<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: YevhenKuzminov</title>
    <description>The latest articles on DEV Community by YevhenKuzminov (@yevhenkuzminov).</description>
    <link>https://dev.to/yevhenkuzminov</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F967940%2F30479961-cfc2-4ee3-ae17-87d0253d4398.jpg</url>
      <title>DEV Community: YevhenKuzminov</title>
      <link>https://dev.to/yevhenkuzminov</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/yevhenkuzminov"/>
    <language>en</language>
    <item>
      <title>How to Ensure RoR-based App Security Using Best Coding Practices</title>
      <dc:creator>YevhenKuzminov</dc:creator>
      <pubDate>Mon, 07 Aug 2023 14:08:28 +0000</pubDate>
      <link>https://dev.to/yevhenkuzminov/how-to-ensure-ror-based-app-security-using-best-coding-practices-a41</link>
      <guid>https://dev.to/yevhenkuzminov/how-to-ensure-ror-based-app-security-using-best-coding-practices-a41</guid>
      <description>&lt;p&gt;As you plan the roadmap for your web project, resistance to security threats should be at the top of your priorities. Whether you’re upgrading your existing Ruby on Rails app or creating a new one, your motivations are guided by customer trust and government regulations. &lt;/p&gt;

&lt;p&gt;Here, I want to delve into the best coding practices that can help you protect your app from an ever-growing list of threats. &lt;/p&gt;

&lt;h2&gt;
  
  
  Built-in Security Features of Ruby on Rails
&lt;/h2&gt;

&lt;p&gt;It’s important to know your enemy, but it’s just as important to know yourself and your own capabilities. There are a number of &lt;a href="https://mobidev.biz/blog/ruby-on-rails-security-guide-protecting-your-business-and-customer-data"&gt;built-in security features&lt;/a&gt; of Ruby on Rails that can help you mitigate those threats and protect your web applications. &lt;/p&gt;

&lt;p&gt;Let’s dive deeper into the key built-in security features of Ruby on Rails.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;h3&gt;
  
  
  Protection Against Cross-Site Scripting (XSS)
&lt;/h3&gt;

&lt;p&gt;Cross-Site Scripting (XSS) is an attack vector where a malicious actor can inject scripts into web pages viewed by other users. To protect against XSS, Ruby on Rails automatically escapes user-generated content. When data is rendered in views, Ruby on Rails encodes it to ensure that potentially malicious scripts are displayed as plain text, preventing the attack from doing any harm.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;h3&gt;
  
  
  Prevention of Cross-Site Request Forgery (CSRF)
&lt;/h3&gt;

&lt;p&gt;Cross-Site Request Forgery (CSRF) is a technique where an attacker exploits the trust between a web application and its users: the attacker tricks users into performing unintended actions on their behalf. To mitigate CSRF, Ruby on Rails generates authenticity tokens that are included in forms and AJAX requests. Ruby on Rails then verifies the authenticity of each form submission or AJAX request using the token, which allows the framework to reject forged requests that attackers could otherwise exploit. &lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;h3&gt;
  
  
  Guarding Against SQL Injection Attacks
&lt;/h3&gt;

&lt;p&gt;An &lt;a href="https://dev.to/nicholasdill/a-complete-guide-on-how-sql-injection-attacks-work-45e"&gt;SQL injection&lt;/a&gt; attack puts your application’s database at risk. Attackers achieve this by inserting malicious SQL statements into input fields, allowing them to manipulate and access the database. To prevent these attacks, Ruby on Rails utilizes parameterized queries. This passes the parameters provided by the user separately from the SQL statement and ensures that the user input is treated as data rather than executable code. &lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;h3&gt;
  
  
  Secure Session Management &amp;amp; Cookie Handling
&lt;/h3&gt;

&lt;p&gt;To secure user sessions by default, Ruby on Rails stores session data in an encrypted cookie, so nobody on the client side can read it. As an additional measure, signed cookies can be used to store non-secret but tamper-proof data on the client. Ruby on Rails also sets the httponly flag on its cookies, which prevents client-side scripts from accessing them and protects them against theft through XSS attacks. &lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;h3&gt;
  
  
  Password Encryption
&lt;/h3&gt;

