MountainWest RubyConf 2011

Summarized using AI

Securing Your Rails App

Jim Weirich and Matt Yoho • February 18, 2015 • Earth

In the video titled "Securing Your Rails App," presented by Jim Weirich and Matt Yoho at the MountainWest RubyConf 2011, the importance of web application security, specifically within the context of Ruby on Rails, is thoroughly discussed. The talk addresses common security vulnerabilities that developers may overlook, emphasizing the necessity for intentional security practices to protect Rails applications from potential attacks.

Key Points Discussed:
- Understanding Security in Web Development: The presenters highlight that despite built-in security features in Rails, developers must remain vigilant and proactive in implementing security measures.
- Experience with Security: Matt shares his experience with security flaws found in the Diaspora source code, underscoring that even well-intentioned projects can be vulnerable if security is not prioritized.
- Common Vulnerabilities: The talk delves into several critical security threats, including:

- SQL Injection: Emphasizes the risk of directly inserting user input into SQL queries and advocates for the use of parameterized queries to avoid such vulnerabilities.
- Mass Assignment: Discusses how users can inadvertently update sensitive fields and stresses the use of Strong Parameters to whitelist acceptable attributes for modification.
- Cross-Site Scripting (XSS): Warns against allowing unvalidated HTML inputs, which could lead to script injections, and advises using Rails helpers to sanitize user data.
- Cross-Site Request Forgery (CSRF): Explains how CSRF attacks occur and stresses the importance of using authenticity tokens to protect user sessions.
- Session Management: The importance of secure cookies and HTTPS for preventing session hijacking is highlighted.
- Staying Informed: Developers are encouraged to keep abreast of security patches and updates in the Rails framework to guard against newly discovered vulnerabilities.
- Proactive Security Approach: The talk concludes with a call for developers to think like attackers and anticipate potential exploitation paths in their applications.

Overall, Weirich and Yoho stress that while Rails provides foundational security features, developers hold the responsibility to actively enhance their application's defenses against the variety of threats present in web environments today. Developers must consider application-specific vulnerabilities and implement robust security practices to minimize risks effectively.

In summary, this talk serves as a crucial reminder that security should be integrated into the development process, encouraging thoughtful, informed decision-making in the creation of Rails applications.

Securing Your Rails App
Jim Weirich and Matt Yoho • February 18, 2015 • Earth

By, Jim Weirich & Matt Yoho
Then it starts to scan the computer and transmit bits of information every time he clicks the mouse while he's surfing. After a while, [...] we've accumulated a complete mirror image of the content of his hard drive [...]. And then it's time for the hostile takeover. -- Lisbeth Salander in Stieg Larsson's "The Girl with the Dragon Tattoo" Hacker dramas like the Stieg Larrson book make for good fiction, but we know that real life rarely matches drama. And with all the security features that Rails 3 has added, surely it is difficult to hack a typical Rails web site. Right? Wrong! Without deliberate attention to the details of security, it almost certain that your site has flaws that a knowledgeable hacker can exploit. This talk will cover the ins and outs of web security and help you build a site that is protected from the real Lisbeth Salanders of the world.

Help us caption & translate this video!

