...But Doesn't Rails Take Care of Security for Me?