&lt;p&gt;Ruby on Rails also protects stored passwords using bcrypt, a widely recognized and robust password hashing algorithm. bcrypt salts and hashes each password with a deliberately slow function, which makes it much more expensive and time-consuming for attackers to crack the stored hashes. &lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;h3&gt;
  
  
  HTTP Security Headers
&lt;/h3&gt;

&lt;p&gt;Ruby on Rails provides reasonable default values for response security headers, which browsers use to limit possible injections and malicious use of your website; for example, the defaults disallow embedding the site in an iframe. Additionally, a restrictive Content-Security-Policy header can be conveniently configured to prevent almost all possibilities of XSS attacks.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;h3&gt;
  
  
  Encrypted credentials
&lt;/h3&gt;

&lt;p&gt;Modern web applications contain a lot of external integrations, and most of them require secret credentials, access keys, cryptographic keys, etc. Ruby on Rails provides a built-in mechanism to manage these secrets in encrypted files that the app can easily read at runtime. This reduces the risk of key leaks through plain-text transfer and storage, and it also makes it easier to synchronize this sensitive data between all of the project's developers.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  Secure Coding Practices in Ruby on Rails
&lt;/h2&gt;

&lt;p&gt;Although Ruby on Rails has a number of built-in security technologies, it’s still the responsibility of developers to understand and address additional security concerns. These may be specific to your application or beyond the scope of the default security tools provided in RoR. To protect your application, your business, and your customers, secure coding practices are needed. &lt;/p&gt;

&lt;p&gt;I recommend following official &lt;a href="https://guides.rubyonrails.org/security.html"&gt;Ruby on Rails security guidelines&lt;/a&gt;. At the company I work for, we combine these guidelines with our own experience to solve complex security problems more efficiently. Let’s go over some secure coding practices in more detail.&lt;/p&gt;

&lt;h3&gt;
  
  
  Input Validation and Sanitization
&lt;/h3&gt;

&lt;p&gt;Although Ruby on Rails has built-in protections against XSS attacks and SQL injection, proper input validation at the development level is still important. You should validate and sanitize all user-provided data. This may include form inputs, query parameters, and URL components. This will protect your application from data and input manipulation. &lt;/p&gt;

&lt;h3&gt;
  
  
  Authentication and Authorization
&lt;/h3&gt;

&lt;p&gt;As in all applications, authentication and authorization are essential for controlling access to sensitive resources within your application. &lt;a href="https://github.com/heartcombo/devise"&gt;Devise&lt;/a&gt; is a comprehensive authentication framework for Ruby on Rails that simplifies the implementation of user authentication features. With Devise, your projects can have secure password storage, password reset functionality, and account lockouts to protect against brute-force attacks. &lt;/p&gt;

&lt;p&gt;In addition to authentication, you should pay attention to proper authorization mechanisms. For example, role-based access control (RBAC) or attribute-based access control (ABAC) ensure that users have the appropriate permissions to access specific resources and actions. &lt;/p&gt;

&lt;h3&gt;
  
  
  Regular Updates and Patching
&lt;/h3&gt;

&lt;p&gt;Ruby on Rails is regularly being patched and updated. If your application falls behind on these updates, you may be putting your application at risk. It’s important to regularly update the framework and its dependencies to ensure security for RoR applications. This includes &lt;a href="https://mobidev.biz/blog/ruby-on-rails-not-dead-still-good-for-your-product-development"&gt;updating Ruby on Rails&lt;/a&gt;, as well as other gems and libraries used within the application. &lt;/p&gt;

&lt;h3&gt;
  
  
  Session Management and Cookie Security
&lt;/h3&gt;

&lt;p&gt;By default, Ruby on Rails already provides session management functionality. However, you should ensure that session data is stored securely on the server side instead of being stored in client-side cookies. This will reduce the risk of user data exposure and tampering.&lt;/p&gt;

&lt;h3&gt;
  
  
  Secure Password Handling
&lt;/h3&gt;

&lt;p&gt;When storing user passwords, you must ensure the passwords are salted and hashed using bcrypt with a unique salt for each user. This makes it far more difficult for hackers to crack hashed passwords, even if the hashed password database is compromised. Even if they manage to crack one password, the unique salt makes it much harder for them to perform the task at scale. &lt;/p&gt;

&lt;h3&gt;
  
  
  Secure Data Handling
&lt;/h3&gt;

