Tweet
Tweet

Slide 1

Slide 1 text

Staying Secure on Rails Bradley Grzesiak, partner at Bendyworks (twitter|github).com/listrophy

Slide 2

Slide 2 text

Staying Secure on Rails • Organizational • Vendor Code • Your Code

Slide 3

Slide 3 text

Organizational Security

Slide 4

Slide 4 text

Organizational Security • Trust no one • Trust nothing • You’ve already been hacked • You will continue to be hacked

Slide 5

Slide 5 text

Trust

Slide 6

Slide 6 text

Know who you trust

Slide 7

Slide 7 text

Who do I trust? • Intel, Samsung, etc & Factory Workers • Apple • GCC & LLVM Teams • Ruby Core Team • Rails Core Team • Authors of Every Gem You Use • GitHub & Rubygems.org • Google or Mozilla • OpenSSH Team • Linus Torvalds & GNU Team • Ubuntu Team • Apache or nginx Team • Heroku, Linode, Engine Yard, Blue Box • Amazon

Slide 8

Slide 8 text

It’s not just trust in “Good Intentions...”

Slide 9

Slide 9 text

It’s not just trust in “Good Intentions...” It’s also trust in “Competence.”

Slide 10

Slide 10 text

Disaster Preparation

Slide 11

Slide 11 text

Disaster Preparation • Up-to-date List of Apps & Servers • Effective Code & Data Backups • Insta-Maintenance Pages • Fast Re-Deployment, Provisioning Process • Status Pages • “Phone” Tree

Slide 12

Slide 12 text

Staying Secure on Rails • Organizational • Vendor Code • Your Code

Slide 13

Slide 13 text

Vendor Code

Slide 14

Slide 14 text

Vendor Code • Operating System • User-Level Server Software • Ruby (patch levels) • Gems • Plugins, Submodules, etc

Slide 15

Slide 15 text

Keep Current • ruby-lang.org/en/security • groups.google.com/group/rubyonrails-security • Gemnasium • Twitter

Slide 16

Slide 16 text

Staying Secure on Rails • Organizational • Vendor Code • Your Code

Slide 17

Slide 17 text

Your Code

Slide 18

Slide 18 text

Your Code • Never trust params • If you recurse/loop on params, set limits • Don’t call .to_sym on params • Use attr_accessible • Actually, use strong_parameters • Filter Parameters: password, cc info, etc • Bcrypt your passwords • Actually, don’t roll your own auth • Don’t store credit card info • Better yet, never touch credit card info • Judiciously trust DB field values • Never use eval; Judiciously use .raw • Avoid SQL injection • Don’t use cookie session store

Slide 19

Slide 19 text

Your Code • Don’t put arbitrary restrictions on passwords, other than maybe length • Authenticating? Force SSL everywhere • Auth or “mark-as-skipped” every action • Know how much information you leak • Don’t rely on obscurity • Use a load balancer • If you use OAuth, learn it • Assume hackers are smarter than you and have your code • Git-ignore secrets (eg: secret_token.rb) • Use JSON if you must serialize • Don’t disable CSRF tokens • Email is insecure • Read guides.rubyonrails.org/security.html

Slide 20

Slide 20 text

Assumption: I’m a moron

Slide 21

Slide 21 text

Thank You! speakerdeck.com/listrophy/staying-secure-on-rails