Overall Rails has a really decent security story nowadays. If you follow the guide and use bundler-audit to verify your bundle against a CVE database you're off to a great start.
Apart from that, the OWASP Top 10 are not specific to a particular framework, so you should always keep an eye out for them. While it's a bit outdated in parts, there's an OWASP Ruby on Rails Cheatsheet which I recommend reading.
We have a Rails template we start all our client work from, so I use that to enforce certain things so people can't just forget about them. For example ApplicationController has before_action :authenticate_user! to enforce Pundit, so people need to explicitly opt out for the actions where they really don't need it. At least it makes them stop and think for a bit ("Do I really NOT need to authenticate this?") which IMHO is good.
I also encourage making Brakeman a part of your Rails development workflow, either via CI or locally. Static security analysis is not the easiest in a language as dynamic as Ruby, but Brakeman does a good job.
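The "deny by default, opt out explicitly" controller pattern the comment above describes, as an added example that is not the commenter's template and not Rails, Devise or Pundit code. To run without the rails gem, the small `Base` class below re-implements only the `before_action` / `skip_before_action` / `after_action` semantics the pattern depends on; `PostPolicy`, `PostsController`, `ReportsController`, the `dispatch` helper and the sample record are all constructed for this illustration. It keeps authentication (`authenticate_user!`) and authorization (a Pundit-style `verify_authorized` after-filter) as two separate checks, so a public action still has to name a policy.

```ruby
# Plain-Ruby model of the "deny by default, opt out explicitly" pattern.
# Added illustration only: NOT Rails, Devise or Pundit code. Base re-implements
# just enough filter-chain behaviour to run stand-alone; PostPolicy, the
# controllers, dispatch and SAMPLE_POST are constructed for the example.

class Unauthenticated < StandardError; end           # Devise would redirect to sign-in
class NotAuthorized < StandardError; end             # stand-in for Pundit::NotAuthorizedError
class AuthorizationNotPerformed < StandardError; end # stand-in for Pundit::AuthorizationNotPerformedError

class Base
  class << self
    # Each class works on its own copy of the parent's filters, so narrowing
    # or dropping one in a subclass never affects sibling controllers.
    def filters
      @filters ||= superclass.respond_to?(:filters) ? superclass.filters.map(&:dup) : []
    end

    def before_action(name)
      filters << { kind: :before, name: name, except: [] }
    end

    def after_action(name)
      filters << { kind: :after, name: name, except: [] }
    end

    # The opt-out must be written down; `only:` keeps it scoped per action.
    def skip_before_action(name, only: nil)
      f = filters.find { |h| h[:kind] == :before && h[:name] == name }
      raise ArgumentError, "#{name} is not a before_action here" unless f
      if only
        f[:except] = f[:except] + Array(only)
      else
        filters.delete(f)
      end
    end
  end

  attr_reader :current_user

  def initialize(current_user: nil)
    @current_user = current_user
    @authorized = false
  end

  # Rails-style dispatch: before filters, the action, then after filters.
  def process(action)
    run(:before, action)
    result = public_send(action)
    run(:after, action)
    result
  end

  private

  def run(kind, action)
    self.class.filters.each do |f|
      next unless f[:kind] == kind && !f[:except].include?(action)
      send(f[:name])
    end
  end
end

# Pundit-style policy object: the rules live here, not in the controller.
class PostPolicy
  def initialize(user, post)
    @user = user
    @post = post
  end

  def show?
    true                                   # anyone may read
  end

  def destroy?
    !@user.nil? && @user[:admin] == true   # only admins may delete
  end
end

class ApplicationController < Base
  before_action :authenticate_user!   # every action authenticates unless it opts out
  after_action :verify_authorized     # every action must have consulted a policy

  private

  def authenticate_user!
    raise Unauthenticated, "sign in required" unless current_user
  end

  def authorize(record, query)
    raise NotAuthorized, query.to_s unless PostPolicy.new(current_user, record).public_send(query)
    @authorized = true
    record
  end

  def verify_authorized
    raise AuthorizationNotPerformed, "no authorize call in #{self.class}" unless @authorized
  end
end

SAMPLE_POST = { id: 1, title: "hello" }.freeze  # constructed sample record

class PostsController < ApplicationController
  # Reading is public, so the opt-out is explicit and limited to :show.
  skip_before_action :authenticate_user!, only: [:show]

  def show
    authorize(SAMPLE_POST, :show?)   # public, but still goes through the policy
  end

  def destroy
    authorize(SAMPLE_POST, :destroy?)
    :destroyed
  end
end

# A controller whose author forgot Pundit entirely; the after filter catches it.
class ReportsController < ApplicationController
  def index
    :report
  end
end

# Runs one request and reports the outcome as a symbol (:ok or the error class).
def dispatch(controller, action, user)
  controller.new(current_user: user).process(action)
  :ok
rescue Unauthenticated, NotAuthorized, AuthorizationNotPerformed => e
  e.class.name.to_sym
end
```

`dispatch(PostsController, :show, nil)` returns `:ok` while `dispatch(ReportsController, :index, { admin: true })` returns `:AuthorizationNotPerformed`, which is the property worth having in CI: an action that nobody wired up to a policy fails loudly instead of shipping open.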