&lt;p&gt;Personally Identifiable Information (PII), financial information, and other sensitive data must be handled with care. Encrypting this information both in transit and at rest is a great first step to implement in your application. This includes using HTTPS for secure communication and encrypting data at the database level via the built-in Active Record Encryption functionality. Encryption keys should be securely managed, and access to sensitive data should be restricted to authorized personnel. &lt;/p&gt;

&lt;h3&gt;
  
  
  Protection Against Cross-Site Scripting
&lt;/h3&gt;

&lt;p&gt;Although Ruby on Rails already protects against XSS attacks by automatically escaping user-generated content, developers still need to be on their toes. Understand the different types of XSS attacks and apply appropriate countermeasures. You should be aware of the contexts where user input is displayed and use proper sanitization techniques for each context to prevent unintended script execution. &lt;/p&gt;

&lt;h3&gt;
  
  
  Security Testing
&lt;/h3&gt;

&lt;p&gt;One of the best ways to test your application’s security is to employ security assessments, penetration testing, and vulnerability scanning. By identifying potential weaknesses early on, you can better safeguard your application against threat actors. Automated testing with tools such as Brakeman can be used to perform static code analysis and detect common security vulnerabilities. &lt;/p&gt;

&lt;p&gt;Often when we &lt;a href="https://mobidev.biz/blog/legacy-application-modernization-approaches-strategy-case-studies"&gt;modernize applications&lt;/a&gt; or make significant changes, these changes can introduce new vulnerabilities that bad actors can exploit. Because of this, it’s always advisable to conduct security assessments during development and after these changes are implemented. &lt;/p&gt;

&lt;p&gt;Additionally, practicing thorough code reviews and security audits throughout the development process will identify security flaws that may have otherwise been missed by developers or automated tools. &lt;/p&gt;

&lt;h2&gt;
  
  
  Wrapping Up
&lt;/h2&gt;

&lt;p&gt;Although Ruby on Rails is a robust framework with security-focused features, developers still need to be on their toes and apply secure coding practices to best protect their product. This includes leveraging security-focused gems, securing APIs, and following other best approaches for deployment and maintenance. By doing so, they can better protect their applications and valuable data, improving trust with customers and shareholders. &lt;/p&gt;

&lt;p&gt;Feel free to contact me if you have any questions or drop a comment below. &lt;/p&gt;

</description>
      <category>coding</category>
      <category>ruby</category>
      <category>security</category>
      <category>webdev</category>
    </item>
    <item>
      <title>Cryptocurrency Exchange &amp; Trading Platform Development Guide</title>
      <dc:creator>YevhenKuzminov</dc:creator>
      <pubDate>Mon, 07 Nov 2022 22:00:00 +0000</pubDate>
      <link>https://dev.to/yevhenkuzminov/cryptocurrency-exchange-trading-platform-development-guide-5b9c</link>
      <guid>https://dev.to/yevhenkuzminov/cryptocurrency-exchange-trading-platform-development-guide-5b9c</guid>
      <description>&lt;p&gt;While all other industries witnessed a severe slowdown in their growth, the fintech sector experienced a boom during the pandemic, enjoying massive investment and increasing adoption of its services. However, not all fintech businesses survive — while there are already 473 fintech unicorns globally, according to ABN Amro Ventures, many promising startups are doomed to failure. How to make a cryptocurrency exchange app that will have the edge over competitors and meet the needs of clients? For many business founders, it might be challenging to create a universal step-by-step plan and start their own crypto development journey.&lt;/p&gt;

&lt;p&gt;Having vast experience with creating fintech software solutions, MobiDev team has prepared this ultimate guide to help fintech enthusiasts avoid common pitfalls when creating their own cryptocurrency exchange platform. &lt;/p&gt;

&lt;h2&gt;
  
  
  Cryptocurrency Exchange Trends and Statistics
&lt;/h2&gt;

&lt;p&gt;Before diving into the amazing world of crypto trading and answering the question of how to create a crypto trading platform, let’s check some crypto market statistics.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--u1SvnOy4--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/b9fkzdjgl09wsui6zktf.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--u1SvnOy4--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/b9fkzdjgl09wsui6zktf.png" alt="Crypto Market Statistics" width="880" height="521"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  How to Build a Cryptocurrency Exchange Platform
&lt;/h2&gt;

