From Rails Security to Application Security
Location: Saal Maritim C
Audience level: Intermediate
Much has been said about Rails security, in the sense of protecting
Rails deployments against a number of possible attacks. However,
preventing technical vulnerabilities does not mean your Rails
application actually is secure: each application has its very own
security objectives, which are as hard for a developer to find out as
the other domain-specific requirements.
When classical security engineering is employed to acquire the
security requirements, the resulting security model may turn into a
straitjacket and harm the application's overall usability. In
essence, an intrusion of waterfall thinking loses the advantages of
agile web development and the Rails framework in this area. Worse,
disappointing user acceptance can lead to premature project
In this talk, we will discuss approaches to elicit the actual security
requirements of a Rails application in a small-to-medium enterprise
and how to map these requirements into actionable elements of a Rails
Universität Bremen, TZI
Carsten Bormann, Honorarprofessor for Internet technology at the Universität Bremen, is a protocol designer by heart, a standardization geek by necessity, and an author of the first German-language book on AJAX.
Carsten regularly teaches on agile web development, Rails, and AJAX topics.
TZI, Universität Bremen
Steffen Bartsch is a researcher at TZI, Universität Bremen, currently involved in security- and Rails-related research projects with small businesses.