Fortify Rails Webinar

Transcript

1. Fortify Rails Defending Your Ruby on Rails Applications from Bad

   Actors FastRuby.io & Wafris.org Rails Security Webinar, June 2023

2. Founder & CTO @FastRubyIO

3. 🇦🇷 Hi, I’m from Argentina

4. 🇦🇷 Hi, I’m from Argentina 🦅 I live in Philadelphia

5. 🇦🇷 Hi, I’m from Argentina 🦅 I live in Philadelphia

   👨💻 I love Ruby & Open Source!

6. 🇦🇷 Hi, I’m from Argentina 🦅 I live in Philadelphia

   👨💻 I love Ruby & Open Source! 🤓 My pronouns are he/him

7. FastRuby.io 1. Ruby/Rails Upgrade Services

8. FastRuby.io 1. Ruby/Rails Upgrade Services 2. Fixed-cost, Monthly Maintenance Services

9. FastRuby.io 1. Ruby/Rails Upgrade Services 2. Fixed-cost, Monthly Maintenance Services

   3. Ruby/Rails Performance Optimization

10. FastRuby.io 1. Ruby/Rails Upgrade Services 2. Fixed-cost, Monthly Maintenance Services

    3. Ruby/Rails Performance Optimization 4. Ruby/Rails Security Audits

11. I ❤ Ruby & Rails

12. Rails ❤ 1. Convention over Configuration

13. Rails ❤ 1. Convention over Configuration 2. Development Speed

14. Rails ❤ 1. Convention over Configuration 2. Development Speed 3.

    Security Goodies

15. Rails ❤ 1. Convention over Configuration 2. Development Speed 3.

    Security Goodies

16. Native Rails Security Countermeasures

17. Native Rails Security Countermeasures 1. Cross-Site Scripting (XSS)

18. Native Rails Security Countermeasures 1. Cross-Site Scripting (XSS) 2. SQL

    Injection

19. Native Rails Security Countermeasures 1. Cross-Site Scripting (XSS) 2. SQL

    Injection 3. CSRF

20. Native Rails Security Countermeasures 1. Cross-Site Scripting (XSS) 2. SQL

    Injection 3. CSRF 4. Content-Security-Policy Header 5. Encrypted Credentials 6. Unsafe Query Generation 7. CSS Injection 8. Session Hijacking 9. ...

21. Rails Security Policy

22. None
23. None
24. None
25. None
26. None

27. Ruby / Rails Security Risks

28. Attack Vectors 1. Vulnerable dependencies

29. Attack Vectors 1. Vulnerable dependencies 2. Exploitable application code

30. Attack Vectors 1. Vulnerable dependencies 2. Exploitable application code

31. Vulnerable Dependencies

32. Vulnerable Dependencies

33. Vulnerable Dependencies bundle update rails git commit -m “Patched version

    of Rails.” git push production master

34. Vulnerable Dependencies $ gem install bundler-stats $ bundle-stats .. ..

    .. .. .. .. .. .. .. | pg | 0 | 0 | | spring | 0 | 0 | | stripe | 0 | 0 | | timecop | 0 | 0 | | tzinfo-data | 0 | 0 | +------------------------------------|------------|----------------+ Declared Gems 62 Total Gems 218 Unpinned Versions 39 Github Refs 3

35. bundler-audit

36. None
37. None

38. Vulnerable Dependencies $ gem install bundler-audit $ bundle-audit No vulnerabilities

    found

39. Vulnerable Dependencies

40. None

41. For patch versions (e.g. 1.0.X): - Dependabot - Depfu

42. For minor/major versions (e.g. A.B.0): Fixed-cost Monthly Maintenance by FastRuby.io

43. Attack Vectors 1. Vulnerable dependencies 2. Exploitable application code

44. Exploitable Code 1. Poorly scoped queries 2. SQL-injectable code 3.

    Poorly filtered parameters 3. Too many un-rescued exceptions 4. Etc…

45. Sharp knives: - Ruby (e.g. monkey patches)

46. Sharp knives: - Ruby (e.g. monkey patches) - ActiveRecord

47. Sharp knives: - Ruby (e.g. monkey patches) - ActiveRecord -

    N+1 Performance Issues - Slow queries - SQL-injection, and more…

48. Example #1

49. ActiveRecord def find_estimate @estimate = Estimate.where(story_id: params[:story_id]).find(params[:id]) end

50. GET /stories/2/estimates/ 235/edit

51. None

52. ActiveRecord def find_estimate @estimate = current_user.estimates.where(story_id: params[:story_id]).find(params[:id]) end

