From Rails Security to Application Security
Location: Saal Maritim C
Much has been said about Rails Security, in the sense of protecting Rails deployments against a number of possible attacks. However, preventing technical vulnerabilities does not mean your Rails application actually is secure: each application has its very own security objectives, which are as hard for a developer to discover as any other domain-specific requirement.
When employing classical security engineering to acquire the security requirements, the resulting security model may turn into a straitjacket and harm the application’s overall usability. In essence, letting waterfall thinking intrude forfeits the advantages of Agile web development and the Rails framework in this area. Worse, disappointing user acceptance can lead to premature project termination.
In this talk, we will discuss approaches to elicit the actual security requirements of a Rails application in a small-to-medium enterprise and how to map these requirements into actionable elements of a Rails application.
Universität Bremen, TZI
Carsten Bormann, honorary professor of Internet technology at the Universität Bremen, is a protocol designer at heart, a standardization geek by necessity, and an author of the first German-language book on AJAX.
Carsten regularly teaches on agile web development, Rails, and AJAX topics.
TZI, Universität Bremen
Steffen Bartsch is a researcher at TZI, Universität Bremen, currently involved in security- and Rails-related research projects with small businesses.