WEBVTT 1 00:00:04.639 --> 00:00:07.599 Hey everybody, Welcome back to another episode of the Ruby 2 00:00:07.679 --> 00:00:11.560 Rogues podcast. This week, on our panel we have Valentino Stole. 3 00:00:12.480 --> 00:00:16.440 They know. I'm Charles Maxwood from Top Endevs. We have 4 00:00:16.480 --> 00:00:19.440 a special guest this week. It is Greg Monar. Greg, 5 00:00:20.320 --> 00:00:23.039 we've had you on before. But how are things in 6 00:00:23.079 --> 00:00:24.000 the middle of the Atlantic? 7 00:00:25.519 --> 00:00:28.760 Hi, guys. Yeah, all is good. Still, We're still alive 8 00:00:28.960 --> 00:00:30.039 in the middle of the ocean. 9 00:00:33.280 --> 00:00:36.159 The island's still upright, so things are good. 10 00:00:36.320 --> 00:00:39.560 Yes, yes, shitty leather sometimes, but yeah. It's been that time. 11 00:00:41.079 --> 00:00:43.840 I heard a clip not that long ago. It's an 12 00:00:43.840 --> 00:00:47.479 older clip, but it was a US congressman that he 13 00:00:47.640 --> 00:00:52.920 was interviewing a general or an admiral or something, and 14 00:00:53.359 --> 00:00:55.880 basically he was talking about Guam and he said, well, 15 00:00:56.439 --> 00:00:59.359 are you worried that the island is going to capsize? 16 00:01:00.399 --> 00:01:04.120 And the general with the straight face, right, because they 17 00:01:04.159 --> 00:01:05.959 have to have some decorum in there and they don't 18 00:01:05.959 --> 00:01:08.120 want to tick off the congressman. He looks at him 19 00:01:08.159 --> 00:01:10.920 and he goes he goes, no, no, we don't anticipate 20 00:01:10.959 --> 00:01:17.040 that didn't capsize. 21 00:01:17.400 --> 00:01:20.000 No, no, And the math it's supposed to be done 22 00:01:20.000 --> 00:01:21.959 for a few years now and it's still there, right, 23 00:01:22.040 --> 00:01:24.640 So I don't know what are these forecasts about. 24 00:01:24.959 --> 00:01:28.120 Yeah, all right, well we brought you on to talk 25 00:01:28.159 --> 00:01:33.480 about security in Rails eight. I don't even know where 26 00:01:33.480 --> 00:01:36.480 to start. Did a whole lot change or is it 27 00:01:36.560 --> 00:01:38.640 mostly the same as seven point two? 28 00:01:40.079 --> 00:01:42.680 Well, yeah, there are a bunch of things which are 29 00:01:42.760 --> 00:01:46.040 seven point two. But I think the imitation was triggered 30 00:01:46.079 --> 00:01:49.359 by my talk at Rails fird Yes, which was tied 31 00:01:49.439 --> 00:01:52.000 to the state of security in Rails eight. But some 32 00:01:52.040 --> 00:01:54.680 of the things I mentioned were actually Rail seven point two. 33 00:01:55.400 --> 00:01:58.359 But I think it was still worth mentioning those because 34 00:01:59.040 --> 00:02:01.000 a lot of people don't even know about those new 35 00:02:01.040 --> 00:02:06.519 features which were three years old back then, and Rail 36 00:02:06.599 --> 00:02:09.120 say it wasn't even know it really is at the conference. 37 00:02:09.159 --> 00:02:12.759 So it was a bit of a ah a pre 38 00:02:12.759 --> 00:02:14.159 planned talk. 39 00:02:15.680 --> 00:02:17.759 So so yeah, so where do we start then? 40 00:02:19.120 --> 00:02:20.960 Well, I can just list out the things which I 41 00:02:21.039 --> 00:02:23.319 was talking about. If you guys are that, you can 42 00:02:23.479 --> 00:02:25.319 go through all of those and you can ask questions 43 00:02:25.319 --> 00:02:30.120 and we can sound So one of the first things 44 00:02:30.120 --> 00:02:34.000 I mentioned during the talk was every new rails app 45 00:02:34.360 --> 00:02:37.319 this is a seven point two feature. Every newly generated 46 00:02:37.400 --> 00:02:42.120 Rails application has a default depend about GitLab CI file, 47 00:02:42.360 --> 00:02:46.159 which means if you are using not gitlabs for GitHub, 48 00:02:46.280 --> 00:02:49.840 if you're using GitHub, then on your CI automatically runs 49 00:02:49.840 --> 00:02:56.199 depend about, which is a dependent vulnerable dependency checks. So 50 00:02:56.319 --> 00:02:58.840 if any of the gems you are using has a 51 00:02:58.919 --> 00:03:02.000 vulnerability public, then you are getting alerted and then you 52 00:03:02.000 --> 00:03:07.199 can just upgrade and save yourselves from any hustles and 53 00:03:07.639 --> 00:03:08.159 so good. 54 00:03:08.759 --> 00:03:12.599 Yeah, I think yep, Well, I was just gonna say 55 00:03:12.599 --> 00:03:14.840 some people. I think most people know what depend about 56 00:03:14.840 --> 00:03:18.039 it is. But effectively you get poor requests if you 57 00:03:18.159 --> 00:03:21.879 have vulnerable versions of your dependencies. 