53. Example #2

54. ActiveRecord def find_estimate @estimate = current_user.estimates.where("story_id = '#{params[:story_id]}'").find(params[:id]) end

55. GET /stories/`1'; DROP TABLE users; —`/ estimates/123/edit

56. None

57. ActiveRecord def find_estimate @estimate = current_user.estimates.where(story_id: params[:story_id]).find(params[:id]) end

58. Dozens of known Rails idioms are exploitable

59. brakeman

60. ActiveRecord def find_estimate @estimate = current_user.estimates.where("story_id = '#{params[:story_id]}'").find(params[:id]) end

61. Brakeman $ gem install brakeman $ brakeman .. .. ..

    .. .. .. .. == Warnings == Confidence: Medium Category: SQL Injection Check: SQL Message: Possible SQL injection Code: current_user.estimates.where("story_id = '#{params[:story_id]}'") File: app/controllers/estimates_controller.rb Line: 64

62. Brakeman $ gem install brakeman $ brakeman .. .. ..

    .. .. .. .. == Brakeman Report == Application Path: /Users/etagwerker/Projects/fastruby/points Rails Version: 7.0.4.3 Brakeman Version: 6.0.0 Scan Date: 2023-06-09 09:47:32 -0400 Duration: 0.961275 seconds Checks Run: BasicAuth, BasicAuthTimingAttack, CSRFTokenForgeryCVE, ContentTag, CookieSerialization, CreateWith, CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions, DigestDoS, DynamicFinders, EOLRails, EOLRuby, EscapeFunction, Evaluation, Execute, FileAccess, FileDisclosure, FilterSkipping, ForgerySetting, HeaderDoS, I18nXSS, JRubyXML, JSONEncoding, JSONEntityEscape, JSONParsing, LinkTo, LinkToHref, MailTo, MassAssignment, MimeTypeDoS, ModelAttrAccessible, ModelAttributes, ModelSerialize, NestedAttributes, NestedAttributesBypass, NumberToCurrency, PageCachingCVE, Pathname, PermitAttributes, QuoteTableName, Redirect, RegexDoS, Render, RenderDoS, RenderInline, ResponseSplitting, RouteDoS, SQL, SQLCVEs, SSLVerify, SafeBufferManipulation, SanitizeConfigCve, SanitizeMethods, SelectTag, SelectVulnerability, Send, SendFile, SessionManipulation, SessionSettings, SimpleFormat, SingleQuotes, SkipBeforeFilter, SprocketsPathTraversal, StripTags, SymbolDoSCVE, TemplateInjection, TranslateBug, UnsafeReflection, UnsafeReflectionMethods, ValidationRegex, VerbConfusion, WeakRSAKey, WithoutProtection, XMLDoS, YAMLParsing

63. Brakeman 1. Static code analysis 2. Dozens of checks 3.

    Some false positives

64. Attack Vectors 1. Vulnerable dependencies 2. Exploitable application code

65. Rails Security Audit by FastRuby.io

66. FastRuby.IO/ security-audit

67. Rails Security Audit by FastRuby.io 👉 Email: [email protected]

68. TL;DR 1. Use `bundler-audit`

69. TL;DR 1. Use `bundler-audit` 2. Use `brakeman`

70. TL;DR 1. Use `bundler-audit` 2. Use `brakeman` 3. Don’t just

    use them, add them to your development workflow (e.g. CI)

71. Resources 1. https://guides.rubyonrails.org/security.html 2. https://rubyonrails.org/security 3. https://rubysec.com/ 4. https://brakemanscanner.org/ 5.

    https://www.fastruby.io/newsletter 6. https://www.fastruby.io/blog/rails/security/ruby-security-toolkit.html 7. https://www.fastruby.io/security-audit 8. https://audit.fastruby.io/ 9. https://bundler.io/v2.4/man/bundle-outdated.1.html