http://amara.org/v/GIoN/

MountainWest RubyConf 2011

00:00:18.029 Hello everyone, my name is Matt. I'm here with my colleague, and together we're going to talk about securing your Rails applications. How many people here feel that their Rails applications are one hundred percent secure?
00:00:38.110 I got really interested in security in Rails last fall when I read an article by Patrick McKenzie. He examined the Diaspora source code, which is intended to be a Facebook replacement, addressing various privacy concerns. It was fascinating to see what he uncovered in terms of security.
00:01:02.200 He discovered numerous security issues in the Diaspora codebase, revealing that there was hardly anything preventing a hacker from exploiting it. This prompted me to consider the security of my own Rails applications. I've completed all the usual security training that many web developers go through. How many people here have had any security training at all?
00:01:34.900 That's interesting; it seems that some of you have not had any security training. It's crucial to understand that hackers think differently than we do. We have to recognize that the security features built into Rails are essential, but they are not foolproof.
00:02:01.450 Now, let’s look at a graphic from a master's thesis project that I found intriguing. The program monitors the power usage of a chip and attempts to deduce the password based on that data. This approach is fascinating because it underlines how meticulous security work can be.
00:02:10.769 In the process, we can see how much power a device consumes to flip bits, which helps in cracking passwords. For example, our hacker has discovered that the password is encoded as 'deadbeef'. This technique reveals the kind of thought processes that real hackers have and why we should be concerned.
00:02:35.680 Unfortunately, many developers, like myself, might assume that Rails is secure enough. My research led me to realize that while Rails has built-in security features, we still need to take additional steps to ensure our applications are robust against attacks. It's essential to stay informed about the common security vulnerabilities highlighted by resources such as the OWASP (Open Web Application Security Project). If you haven’t read about it already, I highly recommend you do.
00:03:22.000 Today, we’ll discuss some basic security practices that every Rails developer should be aware of. We'll cover both foundational concepts and advanced topics that are prevalent in the real world, emphasizing that all applications have their unique vulnerabilities. Therefore, safeguarding our applications becomes our responsibility.
00:03:49.410 Let’s start with the web application architecture. Typically, you'll have a browser, a web app, and a Rails server. For this presentation, we’ll focus on application security rather than issues related to system administration. We’ll examine aspects on how trust is established, particularly about the browser and server interactions.
00:04:31.800 One of the fundamental security threats that we will discuss is SQL Injection. If you're writing a query like this, it's crucial to ensure that it is properly sanitized. SQL Injection can occur when user input is inserted directly into a query without sufficient validation.
00:05:08.640 For example, if we allow someone to input their name directly into a query condition without sanitizing it, we open ourselves to significant risk. Let me demonstrate what could happen if we neglect to secure our application against SQL Injection.
00:05:56.900 Imagine a scenario where an attacker is able to inject SQL directly into our query. By doing so, they could manipulate the database in unforeseen ways, accessing sensitive data or even modifying records. This emphasizes the importance of using parameterized queries rather than interpolating user input directly into the SQL string.
00:06:30.120 This example drives home the message that developers must always sanitize input. Using Rails built-in parameter binding and prepared statements is an effective way to thwart SQL Injection attempts. Never assume user input is safe.
00:07:16.100 Next, let’s talk about mass assignment vulnerabilities. This occurs when an application allows users to pass in parameters that it shouldn’t. For instance, if you simply let users input data without filtering what they can change, they could potentially update sensitive fields.
00:08:06.900 To secure mass assignment, you need to clearly define which attributes are accessible for update. You can use Strong Parameters to control this and ensure that only the intended attributes can be modified, following a whitelist approach instead of a blacklist.
00:08:59.000 Another issue we need to be aware of is Cross-Site Scripting (XSS), where an attacker can inject scripts into web pages viewed by users. This allows the attacker to execute code in the browser context of an unsuspecting user. It's vital that you validate and sanitize all user inputs that may end up being rendered in a browser.
00:09:46.000 For example, if an application permits HTML and doesn't sanitize it properly, someone could inject malicious scripts. This could be as simple as embedding a JavaScript request that sends cookies to the attacker, allowing them to hijack user sessions.
00:11:04.800 To combat XSS vulnerabilities, you should implement output encoding to make sure that user input is treated only as data, not executable code. Rails provides helpers to assist in sanitizing HTML, ensuring that harmful scripts are not executed.
00:12:00.000 Next, let’s discuss Cross-Site Request Forgery (CSRF) attacks. These attacks can occur when a user is tricked into submitting a request to a different site without their knowledge. For example, while logged into your web application, an unsuspecting user could be redirected to a malicious page that sends requests to your application account.
00:12:41.500 To prevent CSRF attacks, Rails has built-in protections that rely on authenticity tokens. This token must be included in the forms rendered by your web application. If a request lacks the correct token, Rails will reject it.
00:13:30.300 It is crucial to generate these tokens with the Rails helper methods so they’re uniquely tied to your session. If an attacker tries to forge requests, they will not possess the valid token, and thus their efforts will be thwarted.
00:14:09.000 Session management is another critical aspect of security. It's vital to ensure your web application uses secure cookies to prevent session hijacking. This includes using HTTPS and setting the secure flag on cookies to ensure they are transmitted only over secure connections.
00:14:44.000 For those building web applications, prototyping enables you to identify security issues quickly. Tools like browser inspectors can help you inspect how your application's interactions work, and they should be part of your standard security checks.
00:15:22.000 It's essential to stay updated on security patches for Rails. The framework itself regularly receives updates that fix vulnerabilities, so ensure your project adheres to the latest security practices recommended by the Rails community.
00:15:58.000 We hope that today’s talk has highlighted the importance of security awareness among developers. It is not enough to rely solely on the built-in protections Rails offers. Developers must actively consider potential vulnerabilities and how to mitigate them effectively.
00:16:45.000 Always think like an attacker. Anticipate the ways in which your application can be exploited and take proactive measures to secure it. Thank you all for your time and attention, and I’d be happy to take any questions now.
00:17:21.000 If you have any questions about what we covered today or need further clarification on specific points, please feel free to ask.
Explore all talks recorded at MountainWest RubyConf 2011
+13