Want to see the full-length video right now for free?
Sign In with GitHub for Free AccessOn this week's video, Chris is joined by Derek to discuss web security. Tune in to learn about the available resources and tools, and some specific issues to watch out for in Rails apps.
One of the best starting points for learning more about web security is the OWASP Top 10 list. OWASP is an organization focused on helping developers build and maintain safe, secure web applications. They produce an array of documentation, but the Top 10 list is a great starting point. The 2013 version of the list is the most recent.
The top 10 list covers the 10 most common vulnerabilities found in web applications. These include topics like Injection (command or SQL injection like Little Bobby Tables on XKCD), Broken Authentication and Session Management, Cross Site Scripting, and more.
The list provides a concise introduction and overview of these common vulnerabilities, and we highly recommend you review the whole list from time to time. Alternately, you can watch Derek's Lightning Talk on the OWASP Top 10 for a more detailed dive into the specific items on the list.
In addition to the Top 10, OWASP also provides a Ruby on Rails Cheatsheet. While the Top 10 speaks generally about the types of vulnerabilities common to web applications, the Rails cheatsheet goes into specifics providing example Rails code (and fixes) for these vulnerabilities.
The Ruby on Rails Security Guide is another great resource for Rails specific security info. It is maintained by the Rails core team and is continually updated with fresh information. This is another resource that we recommend all Rails devs review from time to time.
Specific to SQL injection in Rails (number 1 on the Top 10!), Rails SQLi is a page that collects a list of the ActiveRecord methods that are unsafe for user input as they do not sanitize.
bundler-audit is a gem that allows us to scan the list of gems being used in our Rails app (as listed in the Gemfile.lock), and compare them against a repository of know security issues.
It can be configured to run as part of our default rake
task and continuous
integration build for our app, ensuring that we'll catch any issues early.
# ./lib/tasks/bundler-audit.rake task definition
if Rails.env.development? || Rails.env.test?
require "bundler/audit/cli"
namespace :bundler do
desc "Updates the ruby-advisory-db and runs audit"
task :audit do
Bundler::Audit::CLI.start ["update"]
Bundler::Audit::CLI.start ["check"]
end
end
end
# Rakefile for Upcase, configured to run both rspec, and bundler-audit
require File.expand_path('../config/application', __FILE__)
Upcase::Application.load_tasks
if defined? RSpec
task(:spec).clear
RSpec::Core::RakeTask.new(:spec) do |t|
t.verbose = false
end
end
task default: ['spec', 'bundler:audit']
A great compliment to running bundler-audit
on your app is to sign up for the
RubySec Mailing List. This is a very low volume list that sends out
messages when there are new vulnerabilities discovered in gems or Ruby.
In addition, if there is ever a case where there is a particular gem with a
known security issue, but you need to defer updating until a patched version
of the gem is released (and you are confident your app is not vulnerable!),
then you can use the ignored_vulnerabilities
time-boxed exclusions list
below to get your build back to green.
# update the bundler-audit task to temporarily ignore specific vulnerabilities
if Rails.env.development? || Rails.env.test?
require "bundler/audit/cli"
namespace :bundler do
desc "Updates the ruby-advisory-db and runs audit"
task :audit do
Bundler::Audit::CLI.start ["update"]
- Bundler::Audit::CLI.start ["check"]
+ Bundler::Audit::CLI.start ["check"] + ignored_vulnerabilities
end
end
+ def ignored_vulnerabilities
+ if Date.today < Date.parse("2015-03-09")
+ ["--ignore", "OSVDB-117461"]
+ else
+ []
+ end
+ end
end
Brakeman is a static analysis tool you can run on your application to scan
for common issues such as SQL injection and XSS. You can include it as a gem
in your app's Gemfile
and then from time to time run the brakeman
command
to produce a report of any vulnerabilities it detects. Brakeman is also used
as the engine behind Code Climate's security analysis feature.
There is also a great Ruby rogues Episode with the author of brakeman there covers the tool itself, as well as many general security concepts.
Security is a shared responsibility and something we should all be familiar with when writing web applications. Throughout this episode we've provided a collection of resources and tools to help with your security work, but in the end it often comes back to the golden rule: never trust user input. Although most of your users are great, it only takes one bad egg and a single crack in the foundation to ruin your day.