Security Checklist of Ruby on Rails - Pre and Post Project Delivery

This manual describes common security problems in web applications and how to avoid them with Rails.

Secure coding checklist: Ruby on Rails

Attack Vector/Vulnerability	Solution
input/output validation	white-list filtering as early as possible use safeERB, XSSshield, etc. use `.find(params[:id])` only with additional parameters or `@user.order.find(id)` SQL injections use bind variables and an array for SQL queries using `.find` use `sanitize_sql()` or prepared statement for remote SQL queries use `protect_from_forgery` (CSRF) use escape methods for Shell LDAP ... Mass Assignment use `attr_accessible` don't pass user-data to `.new` or `.create` take care with `redirect_to`
session handling	use SSL use strong passwords only 6 characters numbers and letters verify with cracklib-ruby use password salt use key derivation function for further processing (RFC 2898) use a random+changing `:secret` for the Cookies all controller actions are public reset_session at login limit admin interface to sub-net or localhost ActionController::Base.session_options[:session_secure] = true Cookie life-time has to be enforced on server-site do NOT store secret information in a Cookie (only base64 encoded) use CAPTCHAs to stop scripted attacks bind IP address to Session-ID re-authenticate before executing security- relevant actions changing password changing email address changing repo URL ...
very dangerous methods/functions	system() popen() `` (backticks) eval() deserialize()
information leak	short error message no full back-trace! filter_parameter_logging remove backup files periodically use `.find(params[:id])` only with additional parameters or `@user.order.find(id)` use bind variables or alike for SQL queries using `.find`
file uploads and downloads	use hash of filename instead of real name put them in a DB and use an ID deny direct download of files put them outside of DocumentRoot deny suffixes like: rb, cgi, php, erb, html, .. deny `../` and `/` in name always set correct Content-Type
sensitive information	standards and acts: PCI DSS, HIPAA, SOX, ... encrypt keep them in memory as short as possible create audit records for access do not log the data itself to avoid leaking
cryptography	use OpenSSL no hard-coded algorithms etc. use only AES with 256 bit key SHA-2 with 512 bit RSA, DSA, DH with 2048 bit key CTR or CBC mode fresh random numbers from `/dev/random` or `/dev/urandom` avoid stream ciphers References :: http://guides.rubyonrails.org/security.html http://en.opensuse.org/SDB:Secure_coding_checklist:_Ruby_on_Rails

Comments

World largest data sets open to the public | Business Intelligence | Data Warehouse | Data Mining

World largest data sets open to the public | Business Intelligence | Data Warehouse | Data Mining Data Sets available for different sectors as follows: Science & Technology - World largest data sets open to the public | Business Intelligence | Data Warehouse | Data Mining Agricultural Experiments: agridat {agridat} (R) Climate data: Temperature data (HadCRUT4) and ftp://ftp.cmdl.noaa.go v/ Gene Expression Omnibus: Home - GEO - NCBI Geo Spatial Data: Data | GeoDa Center Human Microbiome Project: Microbial Reference Genomes MIT Cancer Genomics Data: Page on broadinstitute.org NASA: Obtaining Data From the NSSDC NIH Microarray data: ftp://ftp.ncbi.nih.gov/pu b/geo/D... (R) Protein structure: PSP benchmark Public Gene Data: Browse literature or sequence neighbours Stanford Microarray Data: Page on stanford.edu Social Sciences - World largest data sets open to the public | Business Intelligence | Data Warehouse | Data Mining General S

Simple way 2 secure ur Privacy

Essential Checks Before Launching Your Website As ‘digital professionals’ – Web Designers , Developers and Marketers – launching a new website is a daunting task, no matter how often you do it (like B.A.S.E. jumping). There’s lots that can go wrong, and the list of ‘ gotchas ‘ scales to the size and complexity of the project. This article is a checklist of common tasks that need to be completed before you hit the “GO” button. A little preparation goes a long way and could save you time and avoid unnecessary costs after you release your website. Upload a Favicon The ‘favicon’ appears to the left of the page title in the web browser, and your users will notice if your website doesn’t have one. They give your website credibility and help users navigate to your site when it’s open amongst their other tabs and bookmarks. Ensuring that your website has a favicon is probably the most basic of any task known to humanity, and yet it’s so frequently overlooked. STEP ONE: CRE

AWS Cloud Architecture for Web Hosting | Key Components of an AWS Web Hosting Architecture

Security Architecture of AWS | Amazon Web Server Working of AWS Architecture. Content Delivery Edge caching is still relevant in the Amazon Web Service cloud computing infrastructure. Any existing solutions in your web application infrastructure should work just fine in the AWS cloud. One additional option, however, is made available when using AWS, which is to utilize the Amazon CloudFront service1 for edge caching your website Like other Amazon Web Services, there are no contracts or monthly commitments for using Amazon CloudFront – you pay only for as much or as little content as you actually deliver through the service. Managing Public DNS Moving a web application to the AWS cloud requires some DNS changes to take advantage of the multiple availability zones that AWS provides. To help you manage DNS routing, AWS provides Amazon Route 534 , a highly available and scalable DNS web service. Queries for your domain are automatically routed to the nearest DNS server and th

Ram Sharma Cyber Alerts

Search This Blog