58 00:03:22.199 --> 00:03:24.680 Yeah, or even for outdated bones. That's why I don't 59 00:03:24.759 --> 00:03:28.800 like dependabo. Actually I prefer bundle oud it, but it's 60 00:03:28.800 --> 00:03:31.919 basically it's very similar thing. But bundleoud it only alerts 61 00:03:32.000 --> 00:03:36.159 you about security issues, whereas depend about I think you 62 00:03:36.199 --> 00:03:38.719 can configure it depends a but also alerts you're about 63 00:03:38.800 --> 00:03:42.840 outdated ones. Where usually my way of when I work 64 00:03:42.840 --> 00:03:45.039 on the rest, my way of handling upgrades is it's 65 00:03:45.080 --> 00:03:47.479 like on a regular basis, like every three months. That 66 00:03:47.639 --> 00:03:51.479 is like a spike update all the dependencies. But secretary 67 00:03:51.479 --> 00:03:54.280 dependency is a different. Secrety issues are different. Obviously, you 68 00:03:54.319 --> 00:03:56.919 want to upgrade them immediately. But the rest I don't 69 00:03:56.960 --> 00:03:59.639 really care when a new GEM comes out. If it's 70 00:03:59.680 --> 00:04:02.759 just a non security issue, I will update it when 71 00:04:02.759 --> 00:04:05.479 I do my regular upgrade upgrades. 72 00:04:06.280 --> 00:04:09.199 Right, that makes sense. I do the same thing because 73 00:04:09.240 --> 00:04:12.240 a lot of times you're you're upgrades. If it's a 74 00:04:12.560 --> 00:04:16.639 major even sometimes a minor version, you know, it changes 75 00:04:16.639 --> 00:04:20.199 the API. Right, It's not just oh, hey, you're going 76 00:04:20.279 --> 00:04:22.199 to upgrade this and you're going to get security goodies 77 00:04:22.480 --> 00:04:25.959 right now. You may have to pull a major minor 78 00:04:26.040 --> 00:04:29.759 upgrade version because because there is a security issue and 79 00:04:30.160 --> 00:04:32.279 they didn't fix it in the version you're using, in 80 00:04:32.319 --> 00:04:34.680 which case, yeah, you have to go through the upgrade 81 00:04:34.720 --> 00:04:38.759 rigmarole and update your code as well as the gem. 82 00:04:39.319 --> 00:04:42.240 But yeah, I'm with you. I tend to tackle those 83 00:04:42.279 --> 00:04:47.800 things when I feel the need, right. So sometimes legitimately 84 00:04:47.800 --> 00:04:49.319 it's like, hey, there's a new feature in this that 85 00:04:49.360 --> 00:04:54.800 I need yep, But if it's the older version, how 86 00:04:54.800 --> 00:04:57.079 do I put this? I've been having conversations with people 87 00:04:57.079 --> 00:05:00.000 about like AI in programming, and it's like, hey, look, 88 00:05:00.360 --> 00:05:02.439 it makes you more effective in all of these different ways, 89 00:05:02.959 --> 00:05:05.079 and a lot of people are asking, is that going 90 00:05:05.120 --> 00:05:07.399 to replace programmers and I'm like, have you ever met 91 00:05:07.399 --> 00:05:09.480 a have you ever worked on a project that ran 92 00:05:09.480 --> 00:05:11.839 out of things for you to work on? And the 93 00:05:11.920 --> 00:05:14.120 answer is you might have had a side project that 94 00:05:14.160 --> 00:05:17.560 you decided was done right, And so with this, it's 95 00:05:17.560 --> 00:05:21.399 the same thing. It's like, okay, until it's a real 96 00:05:21.480 --> 00:05:23.879 high priority, there's just no reason to do it. And 97 00:05:23.920 --> 00:05:24.800 so I'm with you on that. 98 00:05:25.639 --> 00:05:27.000 Yeah, Yeah, it's funny. 