7 January 2022

Beyond the usual Rails : security checks

Thomas Riboulet

Lead consultant

This article is aimed at software engineers working with RubyOnRails applications. You don’t have to be a senior to make use of this.

What ever the service one thing we don’t want to see is a security issue with our code. The RoR ecosystem has a few good ways to help us avoid that.

Just like the coding style this should not be checked by hand, instead the CI pipeline should tell you how things are doing and raise warning or block itself if something is wrong.

First : the dependencies

Dependencies are a kind of hell on their own : it’s easy to overlook them but they tend to come hit us in the back when we don’t expect.

As Bundler is handling our dependencies we can actually use it to tell us if there are dependencies that need updating. Running `bundle outdated` in a RoR code base will tell us if there are gems that need updating.

This is really something that should be done by any team for any Ruby application. There are also commercial solutions out there (dependabot for one).

Second : the rails application itself

The logical next step is to check what we are doing wrong in our application. RoR applications can be analyzed to find flaws in them. A tool to do that is Brakeman (https://brakemanscanner.org). Specialised in RoR applications it allows to find and flag vulnerabilities in any of them.

It can be used by hand in a terminal or through a CI pipeline with a report generated in HTML.

That is an easy way to prevent many issues within any RoR application. While it is not perfect it’s a great start and allows to keep your team directly aware of the quality of their work on the security level.

And there is also a great guide among the official Rails' guides about security in a Rails app. Packed with a lot of great information on different parts of a Rails app it's a must read.

Fourth : bug bounties and challenges

Several companies out there allow you to setup bug bounties (private and public ones) and hacking challenges to have specific researcher test the security of your application and provide you with a report of their findings.

This is a great way to go to complement the use of Brakeman for example, when you have the money for it and when the stakes are getting big for your product.

Let us help

We have helped several teams on those aspects : improving their CI pipeline to include security checks and go through bug bounty programs with companies such as HackerOne and Yogosha. We can help your team organise the bug bounty, review the reports, triage the work and then implement any change required with your team.

Contact us, let’s see what we can do together.

A RubyOnRails consultancy based in the EU, we build your applications and services all over the world !

Contact

contact+rails@imfiny.com

© 2021. All rights reserved.