Ruby on Rails Security

What Is Ruby?

The Ruby object-oriented programming language is designed to support multiple programming paradigms with a dynamic type system and automatic memory management. Originally developed in the mid-1990s by Yukihiro "Matz" Matsumoto, Ruby has grown steadily in popularity over the past few decades, especially in the form of Ruby on Rails. This open-source framework for web application development in Ruby has become a leading choice for developers building responsive, dynamic web applications, especially as many businesses shift more functions online.

Ruby on Rails is well-suited for RESTful web applications. Its simple syntax makes the environment accommodating and easy to collaborate in when building projects. While it has faced security challenges in the past, today it ships with default protections against a variety of attacks, and the development environment is one of the safest available. Of course, for the best results in developing secure code in Ruby, developers must still build security into their code from the beginning.

Veracode Security Labs provides hands-on training that enables developers to write secure code in Ruby on Rails and many other languages. With a variety of real coding practices and tutorials, Security Labs teaches developers how to build security into their code from the first lines.

Security on Ruby on Rails

Writing secure code on Ruby on Rails means using best practices for coding, as well as employing testing and review systems that can provide greater protection against various types of attacks. Since Ruby on Rails is used to create web apps, some of the major web app security concerns include cross-site request forgery (CSRF), SQL injection, command injection, cross-site scripting (XSS), and authentication vulnerabilities.

Some of the key techniques that can prevent flaws or vulnerabilities in Ruby on Rails code include:

  • Source code review - Developers should always review their code for security flaws from the first steps they take in programming.
  • Static analysis - Veracode Static Analysis goes beyond source code analysis to analyze binary code regardless of whether the source is visible. Scanning at each step of the development process ensures that security is layered throughout the build.
  • Dynamic analysis - Veracode Dynamic Analysis finds runtime vulnerabilities in web applications and APIs. It helps developers discover configuration or deployment issues.
  • Penetration testing - Veracode Penetration Testing imitates real-life scenarios in which attackers attempt to compromise your Ruby app. Pen testing can highlight potential flaws and prevent serious problems later on.
  • Developer education - Developers need to learn how to write secure code and remediate vulnerabilities with code reviews.

[Figure: software lifecycle diagram, with arrows running left to right through training, requirements & design, construction, testing, release, respond]

Common Ruby on Rails Security Concerns

Any of the OWASP Top 10 may be a concern for Ruby developers, but certain vulnerabilities are more common in RoR (Ruby on Rails) apps.

Cross-Site Scripting (XSS)

XSS is the most common security breach for Ruby on Rails projects. An XSS vulnerability can undermine a web application, introducing malicious code that affects end users. XSS attacks can take advantage of comments, reviews, search result pages, and other interactive features to deliver malicious content to your users.

Ruby on Rails contains helper methods that protect against these attacks, and standard best practices can provide further protection. All user input returned as part of HTML should be HTML-encoded by your functions, and all user input that can be returned in a URL should be URL-encoded. Ruby on Rails screens potentially dangerous output automatically by tracking which strings carry a special HTML-safe flag. Where this flag is not set, Rails escapes the string before it is output in a view.
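
The HTML-encoding and URL-encoding described above, as an added example using only Ruby's standard library (this is not code from the page or from Rails itself): the comment text and search term are constructed sample inputs, and `ERB::Util.html_escape` is the same escaping Rails' view helpers apply to strings that are not flagged HTML-safe.

```ruby
require "erb"

# Constructed sample of user-supplied comment text (not from the page).
MALICIOUS_COMMENT = %q{<script>alert("xss")</script>}

# Vulnerable pattern: user input interpolated straight into the HTML string,
# so any markup in the comment is rendered as live HTML by the browser.
def render_unsafe(comment)
  "<p class=\"comment\">#{comment}</p>"
end

# Hardened pattern: HTML-encode the input before it reaches the page.
# &, <, >, " and ' are replaced with entities, so the browser shows the text
# instead of executing it.
def render_escaped(comment)
  "<p class=\"comment\">#{ERB::Util.html_escape(comment)}</p>"
end

# Input placed in a URL (for example a search term) needs URL-encoding, not
# HTML-encoding: each reserved byte becomes a %XX escape.
def search_link(term)
  "/search?q=#{ERB::Util.url_encode(term)}"
end

# Plain Ruby ERB does not escape <%= %> output by default (Rails' ERB handler
# does), so in a stand-alone template the escape must be explicit.
TEMPLATE = ERB.new(%q{<li><%= ERB::Util.html_escape(name) %></li>})

def render_list_item(name)
  TEMPLATE.result_with_hash(name: name)
end

if __FILE__ == $0
  puts render_unsafe(MALICIOUS_COMMENT)
  puts render_escaped(MALICIOUS_COMMENT)
  puts search_link("a b&c=<d>")
  puts render_list_item(MALICIOUS_COMMENT)
end
```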

Preventing SQL Injection in Ruby on Rails

SQL injection lets attackers pass unverified data into database queries or open access to the underlying database, gaining access to or changing confidential or personal data.

Ruby on Rails provides a built-in filter for special SQL characters in user input, escaping single quotes, double quotes, NULL characters, and line breaks. By using the ActiveRecord methods Model.find(id) or Model.find_by_something(something), developers apply this countermeasure automatically.
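
Why the built-in quoting matters, as an added example that is not from the page or from Rails: the first function mirrors the unsafe Rails idiom `Model.where("name = '#{params[:name]}'")`, the second mirrors the bound form `Model.where("name = ?", params[:name])`. The `quote` helper is a hypothetical, simplified stand-in for the value quoting a database adapter performs (it only doubles single quotes, the SQL-standard escape), and the attacker-style input is constructed.

```ruby
# Constructed attacker-style input (not from the page): closes the open quote,
# then appends an always-true condition.
INJECTED_NAME = "' OR '1'='1"

# Vulnerable pattern: the input becomes part of the SQL text, so the quote in
# it ends the literal and the rest is parsed as live SQL.
def build_unsafe_query(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# Hypothetical stand-in for adapter quoting of a bound `?` value. Real adapters
# also handle double quotes, NULL bytes and line breaks, as the text notes;
# this helper only doubles single quotes so the value stays one literal.
def quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Hardened pattern: the value is quoted as data, never spliced in as SQL text.
def build_safe_query(name)
  "SELECT * FROM users WHERE name = #{quote(name)}"
end

if __FILE__ == $0
  puts build_unsafe_query(INJECTED_NAME) # condition becomes OR '1'='1'
  puts build_safe_query(INJECTED_NAME)   # whole input is one string literal
end
```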

However, building security into the software development lifecycle also means going beyond the built-in security measures of Ruby on Rails. Developers should always ensure that users with permissions to access the underlying database have the lowest level of privileges necessary for their work to function properly. The same is true for web administrators. All input taken in from users should be filtered, checked against business rules, and measured against length, type, and syntax regulations.

When developing web applications, avoid reusing your habitual usernames and passwords, which attackers may use to breach authentication, and remove stored procedures you do not need. When using any kind of external string in SQL or allowing such a string to be parsed, keep security in mind.

Veracode's dynamic analysis scans web applications and keeps your public-facing applications protected against XSS, SQL injection, and other security concerns.

Avoiding CSRF Vulnerabilities in Ruby

Ruby on Rails provides an important built-in protection mechanism against cross-site request forgery (CSRF): token authentication. The gem devise_token_auth can be used to implement token authentication.

However, many applications also use cookies for authentication, and here further hardening against CSRF attacks may be necessary. The "protect_from_forgery" method in controllers takes care of validating anti-CSRF tokens. If a request fails verification, Rails rejects it before the forged request can take effect.

Preventing Logging Vulnerabilities in Ruby on Rails

Ruby on Rails logs all requests made to the web application. To provide the greatest protection for sensitive personal or financial data, ensure that the log files you create do not retain login credentials, passwords, credit card numbers, or other data that could be exposed in a security breach. Rails provides a mechanism to filter request parameters out of your log files: append their names to "config.filter_parameters" when configuring your application.

This information will be marked "[FILTERED]" in your logs, providing greater protection for customers and users against any type of potential data leak, breach, or attack.

Protecting Your Ruby on Rails Code With Veracode

Veracode's static analysis and dynamic analysis tools can scan your Ruby binaries and public web applications, keeping a constant view of potential security flaws and pointing out fixes. We provide comprehensive solutions to build application security into your SDLC, including binary analysis, application security testing, and eLearning for an integrated approach to security. Visit our free guide on secure coding best practices and contact us today to learn more about our offerings or set up a demo of the Veracode platform.