Ruby on Rails Secure Development Guidelines
What Is Ruby?
Ruby is an object-oriented programming language. Ruby was first developed in the mid-1990s by Yukihiro "Matz" Matsumoto. Ruby supports multiple programming paradigms, including functional, object oriented, imperative and reflective. Ruby also has a dynamic type system and automatic memory management. Ruby on Rails is an open source web application framework for the Ruby programming language. Ruby is known for Convention over Configuration, Don't repeat yourself and Restful Web Services.
Ruby on Rails Security Overview
Web application frameworks like Ruby help developers to build web applications. Just like security applications with other frameworks, securing Ruby apps requires a mix of utilizing best practices in coding along with correctly using helper methods that are provided to help protect against certain types of attacks. Threats against Ruby web applications include user account hijacking, bypass of access control, reading or modifying sensitive data or presenting fraudulent content.
Key Ruby Security Features
This section lists common Ruby security issues. Building secure Ruby on Rails applications should be no different than building secure applications in any other language. Ruby developers should use different security techniques such as:
- Code review
- Penetration testing
- Static analysis
- Security as part of the SDLC
Ruby on Rails apps are vulnerable to the same issues as other programming languages. Rails has built-in support to help developers avoid common security issues like XSS and SQL injection, but it is still possible to introduce these vulnerabilities into Ruby on Rails apps. In addition to common security vulnerabilities, there are other vulnerabilities more commonly associated with Rails, e.g., mass assignment.
Ruby on Rails Security Video
Ruby Security Best Practices
Ruby developers should follow a Secure Development Lifecycle (SDLC). The SDLC is a software development security assurance process consisting of security practices grouped by six phases: training, requirements & design, construction, testing, release and response.
Like any other framework, the Rails app needs to be kept up to date. From time to time, security issues are reported in the Rails app. Developers of Ruby applications should keep the OWASP Top 10 in mind. Ruby on Rails developers should test for:
- Cross-Site Scripting (XSS)
- Broken Authentication and Session Management
- Insecure Direct Object References
- Cross-Site Request Forgery (CSRF)
- Security Misconfiguration
- Insecure Cryptographic Storage
- Failure to Restrict URL Access
- Insufficient Transport Layer Protection
- Unvalidated Redirects and Forwards
Preventing SQLi in Ruby
Ruby on Rails has a built-in filter for special SQL characters, which will escape ’ , " , NULL character and line breaks. Using Model.find(id) or Model.find_by_some thing(something) automatically applies this countermeasure.
- Adopt an input validation technique whereby user input is checked against business rules and a set of defined rules for length, type and syntax.
- Ensure that users with permission to access the database have the least privileges.
- Do not use system administrator accounts like “sa” for Web applications.
- Create application-specific database user accounts.
- Remove all stored procedures.
- Use strongly typed parameterized query APIs with placeholder substitution markers, even when calling stored procedures.
Make it a habit to think about the security consequences when using an external string in SQL.
Preventing XSS in Ruby
Rails provides helper methods to fend off XSS attacks.
- HTML encode all user input returned as part of HTML.
- URL encode all user input returned as part of URLs (convert ?, &, /, <, >, and spaces to their respective URL encoded equivalents).
- Convert all user input to a single character encoding before parsing.
Preventing Ruby Logging Vulnerabilities
Rails logs all requests being made to the web application. Log files can be a huge security issue and should not contain sensitive information such as login credentials and credit card numbers. Ruby allows you to filter certain request parameters from your log files by appending them to config.filter_parameters in the application configuration. These parameters will be marked [FILTERED] in the log.
How to Test the Security of Ruby Applications
Veracode can test the security of Ruby on Rails applications. The Veracode platform requires that you run a special packaging gem prior to uploading your Ruby on Rails code to the Veracode platform. The gem uses features to translate your application to an archive format that can be analyzed by Veracode. The archive contains the following information:
- Information about Modules and Classes, including disassembled instruction sequences for all Ruby methods (disassembly is not available for methods implemented in C)
- A log of errors generated by the Veracode gem or other code in your application's environment during disassembly
- Configuration files for Rails, Bundler, or other common gems
- Ruby source and template files
- A list of files included in the archive
- A recursive list of all files in the application directory (including those not contained in the archive)
Written by: Neil DuPaul