99 00:05:27.040 --> 00:05:29.480 I've been trying to push people to just like bundle 100 00:05:29.560 --> 00:05:34.279 update patch on like every deploy because like the chances 101 00:05:34.319 --> 00:05:36.800 of something going wrong in a patch release is like 102 00:05:37.000 --> 00:05:40.800 so low that like you've gained so much more by 103 00:05:40.879 --> 00:05:44.360 like all of those security enhancements and like fixes in 104 00:05:44.399 --> 00:05:47.120 a patch little version that it's almost worth just like 105 00:05:47.680 --> 00:05:51.279 doing it if the test pass right, Like, yeah. 106 00:05:50.560 --> 00:05:52.920 So what does bundle update patch do Because I've used 107 00:05:52.959 --> 00:05:56.680 like the pessimized gem that locks in your version right 108 00:05:56.920 --> 00:05:58.360 and let's you upgrade from there. 109 00:05:58.680 --> 00:06:02.360 Yeah, so bundle bundle update tool it has like a 110 00:06:02.399 --> 00:06:05.120 way to give it different flags of like, so it's 111 00:06:05.120 --> 00:06:07.680 a canonical version to all the Ruby gems typically are, 112 00:06:08.360 --> 00:06:11.319 so as long as the gems in dependency's using our canonicals, 113 00:06:11.360 --> 00:06:14.040 meaning there's like a patch level a minor and a 114 00:06:14.079 --> 00:06:17.079 major version to it, then you could just say, okay, 115 00:06:17.120 --> 00:06:22.920 give me only the latest you know, patch updates. And 116 00:06:23.040 --> 00:06:26.839 like people I feel like as at least for like 117 00:06:26.920 --> 00:06:30.279 everything that reels would touch, Like the gem maintainers of 118 00:06:30.279 --> 00:06:32.800 those are very careful about what to release in a 119 00:06:32.839 --> 00:06:35.399 patch version and not like cause any issues because like 120 00:06:35.600 --> 00:06:37.279 they don't want to deal with all the issues that 121 00:06:37.319 --> 00:06:39.839 come from that, right, Like I'm not being like, oh, hey, 122 00:06:39.920 --> 00:06:42.319 like I have like this new like obscure thing, like 123 00:06:42.600 --> 00:06:44.879 they would rather just like, okay, let's make it minimal 124 00:06:44.920 --> 00:06:47.360 and then you know, in a minor major version, like 125 00:06:47.879 --> 00:06:50.199 it's to be expected, right, We've outlined these things that's 126 00:06:50.240 --> 00:06:53.519 gone through the process. But a patch version like it's like, hey, 127 00:06:53.560 --> 00:06:56.079 we fix this thing as serious, Like you should really 128 00:06:56.879 --> 00:06:57.519 integrate this. 129 00:06:58.879 --> 00:07:01.240 Right. So if I have in my gem file just 130 00:07:01.720 --> 00:07:05.079 sidekick and I didn't specify a version and there's a 131 00:07:05.079 --> 00:07:09.079 major version update, I can do bundle update with patch 132 00:07:09.120 --> 00:07:13.160 flag and it'll just update it to the highest patch 133 00:07:13.240 --> 00:07:15.639 version and it won't do a major update. 134 00:07:15.639 --> 00:07:17.279 It won't do it won't even do the minor right, 135 00:07:17.319 --> 00:07:17.959 so it will keep it. 136 00:07:18.000 --> 00:07:20.000 If it's like three point two, it'll do that and 137 00:07:20.040 --> 00:07:21.920 then just like pump it to the latest one, which, 138 00:07:22.319 --> 00:07:22.600 to be. 139 00:07:22.560 --> 00:07:26.240 Honest, doing that with Rails maybe a little trickier because. 140 00:07:26.000 --> 00:07:27.800 It does like, yeah, Rails is fine. 141 00:07:27.879 --> 00:07:30.199 You know, it has so many patches that get released, 142 00:07:30.240 --> 00:07:32.040 so if you like fall behind, but like that's why 143 00:07:32.079 --> 00:07:34.879 you're like, if you're deploying a lot anyway, right, Like 144 00:07:35.040 --> 00:07:38.720 then like getting Rails to update itself incrementally as it 145 00:07:38.759 --> 00:07:41.279 gets updated at a patch level is not going to 146 00:07:41.319 --> 00:07:44.079 be so bad. And a lot of times, you know, 147 00:07:44.160 --> 00:07:46.279 if you have a good test case, which you know, 148 00:07:46.360 --> 00:07:49.439 let's hope everybody does, but like if you don't, like 149 00:07:49.639 --> 00:07:51.680 obviously maybe you don't want to build this into your 150 00:07:51.720 --> 00:07:54.680 deployee process. But like, if you have a good like 151 00:07:54.839 --> 00:07:58.720 test infrastructure, like doing a patch update, like it's gonna 152 00:07:58.920 --> 00:08:01.480 be almost nothing and you'll catch most of the issues 153 00:08:01.800 --> 00:08:06.480 in any of the test files applications. 