&lt;p&gt;Creating a cryptocurrency platform or crypto app can be a challenging but rewarding task. By considering the key aspects needed within a crypto platform, you can ensure that your product is a convenient and seamless waypoint for your customers to access cryptocurrency.&lt;/p&gt;

&lt;h3&gt;
  
  
  Step 1. Choose a Platform Type
&lt;/h3&gt;

&lt;p&gt;There are various types of crypto trading and exchange platforms to meet customers’ demands.&lt;/p&gt;

&lt;p&gt;TYPES OF CRYPTO TRADING APPS&lt;/p&gt;

&lt;p&gt;The main types of crypto trading apps are the following:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Crypto apps that offer customers an opportunity to buy, sell or exchange cryptocurrency in a few clicks. The rates are fixed, and can’t be changed or chosen by customers. An example of such a crypto app is Coinbase. &lt;/li&gt;
&lt;li&gt;Crypto apps and platforms that focus on crypto trading per se, in the sense of taking financial profits on the price fluctuations of cryptocurrencies against the dollar (in crypto/dollar pairs) or against another crypto, or via crypto-to-crypto pairs. Such crypto trading is available, for example, on Binance.&lt;/li&gt;
&lt;li&gt;Platforms that offer mixed assets (stocks and crypto) and allow the creation of new trading pairs, like eToro. &lt;/li&gt;
&lt;li&gt;Investment apps and platforms focused on investment purposes, which usually means getting larger returns over an extended period through buying and holding assets.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;As the crypto app and platform market continues to develop and customers’ demands continue to increase, most crypto software combines various types to satisfy the clients. &lt;/p&gt;

&lt;p&gt;TYPES OF CRYPTOCURRENCY EXCHANGES&lt;/p&gt;

&lt;p&gt;In principle, cryptocurrency exchanges are broadly distinguished as either centralized exchanges (CEXes) or decentralized exchanges (DEXes). &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Centralized cryptocurrency exchanges&lt;/strong&gt; work similarly to stock exchanges. The buyers and sellers are brought together while the platform plays the role of a middle-man. In other words, “centralized” means that someone has the authority to manage a network of transactions.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Decentralized cryptocurrency exchanges&lt;/strong&gt; aim to follow the fundamental principle behind the cryptocurrency industry. A DEX does not rely on a middleman to operate and manage transactions. It  works as a marketplace where buyers and sellers come together and trade crypto directly with one another.&lt;/p&gt;

&lt;p&gt;Before deciding to create a cryptocurrency trading platform, take a look at this quick comparison of the two types. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--8cap7RgU--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/hqj5t7i0t2onj3tqq02q.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--8cap7RgU--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/hqj5t7i0t2onj3tqq02q.png" alt="Comparison of Centralized and Decentralized Exchange" width="880" height="260"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The main advantages of centralized platforms are the availability of fiat currencies and the lack of liquidity problems. It is the most common and popular type of crypto platform, so we will focus on crypto trading app development, in general, and take a look at creating a CEX exchange in detail.&lt;/p&gt;

&lt;h2&gt;
  
  
  Step 2. Build Essential Crypto Trading App Features
&lt;/h2&gt;

&lt;p&gt;Cryptocurrency exchange app development is a complex thing, however, from the very beginning, you need to start thinking about how the crypto trading experience of your future customers will be improved. Once you decide to build a crypto trading platform, define how exactly it will attract clients. While it’s always a good idea to add any nice-to-have features, some key features are must-haves. &lt;/p&gt;

&lt;h3&gt;
  
  
  1. USER AUTHORIZATION AND VERIFICATION
&lt;/h3&gt;

&lt;p&gt;User authorization and verification are where everything starts. The main factors that determine the quality of this feature are &lt;strong&gt;simplicity, reliability, and security&lt;/strong&gt;. &lt;/p&gt;

&lt;p&gt;It’s possible to build multi-factor authentication from scratch or use third-party services to ensure high standards of security for customers. Both options have their advantages and disadvantages. Building the authentication module for a crypto exchange app from scratch allows you to utilize unique authentication schemas, control all the functionality, and roll out authentication features gradually. Choosing a third-party service can be much simpler, as those solutions are already feature-packed, tested, and robust. However, this approach is expensive — such services are usually billed on a per-user basis, meaning the cost will rise significantly once the product has more active users.&lt;/p&gt;

