Saturday, February 16, 2013

Staying on top of Ruby on Rails security


Maintaining a Ruby on Rails application and keeping it secure might feel like a challenge with all the security attention that the framework has received recently. Here are my suggestions for staying ahead of the curve.

Read the Ruby on Rails Security guide - This guide discusses security best practices when writing Ruby on Rails code.

Join the Ruby on Rails Security Google group - Every patched Ruby on Rails vulnerability gets announced in this group.

Familiarise yourself with common web application security risks - The OWASP Top Ten is a great source for this: site and document.

Keep an eye on your popular gems for security patches - Devise, Rack and JSON recently had vulnerability patches.

Have an automated security scan as part of your build pipeline - Automated scans cannot give you 100% confidence in your security status, but they will highlight the most obvious flaws to you. Brakeman is a popular security scanner for Ruby on Rails that is easy to integrate with Jenkins.
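As an added illustration (not code from the original post), here is a small Ruby build gate of the kind a Jenkins job could run after `brakeman -f json -o brakeman.json`: it reads Brakeman's JSON report and fails the build on unreviewed findings at or above a chosen confidence. The report below is a constructed sample; its file paths, messages and fingerprints are invented.

```ruby
require 'json'

# Constructed sample in the shape of a Brakeman JSON report (warnings carry a
# warning_type, a confidence of High/Medium/Weak and a stable fingerprint).
SAMPLE_REPORT = <<~JSON
{
  "warnings": [
    {"warning_type": "SQL Injection", "confidence": "High",
     "file": "app/models/user.rb", "line": 12,
     "message": "Possible SQL injection", "fingerprint": "aaa111"},
    {"warning_type": "Cross-Site Scripting", "confidence": "Medium",
     "file": "app/views/posts/show.html.erb", "line": 4,
     "message": "Unescaped model attribute", "fingerprint": "bbb222"},
    {"warning_type": "Mass Assignment", "confidence": "Weak",
     "file": "app/controllers/users_controller.rb", "line": 20,
     "message": "Unprotected mass assignment", "fingerprint": "ccc333"}
  ],
  "errors": []
}
JSON

CONFIDENCE_RANK = { "High" => 3, "Medium" => 2, "Weak" => 1 }.freeze

# Warnings that should block the build: at or above the minimum confidence and
# not already reviewed and accepted (tracked by fingerprint, not by line number,
# so the accepted list survives unrelated edits to the file).
def blocking_warnings(report_json, min_confidence: "Medium", accepted: [])
  report = JSON.parse(report_json)
  threshold = CONFIDENCE_RANK.fetch(min_confidence)
  report.fetch("warnings").select do |w|
    CONFIDENCE_RANK.fetch(w["confidence"], 0) >= threshold &&
      !accepted.include?(w["fingerprint"])
  end
end

# Gate decision: true means the pipeline should fail. Scanner errors (files
# Brakeman could not parse) also fail the build, since an unscanned file gives
# no confidence at all.
def build_should_fail?(report_json, min_confidence: "Medium", accepted: [])
  errors = JSON.parse(report_json).fetch("errors", [])
  !errors.empty? ||
    !blocking_warnings(report_json, min_confidence: min_confidence, accepted: accepted).empty?
end

# One line per finding for the CI log.
def format_findings(warnings)
  warnings.map { |w| "#{w['confidence']}: #{w['warning_type']} at #{w['file']}:#{w['line']} - #{w['message']}" }
end

puts format_findings(blocking_warnings(SAMPLE_REPORT))
puts(build_should_fail?(SAMPLE_REPORT) ? "BUILD FAILED" : "BUILD OK")
```

In a real job, read the report from the file Brakeman wrote and exit non-zero when `build_should_fail?` is true; keep the accepted fingerprints in version control so reviews are visible in history.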

Be ready to patch and deploy quickly - Be prepared to update and go to production at any point, be this on an application or infrastructure level. Adopting a Continuous Delivery model will empower you to do this very easily.

Understand your application security threats and objectives - Threat modeling is a popular exercise to achieve this. It can be a formal or an informal process - the important thing is that you understand your application's security threats and objectives.

Have a security evangelist in your team - Give someone in your team the responsibility to take ownership of promoting security in your projects.

Other useful resources - Ruby Security, OWASP Ruby on Rails Cheatsheet
