29 January 2015

5 Ways To Be a More Secure Rails Engineer

Mark Kuhr

Ruby on Rails is one of the most popular frameworks out there and makes building web applications a lot easier. It has a lot of built in support to help you avoid common security issues like Cross-site Scripting (XSS) or SQL injections, but there are things you as an Engineer can do to further prevent vulnerabilities in your Rails app. Here are some thoughts we share with new engineering hires at Synack to help them get into the mindset of locking things down:

1. Get your logs under control

All requests being made to your web application are being logged by Rails. This can get tricky when you have sensitive things come through like passwords or social security numbers. You should filter these sensitive request parameters from your log files by appending them to config.filter_parameters in the application config.

2. Don’t store your keys in your repo

Especially not if you are committing to a public repository on a service like GitHub. There are crawlers out there looking for public Github repos with Amazon creds that can be used to spin up creative things like a EC2 hosted botnet that will run up a nice bill for the AWS account owner. Best to use something like https://github.com/bkeepers/dotenv to load keys into environment vars and store the key file at a more secure place. With this, as with other things .gitignore is your friend here.

3. Keep Ruby, Gems and Rails updated

It sounds easy but most Ruby on Rails shops get so busy with other things that they forget to simply stay up to date with the latest Ruby and Rails versions. More times than not they will include patches for vulnerabilities. Making room in your dev cycle to upgrade the system is extremely crucial.

4. Don’t trust logged in users

A logged in user isn’t the same as an authorized user. Authorization to perform certain task should be something you manage via policies or at the very least by writing “user centric” code. For example if a user requests an article in the database via it’s ID, you should also verify that this user has the right to view this resource.

5. Don’t allow executable files to be uploaded

Always restrict the allowed file types a user can upload to your system. Ideally you also wanna run a virus/malware scan on the uploaded files and prevent bad stuff to spread through your network.

These five tips are by no means a complete list, but it should help you get started and into the right mindset.