DEV Community


Discussion on: I'm a Rubyist for ~15 years and CTO of a Rails consultancy, Ask Me Anything!

Ben Halpern

What are the biggest security concerns in a typical Rails app?

Michael Kohl (Edited)

Overall Rails has a really decent security story nowadays. If you follow the guide and use bundler-audit to verify your bundle against a CVE database you're off to a great start.

Apart from that, the OWASP Top 10 are not specific to a particular framework, so you should always keep an eye out for them. While it's a bit outdated in parts, there's an OWASP Ruby on Rails Cheatsheet which I recommend reading.

We have a Rails template we start all our client work from, so I use that to enforce certain things so people can't just forget about them. For example ApplicationController has before_action :authenticate_user! to enforce Pundit, so people need to explicitly opt out for the actions where they really don't need it. At least it makes them stop and think for a bit ("Do I really NOT need to authenticate this?") which IMHO is good.

I also encourage making Brakeman a part of your Rails development workflow, either via CI or locally. Static security analysis is not the easiest in a language as dynamic as Ruby, but Brakeman does a good job.
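The "deny by default, opt out explicitly" pattern described in the answer above (a `before_action` on `ApplicationController` that every subclass inherits, with `skip_before_action` as the deliberate exception), as an added stand-alone example that is not part of the original post or of the consultancy's template. It models the callback mechanics in plain Ruby instead of Rails so it runs without a Rails app; `BaseController`, `PublicPagesController`, `ReportsController`, `dispatch` and the user values are constructed for the illustration.

```ruby
# Added example (not from the original post): a minimal model of Rails-style
# controller callbacks, showing why putting authenticate_user! on the base
# controller makes every new action authenticated unless someone explicitly
# opts out. Class names and users below are constructed for the example.

class NotAuthenticated < StandardError; end

class BaseController
  # Callbacks and skips are stored per class; a subclass starts with a copy
  # of its parent's lists, which is what makes the base-class rule inherited.
  def self.callbacks
    @callbacks ||= superclass.respond_to?(:callbacks) ? superclass.callbacks.map(&:dup) : []
  end

  def self.skips
    @skips ||= superclass.respond_to?(:skips) ? superclass.skips.map(&:dup) : []
  end

  # before_action :name, only: [:a, :b]  (only: nil means every action)
  def self.before_action(name, only: nil)
    callbacks << { name: name, only: only && Array(only).map(&:to_sym) }
  end

  # skip_before_action :name, only: :landing  (the explicit opt-out)
  def self.skip_before_action(name, only: nil)
    skips << { name: name, only: only && Array(only).map(&:to_sym) }
  end

  def initialize(current_user)
    @current_user = current_user # nil models an anonymous request
  end

  # Runs the applicable callbacks, then the action itself.
  def process(action)
    action = action.to_sym
    self.class.callbacks.each do |cb|
      next if cb[:only] && !cb[:only].include?(action)
      skipped = self.class.skips.any? do |s|
        s[:name] == cb[:name] && (s[:only].nil? || s[:only].include?(action))
      end
      next if skipped
      send(cb[:name])
    end
    send(action)
  end

  private

  def authenticate_user!
    raise NotAuthenticated, "sign in required for #{self.class}##{action_name_placeholder}" if @current_user.nil?
  end

  def action_name_placeholder
    "action" # constructed stand-in; Rails would expose the real action name
  end
end

class ApplicationController < BaseController
  # Deny by default: every action in every subclass requires a signed-in user.
  before_action :authenticate_user!
end

class PublicPagesController < ApplicationController
  # Explicit opt-out, limited to the one action that really is public.
  skip_before_action :authenticate_user!, only: :landing

  def landing
    "landing page"
  end

  def account
    "account for #{@current_user}"
  end
end

class ReportsController < ApplicationController
  # No opt-out here, so the inherited check applies without anyone remembering it.
  def index
    "reports for #{@current_user}"
  end
end

# Dispatch helper that turns the raised error into a 401-style result string.
def dispatch(controller_class, action, user)
  controller_class.new(user).process(action)
rescue NotAuthenticated => e
  "401: #{e.message}"
end

if __FILE__ == $PROGRAM_NAME
  puts dispatch(PublicPagesController, :landing, nil)   # public, no user needed
  puts dispatch(PublicPagesController, :account, nil)   # 401
  puts dispatch(ReportsController, :index, nil)         # 401, nobody opted out
  puts dispatch(ReportsController, :index, "alice")     # reports for alice
end
```

The point the model makes visible is the failure mode the pattern prevents: a forgotten check on `ReportsController` would, with an opt-in design, silently expose the action, whereas here forgetting it yields a 401, and the only way to make an action public is the `skip_before_action` line that a reviewer can grep for.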