1. 10

  2. 2

    Cute, but at least that page in particular is more of an intro to Ruby.

    Are there any more higher-level resources for implementing security in Ruby/Rails/et al? I’m training my security consultant business partner in the ways of Rails, and resources on what people-consider-to-be-best-practices seem thin on the ground.

    1. 2

      Well, the hard part about security in Ruby is that the language is so flexible, if you’re not familiar with it, you can miss entire classes of vulnerabilities. Like “oh, I just monkeypatched #authorized? to always return true.” So it’s kinda necessary.

      We have a Rails Guide on security: http://guides.rubyonrails.org/security.html

      1. 2

        Well… that’s kind of irrelevant, no?

        It gets trickier if you want to load in plugins that other people wrote, sure, but… for the most part as a web developer I’m not thinking about that attack vector – I’m more concerned about people trying to break my app. If they’re eval’ing code the game is already over.

        I’m not a terribly big fan of that guide. That said, when I do have any idea on how to improve it, I will duly share it.

        1. 1

          Part of the guide is how you may not realize people may eval your code.

          For example, there’ve been a few DoS attacks against Rails where some_input.to_sym was getting called… not strictly an eval, but somewhere where you may not think of input being a problem.

          I know of Rails apps that actually have Ruby code in a field in the db that gets eval’d. ಠ_ಠ
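The `some_input.to_sym` point above is worth seeing in code. The following is an added example, not code from the thread or from Rails: it contrasts an unsafe parameter-to-symbol conversion with two allowlisted forms. The sort-key names, `ALLOWED_SORTS`, and the sample inputs are constructed for illustration.

```ruby
# Added example (not from the thread): converting untrusted input to a
# Symbol only through an allowlist, so arbitrary strings never become symbols.
#
# Background: before Ruby 2.2, Symbols were never garbage-collected, so a
# request parameter passed through #to_sym let a client grow the symbol
# table without bound (memory-exhaustion DoS). Ruby >= 2.2 collects
# dynamically created symbols, but an allowlist still keeps untrusted
# strings from selecting arbitrary keys or method names.

# Hypothetical set of sort orders a controller is willing to accept.
ALLOWED_SORTS = %w[created_at updated_at title].freeze

# Unsafe form: every distinct input string becomes a new symbol.
def unsafe_sort_key(input)
  input.to_sym
end

# Safe form: only strings present in the allowlist are converted; anything
# else falls back to a default. #to_sym is reached only for strings we
# already know, so the set of possible symbols is fixed at load time.
def safe_sort_key(input, default: :created_at)
  return default unless input.is_a?(String) && ALLOWED_SORTS.include?(input)
  input.to_sym
end

# Alternative: a frozen lookup table means no conversion happens at all;
# unknown keys (including non-String junk) simply miss and get the default.
SORT_LOOKUP = ALLOWED_SORTS.each_with_object({}) { |s, h| h[s] = s.to_sym }.freeze

def lookup_sort_key(input, default: :created_at)
  SORT_LOOKUP.fetch(input, default)
end

# Constructed sample inputs: one legitimate value, then junk a client might send.
SAMPLE_INPUTS = ["title", "bogus", "x" * 64, nil, 42].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_INPUTS.each do |inp|
    puts "#{inp.inspect[0, 12].ljust(12)} -> safe: #{safe_sort_key(inp).inspect}, " \
         "lookup: #{lookup_sort_key(inp).inspect}"
  end
end
```

Running the file prints one line per sample input; only `"title"` ever becomes a symbol through the safe paths, while `unsafe_sort_key` would happily intern every distinct string it is handed.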