154 00:08:06.519 --> 00:08:09.519 What if they deplicate things in a I know it's 155 00:08:09.519 --> 00:08:11.759 shit they shouldn't, but sometimes they do, and then your 156 00:08:11.800 --> 00:08:15.360 logs are littered with all of the deplication warnings, right, 157 00:08:15.480 --> 00:08:16.279 and then you're. 158 00:08:16.079 --> 00:08:22.959 Like, I mean, personally, I would rather have it be 159 00:08:23.279 --> 00:08:27.920 secure than like, uh, you know, worry about all the 160 00:08:27.959 --> 00:08:32.320 proposity of the outputs, right, Like I feel like, you know, yeah, 161 00:08:32.799 --> 00:08:35.360 littered logs is not great to deal with, but like 162 00:08:35.799 --> 00:08:38.720 it's honestly better than the alternative of having like a 163 00:08:38.720 --> 00:08:42.720 security hole and then like getting like you know, page 164 00:08:42.720 --> 00:08:44.639 your duty in the middle of the night, like, hey, 165 00:08:44.759 --> 00:08:47.159 somebody took advantage of this. We need to like start 166 00:08:47.200 --> 00:08:49.919 an incident response, right Like, yeah. 167 00:08:49.720 --> 00:08:53.080 But that's why you should use bundle audit or depend 168 00:08:53.120 --> 00:08:55.960 on what we the security updates, because then even though 169 00:08:55.960 --> 00:08:58.240 it's a patrities, you will notified that this is an 170 00:08:58.240 --> 00:09:02.159 important paturities you need to do this upgrade. 171 00:09:02.519 --> 00:09:04.200 Yeah, So I'm curious what your thoughts are there, Like 172 00:09:05.440 --> 00:09:08.519 is that the best like approach still today is like 173 00:09:08.679 --> 00:09:12.879 using the audit feature, Like what is your workflow? 174 00:09:13.240 --> 00:09:15.000 Like, look like that's. 175 00:09:14.759 --> 00:09:17.120 What I use. It's running on CI and it's running 176 00:09:17.120 --> 00:09:21.279 also in development in a git hook and then it's 177 00:09:21.360 --> 00:09:24.240 just you not divide imitated also on cil of people. 178 00:09:24.279 --> 00:09:26.480 What they forget is they sell it up to run 179 00:09:26.519 --> 00:09:31.559 on the Magic Quest or Poor Requests, whichever geitos they use, 180 00:09:32.240 --> 00:09:35.440 but they don't run it daily on the master or 181 00:09:35.519 --> 00:09:37.879 main branch, which is if you don't deplay every day. 182 00:09:37.919 --> 00:09:41.159 If you don't match requests every day, then you might 183 00:09:41.240 --> 00:09:44.080 not be notified about an important secretaries. So it's a 184 00:09:44.080 --> 00:09:46.159 good idea to actually the way I sell it up, 185 00:09:46.200 --> 00:09:48.679 if I have the chance to set up anywhere, run 186 00:09:48.720 --> 00:09:51.159 it twice a day on the master branch, and run 187 00:09:51.200 --> 00:09:55.279 it on every poor quest MARGC quest M because then 188 00:09:55.320 --> 00:09:58.559 you all anyways also like weekends, so if it's on 189 00:09:58.600 --> 00:10:01.480 a weekend, really something on a Saturday, you don't getting 190 00:10:01.480 --> 00:10:03.159 notified if you. 191 00:10:05.039 --> 00:10:10.240 Right, and it'll it'll fail the build if if it 192 00:10:10.279 --> 00:10:11.600 doesn't pass the audit right. 193 00:10:12.320 --> 00:10:14.799 Yeah, and if it fails a musta but you are 194 00:10:14.799 --> 00:10:17.519 don't expect the old day, we'll get an need imlification 195 00:10:17.600 --> 00:10:20.240 or whatever you set up and then you know that, 196 00:10:20.320 --> 00:10:23.279 oh I need to look into this because something is up. 197 00:10:24.480 --> 00:10:25.000 Makes sense. 