Description
Rails makes it very easy to rapidly develop web applications, but doesn't always make it so simple to deploy or secure them. This talk is going to focus on best practices to secure your Rails application, learnt through multiple high profile projects and penetration tests. The talk will be practical and show that this isn't necessarily hard if thought about from the start. We'll also touch on getting the right balance of security without it getting in the way of the users. Help us caption & translate this video! http://amara.org/v/FGis/
Summary
The video titled 'Securing Your Site', presented by Thomas Pomfret at Rails Conf 2012, addresses best practices for securing Ruby on Rails applications, drawing on experience gained through high-profile projects and penetration tests. The key points covered include:

- **Understanding Security Needs**: Assess how secure your site actually needs to be; different applications have very different security requirements.
- **Common Vulnerabilities**:
  - **SQL Injection**: Highlighted as a major risk, as the rankings of the Open Web Application Security Project (OWASP) make clear. The talk emphasizes relying on Rails' built-in protections against SQL injection, such as escaping user input.
  - **Cross-Site Scripting (XSS)**: The risk of users injecting scripts into the application is discussed, along with measures to secure cookies and escape user input in Rails applications, especially from version 3 onwards.
- **Session Management**: The talk underscores the importance of secure session handling, suggesting:
  - Using secure cookies so they cannot be accessed from JavaScript.
  - Implementing session timeouts.
  - Setting a unique secret token for the cookie store.
- **Mass Assignment Vulnerability**: Strong protection against mass-assignment attacks is needed; the talk recommends whitelisting the attributes that may be assigned rather than blacklisting the ones that may not.
- **CSRF Protection**: Cross-Site Request Forgery is prevented by requiring a unique token on every non-GET request, using Rails' built-in support.
- **File Uploads and Redirection Risks**: Best practices for handling user uploads and redirects, validating user-supplied input so it cannot be turned to malicious ends.
- **SSL and Deployment Practices**: The talk advocates using SSL across the whole site and configuring servers so they do not disclose software version information that attackers could exploit.
- **Admin Area Security**: Securing admin sections is critical; the same security principles apply, but with heightened vigilance given the privileges these areas typically grant.

In conclusion, Pomfret stresses that while security may seem complex, adopting best practices early in the development process significantly reduces risk. The overarching takeaway is to keep security in mind throughout the development lifecycle, applying specific mitigations based on each application's own risk profile.
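The mass-assignment point above, illustrated with an added plain-Ruby example (not code from the talk or from Rails): the two helpers stand in for Rails 3's `attr_protected` (blacklist) and `attr_accessible` (whitelist), and the model attributes and request parameters are constructed for the illustration.

```ruby
# Added example: why a whitelist of assignable attributes is safer than a
# blacklist when request params are mass-assigned onto a model.
# Plain Ruby standing in for Rails 3's attr_protected / attr_accessible;
# attribute names and the params hash below are constructed, not real data.

# Blacklist: everything is assignable except the named attributes.
# It fails open: an attribute added later (here :role) is silently allowed.
def assign_with_blacklist(record, params, protected_attrs)
  params.each do |key, value|
    next if protected_attrs.include?(key.to_sym)
    record[key.to_sym] = value
  end
  record
end

# Whitelist: only the named attributes are assignable. Anything else is
# dropped, so a newly added sensitive column is protected by default.
def assign_with_whitelist(record, params, accessible_attrs)
  params.each do |key, value|
    next unless accessible_attrs.include?(key.to_sym)
    record[key.to_sym] = value
  end
  record
end

# Constructed request params: a user edits their profile but also submits
# fields the form never offered and they should never be able to set.
PROFILE_PARAMS = {
  "name"  => "alice",
  "email" => "alice@example.com",
  "admin" => true,    # blacklisted when the app was first written
  "role"  => "owner"  # column added later; nobody updated the blacklist
}.freeze

# Blacklist written for the original schema: only :admin is protected.
def profile_update_blacklist
  assign_with_blacklist({}, PROFILE_PARAMS, [:admin])
end

# Whitelist of what a profile form is allowed to change.
def profile_update_whitelist
  assign_with_whitelist({}, PROFILE_PARAMS, [:name, :email])
end

if __FILE__ == $PROGRAM_NAME
  puts "blacklist result: #{profile_update_blacklist.inspect}"
  puts "whitelist result: #{profile_update_whitelist.inspect}"
end
```

Running it shows the blacklist dropping `admin` but letting the later-added `role` through, while the whitelist keeps only `name` and `email`.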