
Take security seriously while you're small and no one is likely to exploit you

Using a static analysis tool that scans for vulnerabilities is a great help for this.

Always be security conscious

Similar to performance and testing, you might not consider security very important in the beginning. However, it is far cheaper to build it in while you are writing the code than to retrofit it after the application has shipped.

Security is a more obvious pitfall than performance. Counterintuitively though, it’s often taken less seriously.

I was aware of the importance of security testing because of my consulting experience. We had a security review step that I used in Supplybunny as well. Fortunately, I didn’t have to learn a lesson about the importance of security through experience.

There are two parts to taking care of security, and you need both.

Follow security best practices for your tool

First, treat security as a priority during development and do things correctly the first time. That means following best practices: never letting a user reach another user's records by iterating over IDs (scope every lookup to the current user, and check authorization, not just authentication), and not falling prey to well-known exploits such as cross-site scripting (script injection), CSRF, or SQL injection. These are all crucial development skills.
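The two mistakes named above, an unscoped lookup that lets anyone iterate over IDs and a SQL string built by interpolation, side by side with their hardened forms. This is an added example, not code from the original page or from Supplybunny; it is plain Ruby with a constructed in-memory table standing in for the database, so no Rails is needed to run it. The function names, the sample users and orders, and the `quote_literal` stand-in for the database adapter's placeholder quoting are all assumptions made for the illustration.

```ruby
# Added example (not from the original page): plain-Ruby stand-ins for the
# controller and model code the text warns about. Runs without Rails.

User  = Struct.new(:id, :name)
Order = Struct.new(:id, :user_id, :total)

# Constructed sample data standing in for a database table.
USERS  = [User.new(1, "alice"), User.new(2, "bob")].freeze
ORDERS = [
  Order.new(100, 1, 19.99),
  Order.new(101, 2, 250.00),
  Order.new(102, 2, 75.50),
].freeze

# VULNERABLE: the equivalent of `Order.find(params[:id])`. Any logged-in user
# who increments the id reads every order in the system (an insecure direct
# object reference). Authentication passed; authorization was never checked.
def find_order_unscoped(_current_user, id)
  ORDERS.find { |o| o.id == id }
end

# HARDENED: the equivalent of `current_user.orders.find(params[:id])`. The
# lookup is scoped to the caller, so a foreign id yields nil here (in Rails
# the scoped find raises ActiveRecord::RecordNotFound, rendered as a 404).
def find_order_scoped(current_user, id)
  ORDERS.find { |o| o.id == id && o.user_id == current_user.id }
end

# Simulates an attacker walking an id range through a lookup and returns the
# ids of the orders they managed to read.
def enumerate_orders(lookup, current_user, id_range)
  id_range.map { |id| lookup.call(current_user, id) }.compact.map(&:id)
end

# ---- SQL injection: string interpolation vs. a bound placeholder ----

# VULNERABLE: the equivalent of `User.where("name = '#{params[:name]}'")`.
# The user's text becomes part of the SQL grammar.
def users_query_unsafe(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# Models what the adapter does for `where("name = ?", name)`: the value is
# wrapped in quotes and every embedded quote is doubled, so the input can
# never close the string literal early. (Real adapters also handle escapes
# such as backslashes per database; always let the adapter do the binding.)
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# HARDENED: the value stays a value, whatever it contains.
def users_query_safe(name)
  "SELECT * FROM users WHERE name = #{quote_literal(name)}"
end

if __FILE__ == $PROGRAM_NAME
  bob = USERS[1]
  p enumerate_orders(method(:find_order_unscoped), bob, 100..102) # every order
  p enumerate_orders(method(:find_order_scoped), bob, 100..102)   # only bob's
  payload = "' OR '1'='1"
  puts users_query_unsafe(payload) # WHERE name = '' OR '1'='1' -> matches all rows
  puts users_query_safe(payload)   # WHERE name = ''' OR ''1''=''1' -> matches nothing
end
```

The scoped lookup is the whole fix for the ID-iteration problem: it moves the authorization decision into the query, so there is no separate `if order.user_id == current_user.id` check to forget on the next action. For SQL, the point of the example is that the safe version never concatenates user text into the statement; `quote_literal` only exists here to make that visible without a database.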

And use a security code audit tool

Secondly, periodically audit your code. Most frameworks have a static analysis tool that scans code for security issues. For Rails, Brakeman is great. I'd periodically run it first to find the most dangerous vulnerabilities. If there were any, I'd immediately fix them. Then I'd run the lesser-severity ones and put them in the following technical debt session.

Example of Brakeman output: (screenshot not reproduced in this text)
