Lock in $30 Savings on PRO—Offer Ends Soon! ⏳

Staying Secure on Rails

listrophy
February 25, 2013

Staying Secure on Rails

A (necessarily) incomplete list of things you should consider when it comes to security on Rails.

listrophy

February 25, 2013
Tweet

More Decks by listrophy

Other Decks in Programming

Transcript

  1. Organizational Security • Trust no one • Trust nothing •

    You’ve already been hacked • You will continue to be hacked
  2. Who do I trust? • Intel, Samsung, etc & Factory

    Workers • Apple • GCC & LLVM Teams • Ruby Core Team • Rails Core Team • Authors of Every Gem You Use • GitHub & Rubygems.org • Google or Mozilla • OpenSSH Team • Linus Torvalds & GNU Team • Ubuntu Team • Apache or nginx Team • Heroku, Linode, Engine Yard, Blue Box • Amazon
  3. Disaster Preparation • Up-to-date List of Apps & Servers •

    Effective Code & Data Backups • Insta-Maintenance Pages • Fast Re-Deployment, Provisioning Process • Status Pages • “Phone” Tree
  4. Vendor Code • Operating System • User-Level Server Software •

    Ruby (patch levels) • Gems • Plugins, Submodules, etc
  5. Your Code • Never trust params • If you recurse/loop

    on params, set limits • Don’t call .to_sym on params • Use attr_accessible • Actually, use strong_parameters • Filter Parameters: password, cc info, etc • Bcrypt your passwords • Actually, don’t roll your own auth • Don’t store credit card info • Better yet, never touch credit card info • Judiciously trust DB field values • Never use eval; Judiciously use .raw • Avoid SQL injection • Don’t use cookie session store
  6. Your Code • Don’t put arbitrary restrictions on passwords, other

    than maybe length • Authenticating? Force SSL everywhere • Auth or “mark-as-skipped” every action • Know how much information you leak • Don’t rely on obscurity • Use a load balancer • If you use OAuth, learn it • Assume hackers are smarter than you and have your code • Git-ignore secrets (eg: secret_token.rb) • Use JSON if you must serialize • Don’t disable CSRF tokens • Email is insecure • Read guides.rubyonrails.org/security.html