198 00:10:26.000 --> 00:10:28.240 Yeah, I'm just waiting for the day to have like 199 00:10:28.440 --> 00:10:32.240 you know, reels autopilot just automatic like if you have 200 00:10:32.320 --> 00:10:34.559 like a bunch of hobby projects that you're just like, oh, 201 00:10:34.639 --> 00:10:36.039 like I'm not going to spend any time on this 202 00:10:36.120 --> 00:10:39.360 for six months, like just like automatically merge any updates 203 00:10:39.360 --> 00:10:41.759 as it comes and like resolve itself, Like oh I 204 00:10:41.759 --> 00:10:43.399 would love that and then just come back and then 205 00:10:43.440 --> 00:10:45.720 you know, if when I'm ready to work on it again, 206 00:10:45.840 --> 00:10:47.519 at least it's up to date and I can like 207 00:10:47.639 --> 00:10:50.480 resolve any issues that there are. Right, But you know, 208 00:10:50.559 --> 00:10:53.320 every single time I go back to a hobby project 209 00:10:53.320 --> 00:10:55.799 and I'm like, shit, I can't spend any time on 210 00:10:55.799 --> 00:10:57.840 this because I gotta spend the time update again, and 211 00:10:57.840 --> 00:10:58.720 then I lose that. 212 00:10:58.879 --> 00:11:02.960 Like you know, uh, you should very depend I think 213 00:11:03.000 --> 00:11:06.320 dependab What doesn't You can set it automatic? Yeah you can. 214 00:11:06.399 --> 00:11:09.840 You can, yeah, yeah, for for a patch level, and 215 00:11:10.159 --> 00:11:11.679 maybe you can do it for mine, and maybe you 216 00:11:11.720 --> 00:11:13.159 can do it for every level. I don't know, but 217 00:11:13.240 --> 00:11:16.000 you can do it for sure, and then yeah it 218 00:11:16.360 --> 00:11:21.080 is everything. Things might break because you might not get 219 00:11:21.120 --> 00:11:24.159 it with the test, but there is you never know. 220 00:11:24.360 --> 00:11:26.559 I don't, right, I don't. Maybe it's just me that 221 00:11:26.600 --> 00:11:29.519 this is why I also don't trust AI. It's I 222 00:11:29.600 --> 00:11:33.000 just I trust humans more for some reason, there's some 223 00:11:33.200 --> 00:11:36.720 human oversight. I trust that process like an order of 224 00:11:36.799 --> 00:11:39.759 magnitude more than if it's just something wholly automated. 225 00:11:41.080 --> 00:11:44.360 Yeah. I think it's getting better, but I don't blame 226 00:11:44.399 --> 00:11:44.799 you there. 227 00:11:45.799 --> 00:11:50.120 Yeah, yeah, I've been liking the review process so like automate, 228 00:11:50.159 --> 00:11:53.159 but review, so like you know, well, all just like 229 00:11:53.200 --> 00:11:55.519 set out a plan and then like the okay, I 230 00:11:55.559 --> 00:11:58.720 executed all the plan and then notify you okay, review this. 231 00:11:59.480 --> 00:12:02.200 I did the things right right, and then if you do, 232 00:12:02.320 --> 00:12:04.919 like decide not to review it, like okay, Well that's 233 00:12:05.080 --> 00:12:07.440 the same as like working with a coworker that did 234 00:12:07.480 --> 00:12:09.360 the same thing right and you didn't review it and 235 00:12:09.399 --> 00:12:10.559 they did it anyway right. 236 00:12:11.720 --> 00:12:16.480 Yeah, definitely, But also from a human I expect more 237 00:12:16.519 --> 00:12:19.799 than from a So with AI, my issue is that 238 00:12:19.919 --> 00:12:21.840 I write a piece of code, right, I asked him 239 00:12:21.879 --> 00:12:24.440 can you refractor this to me? It speeds back a 240 00:12:24.480 --> 00:12:28.720 bunch of changes which I need to review. And if 241 00:12:28.759 --> 00:12:31.480 I ask a junior developer can you work on this feature? 242 00:12:31.600 --> 00:12:34.000 They work, They submit to polly quest and if they 243 00:12:34.039 --> 00:12:36.639 are uncertain about some things which they did, they will 244 00:12:36.679 --> 00:12:39.360 highlight that here is my polly quest, but I'm not 245 00:12:39.399 --> 00:12:43.000 really sure about this part. Can you review that more totally? 246 00:12:44.000 --> 00:12:46.600 But yeah, doesn't do that. It's confidently saying this is 247 00:12:46.639 --> 00:12:50.080 the solution, and they are like, okay, it's like fifty 248 00:12:50.240 --> 00:12:53.360 lines of changes. Am I going to focus on each 249 00:12:53.360 --> 00:12:53.919 fifty line? 250 00:12:54.200 --> 00:12:56.679 You bring up a great point maybe what we're missing 251 00:12:56.919 --> 00:13:00.559 is a junior AI right, like that has it in 252 00:13:01.000 --> 00:13:03.679 I am not confident, I don't know what I'm doing. 