On today's episode, Brian Hogan, David Kimura, and Charles Max Wood discuss web security. Security demands attention. Developers can't risk having their projects exploited by hackers and other such attackers. Tune in to learn about the different types and issues in security.
Security in Rails
Rails provides good security defaults and a lot of good conventions. However, that doesn't mean that if you write code in Rails, you have nothing to worry about concerning security. There are still factors you need to consider to make sure that you have everything covered.
There are numerous ways to introduce cross-site scripting: one is writing vulnerable code yourself, another is pulling in a vulnerable third-party library. SQL injection is a similar issue: if you do not sanitize user input, you open yourself to SQL injection even though Rails inherently follows the standard procedures.
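As an added illustration (not code from the episode), here is the SQL injection point above in plain Ruby: the interpolated query beside the bound one, plus a small constructed check that counts predicates in the resulting WHERE clause. ActiveRecord is not loaded, so `quote_literal` is an assumed stand-in for the quoting Rails applies to bind values, kept to standard SQL quote doubling.

```ruby
# Added example, not from the episode: the SQL injection point above in Ruby.
# ActiveRecord is not loaded; `quote_literal` stands in for the quoting Rails
# applies to bind values (an assumption, kept to standard SQL quote doubling).

# Vulnerable pattern, the Rails equivalent of
#   User.where("name = '#{params[:name]}'")
# User input becomes part of the SQL text itself.
def query_interpolated(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# Standard SQL literal quoting: wrap in single quotes, double any embedded quote.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Hardened pattern, the equivalent of
#   User.where("name = ?", params[:name])
# The placeholder is replaced with a quoted literal, so input can never close
# the quote and add its own clauses.
def query_bound(name)
  "SELECT * FROM users WHERE name = ?".sub("?") { quote_literal(name) }
end

# Constructed review check (not a Brakeman feature): strip every quoted
# literal (honouring '' escapes) and count the boolean operators left over.
# A query written with one predicate that comes back with more was injected into.
def predicate_count(sql)
  stripped = sql.gsub(/'(?:[^']|'')*'/, "''")
  stripped.scan(/\b(?:OR|AND)\b/i).size + 1
end

# Constructed sample input: the textbook tautology payload.
PAYLOAD = "x' OR '1'='1"

if __FILE__ == $PROGRAM_NAME
  puts query_interpolated(PAYLOAD)  # two predicates: the WHERE is now always true
  puts query_bound(PAYLOAD)         # one predicate: the payload is just a name value
end
```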
Classifications of Security Vulnerabilities
There are different levels of security and other factors you have to be aware of as you take each step in the process. It is very important to focus on your code's vulnerabilities, which includes third-party plug-ins, regardless of whether you're using a Java library or a gem.
Maintaining good security includes reviewing the source code, tracing back old issues that have been posted for that gem, and looking up resources or reading about best practices for performing queries or running code. If you are going to add a gem to your application, it is your responsibility to take the necessary safety actions to lessen future issues.
Tools for Vulnerability Identification
One way to mitigate vulnerability issues is to list tools that help identify them up front. One commonly used gem is Brakeman. It runs through the application and gives a report on the vulnerabilities it was able to catch.
Another tool is OWASP ZAP, which basically sets up a proxy for your browser. The proxy sits between your browser and the application and can pick up cross-site scripting issues and other kinds of vulnerabilities.
To hear the full Web Security discussion, download and listen to the entire episode. Feel free to contact Charles if you want to know more about the Ruby Rogues podcast. He would surely love to hear from you!
Charles' Twitter account
If you’re short on time, here are the highlights of Web Security:
Security in Rails? (3:29)
Different levels of security? (8:34)
Tools for identifying vulnerabilities? (14:16)
Zero day vulnerability? (22:30)
Automated testing? (26:18)
Other security resources? (31:02)
Recent security issues? (33:13)
Brian: PrivacyRights.org data breaches section
David: video on attr_encrypted
Charles: JSJ Episode with Kim Carter, Invisible Selling Machine by Ryan Deiss
OWASP ZAP, Brakeman, Metasploit, XSS (cross-site scripting), SQL injection, sanitizing user input, COBOL, authenticity tokens, SSL, Brakeman Pro, Justin Collins episode, Cloudflare (proxy), code reviews, Rails Security mailing list, Heartbleed, OWASP Top 10, server hardening, server updates, GitLab data loss, DDoS