
Security Checklist of Ruby on Rails - Pre and Post Project Delivery

This manual describes common security problems in web applications and how to avoid them with Rails.

Secure coding checklist: Ruby on Rails

Each entry below names an attack vector or vulnerability and lists the solution; session fixation is addressed under session handling (reset_session at login).
input/output validation
  • white-list filtering as early as possible
  • use safeERB, XSS shield, etc.
  • use .find(params[:id]) only with additional parameters or @user.order.find(id)
  • SQL injections
    • use bind variables and an array for SQL queries using .find
    • use sanitize_sql() or prepared statement for remote SQL queries
  • use protect_from_forgery (CSRF)
  • use escape methods for
    • Shell
    • LDAP
    • ...
  • Mass Assignment
    • use attr_accessible
    • don't pass user-data to .new or .create
  • take care with redirect_to
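Added example (not code from the checklist or its source): allow-list filtering of request parameters before they reach .new or .create, early white-list validation of a field, and a target check for redirect_to, in plain Ruby without Rails. The attribute names and the email pattern are this example's assumptions.

```ruby
require "uri"

# Added example (not code from the checklist's source): allow-list filtering of
# request parameters before they reach .new/.create, and a target check for
# redirect_to. Plain Ruby, no Rails needed; attribute names are assumptions.

# Only these attributes may be set from user input; "admin", "role" etc. are
# dropped, which is what attr_accessible enforces at the model layer.
USER_ATTRIBUTES = %w[name email].freeze

def permitted_user_params(params)
  params.each_with_object({}) do |(key, value), out|
    key = key.to_s
    next unless USER_ATTRIBUTES.include?(key)
    next unless value.is_a?(String)            # reject nested hashes/arrays
    out[key] = value.strip
  end
end

# White-list validation applied as early as possible: an email must match a
# conservative pattern before it is used anywhere else.
EMAIL_PATTERN = /\A[\w+.-]+@[\w-]+(\.[\w-]+)+\z/

def valid_email?(value)
  value.is_a?(String) && value.length <= 254 && EMAIL_PATTERN.match?(value)
end

# redirect_to with a user-supplied target is an open redirect unless the
# target is limited to a local path. Returns the safe path or the fallback.
def safe_redirect_target(target, fallback: "/")
  return fallback unless target.is_a?(String) && !target.empty?
  begin
    uri = URI.parse(target)
  rescue URI::InvalidURIError
    return fallback
  end
  # No scheme, host or credentials: this also catches "//evil.example/x",
  # which URI parses as a host, and "javascript:" pseudo-URLs.
  return fallback if uri.scheme || uri.host || uri.userinfo
  # Must be an absolute path on this site, never protocol-relative.
  return fallback unless target.start_with?("/") && !target.start_with?("//")
  target
end
```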
session handling
  • use SSL
  • use strong passwords only
    • at least 6 characters
    • numbers and letters
    • verify with cracklib-ruby
  • use password salt
  • use key derivation function for further processing (RFC 2898)
  • use a random+changing :secret for the Cookies
  • all controller actions are public: every public controller method is reachable from the network, so protect each one
  • reset_session at login
  • limit admin interface to sub-net or localhost
  • ActionController::Base.session_options[:session_secure] = true
  • Cookie life-time has to be enforced on server-side
  • do NOT store secret information in a Cookie (it is only base64 encoded, not encrypted)
  • use CAPTCHAs to stop scripted attacks
  • bind IP address to Session-ID
  • re-authenticate before executing security-relevant actions
    • changing password
    • changing email address
    • changing repo URL
    • ...
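Added example (not code from the checklist or its source): the password items of the session-handling section in plain Ruby. It shows the policy check (at least 6 characters, numbers and letters), a random per-user salt, PBKDF2 from RFC 2898 as the key derivation function, and a constant-time comparison when verifying. The iteration count and the verifier string layout are this example's choices.

```ruby
require "openssl"
require "securerandom"
require "base64"

# Added example (not code from the checklist's source): the password items of
# the session-handling section in plain Ruby. Policy check, a random per-user
# salt, PBKDF2 (RFC 2898) as the key derivation function, and a constant-time
# comparison at verification. The iteration count is this example's choice.

PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
KEY_BYTES = 32

# "strong passwords only": at least 6 characters with both letters and digits.
def acceptable_password?(password)
  password.is_a?(String) && password.length >= 6 &&
    password.match?(/[A-Za-z]/) && password.match?(/\d/)
end

# Returns "pbkdf2-sha256$<iterations>$<salt>$<key>" with salt and key base64.
# The salt is fresh per call, so equal passwords yield different verifiers.
def hash_password(password, iterations: PBKDF2_ITERATIONS)
  salt = SecureRandom.random_bytes(SALT_BYTES)
  key = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, KEY_BYTES,
                                   OpenSSL::Digest.new("SHA256"))
  ["pbkdf2-sha256", iterations, Base64.strict_encode64(salt),
   Base64.strict_encode64(key)].join("$")
end

# Compare every byte so timing does not reveal where the strings first differ.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verify_password(stored, candidate)
  algo, iterations, salt_b64, key_b64 = stored.to_s.split("$", 4)
  return false unless algo == "pbkdf2-sha256" && key_b64
  salt = Base64.strict_decode64(salt_b64)
  expected = Base64.strict_decode64(key_b64)
  derived = OpenSSL::PKCS5.pbkdf2_hmac(candidate.to_s, salt, iterations.to_i,
                                       expected.bytesize, OpenSSL::Digest.new("SHA256"))
  constant_time_equal?(derived, expected)
end
```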
very dangerous methods/functions
  • system()
  • popen()
  • `` (backticks)
  • eval()
  • deserialize()
information leak
  • short error messages, no full back-trace!
  • filter_parameter_logging
  • remove backup files periodically
  • use .find(params[:id]) only with additional parameters or @user.order.find(id)
  • use bind variables or alike for SQL queries using .find
file uploads and downloads
  • use hash of filename instead of real name
  • put them in a DB and use an ID
  • deny direct download of files
    • put them outside of DocumentRoot
  • deny suffixes like: rb, cgi, php, erb, html, ...
  • deny ../ and / in name
  • always set correct Content-Type
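Added example (not code from the checklist or its source): the file-upload and download items applied as one validation step in plain Ruby. UPLOAD_ROOT, the denied-suffix list (extended beyond the page's) and the MIME table are this example's choices.

```ruby
require "digest"
require "securerandom"

# Added example (not code from the checklist's source): the file-upload items
# as one validation step in plain Ruby. UPLOAD_ROOT, the denied-suffix list
# (extended past the page's) and the MIME table are this example's choices.

UPLOAD_ROOT = "/srv/app-uploads".freeze   # outside DocumentRoot, not web-served
DENIED_SUFFIXES = %w[rb cgi php erb html htm js].freeze
CONTENT_TYPES = {                          # allow-list; anything else is refused
  "pdf" => "application/pdf", "png" => "image/png", "jpg" => "image/jpeg"
}.freeze

class RejectedUpload < StandardError; end

# Checks the client-supplied name and returns the on-disk path and the
# Content-Type to serve. The client name never reaches the filesystem: the
# stored name is a hash of it plus random bytes, so "../" tricks and
# collisions cannot occur even if the name checks were bypassed.
def plan_upload(client_filename)
  name = client_filename.to_s
  raise RejectedUpload, "empty name" if name.empty?
  raise RejectedUpload, "path separator" if name.include?("/") || name.include?("\\")
  raise RejectedUpload, "traversal" if name.include?("..")
  # Check every suffix, not just the last, so "image.php.png" is caught too.
  suffixes = name.downcase.split(".").drop(1)
  raise RejectedUpload, "denied suffix" unless (suffixes & DENIED_SUFFIXES).empty?
  content_type = CONTENT_TYPES[suffixes.last]
  raise RejectedUpload, "unknown type" unless content_type
  stored = Digest::SHA256.hexdigest(name.b + SecureRandom.random_bytes(16))
  { stored_name: stored, path: File.join(UPLOAD_ROOT, stored), content_type: content_type }
end

# Headers for a controller-mediated download (no direct access to the file).
# Content-Disposition forces a download and nosniff stops browsers from
# guessing a different type than the one recorded at upload time.
def download_headers(plan, download_name)
  {
    "Content-Type" => plan[:content_type],
    "Content-Disposition" => "attachment; filename=\"#{download_name.gsub(/[^\w.-]/, '_')}\"",
    "X-Content-Type-Options" => "nosniff",
  }
end
```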
sensitive information
  • standards and acts: PCI DSS, HIPAA, SOX, ...
  • encrypt
  • keep them in memory as short as possible
  • create audit records for access
  • do not log the data itself to avoid leaking
cryptography
  • use OpenSSL
  • no hard-coded algorithms etc.
  • use only
    • AES with 256 bit key
    • SHA-2 with 512 bit
    • RSA, DSA, DH with 2048 bit key
    • CTR or CBC mode
  • fresh random numbers from /dev/random or /dev/urandom
  • avoid stream ciphers
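Added example (not code from the checklist or its source): the cryptography items combined into one encrypt/decrypt pair in plain Ruby with OpenSSL, AES-256 in CBC or CTR mode, a fresh random IV per message and keys from the OS random source. It goes one step beyond the list: CBC and CTR provide no integrity, so each message is authenticated with HMAC-SHA-512 (encrypt-then-MAC). The allowed-cipher table, key sizes and message layout are this example's choices.

```ruby
require "openssl"
require "securerandom"

# Added example (not code from the checklist's source): the cryptography items
# as one encrypt/decrypt pair in plain Ruby. It goes one step beyond the list:
# CBC and CTR give no integrity, so each message is authenticated with
# HMAC-SHA-512 (encrypt-then-MAC). Cipher table and key sizes are this
# example's choices, meant to come from configuration, not from constants.

ALLOWED_CIPHERS = %w[AES-256-CBC AES-256-CTR].freeze
MAC_BYTES = 64                              # SHA-512 output length

def generate_keys
  # SecureRandom reads the OS CSPRNG (/dev/urandom or equivalent).
  { enc: SecureRandom.random_bytes(32), mac: SecureRandom.random_bytes(64) }
end

def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Output layout: "<cipher name>\0" + IV + ciphertext + HMAC over everything before it.
def encrypt(plaintext, keys, cipher_name)
  raise ArgumentError, "cipher not allowed" unless ALLOWED_CIPHERS.include?(cipher_name)
  cipher = OpenSSL::Cipher.new(cipher_name).encrypt
  cipher.key = keys[:enc]
  iv = cipher.random_iv                     # fresh per message; reuse breaks CTR entirely
  header_and_body = (cipher_name + "\0").b + iv + cipher.update(plaintext) + cipher.final
  header_and_body + OpenSSL::HMAC.digest("SHA512", keys[:mac], header_and_body)
end

def decrypt(blob, keys)
  cipher_name, rest = blob.b.split("\0", 2)
  raise ArgumentError, "malformed" if rest.nil? || rest.bytesize <= MAC_BYTES
  raise ArgumentError, "cipher not allowed" unless ALLOWED_CIPHERS.include?(cipher_name)
  body = rest[0, rest.bytesize - MAC_BYTES]
  tag = rest[rest.bytesize - MAC_BYTES, MAC_BYTES]
  expected = OpenSSL::HMAC.digest("SHA512", keys[:mac], (cipher_name + "\0").b + body)
  # Verify before decrypting so padding or parse errors never leak to a caller.
  raise ArgumentError, "authentication failed" unless constant_time_equal?(tag, expected)
  cipher = OpenSSL::Cipher.new(cipher_name).decrypt
  cipher.key = keys[:enc]
  cipher.iv = body[0, cipher.iv_len]
  (cipher.update(body[cipher.iv_len..]) + cipher.final).force_encoding(Encoding::UTF_8)
end
```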


References:
http://guides.rubyonrails.org/security.html
http://en.opensuse.org/SDB:Secure_coding_checklist:_Ruby_on_Rails