&lt;p&gt;Adopting a third-party solution seems to be a good option for the first stages of cryptocurrency app development. While the number of users isn’t very large, this approach is still affordable, and at the same time you get a best-in-class authentication service from the very beginning. One example of such a third-party solution is Auth0. This service offers a full suite of features including two-factor authentication, passwordless authentication, social network authentication, and advanced session control, while each of these components alone typically takes at least a couple of weeks to develop, test, and roll out into production.&lt;/p&gt;

&lt;p&gt;When it comes to verification, you need to ensure the reliability of your cryptocurrency platform with a well-designed KYC (Know Your Customer) procedure. While it could be against the original principle of anonymity in cryptocurrency transactions, most crypto apps use KYC to guarantee trustworthiness and attract more customers. It’s possible to verify the documents submitted by the new users manually or you can use third-party services (for example, Sumsub, Trulioo, or Veriff for KYC). However, a more advanced option like building a verification module from scratch with an identification procedure using databases (PEP, sanction lists, etc.) is also available. &lt;/p&gt;

&lt;p&gt;For early-stage startups with no validated business idea and a small team, it is better to automate routine processes as much as possible, so using third-party services for ID verification and screening can be the most suitable option. Creating a KYC system from scratch is reasonable only if you opt for manual verification, meaning you need to hire someone who will review the documents and photos and compare them to the information in databases. &lt;/p&gt;

&lt;p&gt;Building an automated verification module requires developing complicated AI/ML systems, implementing international ID format support, and so on, which is not a budget and time-friendly option for a startup. Integrating a third-party solution can take only one or two weeks and the price could be affordable, especially for a startup with a small customer base. On the other hand, creating custom modules should be put into the roadmap as an option. This is all to say, any AI feature should be planned at early stages in terms of gathering relevant data.&lt;/p&gt;

&lt;h3&gt;
  
  
  2. MATCHING ENGINE
&lt;/h3&gt;

&lt;p&gt;The trading engine is responsible for the main functionality of any crypto trading app. The main factors that determine the quality of this feature are &lt;strong&gt;reliability&lt;/strong&gt; and &lt;strong&gt;speed&lt;/strong&gt;. In a nutshell, the feature includes:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Managing the order book (the list of orders that a trading venue uses to record the interest of buyers and sellers)&lt;/li&gt;
&lt;li&gt;Matching transactions &lt;/li&gt;
&lt;li&gt;Executing exchange on account balances&lt;/li&gt;
&lt;li&gt;Access to order history&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;From the development point of view, the matching engine is one of the most complex components of a cryptocurrency trading platform, and it is usually the place where most “know-how” secrets are kept. Just one example — a good trading engine should be capable of executing 100 000+ orders per second on average. &lt;/p&gt;

&lt;p&gt;Depending on your goals, creating your own matching engine may or may not be necessary. If you consider the trading engine your main system feature and want to stand out from the competitors by providing the fastest transactions, writing a matching engine from scratch is for you. At the same time, if it is not your most critical feature and the order execution speed can be compromised, a ready-to-use solution, like OpenDAX, can be used. &lt;/p&gt;

&lt;p&gt;OpenDAX is a hybrid open-source software consisting of public and private libraries, designed to build a fully-featured exchange service. It’s one of the most sophisticated products that can be purchased as a feature-rich solution that offers different pluggable components, with basic and ultra-high performance, and various pricing options corresponding to your desired level of performance.&lt;/p&gt;

&lt;p&gt;The complexity of the trading engine depends on the supported order types. Usually, there are at least two order types:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Market order (buy NOW with the lowest possible price/sell with the highest possible price at the moment, matching the closest corresponding order in the order book)&lt;/li&gt;
&lt;li&gt;Limit order (buy/sell X amount of currency when the price crosses some threshold value Y, so execution is delayed in time until the requirements are met)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;There are other order types, for example, stop-limit orders that allow users to buy/sell as much as possible when the price crosses X, but stop when the price goes higher/lower than Y. The more advanced the order types that are planned to be implemented, the more complex the trading engine will be. &lt;/p&gt;

&lt;h3&gt;
  
  
  3. CRYPTO WALLET
&lt;/h3&gt;

&lt;p&gt;Another essential feature of your crypto exchange is a crypto wallet. You can create and customize this feature to offer the clients the best user experience including convenient payment gateways and multi-cryptocurrency functionality while maintaining high-security standards.&lt;/p&gt;

