Ruby on Rails Security Audits and Code Reviews

Manual Code audits

What’s the difference between a review (see below) and an audit? Security (code) audits give you some time to reflect and check the bigger picture. In the daily code review process it might not be apparent that, for instance, two changes in different pull requests have introduced a new inconsistency.

Peer code reviews

There’s a crowded market for code review software, but to get started it doesn’t have to be so complicated. In smaller to mid-sized projects, a pull-request cycle is enough. That means someone who wants to merge a portion of code creates a pull request in a git web UI or via the command line with git request-pull. The latter only summarizes the changes, so it takes some discipline to make sure they actually get reviewed. A git web UI like GitHub includes collaboration tools to comment on, amend and merge these changes.

Automatic security audits

In my opinion, automatic tools don’t replace code reviews by humans. But they’re definitely a great addition to manual reviews. So run them before every commit, or, to begin with, just every Friday.

Brakeman: Static code vulnerability scanner for Rails

Brakeman analyzes the application’s source code and reports known security vulnerabilities.
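As an added example (not code from the original page or from the Brakeman project), here is a small Ruby script that reads Brakeman’s JSON report (`brakeman -f json`) and returns a non-zero exit status when warnings at or above a chosen confidence level are present, so the scan can gate a pre-commit hook or CI step. The report content and the function names are constructed for this example.

```ruby
require 'json'

# Constructed sample of a Brakeman JSON report. The shape (a "warnings"
# array whose entries carry warning_type, confidence, file, line, message)
# follows Brakeman's format; the values below are made up for this example.
SAMPLE_REPORT = <<~REPORT
{
  "warnings": [
    {"warning_type": "SQL Injection", "confidence": "High",
     "file": "app/models/user.rb", "line": 12,
     "message": "Possible SQL injection"},
    {"warning_type": "Cross-Site Scripting", "confidence": "Weak",
     "file": "app/views/users/show.html.erb", "line": 3,
     "message": "Unescaped model attribute"}
  ]
}
REPORT

# Brakeman's three confidence levels, ordered so they can be compared.
CONFIDENCE_RANK = { "High" => 3, "Medium" => 2, "Weak" => 1 }.freeze

# Warnings at or above the given confidence; unknown levels never block.
def blocking_warnings(report_json, min_confidence: "Medium")
  threshold = CONFIDENCE_RANK.fetch(min_confidence)
  JSON.parse(report_json)["warnings"].select do |w|
    CONFIDENCE_RANK.fetch(w["confidence"], 0) >= threshold
  end
end

# One line per blocking warning, suitable for a hook or CI log.
def format_warnings(warnings)
  warnings.map do |w|
    "#{w['file']}:#{w['line']} [#{w['confidence']}] " \
      "#{w['warning_type']}: #{w['message']}"
  end
end

# Exit status for the hook: 0 lets the commit through, 1 blocks it.
def gate_exit_status(report_json, min_confidence: "Medium")
  blocking_warnings(report_json, min_confidence: min_confidence).empty? ? 0 : 1
end
```

In a pre-commit hook you would run Brakeman with `-f json -o brakeman.json`, then `puts format_warnings(blocking_warnings(File.read("brakeman.json")))` and `exit gate_exit_status(File.read("brakeman.json"))`; lowering `min_confidence` to "Weak" makes the gate strict, raising it to "High" keeps early adoption from blocking every commit.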