RailsConf 2019 - Rails Security at Scale by Jack McCracken

Cloud 66 - Pain Free Rails Deployments. Cloud 66 for Rails acts like your in-house DevOps team to build, deploy and maintain your Rails applications on any cloud or server. Get $100 Cloud 66 Free Credits with the code: RailsConf-19 ($100 Cloud 66 Free Credits, for the new user only, valid till 31st December 2019). Link to the website: https://cloud66.com/rails?utm_source=-&utm_medium=-&utm_campaign=RailsConf19 Link to sign up: https://app.cloud66.com/users/sign_in?utm_source=-&utm_medium=-&utm_campaign=RailsConf19

This is a sponsored talk by Shopify. At Shopify we ship code. A lot of it. 1000 PRs a day. This means that our security team can’t reasonably take a look at every change that goes out to Shopify’s core product, let alone the hundreds of other projects deploying every day. Our team has developed some awesome tools and techniques for keeping Rails safe at scale, and we’d like to share them with you.
Summary
In the 'Rails Security at Scale' presentation held at RailsConf 2019, Jack McCracken from Shopify discusses the security measures implemented in one of the largest Rails applications. With Shopify experiencing significant growth, managing security for over 800,000 merchants has become increasingly challenging. McCracken emphasizes the necessity of embedding security culture within the organization, where every developer understands the implications of their changes on users.

Key points of the presentation include:

- **Scaling Security:** With a growing number of developers, it’s impractical for a small security team to oversee all code changes. Developers must be made aware of their responsibilities in safeguarding the platform.
- **Tool Development:** McCracken highlights the importance of implementing tools like RuboCop and custom bots (e.g., Caution Tape Bot) to automatically flag potential security issues in code.
- **Safe Defaults:** Ensuring that security measures are 'safe by default' is crucial. An example includes modifying the usage of `html_safe` to prevent cross-site scripting vulnerabilities.
- **Error Handling:** Instead of punitive measures for mistakes, a supportive environment should encourage learning from mistakes without compromising security. Implementing features like Firewald helps manage permissions effectively.
- **Bug Bounty Programs:** These programs incentivize security researchers to discover vulnerabilities. McCracken shares examples of critical vulnerabilities uncovered through their bug bounty program that saved Shopify significant potential losses.
- **Fun and Engaging Training:** To cultivate a security-conscious culture, Shopify organizes engaging training events (like hackfests) where developers can learn through hands-on experiences.
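The automatic flagging of risky `html_safe` usage described under Tool Development and Safe Defaults, as an added example that is not Shopify's code or from the talk: it uses only Ruby's stdlib Ripper parser (assumed here in place of a real RuboCop cop) to report every `.html_safe` call whose receiver is not a plain string literal, and pairs it with the escape-first helper a safe default would offer instead.

```ruby
require "ripper"
require "erb"

# Yield every node of the Ripper S-expression tree (depth first).
def each_node(node, &blk)
  return unless node.is_a?(Array)
  yield node
  node.each { |child| each_node(child, &blk) }
end

# A receiver is "static" when it is a string literal with no interpolation;
# marking such a literal as safe cannot introduce attacker-controlled HTML.
def static_string?(node)
  return false unless node.is_a?(Array) && node[0] == :string_literal
  content = node[1]
  return false unless content.is_a?(Array) && content[0] == :string_content
  content.drop(1).all? { |part| part.is_a?(Array) && part[0] == :@tstring_content }
end

# Return the line numbers of every html_safe call on a dynamic receiver.
# These are the places where Rails' default escaping is being bypassed.
def flag_html_safe(source)
  findings = []
  each_node(Ripper.sexp(source)) do |node|
    next unless node[0] == :call
    receiver, ident = node[1], node[3]
    next unless ident.is_a?(Array) && ident[0] == :@ident && ident[1] == "html_safe"
    next if static_string?(receiver)
    findings << ident[2][0] # [line, column] of the html_safe identifier
  end
  findings
end

# The safe-by-default counterpart: escape first, so callers never need to
# reach for html_safe on user-controlled data.
def escaped(value)
  ERB::Util.html_escape(value.to_s)
end

# Constructed sample source, mimicking a Rails view helper (hypothetical).
SAMPLE = <<~'RUBY'
  def banner(user)
    "<b>Welcome</b>".html_safe           # static literal: fine
    "<b>#{user.name}</b>".html_safe      # interpolation: flagged (line 3)
    user.bio.html_safe                   # dynamic receiver: flagged (line 4)
    content_tag(:p, user.bio)            # escaped by default: fine
  end
RUBY

puts "html_safe on dynamic data at lines: #{flag_html_safe(SAMPLE).inspect}"
```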
The main takeaways encourage treating security as a shared responsibility among all developers, the importance of creating tools that support secure coding practices, and fostering an enjoyable learning environment to improve security awareness. McCracken concludes by inviting curious individuals to apply for open positions in Shopify’s application security team.