253 00:13:04.039 --> 00:13:07.480 And then IT can, you know, be maybe a little 254 00:13:07.480 --> 00:13:08.159 more cautious. 255 00:13:08.799 --> 00:13:10.480 I think you're onto something there or. 256 00:13:10.600 --> 00:13:12.799 Vey or vade what it gives it, because it can 257 00:13:12.840 --> 00:13:15.919 be confident about some parts which are like basic or 258 00:13:16.360 --> 00:13:18.440 or it knows it too well. But if you are 259 00:13:18.480 --> 00:13:21.320 a little bit uncertain about something, highlight that, so I 260 00:13:21.399 --> 00:13:23.600 carry you that more. 261 00:13:24.279 --> 00:13:26.759 Yeah. The issue that I run into though, is that 262 00:13:26.840 --> 00:13:28.679 a lot of times what I get back from AI, 263 00:13:30.320 --> 00:13:32.399 I'm not confident that A it would flag the right 264 00:13:32.440 --> 00:13:35.600 things or B that a lot of times I get 265 00:13:35.639 --> 00:13:39.480 code back that it's like it's like, yeah, like the 266 00:13:39.559 --> 00:13:42.080 general structure as far as like I have to loop 267 00:13:42.120 --> 00:13:44.120 over these things, or I have to make this kind 268 00:13:44.159 --> 00:13:47.039 of a request or you know, call into this API 269 00:13:47.679 --> 00:13:50.200 is generally correct, and then the rest of it it's 270 00:13:50.240 --> 00:13:53.879 it's it may as well have written pseudo code, right, 271 00:13:53.960 --> 00:13:57.960 And it's like it's like you guessed at the method 272 00:13:58.039 --> 00:14:01.000 name instead of looking it up what a human would do, 273 00:14:01.080 --> 00:14:05.080 they'd go look it up. How do I whatever? Anyway, 274 00:14:05.120 --> 00:14:06.759 we're off on a tangent I want to get back 275 00:14:06.799 --> 00:14:13.120 to security. So so the catabot is in there by default. 276 00:14:14.240 --> 00:14:17.559 You can use bundle audit if you want instead and 277 00:14:17.559 --> 00:14:18.559 put that into your CI. 278 00:14:19.200 --> 00:14:22.799 What else do we get on the change is really 279 00:14:22.799 --> 00:14:26.720 similar is Brakeman. It's also got a default CI file. 280 00:14:26.960 --> 00:14:30.519 So Breakman is a static code analyzer for security issues. 281 00:14:31.039 --> 00:14:34.080 It basically highlights code spots where you might do something 282 00:14:34.080 --> 00:14:38.000 which is insecure. I think that's also a great addition. 283 00:14:38.240 --> 00:14:40.879 It gives you false positives, you can ignore those, but 284 00:14:40.919 --> 00:14:43.879 it at least makes you aver of certain things. That 285 00:14:43.960 --> 00:14:46.080 saves you from sidy mistakes. It's so easy to make 286 00:14:46.120 --> 00:14:49.039 a silly mistake which you don't realize you use an 287 00:14:49.039 --> 00:14:52.600 insect an API and insecure way because you just forget 288 00:14:52.639 --> 00:14:55.919 about something, and it just saves you from those issues. 289 00:14:56.600 --> 00:14:59.320 I think that's also a great change or great addition. 290 00:15:00.840 --> 00:15:03.320 The thing I like about Breakman is that, yeah, it 291 00:15:03.320 --> 00:15:07.440 gives you false positives, but like all of the commonly 292 00:15:07.519 --> 00:15:11.200 understood bad things you can do, or the the traps 293 00:15:11.200 --> 00:15:13.639 that you more easily fall into, it's got all of 294 00:15:13.639 --> 00:15:15.679 that in there. And so yeah, I might give you 295 00:15:15.679 --> 00:15:17.720 a false positive and say this is insecure, and you 296 00:15:17.759 --> 00:15:19.279 look at it and you go, no, I'm not doing 297 00:15:19.320 --> 00:15:22.720 what you think I'm doing. But it catches the really 298 00:15:22.759 --> 00:15:23.799 easy dumb stuff. 299 00:15:24.360 --> 00:15:30.799 Yeah, yeah, definitely. And the next one is which is 300 00:15:30.840 --> 00:15:33.320 a new feature in this it's the rate limiting, the 301 00:15:33.399 --> 00:15:37.080 built in rate limiting. Sure you guys heard about that one. 302 00:15:37.480 --> 00:15:42.000 And I don't know how many times. 