At Route Vu, we are building a mobile application that also requires backend server and web server support. In this app, we have a number of unique privacy issues (for a social application) we wish to address, so security becomes even more critical for us. Personally, I'm new to Rails. Why should you trust three blog posts about securing a Ruby on Rails application? Fair question. In a prior life I worked for the world's second largest software company securing their database and applications, helping secure their on-line applications and crafting their security response team.
The following three blog posts cover separate topics:
- Overall Web Application Security
- Authentication and Authorization
- Two Security Vulnerabilities Development Must Fix
Honestly, I consider item 3, the two vulnerabilities, the most important post you should read - way to bury the lead, huh? The other two are almost no-brainers in terms of what you should do. Don't get me wrong, you must make plenty of decisions and do a lot of work satisfying the security issues in items 1 & 2. However, after perusing the common Rails programming idioms and finding the Primary Key vulnerability, I felt compelled to write these blog posts (if for no one other than me and my development team).
I hope you find them useful. If you see any complete and utter Ruby or Rails programming fails, please drop me a line or leave a comment so I can correct them.