Securing Ruby on Rails Apps
DevSnack #42: We all know the benefits of Ruby on Rails applications, but what about their security? In this DevSnack we cover several aspects of Ruby on Rails applications from a security standpoint. There is no simple guide you can follow to build an "impenetrable" web application, but with the following articles you will at least be able to build more robust RoR applications.
In the following article, Gavin Miller covers the options you have for keeping up with the latest security alerts.
He covers mailing lists, Common Vulnerabilities and Exposures (CVE) reports, and tools for auditing the security of your application.
Heiko Webers is the author of the "Rails Security Guide" and "Rails Security Strategy". He compiled a list of security issues to check for when developing Rails apps.
From the venerable SQL injection to Cross-Site Request Forgery, he goes through 10 vulnerabilities, explaining each one and how to avoid it.
In the following post, Hayley Anderson explains how to use the "Rack::Attack" gem in a Rails application. Rack::Attack is a Rack middleware for blocking and throttling abusive requests (safelists, blocklists and rate limits keyed on, for example, the client IP); it does not test how secure your application is, but it is a cheap first line of defence against brute-force logins and scrapers. Give it a try!
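To make the throttling concrete, here is an added example of a fixed-window request throttle of the kind Rack::Attack provides. It is not Rack::Attack's own code and is not from Hayley Anderson's post: it imitates the semantics of `Rack::Attack.throttle("req/ip", limit: 5, period: 60) { |req| req.ip }` with a plain Hash standing in for `Rails.cache`, an injectable clock, and constructed sample traffic, so that it runs with no gems installed.

```ruby
# Added example: a fixed-window request throttle in the spirit of Rack::Attack's
# `throttle(name, limit:, period:) { |req| key }`. Not Rack::Attack's own code;
# a Hash stands in for Rails.cache so the file runs stand-alone.
class Throttle
  def initialize(app, name:, limit:, period:, clock: -> { Time.now.to_i }, &discriminator)
    @app = app
    @name = name
    @limit = limit
    @period = period
    @clock = clock                   # injectable so the replay below is deterministic
    @discriminator = discriminator   # env -> key (e.g. client IP); nil means "do not throttle"
    @counts = Hash.new(0)            # "name:window:key" -> hits seen in that window
  end

  def call(env)
    key = @discriminator.call(env)
    return @app.call(env) if key.nil?

    now = @clock.call
    window = now / @period           # fixed window index; counters start afresh at each boundary
    count = (@counts["#{@name}:#{window}:#{key}"] += 1)

    if count > @limit
      # 429 plus Retry-After so well-behaved clients back off until the window rolls over
      retry_after = @period - (now % @period)
      return [429, { 'content-type' => 'text/plain', 'retry-after' => retry_after.to_s }, ["Retry later\n"]]
    end

    @app.call(env)
  end
end

# Replay constructed requests ([client_ip, seconds_since_previous_request]) through a
# throttled app driven by a fake clock, returning the status code each request received.
def replay(requests, limit: 5, period: 60)
  clock_now = 1_000_000  # arbitrary start; 1_000_000 % 60 == 40, so the first window ends in 20 s
  app = ->(_env) { [200, { 'content-type' => 'text/plain' }, ["ok\n"]] }
  throttled = Throttle.new(app, name: 'req/ip', limit: limit, period: period,
                           clock: -> { clock_now }) { |env| env['REMOTE_ADDR'] }
  requests.map do |ip, advance|
    clock_now += advance
    status, = throttled.call('REMOTE_ADDR' => ip, 'REQUEST_METHOD' => 'POST', 'PATH_INFO' => '/login')
    status
  end
end

# Constructed traffic: six rapid POSTs to /login from one address, one from a second
# address, then one more from the first address after the 60-second window has rolled over.
SAMPLE_REQUESTS = [['10.0.0.1', 0]] * 6 + [['10.0.0.2', 0], ['10.0.0.1', 20]]

p replay(SAMPLE_REQUESTS) if $PROGRAM_NAME == __FILE__   # [200, 200, 200, 200, 200, 429, 200, 200]
```

Two caveats carry over to the real gem. A fixed window lets a client send up to twice the limit across a window boundary; if that matters, throttle on a shorter period as well, or track a sliding window. And the counters must live in a store shared by every application process (Rack::Attack uses `Rails.cache`), otherwise each process enforces the limit separately and the effective limit multiplies with your process count; behind a proxy, make sure the key is the real client address rather than the proxy's.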
We all know that a username and password alone do not make for robust authentication. Two-factor authentication helps to address this. It is not a "one size fits all" solution, there is no such thing, but it definitely helps.
Phil Nash covers this topic by building a Rails 4 application with the “Authy” gem to protect puppy pictures.
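For readers who want to see what the server actually checks when a user types in the code from their phone, here is an added example: a self-contained RFC 6238 TOTP verifier written for this page. It is not the Authy gem and not Phil Nash's code; the Authy gem sends the user's token to the Authy API for verification rather than computing it locally, whereas this version computes the code itself so it runs offline. The key is the RFC 6238 SHA-1 test key, used only so the output can be checked against the RFC's published values.

```ruby
require 'openssl'

# Added example: how an app-generated second factor is checked (RFC 6238 TOTP).
# Written for this page; not the Authy gem, which verifies tokens via the Authy API.

TIME_STEP = 30  # seconds each code is valid for
DIGITS    = 6

# HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
def hotp(secret, counter, digits = DIGITS)
  hmac   = OpenSSL::HMAC.digest('sha1', secret, [counter].pack('Q>'))
  offset = hmac.getbyte(19) & 0x0f
  code   = (hmac[offset, 4].unpack1('N') & 0x7fffffff) % (10**digits)
  format("%0#{digits}d", code)
end

# TOTP (RFC 6238): HOTP with the counter derived from the current time step.
def totp(secret, unix_time, digits = DIGITS)
  hotp(secret, unix_time / TIME_STEP, digits)
end

# Constant-time comparison so a timing side channel cannot leak how many digits matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Check a submitted code. Accepts one step of clock skew either side, and refuses any
# counter at or below the last one already accepted for this user, so a code captured
# in transit cannot be replayed inside its 30-second validity window.
# Returns the matched counter (persist it as the user's new watermark) or nil.
def verify_totp(secret, submitted, now:, last_used_counter: -1, skew: 1)
  counter = now / TIME_STEP
  ((counter - skew)..(counter + skew)).each do |c|
    next if c <= last_used_counter
    return c if secure_compare(hotp(secret, c), submitted.to_s)
  end
  nil
end

# The RFC 6238 SHA-1 test key (ASCII "12345678901234567890"), used here only because its
# codes are published. A real app generates a random per-user secret with SecureRandom
# and stores it encrypted; never reuse this one.
RFC_TEST_SECRET = '12345678901234567890'

if $PROGRAM_NAME == __FILE__
  puts totp(RFC_TEST_SECRET, 59)                                          # 287082 (RFC 6238, T=1)
  p verify_totp(RFC_TEST_SECRET, '287082', now: 65)                       # 1: previous step, within skew
  p verify_totp(RFC_TEST_SECRET, '287082', now: 65, last_used_counter: 1) # nil: replay refused
end
```

Whatever generates the code, the two things a Rails app has to get right are the same: compare in constant time, and record the counter that was accepted so the same code cannot be submitted twice. A hosted service such as Authy takes care of the code arithmetic, but rate limiting the verification endpoint is still your job, since six digits are brute-forceable without it.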
#5 – More Useful Resources
- Ruby on Rails Security Project: This project indexes useful articles, tools and guides about Rails security.
- Ruby on Rails Security Mailing List: This is the mailing list for security announcements about Rails, and a good place to check the security state of a release before you upgrade.
- Brakeman – Rails Security Scanner: This gem statically scans your application's code and reports potentially unsafe constructs, such as SQL built from user input or unescaped output in views.
Sadly, there is no perfectly secure application and no magic solution. As a community, we all need to contribute!
“Security is sometimes a tough effort to justify because when it’s working you’ll rarely notice” – Gavin Miller
DevSnack by Moove-it is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.