&lt;p&gt;The process of withdrawing funds is risky as it is actually the way to get funds out of your platform, and a lot of precautions and checks should be completed to prevent thefts. One of the ways to do this is to implement manual approval for withdrawals (at least to stop hackers from taking significant amounts of money quickly). Usually, a risk diversification approach is applied — a small amount of crypto can be withdrawn automatically, and fast, but larger amounts require some automated reputation checks (success history/rating/KYC/KYT and others).&lt;/p&gt;

&lt;p&gt;A crypto wallet is actually a crypto address that is assigned to a user, where deposits are made. Also, while users interact with designated “per user” addresses, the whole exchange platform makes regular reconciliation to “one big platform’s wallet” — as it needs to operate with the whole amount of crypto deposited on the platform. These “big pots of crypto” are the biggest security risk. &lt;/p&gt;

&lt;p&gt;In this regard, crypto wallets are a lucrative target for hackers: for example, in 2020, according to Atlasvpn, criminals launched 27 successful attacks aimed at crypto wallets, netting $3.03 billion or around $112.12 million per hack. That’s why different “staged” funds storage schemes are being invented here. It’s wise not to store all your funds in one wallet, but instead to use at least 3 storage types: &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;A hot wallet&lt;/strong&gt; — a private key stored on the server, which is potentially vulnerable, but the wallet isn’t intended to keep many funds in it. All operations are fully automated, and when a threshold (low/high) is reached, the wallet is reconciled with “warm” wallets&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;A warm wallet&lt;/strong&gt; — a private key stored in another server/system, secured separately (with a gap from the hot wallet system), and used to store more crypto. It isn’t used to interact with end users directly, but only to top up/reconcile crypto from a hot wallet (collect excess funds or add more funds if the hot wallet is almost empty)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;A cold wallet&lt;/strong&gt; — a private key is not stored on the server, but on a special computer that is not connected to the Internet. The majority of crypto on the platform is kept in this wallet. It is used only manually by authorized persons on “air-gapped/non-connected to the Internet” computers. &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;For your crypto exchange app, you can build your own wallet from scratch or integrate third-party wallets. &lt;/p&gt;

&lt;p&gt;Typically, hot and warm wallets are built by fintech startups on their own — the whole process takes from several weeks up to a couple of months. Still, the customized solution allows you to have full flexibility and control. From an engineering standpoint, it requires only general crypto app development knowledge (however, a lot depends on the number of cryptocurrencies you want to support from the very beginning). &lt;/p&gt;

&lt;p&gt;Third-party wallet services have their advantages and disadvantages. On the one hand, such solutions can be integrated into your crypto trading app really quickly. They offer a high level of stability and reliability in the early stages (compared to homegrown solutions). On the other hand, they come with high fees (that can put the startup’s profitability in question), and can’t offer a predictable speed of processing. After all, relying on a third-party solution in your major business flow might not be the best option for you. &lt;/p&gt;

&lt;p&gt;When it comes to cold wallets, cooperating with a third-party vendor can be more useful, as making really reliable and verifiable cold storage is a complicated task for an early-stage startup. Ideally, it requires multiple persons to be involved (to avoid the possibility of one of the stakeholders stealing all the funds), “air-gapped” infrastructure, reliable hardware, and actually safe physical storage to store that hardware. Examples of such products are solutions from Fireblocks, Knox, and BitGo. All these services are somewhat alike but provide feature sets that are more suitable for a particular case. Therefore, choosing a third-party cold wallet provider is always a matter of picky selection.&lt;/p&gt;

&lt;h3&gt;
  
  
  4. MARKET AND LIQUIDITY PROVIDERS INTEGRATION
&lt;/h3&gt;

&lt;p&gt;The success of your cryptocurrency exchange platform will greatly depend on liquidity: how soon can an exchange happen. Customers will always choose an exchange with good liquidity that can offer a high speed of transactions.&lt;/p&gt;

