00:00:18.029
Hello everyone, my name is Matt. I'm here with my colleague, and together we're going to talk about securing your Rails applications. How many people here feel that their Rails applications are one hundred percent secure?
00:00:38.110
I got really interested in security in Rails last fall when I read an article by Patrick McKenzie. He examined the Diaspora source code, which is intended to be a Facebook replacement, addressing various privacy concerns. It was fascinating to see what he uncovered in terms of security.
00:01:02.200
He discovered numerous security issues in the Diaspora codebase, revealing that there was hardly anything preventing a hacker from exploiting it. This prompted me to consider the security of my own Rails applications. I've completed all the usual security training that many web developers go through. How many people here have had any security training at all?
00:01:34.900
That's interesting; it seems that some of you have not had any security training. It's crucial to understand that hackers think differently than we do. We have to recognize that the security features built into Rails are essential, but they are not foolproof.
00:02:01.450
Now, let’s look at a graphic from a master's thesis project that I found intriguing. The program monitors the power usage of a chip and attempts to deduce the password based on that data. This approach is fascinating because it underlines how meticulous security work can be.
00:02:10.769
In the process, we can see how much power a device consumes to flip bits, which helps in cracking passwords. For example, our hacker has discovered that the password is encoded as 'deadbeef'. This technique reveals the kind of thought processes that real hackers have and why we should be concerned.
00:02:35.680
Unfortunately, many developers, like myself, might assume that Rails is secure enough. My research led me to realize that while Rails has built-in security features, we still need to take additional steps to ensure our applications are robust against attacks. It's essential to stay informed about the common security vulnerabilities highlighted by resources such as the OWASP (Open Web Application Security Project). If you haven’t read about it already, I highly recommend you do.
00:03:22.000
Today, we’ll discuss some basic security practices that every Rails developer should be aware of. We'll cover both foundational concepts and advanced topics that are prevalent in the real world, emphasizing that all applications have their unique vulnerabilities. Therefore, safeguarding our applications becomes our responsibility.
00:03:49.410
Let’s start with the web application architecture. Typically, you'll have a browser, a web app, and a Rails server. For this presentation, we’ll focus on application security rather than issues related to system administration. We’ll examine aspects on how trust is established, particularly about the browser and server interactions.
00:04:31.800
One of the fundamental security threats that we will discuss is SQL Injection. If you're writing a query like this, it's crucial to ensure that it is properly sanitized. SQL Injection can occur when user input is inserted directly into a query without sufficient validation.
00:05:08.640
For example, if we allow someone to input their name directly into a query condition without sanitizing it, we open ourselves to significant risk. Let me demonstrate what could happen if we neglect to secure our application against SQL Injection.
00:05:56.900
Imagine a scenario where an attacker is able to inject SQL directly into our query. By doing so, they could manipulate the database in unforeseen ways, accessing sensitive data or even modifying records. This emphasizes the importance of using parameterized queries rather than interpolating user input directly into the SQL string.
00:06:30.120
This example drives home the message that developers must always sanitize input. Using Rails built-in parameter binding and prepared statements is an effective way to thwart SQL Injection attempts. Never assume user input is safe.
00:07:16.100
Next, let’s talk about mass assignment vulnerabilities. This occurs when an application allows users to pass in parameters that it shouldn’t. For instance, if you simply let users input data without filtering what they can change, they could potentially update sensitive fields.
00:08:06.900
To secure mass assignment, you need to clearly define which attributes are accessible for update. You can use Strong Parameters to control this and ensure that only the intended attributes can be modified, following a whitelist approach instead of a blacklist.
00:08:59.000
Another issue we need to be aware of is Cross-Site Scripting (XSS), where an attacker can inject scripts into web pages viewed by users. This allows the attacker to execute code in the browser context of an unsuspecting user. It's vital that you validate and sanitize all user inputs that may end up being rendered in a browser.
00:09:46.000
For example, if an application permits HTML and doesn't sanitize it properly, someone could inject malicious scripts. This could be as simple as embedding a JavaScript request that sends cookies to the attacker, allowing them to hijack user sessions.
00:11:04.800
To combat XSS vulnerabilities, you should implement output encoding to make sure that user input is treated only as data, not executable code. Rails provides helpers to assist in sanitizing HTML, ensuring that harmful scripts are not executed.
00:12:00.000
Next, let’s discuss Cross-Site Request Forgery (CSRF) attacks. These attacks can occur when a user is tricked into submitting a request to a different site without their knowledge. For example, while logged into your web application, an unsuspecting user could be redirected to a malicious page that sends requests to your application account.
00:12:41.500
To prevent CSRF attacks, Rails has built-in protections that rely on authenticity tokens. This token must be included in the forms rendered by your web application. If a request lacks the correct token, Rails will reject it.
00:13:30.300
It is crucial to generate these tokens with the Rails helper methods so they’re uniquely tied to your session. If an attacker tries to forge requests, they will not possess the valid token, and thus their efforts will be thwarted.
00:14:09.000
Session management is another critical aspect of security. It's vital to ensure your web application uses secure cookies to prevent session hijacking. This includes using HTTPS and setting the secure flag on cookies to ensure they are transmitted only over secure connections.
00:14:44.000
For those building web applications, prototyping enables you to identify security issues quickly. Tools like browser inspectors can help you inspect how your application's interactions work, and they should be part of your standard security checks.
00:15:22.000
It's essential to stay updated on security patches for Rails. The framework itself regularly receives updates that fix vulnerabilities, so ensure your project adheres to the latest security practices recommended by the Rails community.
00:15:58.000
We hope that today’s talk has highlighted the importance of security awareness among developers. It is not enough to rely solely on the built-in protections Rails offers. Developers must actively consider potential vulnerabilities and how to mitigate them effectively.
00:16:45.000
Always think like an attacker. Anticipate the ways in which your application can be exploited and take proactive measures to secure it. Thank you all for your time and attention, and I’d be happy to take any questions now.
00:17:21.000
If you have any questions about what we covered today or need further clarification on specific points, please feel free to ask.