303 00:15:41.720 --> 00:15:44.039 But I don't know how many times I'm built rate limiting. 304 00:15:45.279 --> 00:15:49.440 I've got an app that I want to build to 305 00:15:49.600 --> 00:15:52.600 replace a process we went through last year. It's part 306 00:15:52.600 --> 00:15:55.679 of my political stuff, but letting people register for our 307 00:15:55.720 --> 00:15:58.840 caucus night in Utah, we get we having like nine 308 00:15:58.919 --> 00:16:03.159 hundred thousand party members that are eligible to attend our 309 00:16:03.159 --> 00:16:08.200 caucus meetings, and we got ddasked last year by somebody 310 00:16:08.200 --> 00:16:11.559 who doesn't like the party. And so I'm wondering if 311 00:16:11.600 --> 00:16:12.559 something like this will help. 312 00:16:14.159 --> 00:16:17.000 It could help, but it might not have for a 313 00:16:17.080 --> 00:16:20.159 DDA setech. I think it's a you would need something 314 00:16:20.240 --> 00:16:21.639 like cloud fare, which. 315 00:16:21.559 --> 00:16:23.679 That's what That's what I'm seriously looking at. 316 00:16:23.679 --> 00:16:26.600 But yeah, so for what this one is good for. 317 00:16:27.000 --> 00:16:29.120 The thing this one is good for eight limiting is 318 00:16:29.320 --> 00:16:32.399 save you from creditial stuff in attacks. For instance, you 319 00:16:32.440 --> 00:16:35.360 know when there is a league password database, and then 320 00:16:35.399 --> 00:16:38.759 a malicious ouctors will try to use all of those 321 00:16:38.840 --> 00:16:41.279 logging details on your side to see if the same 322 00:16:41.320 --> 00:16:44.240 person has an account with the same credentials and then 323 00:16:44.240 --> 00:16:46.720 they oh, I gotcha, and then they can take over 324 00:16:46.799 --> 00:16:50.320 doct and do whatever malicius things. And in my talk 325 00:16:50.399 --> 00:16:53.480 I highlighted a few examples from it's actually now the 326 00:16:53.639 --> 00:16:56.799 three years ago from twenty to twenty three, it was 327 00:16:56.840 --> 00:16:59.799 the year before, like twenty three, and Meter the DNA 328 00:17:00.600 --> 00:17:05.720 they analyze this side, they had an issue with this. Also, 329 00:17:06.039 --> 00:17:08.519 General Motors had a big issue. They had a bunch 330 00:17:08.519 --> 00:17:11.960 of account taken over and like Credit partially credit card 331 00:17:11.960 --> 00:17:16.599 details leaked, and Roku the streaming platform also had like 332 00:17:16.680 --> 00:17:20.559 half a million of their users access details were leaked 333 00:17:20.880 --> 00:17:25.720 because of our credentials stuff creditial stuff in attack. So 334 00:17:25.759 --> 00:17:27.960 I think there's a very good addition trails to prevent 335 00:17:28.000 --> 00:17:31.119 all of these issues. We already had wreck attack, which 336 00:17:31.160 --> 00:17:33.920 is a jam. It's a very old jam, but a 337 00:17:33.920 --> 00:17:36.440 lot of people don't know about that. And this is 338 00:17:36.440 --> 00:17:38.599 why I really like these changes in rails because once 339 00:17:38.640 --> 00:17:42.400 it's in rail score, a lot of people are becoming 340 00:17:42.480 --> 00:17:45.640 aware of these issues, which they these too solve and 341 00:17:45.720 --> 00:17:47.960 it might not be the best for that team or 342 00:17:47.960 --> 00:17:49.960 that person, but at least now they are oh, I 343 00:17:50.000 --> 00:17:53.599 need to think about credential stuffing, and then they find 344 00:17:53.640 --> 00:17:55.880 out a solution which works for them. 345 00:17:56.319 --> 00:17:59.039 So is this in RAILS seven to or is this 346 00:17:59.119 --> 00:17:59.799 in Rails eight. 