Ruby is an object-oriented programming language (OOPL) that was developed by Japanese developer Yukihiro “Matz” Matsumoto. Ruby is influenced by several other OOPLs including Perl, Lisp, Eiffel, Smalltalk and Ada. It is reflective and dynamic, with automatic memory management. It also supports a variety of programming paradigms such as imperative, functional, and of course, object-oriented.
Ruby on Rails, sometimes simply called Rails, is a powerful, full-stack, open-source web application framework designed to run using the Ruby language. The routing system is completely independent of the web server. It allows the creation of applications and pages that can communicate and gather information from the web server and database, as well as the rendering of templates. Rails is built around popular software engineering patterns and principles, including Model–View–Controller (MVC), the active record pattern, Don’t Repeat Yourself (DRY) and Convention over Configuration (CoC).
Securing Ruby applications requires a variety of applied techniques; there is no single tool or process that can effectively defend against all vulnerabilities and threats to Ruby security. The most common threats to Ruby security include accessing or modifying sensitive company data, account compromise, bypassing authentication and access control, and the presentation of fraudulent content.
There are numerous techniques used by security professionals to properly secure Ruby on Rails applications. Since Ruby is similar to other object-oriented programming languages, the same security techniques that apply to them also apply to Ruby security. Some of the most common security techniques include static analysis, code review, and penetration (pen) tests. Ruby on Rails does have some integrated security processes that help prevent some of the most devastating attacks, such as SQL injection and cross-site scripting (XSS). However, there are ways to bypass these security implementations, and a skilled attacker will almost certainly be able to avoid the security checks.
Ruby on Rails security testing
The Open Web Application Security Project (OWASP) is an organization dedicated to the improvement of software security. They have released a top 10 list of web threats and vulnerabilities that developers should test Ruby on Rails for.
- Failure to Restrict URL Access
- Preventing SQLi in Ruby
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Insecure Cryptographic Storage
- Broken Authentication and Session Management
- Unvalidated Redirects and Forwards
- Insecure Direct Object References
- Insufficient Transport Layer Protection
- Security Misconfiguration
Today’s leading Static Code Analysis (SCA) solutions test Ruby on Rails applications for these vulnerabilities and more. They provide a list of all files included in the app, Ruby source files, template files, configuration files, error log files, disassembly information, and more. This data can then be analyzed and tested for web threats and vulnerabilities.
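As an added example (not from the original article or any vendor's product), the Ruby code below shows the kind of check a static analyzer runs on Rails source: it parses code with the standard-library Ripper parser and flags ActiveRecord query calls whose SQL string is built with interpolation, which sidesteps the framework's built-in parameter escaping. The sink list, the function names and the sample lines are constructed for illustration.

```ruby
require "ripper"

# ActiveRecord query methods that accept raw SQL fragments (list is illustrative).
SQL_SINKS = %w[where order group having joins select find_by_sql].freeze

# Depth-first walk over a Ripper s-expression, yielding every tagged node.
def each_node(node, &block)
  return unless node.is_a?(Array)
  yield node if node.first.is_a?(Symbol)
  node.each { |child| each_node(child, &block) }
end

# Returns [method-name token, argument subtree] for call-like nodes, else nil.
def call_parts(n)
  case n.first
  when :command_call then [n[3], n[4]]              # User.order "..."
  when :command      then [n[1], n[2]]              # where "..."
  when :method_add_arg
    call = n[1]
    return unless call.is_a?(Array)
    return [call[3], n[2]] if call.first == :call   # User.where("...")
    return [call[1], n[2]] if call.first == :fcall  # where("...")
  end
end

# True when a string anywhere under +node+ contains "#{...}" interpolation.
def interpolated?(node)
  node.is_a?(Array) && (node.first == :string_embexpr || node.any? { |c| interpolated?(c) })
end

# Lists sink calls whose arguments include an interpolated string.
def find_interpolated_sql(source)
  tree = Ripper.sexp(source) or raise ArgumentError, "source does not parse"
  findings = []
  each_node(tree) do |n|
    ident, args = call_parts(n)
    next unless ident.is_a?(Array) && ident.first == :@ident
    next unless SQL_SINKS.include?(ident[1]) && interpolated?(args)
    findings << { line: ident[2][0], method: ident[1] }
  end
  findings
end

# Constructed sample input (parsed only, never executed).
SAMPLE = <<~'RUBY'
  User.where("name = '#{params[:name]}'")
  User.where("name = ?", params[:name])
  User.order "created_at #{params[:dir]}"
RUBY
```

A check like this flags every interpolation, including values that are already safe, so its findings still need the code review the article mentions.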