into Fort Knox"
- unprivileged user
- deactivate modules
- uploads out of DocumentRoot
- disallow access, allow in particular
- unpriv. user
- bind localhost whenever possible
- independent users for databases
- leftover files
- debug actions
- Google Hacking Database ???
- OWASP Top Ten
- User Agent Injection
- XSS, Browser Injection
- session_id after auth
- sniffing, read document.cookie using code injection
UA Injection Countermeasures
- Markdown (for mark-up)
- RedCloth (some injection still possible)
- Full HTML
- blacklist filter
- whitelist filter: WhiteListHelper plugin
- No HTML at all
- no strip_tags (it can be bypassed and code still injected)
- use sanitize, SafeERB plugin
- Unauthorized reading (without using  in finds)
- Needs ', " or nil + line break
- Conditions hash
- ActiveForm plugin: e.g. validates_length_of, validates_format_of with a regexp
- Mass Assignment (modify form names when using arrays)
- Assign individually, use attr_accessible
- Output filters, sanitize!
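The two notes above on finds (conditions with placeholders instead of interpolated strings) and on mass assignment (attr_accessible), worked through in plain Ruby as an added example. This is not code from Heiko Webers's talk or from this post, and it is deliberately Rails-free so it runs stand-alone: quote_value, sanitize_conditions and the Account class are hypothetical imitations of what ActiveRecord's ? placeholders and attr_accessible do, and the params hash and the injected name are constructed inputs.

```ruby
# Added example: plain-Ruby imitations of two countermeasures from the notes.
# Nothing here is ActiveRecord; the helpers below are hypothetical stand-ins.

# --- Finds: string interpolation vs. placeholder quoting ---------------------

# Hypothetical imitation of how a single value is quoted into a SQL literal:
# nil becomes NULL, numbers are left bare, strings are quoted with every
# embedded single quote doubled so it cannot close the literal early.
def quote_value(value)
  case value
  when nil     then "NULL"
  when Numeric then value.to_s
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Hypothetical imitation of the ["col = ?", value] conditions form:
# each ? is replaced by the quoted value, left to right.
def sanitize_conditions(template, *values)
  unless template.count("?") == values.size
    raise ArgumentError, "placeholder/value count mismatch"
  end
  remaining = values.dup
  template.gsub("?") { quote_value(remaining.shift) }
end

# Vulnerable: the user-supplied value is dropped straight into the SQL.
def unsafe_condition(name)
  "name = '#{name}'"
end

# Safe: the same value goes through the placeholder path.
def safe_condition(name)
  sanitize_conditions("name = ?", name)
end

# Constructed attacker input: a quote that closes the literal, then a tautology.
INJECTED_NAME = "x' OR '1'='1".freeze

# --- Mass assignment: assign every param vs. an attr_accessible-style list ---

class Account
  attr_accessor :name, :email, :admin

  # What attr_accessible would declare: the only form fields that may be written.
  ACCESSIBLE = %w[name email].freeze

  def initialize
    @admin = false
  end

  # Vulnerable: every key in the submitted form becomes an attribute write,
  # so renaming a form field to "admin" is enough to escalate.
  def assign_attributes_unchecked(params)
    params.each { |key, value| send("#{key}=", value) }
    self
  end

  # Protected: keys outside the whitelist are silently dropped.
  def assign_attributes(params)
    params.each do |key, value|
      next unless ACCESSIBLE.include?(key.to_s)
      send("#{key}=", value)
    end
    self
  end
end

# Constructed form submission with an extra "admin" field tacked on.
ATTACK_PARAMS = { "name" => "alice", "email" => "alice@example.org", "admin" => "1" }.freeze

if $PROGRAM_NAME == __FILE__
  puts unsafe_condition(INJECTED_NAME)   # name = 'x' OR '1'='1'
  puts safe_condition(INJECTED_NAME)     # name = 'x'' OR ''1''=''1'
  puts Account.new.assign_attributes_unchecked(ATTACK_PARAMS).admin.inspect  # "1"
  puts Account.new.assign_attributes(ATTACK_PARAMS).admin.inspect            # false
end
```

The point of the placeholder path is that the attacker's quote is doubled rather than closing the literal, so the tautology stays inside the string; the point of the whitelist is that the form can carry any field names it likes and only the declared ones reach the model. In real Rails the equivalents are the conditions array form and attr_accessible, as the notes say.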
Finally, I attended the MindMeister Development Case Study by Michael Hollauf. MindMeister is a collaborative mind map web application, wonderfully designed and with a lot of potential. He presented us with mostly the business part of the application, usability, and several other aspects of marketing a start-up.
We were also informed that the RailsConf Europe 2008 will be in Berlin as well. All I can say is I expect to be there next year (and maybe Portland, too), and that I'll be writing a post recapping my impressions on this year's RailsConf Europe, which has been very interesting, and of course, a lot of fun.