Recently in Ruby On Rails Category

Most of the questions I got after my talk were around how people can look to secure their application. I mentioned a couple of sites and it's probably worth expanding on the points made.

Web Application Security

For people looking to understand how to secure their web applications, in my opinion the best source of free information is the OWASP project. It's an umbrella for a number of web application security efforts.

They've got a wide variety of projects which target management, security testers and developers, but some of the best places to start for developers are the OWASP Developer's Guide, which covers a wide range of topics about secure development in a fairly generic way, and the Ruby on Rails Security Guide here or here, which covers Rails-specific topics.

Both of those documents are relatively large but well worth delving into. For a quick view of the "most serious" web application security issues, OWASP also has the Top Ten project. The latest version, currently at RC1, has some good summaries of the top risks, and is a good place to start getting an idea of the areas to be addressed...


There's also a newish book dedicated to the topic of security on rails. I picked up a copy at the conference (I'm a sucker for the O'Reilly stand!), so I've not had time to get all the way through it, but first impressions are that it'll be very good, with concrete examples of broken rails applications and how to fix them.

All the Scotland on Rails videos are now online here courtesy of the nice folks at Engine Yard.

The video for my presentation is here, and the slides are on SlideShare over here.

It was the Scotland on Rails 2009 conference on Friday/Saturday of last week. A great couple of days with loads of interesting Ruby and Rails talks (I'm planning more of a recap once the videos are out).

I presented on Web Application Security (slides here), which seemed to go down reasonably well.

One of the main themes of my presentation was that, whilst Rails provides a variety of mechanisms to help developers create secure applications, it still leaves a lot to the individual to think about, and relies on developers actually applying the protection that it provides.

One major example of this is Rails' default protection mechanism against XSS, which is the h() function. This HTML-encodes the contents of the argument passed to it. That is an effective defence against XSS, but it relies on developers using it consistently on every piece of output, which can be tricky to remember.

There are a couple of potential ways of improving this situation with plugins.

The Safe ERB plugin is designed to help developers by raising an exception when information pulled from an ActiveRecord model is displayed in a view without h() being used.

The other way to approach the problem of XSS is to validate input when it's passed to the application. There are a number of Rails plugins which take this approach, including Sanitize Params and XSS Terminate.

XSS in Rails Applications


I'm doing some research at the moment for a presentation I'm doing for the Scotland on Rails conference, later this month. As part of that I've been downloading some sample Rails applications to get an idea of common security issues that I can discuss.

Interestingly, on the popular applications I've downloaded so far, I'm 2 for 2 on the exact same problem.

Both of them have XSS vulnerabilities on the path from the user side of the site to the admin side. The end-user pages have output encoding to restrict XSS, but the admin sections don't consistently provide the same protection.

It's also interesting that both applications seem to be relying on output encoding as a defence as opposed to input validation. In my experience the best defence is a combination of the two...
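The h() helper, the Safe ERB style guard and the user-page/admin-page gap described in these two posts, as an added example that is not code from the posts or from the plugins mentioned. It uses only Ruby's standard ERB; UntrustedString, render_page and valid_name? are names assumed for this example, and the sample comment is constructed. The admin template deliberately omits h() to show the guard catching the omission at render time, and the input check at the end is the other half of the "combination of the two" defence.

```ruby
# Added example (not code from the original posts or from the Safe ERB,
# Sanitize Params or XSS Terminate plugins): a self-contained model of the
# XSS defences discussed above, using only Ruby's standard ERB.
#
#   1. h()  - HTML-encodes output, like the Rails helper.
#   2. A Safe ERB style guard: a value that came out of a model raises if a
#      template emits it without going through h().
#   3. Input validation on the way in, so a bad value never reaches the model.
#
# UntrustedString, render_page and valid_name? are names assumed for this
# example; SAMPLE_COMMENT is a constructed value.
require 'erb'

class UnescapedOutputError < StandardError; end

# A string that came out of a model. Rendering it directly is an error; only
# h() may unwrap it. (Safe ERB used Ruby's String#taint for this, which modern
# Rubies no longer support, so a small wrapper class stands in for it here.)
class UntrustedString
  attr_reader :raw

  def initialize(raw)
    @raw = raw.to_s
  end

  # ERB's <%= %> calls to_s on the expression, so an unescaped model value
  # fails loudly instead of silently landing in the page.
  def to_s
    raise UnescapedOutputError, "model value rendered without h()"
  end
end

# Equivalent of Rails' h(): HTML-encode, unwrapping an UntrustedString first.
def h(value)
  raw = value.is_a?(UntrustedString) ? value.raw : value.to_s
  ERB::Util.html_escape(raw)
end

# Render an ERB template string with the given local variables. The template
# is evaluated at top level, where the h helper above is defined.
def render_page(template, locals)
  ERB.new(template).result_with_hash(locals)
end

USER_TEMPLATE  = '<p class="comment"><%= h(comment) %></p>'
ADMIN_TEMPLATE = '<td><%= comment %></td>' # the admin view forgot h()

# Constructed sample: the kind of comment body a tester stores to check
# whether a page encodes its output.
SAMPLE_COMMENT = UntrustedString.new("<script>alert(1)</script>")

# The end-user page: escaped, so the markup is rendered as text.
def render_user_page(comment = SAMPLE_COMMENT)
  render_page(USER_TEMPLATE, comment: comment)
end

# The admin page: returns the rendered HTML, or the guard's error, so a caller
# can see that the missing h() is caught before the page reaches a browser.
def render_admin_page(comment = SAMPLE_COMMENT)
  render_page(ADMIN_TEMPLATE, comment: comment)
rescue UnescapedOutputError => e
  e
end

# Input validation for a field with a known shape (a display name). This is
# the second half of the defence in depth the post argues for; it narrows
# what reaches the model but does not replace output encoding.
NAME_PATTERN = /\A[[:alnum:] ._-]{1,40}\z/

def valid_name?(value)
  NAME_PATTERN.match?(value.to_s)
end

if __FILE__ == $0
  puts render_user_page          # escaped markup, rendered as text
  puts render_admin_page.class   # UnescapedOutputError: the guard fired
  puts valid_name?("Alice Smith") # true
  puts valid_name?("<b>Alice</b>") # false
end
```

Running the file prints the escaped user page, then the class of the error the admin template triggered, then the two validation results.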

Of course that leads to some potentially nasty exploits around stealing admin credentials from the site in question. Hey looks like I'll have some stuff to talk about anyway :)

Ever gone looking for some insight into your latest Rails conundrum and ended up finding answers for the wrong language that mention Ruby elsewhere in the page? I know I have.

Here's an interesting new beta project from Google launched today, which allows you to create custom search engines which focus on a given topic area by customising which sites are indexed as part of the search.

I think that this could be really useful for targeted searches as it can cut out a lot of the "spam" and other less relevant sites from the search results. Also while you can get the same effect by using the site: parameter, doing that about 20 or 30 times per search doesn't really appeal.

So here's a Ruby on Rails search. At the moment it's based on some sites which I use (list below), but if there are other ones that anyone would like to see included, just leave a comment, or volunteer to help out on the search engine front page.

edit: Looks like quite a few people in the RoR community had this idea.... so rather than have lots of different searches doing the same thing I've removed my one.

But if you're looking for a RoR search engine, head over here to the Ruby Inside Search Engine.


Site Listing


http://www.rubyforge.org/
http://www.ryandaigle.com/
http://weblog.rubyonrails.com/
http://www.loudthinking.com/
http://www.slash7.com/
http://www.oreillynet.com/ruby/
http://www.rubyonrailsforum.com/
http://www.ruby-forum.com/
http://www.bigbold.com/snippets/tags/rails
http://wiki.rubyonrails.com/
http://dev.rubyonrails.org/
http://www.ruby-lang.org/en/
http://www.37signals.com/
http://www.rubyonrails.com/
http://blog.t0fuu.com/
http://weblog.jamisbuck.org/
http://www.railtie.net/
http://www.rubyonrailsblog.com/
http://cardboardrocket.com/
http://www.danwebb.net/
http://mephistoblog.com/
http://curthibbs.wordpress.com/
http://www.softiesonrails.com/
http://nubyonrails.com/
http://www.rubyinside.com/
http://www.height1percent.com/
http://www.straw-dogs.co.uk/blog/

Handy Ruby Framework for scripting


SimpleConsole - Building Console Apps

Interesting looking idea. I know that a lot of the work I do tends to revolve around writing little command-line scripts, so anything that helps with that can only be a good thing.

Learn something new... every 30 minutes


Re: (newbie) Why doesn't this line work?

Every time I work on my app, I feel like I learn something new about every 30 minutes...

This time it was that the :confirm parameter on link_to (which pops up a confirmation box when you click a link) is an HTML option and thus needs syntax like:

<%= link_to "delete", {:action => 'delete', :id => @item.id}, {:confirm => 'Are you sure?'} %>


About this Archive

This page is an archive of recent entries in the Ruby On Rails category.