&lt;p&gt;There are several options you can choose from: &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Using your own trading bots as market makers (the exchange uses its own crypto and bots to place exchange orders, literally “imitating” that there are some “active trades”; these bots are inactive when there are enough real users’ orders)&lt;/li&gt;
&lt;li&gt;Connecting to other large exchanges, getting their order books in real time and simulating a similar order book in your exchange (and adding a small “fee” to prices to make it profitable for you); on every trade in your exchange, you need to do a “buy out” of the same trade on the external exchange&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;As you are unlikely to have enough trading volume to provide instant sale/exchange of cryptocurrency, the second option, connecting to an external liquidity pool to satisfy customers’ needs, can be a smart move. There are existing crypto exchanges like Kraken, Binance, and Gemini that give access to their markets. For example, we chose to build an integration with Kraken playing the role of a liquidity provider for one of our projects due to the strict budget and timeline requirements.&lt;/p&gt;

&lt;p&gt;The utilization of third-party liquidity providers allows fintech business founders to launch the product quickly and get trading pairs from the very beginning of the product’s life. New customers will have an engaging market and trading experience from the first second. However, in this case, your platform won’t make a lot of profit and you will offer prices that are a bit higher (or at least no less) than your competitors’ ones. As an alternative approach — you can opt for developing and utilizing the aforementioned market-making bots, but it’s a difficult process. It requires both specific development experience and business knowledge to create and arrange them correctly.&lt;/p&gt;

&lt;h3&gt;
  
  
  5. USER INTERFACE
&lt;/h3&gt;

&lt;p&gt;People like apps that are simple to use and make their lives easier. Make sure your crypto trading application has a simple and attractive interface that helps to deal with the most difficult aspects of crypto trading. The main factors that determine the quality of this feature are &lt;strong&gt;simplicity, convenience, speed, and engagement&lt;/strong&gt;. What does this mean in practice? &lt;/p&gt;

&lt;p&gt;Your crypto trading app should have:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;An interface that helps to execute the transactions efficiently, minimizing the trading time&lt;/li&gt;
&lt;li&gt;A dashboard with quick access to the most important features&lt;/li&gt;
&lt;li&gt;Seamless deposits and withdrawals&lt;/li&gt;
&lt;li&gt;Technical support options in case of any problems&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;One of the crucial parts of a good interface is visualization. Your customers will probably want data and convenient charts that show price fluctuations, various technical analysis indicators, and detailed stats about selected markets or assets.&lt;/p&gt;

&lt;h2&gt;
  
  
  Step 3. Add Good-to-Have Crypto Exchange Features
&lt;/h2&gt;

&lt;p&gt;In most cases, just basic features aren’t enough to create the perfect user experience. Here is a list of functions that can make your crypto trading app stand out among competitors or at least be on par with them. You might think about developing such features as:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;User profile to give users the ability to manage their order data more effectively&lt;/li&gt;
&lt;li&gt;Portfolio tracking to show portfolio performance and highlight which crypto assets are the most successful &lt;/li&gt;
&lt;li&gt;Educational content to help users fill in knowledge gaps in the cryptocurrency experience&lt;/li&gt;
&lt;li&gt;Referrals and bonuses to build customer loyalty and attract new users&lt;/li&gt;
&lt;li&gt;Push notifications to notify users about price changes, app updates, and other important events&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  Step 4. Create Advanced Crypto Trading App Features
&lt;/h2&gt;

&lt;p&gt;While creating your cryptocurrency app, think of some cherry-on-the-cake features that will turn a basic trading app into a scalable trading solution:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Recurring buys — to make the purchasing process more convenient and faster by automated strategies&lt;/li&gt;
&lt;li&gt;NFT trading and inclusion of brand-new tokens — to offer customers more diversity and invite various types of clients&lt;/li&gt;
&lt;li&gt;Data analytics — to allow customers to see the state of the crypto market and make better choices&lt;/li&gt;
&lt;li&gt;AI chatbots — to help customers buy and sell cryptocurrencies at the correct time and provide them with FAQs and recommendations&lt;/li&gt;
&lt;li&gt;“Follow the expert” feature — experts share how they trade (or the platform analyzes how they trade), and users can follow their path&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;For example, eToro has a feature called the CopyTrader™ system. It finds similarities in the trading habits of successful traders by analyzing their behavior on the platform and allows other users to copy their choices automatically and in real time.&lt;/p&gt;

&lt;h2&gt;
  
  
  Step 5. Meet Regulatory Compliance for Crypto Exchange Apps
&lt;/h2&gt;

