I've been developing a small CRUD-ish Ruby on Rails application in my free time for a non-profit organization. The app is already running at a small scale on Heroku.
Lately I've been thinking about open sourcing the application. There are many pros to this, e.g. I already know a couple of possible contributors, and even my employer has shown interest in supporting the project in a couple of ways if it were open source.
Normally I wouldn't hesitate with this kind of possibility at all, but the problem here is that the application stores at least somewhat sensitive information about the people using it. I have a fear that, as the project is small and after all will always have just a limited amount of developer time and resources, open sourcing it would attract more malicious hackers than actual contributors. I don't want to harm anyone, and especially not the targeted users of the app, so even a slight increase in the probability of a data leak worries me.
When thinking sensibly, I understand that
- As the app is very small, there is a very limited possibility that someone would actually try to attack it
- RoR gives me a quite good and real-life-tested environment to build on top of
- Security through obscurity is mostly regarded as nonsense
- IMHO the pros of open sourcing outweigh the cons
I don't want this to become another discussion about Open Source vs. Closed Source Systems. However, to relieve my mind, I'd like to know what I can realistically do to minimize the possibility of an attack. So far at least these things have wandered through my mind:
- Use the latest Rails version, and apply all security fixes as fast as possible
- Purchase an SSL certificate and enforce HTTPS connections so that all data that users enter will be transferred encrypted
- Encrypt data in the database with a key stored in Heroku config vars. However, I'm not so sure about this one, because after all I have to trust Heroku, and as far as I understand, this would help only in cases where the actual database was compromised. Or am I mistaken here?
- Beg some security company to audit the application for free (as there is no $$ involved)
What else could/should I do?
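As an added illustration of the "encrypt in the database with a key from a Heroku config var" idea (this is example code written for this page, not the poster's application): the snippet below encrypts selected columns with AES-256-GCM using a key read from an environment variable, which is exactly how a Heroku config var reaches a dyno. It uses only the Ruby standard library, so it runs without Rails; the variable name `FIELD_ENCRYPTION_KEY`, the column names and the sample row are assumptions made for the example. Running it shows what a leaked database dump would contain versus what the running application (or anyone holding the config var) can read, which is the limit the poster suspected.

```ruby
# Added example (not the poster's code): application-level encryption of
# sensitive columns with a key taken from the environment, the way a Heroku
# config var is exposed to the dyno. Stdlib only, so it runs without Rails.
# FIELD_ENCRYPTION_KEY and the column names below are assumptions.
require 'openssl'
require 'securerandom'
require 'base64'

module FieldCrypto
  CIPHER = 'aes-256-gcm'.freeze
  # Hypothetical sensitive columns; everything else stays in the clear.
  SENSITIVE_FIELDS = %i[phone notes].freeze

  # Fresh 256-bit key, base64-encoded so it can be passed to `heroku config:set`.
  def self.generate_key
    Base64.strict_encode64(SecureRandom.random_bytes(32))
  end

  # Read and validate the key from an ENV-like object (ENV or a Hash).
  def self.key_from_env(env = ENV)
    encoded = env['FIELD_ENCRYPTION_KEY']
    raise KeyError, 'FIELD_ENCRYPTION_KEY is not set' if encoded.nil? || encoded.empty?
    key = Base64.strict_decode64(encoded)
    raise ArgumentError, 'key must be 32 bytes for AES-256' unless key.bytesize == 32
    key
  end

  # AES-256-GCM with a random 96-bit nonce. Returns "iv.ciphertext.tag" in
  # base64 so the value fits an ordinary text column; the tag makes any
  # modification of the stored value detectable on decrypt.
  def self.encrypt(plaintext, key)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = key
    iv = cipher.random_iv
    cipher.auth_data = ''
    # Cipher#update rejects empty input, so handle an empty field explicitly.
    ciphertext = (plaintext.empty? ? ''.b : cipher.update(plaintext)) + cipher.final
    [iv, ciphertext, cipher.auth_tag].map { |part| Base64.strict_encode64(part) }.join('.')
  end

  # Reverse of encrypt; raises OpenSSL::Cipher::CipherError on a wrong key
  # or a tampered value instead of returning garbage.
  def self.decrypt(stored, key)
    iv, ciphertext, tag = stored.split('.', 3).map { |part| Base64.strict_decode64(part) }
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key = key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = ''
    plain = (ciphertext.empty? ? ''.b : cipher.update(ciphertext)) + cipher.final
    plain.force_encoding(Encoding::UTF_8)
  end

  # The row as it is written to the database: only sensitive columns change.
  def self.protect(row, key)
    encrypted = SENSITIVE_FIELDS.each_with_object({}) do |field, acc|
      acc[field] = encrypt(row.fetch(field).to_s, key)
    end
    row.merge(encrypted)
  end

  # The row as the application sees it after reading it back.
  def self.reveal(row, key)
    decrypted = SENSITIVE_FIELDS.each_with_object({}) do |field, acc|
      acc[field] = decrypt(row.fetch(field), key)
    end
    row.merge(decrypted)
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed stand-in for the dyno's config vars and for one user record.
  env = { 'FIELD_ENCRYPTION_KEY' => FieldCrypto.generate_key }
  key = FieldCrypto.key_from_env(env)
  row = { id: 1, name: 'A. Person', phone: '+358 40 123 4567', notes: 'allergic to penicillin' }
  stored = FieldCrypto.protect(row, key)
  puts "what a leaked DB dump shows: #{stored}"
  puts "what the app (or whoever holds the config var) reads: #{FieldCrypto.reveal(stored, key)}"
end
```

Two things this makes concrete. First, the key lives with the application: a copy of the database alone (a stolen backup, a misconfigured replica) yields only the `iv.ciphertext.tag` strings, but whoever can read the app's environment, which on Heroku includes the platform and anyone with access to the app's config vars, can decrypt everything, so this is a defence against database exposure, not against compromise of the app itself. Second, the GCM tag means a wrong key or an edited column raises instead of silently returning nonsense. In a real Rails application the same idea is built in as Active Record Encryption (`encrypts :phone` in the model, keys kept in the encrypted credentials), which is preferable to hand-rolling the cipher calls shown here.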