347 00:18:00.559 --> 00:18:03.440 It's in Rael seven too. It got some improvements which 348 00:18:03.480 --> 00:18:08.720 only landed in Rals eight. And it's really simple. You 349 00:18:08.799 --> 00:18:12.119 add a single line to your controller and you just 350 00:18:12.200 --> 00:18:16.160 set the You set that the two parameter, which is 351 00:18:16.200 --> 00:18:18.720 how many requests you want to allow, and you set 352 00:18:18.799 --> 00:18:21.359 the wedding, which is like the timeframe. Let's say you 353 00:18:21.440 --> 00:18:24.599 want to allow ten requests within ten within three minutes 354 00:18:24.640 --> 00:18:28.000 from the same user, and then that's it, and then 355 00:18:28.039 --> 00:18:32.000 you have great limiting. You can also configure which actions 356 00:18:32.039 --> 00:18:34.359 you want it to be called on. It's like a 357 00:18:34.359 --> 00:18:37.440 before filter in the control aft. You can set if 358 00:18:37.440 --> 00:18:40.200 you want to exclude any actions or if you want 359 00:18:40.240 --> 00:18:44.440 to include only set in actions. You can also configure 360 00:18:44.559 --> 00:18:48.759 a custom response because by default it raised a four 361 00:18:48.839 --> 00:18:53.359 to nine header, and then you can change that and 362 00:18:53.519 --> 00:18:57.279 just redirect to a page, display a message or whatever 363 00:18:57.359 --> 00:19:02.960 you want to do. Also another important thing to mention initially, 364 00:19:03.119 --> 00:19:06.519 but the first implementation used reddis but then it's been 365 00:19:06.559 --> 00:19:10.640 rewritten and now this storage the back end is any 366 00:19:11.200 --> 00:19:15.400 rare cash compatible storage can work, so you can use 367 00:19:15.440 --> 00:19:20.000 the solid cash or whatever you want and you don't 368 00:19:20.039 --> 00:19:23.000 need to you don't need to have reddie as a dependency. 369 00:19:25.279 --> 00:19:27.759 I love that move away from reddis. 370 00:19:28.240 --> 00:19:31.519 The storage patterns across the border just really great to 371 00:19:31.519 --> 00:19:37.039 see it become more cohesive. I really like this byeline 372 00:19:37.079 --> 00:19:40.039 to give it a product and say like, hey, you 373 00:19:40.079 --> 00:19:43.480 know rate limited, biop or whatever you want to filter 374 00:19:43.799 --> 00:19:44.200 scope to. 375 00:19:45.839 --> 00:19:49.240 Yeah, if you would want to have something like cloud flare, 376 00:19:49.400 --> 00:19:52.119 you could achieve that using that parameter. So you would 377 00:19:52.119 --> 00:19:54.720 set a cookie and then you would rately meet by 378 00:19:54.759 --> 00:19:58.920 that cookie, and then you can handle more propell adidos 379 00:19:58.960 --> 00:20:01.200 attack as well. Otherwise, if you do it by the 380 00:20:01.240 --> 00:20:05.200 ip adidos is usually they use a whole range of ideas. 381 00:20:05.799 --> 00:20:07.799 It's one client, so if you set a cookie on 382 00:20:07.880 --> 00:20:10.960 that client, then you can identify the same client from 383 00:20:11.039 --> 00:20:11.880 a different idea. 384 00:20:13.799 --> 00:20:17.519 Yeah, I'm liking where this is going for sure. I 385 00:20:17.519 --> 00:20:20.039 think cloud flare is probably the best answer for what 386 00:20:20.039 --> 00:20:23.880 I'm looking for, but I like this to manage your 387 00:20:23.920 --> 00:20:26.079 credential stuffing and things like that. 388 00:20:27.119 --> 00:20:29.880 Yeah, my only problem with cloud Flare. I love them. 389 00:20:30.039 --> 00:20:34.279 They're really cool. It's very cheap, but I think now 390 00:20:34.279 --> 00:20:37.279 they are swallowing a big part of the Internet and 391 00:20:37.400 --> 00:20:39.599 maybe one day they will say, Okay, now we are 392 00:20:39.640 --> 00:20:45.440 greedy and now start an extortion amount on everybody. Let's 393 00:20:45.480 --> 00:20:49.680 hope they never do this, but it happened before, and 394 00:20:49.720 --> 00:20:52.000 they might say, yeah, now we want all the money 395 00:20:52.079 --> 00:20:54.839 and now you rely on us. There is nowhere else 396 00:20:54.920 --> 00:20:58.680 to go, or the small competitors are gone and I 397 00:20:58.799 --> 00:21:02.440 need to pay us a lot. But let's hope they 398 00:21:02.440 --> 00:21:03.319 are not going to do that. 399 00:21:04.240 --> 00:21:04.440 Yeah. 400 00:21:07.440 --> 00:21:09.839 Cool. And so the next thing I mentioned in the 401 00:21:09.920 --> 00:21:14.039