&lt;p&gt;While crypto might still have a ‘Wild West’ image, regulatory compliance is crucial for this industry. When developing your future cryptocurrency app,  and depending on the jurisdiction where you’re going to work, keep in mind several regulatory principles and processes.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--qYttuxBM--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/c2jnfrang92kf489y9a3.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--qYttuxBM--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/c2jnfrang92kf489y9a3.png" alt="Regulatory Principles and Processes" width="880" height="568"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--eBWVvi18--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/97hh3nobpbo160vhi1zw.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--eBWVvi18--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/97hh3nobpbo160vhi1zw.png" alt="Regulatory Principles and Processes" width="880" height="570"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Implementing KYT procedures in your app can be one of the most challenging parts of cryptocurrency app development. For fiat currencies, it means the ability to block particular people, banks, or countries from participating in transactions. For cryptocurrencies, it means the ability to verify whether a particular crypto wallet is “clean” (not marked as potentially connected to the “dark market”, criminals, and so on) or not.&lt;/p&gt;

&lt;p&gt;Tracking this on your own can be quite hard, as it requires creating or having a huge manually reviewed database that collects all “bad wallets” and tracks all transactions connected to them. In this case, third-party providers like Chainalysis KYT can help. It offers continuous transaction monitoring for all cryptocurrency assets to reduce manual workflows and detect suspicious activity.&lt;/p&gt;

&lt;p&gt;As regulators all over the world navigate their way around the crypto world, it is obvious that their main aim is to create an accurate and strong regulatory system for this young industry. The rules might vary from one country to another, but most regulatory bodies highlight the importance of pillars such as KYC/AML/KYT procedures, improving security protocols, and also investor protection. &lt;/p&gt;

&lt;h2&gt;
  
  
  Step 6. Develop a Cryptocurrency Exchange Platform
&lt;/h2&gt;

&lt;p&gt;Crypto trading platform development is similar to any other application development, only with a focus on blockchain technology and extra security. All the common development steps are needed:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;framing and planning&lt;/li&gt;
&lt;li&gt;designing and prototyping&lt;/li&gt;
&lt;li&gt;writing code and testing&lt;/li&gt;
&lt;li&gt;public release&lt;/li&gt;
&lt;li&gt;maintaining and improving&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Whatever type of crypto trading application you are planning to create, the development of the front-end part will be almost the same. The main aim is to design a user-friendly and easy-to-navigate user interface with the help of experienced UX/UI designers and front-end developers.&lt;/p&gt;

&lt;p&gt;Development of the server side of the application is a more complex task that can be solved using different approaches and tools. The back-end of the application must provide fast and efficient order processing and data security. Moreover, it needs to be scalable to support growing loads as your product gains popularity.&lt;/p&gt;

&lt;p&gt;Architecture design is based on business requirements since each project is unique and there is no single multipurpose solution. At MobiDev, we suggest a development approach, a technical roadmap, and an architecture approach only after clarifying business goals and main requirements for crypto trading products. &lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;For some of the products, we rely on an in-memory database approach for generating orders and processing them quickly. Unlike databases that store data on disks or SSDs, an in-memory database stores and processes data exclusively in the computer’s main memory, ensuring minimal response time. This enables real-time bidding where an application can process bid requests from all buyers, select a winning bid based on multiple criteria and process it.&lt;br&gt;
Yuriy Luchaninov - Javascript Group Leader at MobiDev&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Thanks to this technology, the database can be accessed by different servers in different regions and can serve a varying number of users, which makes the solution efficient and scalable. You can find an illustration of such an architecture below.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--rIlSBBoo--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/2yegdaelqtrrjd34brbe.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--rIlSBBoo--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/2yegdaelqtrrjd34brbe.png" alt="Architecture scheme" width="880" height="521"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;But this is just one example. When investigating each specific case at the discovery stage, our experts consider different factors such as:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;business location (helps to understand regulatory requirements)&lt;/li&gt;
&lt;li&gt;business type and system load (help to choose the type of scaling)&lt;/li&gt;
&lt;li&gt;security protocols, and others.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This analysis lets us select a solution that will satisfy the client’s requirements and will allow them to have exactly those features that will help a product work smoothly and efficiently.&lt;/p&gt;

</description>
      <category>ruby</category>
      <category>webdev</category>
      <category>cryptocurrency</category>
    </item>
  </channel>
</rss>
