Manual code audits
What’s the difference between a review (see below) and an audit? Security (code) audits give you some time to reflect and check the bigger picture. In the daily code review process it might not be apparent that, for instance, two changes in different pull requests have introduced a new inconsistency.
- You can do your own manual security code audit; learn here how to develop a Rails security strategy for it.
- You can hire me for a Ruby on Rails security audit
Peer code reviews
There’s a crowded market for code review software, but to get started it doesn’t have to be so complicated. In smaller to mid-sized projects, a pull-request cycle is enough. That means someone who wants to merge a portion of code creates a pull request in a git web UI or via the command line git request-pull. The latter only summarizes the changes, so it takes some discipline to make sure they actually get reviewed. A git web UI like GitHub includes a collaboration tool to comment on, amend and merge in these changes.
Automatic security audits
In my opinion, automatic tools don’t replace code reviews by humans, but they’re definitely a great addition to manual reviews. Run them before every commit, or, to begin with, just every Friday.
Brakeman: Static code vulnerability scanner for Rails
It analyzes the application’s source code without running it and reports known classes of security vulnerabilities, each with a confidence level.
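As an added example (not code from the original page or from the Brakeman project), here is a small Ruby gate that turns the two points above into practice: it reads a Brakeman JSON report, as produced by the assumed invocation brakeman -q -f json --no-exit-on-warn, and returns a non-zero status when warnings at or above a chosen confidence level are present, so it can be run from a pre-commit hook or a Friday CI job. The embedded report is constructed for this example in the shape of Brakeman's JSON output; its file names, lines and fingerprints are made up, and the functions blocking_warnings, summarize, format_warning, gate_status and load_report are this example's own names.

```ruby
require 'json'
require 'open3'

# Constructed sample in the shape of a Brakeman JSON report (brakeman -f json).
# Files, lines, messages and fingerprints are invented for this example.
SAMPLE_REPORT = <<~JSON
  {
    "scan_info": {"app_path": "/tmp/example-app", "rails_version": "7.0.0"},
    "warnings": [
      {"warning_type": "SQL Injection", "check_name": "SQL", "confidence": "High",
       "message": "Possible SQL injection", "file": "app/models/user.rb", "line": 12,
       "fingerprint": "deadbeef01"},
      {"warning_type": "Cross-Site Scripting", "check_name": "CrossSiteScripting", "confidence": "Medium",
       "message": "Unescaped model attribute", "file": "app/views/users/show.html.erb", "line": 4,
       "fingerprint": "deadbeef02"},
      {"warning_type": "Mass Assignment", "check_name": "ModelAttrAccessible", "confidence": "Weak",
       "message": "Potentially dangerous attribute available for mass assignment",
       "file": "app/models/user.rb", "line": 3, "fingerprint": "deadbeef03"}
    ],
    "ignored_warnings": [],
    "errors": [],
    "obsolete": []
  }
JSON

# Brakeman reports each warning with one of these confidence levels.
CONFIDENCE_RANK = { 'High' => 3, 'Medium' => 2, 'Weak' => 1 }.freeze

# Parse a report and return the warnings at or above the given confidence.
# Unknown confidence strings rank as 0 and therefore never block.
def blocking_warnings(report_json, min_confidence: 'Medium')
  report = JSON.parse(report_json)
  threshold = CONFIDENCE_RANK.fetch(min_confidence)
  report.fetch('warnings', []).select do |w|
    CONFIDENCE_RANK.fetch(w['confidence'], 0) >= threshold
  end
end

# Count warnings per type, grouped the way a reviewer reads a report.
def summarize(warnings)
  warnings.group_by { |w| w['warning_type'] }.transform_values(&:size)
end

# One line per warning: confidence, type, location, message.
def format_warning(w)
  "#{w['confidence'].ljust(6)} #{w['warning_type']} #{w['file']}:#{w['line']} #{w['message']}"
end

# Exit status for the hook: 0 allows the commit, 1 blocks it.
def gate_status(report_json, min_confidence: 'Medium')
  blocking_warnings(report_json, min_confidence: min_confidence).empty? ? 0 : 1
end

# Run Brakeman when it is installed (assumed invocation); otherwise fall back
# to the constructed sample so the script can be tried without a Rails app.
def load_report
  out, status = Open3.capture2('brakeman', '-q', '-f', 'json', '--no-exit-on-warn')
  status.success? ? out : SAMPLE_REPORT
rescue Errno::ENOENT
  SAMPLE_REPORT
end

if __FILE__ == $PROGRAM_NAME
  min = ENV.fetch('MIN_CONFIDENCE', 'Medium')
  report = load_report
  blocking = blocking_warnings(report, min_confidence: min)
  blocking.each { |w| puts format_warning(w) }
  summarize(blocking).each { |type, n| puts "#{type}: #{n}" }
  status = gate_status(report, min_confidence: min)
  puts "gate status: #{status} (blocking at confidence >= #{min})"
  # Only fail the process when asked to, so a plain run is a dry run.
  exit status if ARGV.include?('--enforce')
end
```

To use it as the pre-commit check the section recommends, call the script with --enforce from .git/hooks/pre-commit and set MIN_CONFIDENCE to High while the team works through the existing Medium warnings; tightening the threshold later is a one-line change, and warnings that are reviewed and accepted belong in Brakeman's ignore file rather than in a lower threshold.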