## RailsConf 2018: The Evolution of Rails Security by Justin Collins

Rails has a reputation for being secure by default, but how deserved is that reputation? Let's take a look back at some of the low points in Rails security history: from the first Rails CVE, to the controversial GitHub mass assignment, the 2013 Rails apocalypse, and more recent remote code execution issues. Then we'll cheer ourselves up with the many cool security features Rails has added over the years! We'll cover auto-escaping, strong parameters, default security headers, secret storage, and less well-known features like per-form CSRF tokens and upcoming Content Security Policy support.
In this presentation, "The Evolution of Rails Security" at RailsConf 2018, Justin Collins, an application security specialist and the creator of the Brakeman static analysis tool for Rails, discusses how security features in Ruby on Rails have developed and improved. The talk is divided into two parts: an overview of past security vulnerabilities and an examination of the modern security measures implemented in Rails.

### Key Points Discussed:

- **Historical Context:**
  - Rails, since its inception in 2004, has had various security issues, starting with its first CVEs shortly after the initial release. These early cases showed how poorly vulnerabilities were often handled then compared to today.
  - Key vulnerabilities included remote code execution caused by file loading issues, and mass assignment flaws that became a major topic of discussion and led to critical changes in the framework.
- **Significant Vulnerabilities:**
  - Major security incidents were discussed, including the 2013 Rails apocalypse, in which YAML deserialization vulnerabilities could allow attackers to execute code on the server.
  - The talk also addressed cross-site request forgery (CSRF) and how Rails updated its protection measures to combat such attacks.
- **Security Features Evolved:**
  - Collins outlines essential security features introduced over the years, such as auto-escaping of output, strong parameters for whitelisting permitted attributes, and security-related HTTP response headers.
  - Newer features mentioned include per-form CSRF tokens, default security headers in Rails, encrypted session cookies, and Content Security Policy support to prevent XSS attacks.
- **Continuous Improvement:**
  - The presentation emphasizes the ongoing evolution of Rails security practices and features, encouraging developers to stay informed and to use resources like the Rails security guide.

### Conclusions and Takeaways:

- The overall security landscape of Rails has changed dramatically since its early days, with lessons learned leading to a more robust framework.
- Developers are advised to be proactive about security, to use available tools such as Brakeman, and to follow the best practices outlined in the Rails security guide.
- The speaker expresses optimism for the future of Rails security, highlighting that despite the past challenges, the framework continues to add important safety features to protect developers and users alike.

This session underlines a crucial aspect of web development: the importance of security, demonstrating that as frameworks evolve, so must our understanding and implementation of security features.