Web Security

On this week's video, Chris is joined by Derek to discuss web security. Tune in to learn about the available resources and tools, and some specific issues to watch out for in Rails apps.

OWASP Top 10

One of the best starting points for learning more about web security is the OWASP Top 10 list. OWASP is an organization focused on helping developers build and maintain safe, secure web applications. They produce an array of documentation, but the Top 10 list is a great starting point. The 2013 version of the list is the most recent.

The top 10 list covers the 10 most common vulnerabilities found in web applications. These include topics like Injection (command or SQL injection like Little Bobby Tables on XKCD), Broken Authentication and Session Management, Cross Site Scripting, and more.

The list provides a concise introduction and overview of these common vulnerabilities, and we highly recommend you review the whole list from time to time. Alternately, you can watch Derek's Lightning Talk on the OWASP Top 10 for a more detailed dive into the specific items on the list.

Rails Specific Resources

OWASP Ruby on Rails Cheatsheet

In addition to the Top 10, OWASP also provides a Ruby on Rails Cheatsheet. While the Top 10 speaks generally about the types of vulnerabilities common to web applications, the Rails cheatsheet goes into specifics providing example Rails code (and fixes) for these vulnerabilities.

Ruby on Rails Security Guide

The Ruby on Rails Security Guide is another great resource for Rails specific security info. It is maintained by the Rails core team and is continually updated with fresh information. This is another resource that we recommend all Rails devs review from time to time.

Rails SQLi Site

Specific to SQL injection in Rails (number 1 on the Top 10!), Rails SQLi is a page that collects a list of the ActiveRecord methods that are unsafe for user input as they do not sanitize.

Bundler Audit

[bundler-audit][] is a gem that allows us to scan the list of gems being used in our Rails app (as listed in the Gemfile.lock), and compare them against a repository of know security issues.

It can be configured to run as part of our default rake task and continuous integration build for our app, ensuring that we'll catch any issues early.

# ./lib/tasks/bundler-audit.rake task definition
if Rails.env.development? || Rails.env.test?
  require "bundler/audit/cli"

  namespace :bundler do
    desc "Updates the ruby-advisory-db and runs audit"
    task :audit do
      Bundler::Audit::CLI.start ["update"]
      Bundler::Audit::CLI.start ["check"]
    end
  end
end

# Rakefile for Upcase, configured to run both rspec, and bundler-audit
require File.expand_path('../config/application', __FILE__)

Upcase::Application.load_tasks

if defined? RSpec
  task(:spec).clear
  RSpec::Core::RakeTask.new(:spec) do |t|
    t.verbose = false
  end
end

task default: ['spec', 'bundler:audit']

Ruby Security Mailing List

A great compliment to running bundler-audit on your app is to sign up for the [RubySec Mailing List][]. This is a very low volume list that sends out messages when there are new vulnerabilities discovered in gems or Ruby.

[RubySec Mailing List]: http://rubysec.com/

Temporarily Silencing Bundler Audit Warnings

In addition, if there is ever a case where there is a particular gem with a known security issue, but you need to defer updating until a patched version of the gem is released (and you are confident your app is not vulnerable!), then you can use the ignored_vulnerabilities time-boxed exclusions list below to get your build back to green.

# update the bundler-audit task to temporarily ignore specific vulnerabilities
 if Rails.env.development? || Rails.env.test?
   require "bundler/audit/cli"

   namespace :bundler do
     desc "Updates the ruby-advisory-db and runs audit"
     task :audit do
       Bundler::Audit::CLI.start ["update"]
-      Bundler::Audit::CLI.start ["check"]
+      Bundler::Audit::CLI.start ["check"] + ignored_vulnerabilities
     end
   end

+  def ignored_vulnerabilities
+    if Date.today < Date.parse("2015-03-09")
+      ["--ignore", "OSVDB-117461"]
+    else
+      []
+    end
+  end
 end

[bundler-audit]: https://github.com/rubysec/bundler-audit

Brakeman Security Scanner

[Brakeman][] is a static analysis tool you can run on your application to scan for common issues such as SQL injection and XSS. You can include it as a gem in your app's Gemfile and then from time to time run the brakeman command to produce a report of any vulnerabilities it detects. Brakeman is also used as the engine behind [Code Climate's security analysis feature][].

There is also a great [Ruby rogues Episode][] with the author of brakeman there covers the tool itself, as well as many general security concepts.

[Brakeman]: http://brakemanscanner.org/ [Code Climate's security analysis feature]: http://docs.codeclimate.com/article/174-the-security-page [Ruby rogues Episode]: https://devchat.tv/ruby-rogues/219-rr-brakeman-and-rails-security-with-justin-collins

Conclusion

Security is a shared responsibility and something we should all be familiar with when writing web applications. Throughout this episode we've provided a collection of resources and tools to help with your security work, but in the end it often comes back to the golden rule: never trust user input. Although most of your users are great, it only takes one bad egg and a single crack in the foundation to ruin your day.