SlideShare a Scribd company logo

Rails is Secure

Franck Verrot, profile picture
Franck Verrot

The document discusses security issues with Rails applications. It notes that while Rails can be secure, much depends on the architecture and practices used. Poor architecture like tight coupling and lack of testing expose applications to exploits. The document recommends following SOLID principles for better architecture, using ActiveModel for parameters instead of directly accessing databases, and implementing layered architectures for improved security.

TechnologyEducation
1 of 20
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Rails is Secure but YMMV Franck Verrot, Lyon.rb, March 2012
Me! • Franck Verrot • http://twitter.com/cesariogw • http://github.com/cesario • Co-Founder of evome • Currently awesoming at shazino
@hamakov
@hamakov • Hacked GitHub
@hamakov • Hacked GitHub • Exploited bad architecture
@hamakov • Hacked GitHub • Exploited bad architecture • Exploited current Rails worst practices
Software Architecture 101
SOLID principles • Single Responsibility • Open/Close • Liskov Substitution • Interface Segregation • Dependency Inversion
Current practices
What’s the problem? Rails + ActionPack 1 class PostsController < ApplicationController 2 respond_to :html, :json 3 def index 4 respond_with(@posts = Post.all) 5 end 6 end
What’s the problem? Rails + ActionPack 1 class PostsController < ApplicationController 2 respond_to :html, :json 3 def index 4 respond_with(@posts = Post.all) 5 end 6 end
Architecture at risk (scary title I know)
Issues • Tight coupling: referencing a constant • Hard to test: referencing a constant • AR pattern FTL: DB table in a form!?
Refactor!
(Wrong) Solutions • Think attr_accessible is the way to go • config.active_record.whitelist_attributes = true
Rails is Secure
(Better) Solutions (YMMV) • Ban “params” (Rails #2510 “request.params”) • Use an ActiveModel object for validating parameters
(Other) Solutions (WIP) • https://github.com/technoweenie/ tainted_hash • https://github.com/rails/strong_parameters
Layered Architectures!
Thanks for listening! Q&A

More Related Content

KEY
MVC Gems
Kir Shatrov
 
PDF
Java EE 7 meets Java 8
Roberto Cortez
 
PDF
Can you TDD Rails?
Andrzej Krzywda
 
PDF
Testing Alfresco extensions
ITD Systems
 
KEY
Erlang - Dive Right In
vorn
 
PPTX
Rails automatic test driven development
tyler4long
 
PDF
Software Design Patterns in Laravel by Phill Sparks
Phill Sparks
 
PDF
Maven - Taming the Beast
Roberto Cortez
 
MVC Gems
Kir Shatrov
 
Java EE 7 meets Java 8
Roberto Cortez
 
Can you TDD Rails?
Andrzej Krzywda
 
Testing Alfresco extensions
ITD Systems
 
Erlang - Dive Right In
vorn
 
Rails automatic test driven development
tyler4long
 
Software Design Patterns in Laravel by Phill Sparks
Phill Sparks
 
Maven - Taming the Beast
Roberto Cortez
 

What's hot (20)

PDF
How I did create Telegram bot - Roman Senin
Elixir Club
 
PDF
External Master Data in Alfresco: Integrating and Keeping Metadata Consistent...
ITD Systems
 
PPTX
Saving Time By Testing With Jest
Ben McCormick
 
PPTX
Actors Set the Stage for Project Orleans
cjmyers
 
PDF
ELK Stack
Eberhard Wolff
 
PPTX
Test-Driven Sitecore
Caitlin Portrie
 
PDF
4Developers 2015: Lessons for Erlang VM - Michał Ślaski
PROIDEA
 
PDF
Symfony Live San Francisco 2017 - Symfony @ OpenSky
Pablo Godel
 
PDF
Selenium Best Practices with Jason Huggins
Sauce Labs
 
PPTX
Austin Elixir: Slack Bots With Hedwig
edebill
 
PPTX
Releasing High Quality Packages - Longhorn PHP 2021
Colin O'Dell
 
PDF
Symfony Live San Franciso 2017 - BDD API Development with Symfony and Behat
Adam Englander
 
PDF
All Aboard for Laravel 5.1
Jason McCreary
 
PDF
Heroku
Eberhard Wolff
 
PDF
Rethinking the debugger
Iulian Dragos
 
PDF
10 Things you should know about Ruby
sikachu
 
PDF
All the Laravel things: up and running to making $$
Joe Ferguson
 
PPTX
Selenium
Bryan Mikaelian
 
PDF
Legacy Sins
Eberhard Wolff
 
PPTX
Стероиды для Дотнетчика
EatDog
 
How I did create Telegram bot - Roman Senin
Elixir Club
 
External Master Data in Alfresco: Integrating and Keeping Metadata Consistent...
ITD Systems
 
Saving Time By Testing With Jest
Ben McCormick
 
Actors Set the Stage for Project Orleans
cjmyers
 
ELK Stack
Eberhard Wolff
 
Test-Driven Sitecore
Caitlin Portrie
 
4Developers 2015: Lessons for Erlang VM - Michał Ślaski
PROIDEA
 
Symfony Live San Francisco 2017 - Symfony @ OpenSky
Pablo Godel
 
Selenium Best Practices with Jason Huggins
Sauce Labs
 
Austin Elixir: Slack Bots With Hedwig
edebill
 
Releasing High Quality Packages - Longhorn PHP 2021
Colin O'Dell
 
Symfony Live San Franciso 2017 - BDD API Development with Symfony and Behat
Adam Englander
 
All Aboard for Laravel 5.1
Jason McCreary
 
Heroku
Eberhard Wolff
 
Rethinking the debugger
Iulian Dragos
 
10 Things you should know about Ruby
sikachu
 
All the Laravel things: up and running to making $$
Joe Ferguson
 
Selenium
Bryan Mikaelian
 
Legacy Sins
Eberhard Wolff
 
Стероиды для Дотнетчика
EatDog
 
Ad

Viewers also liked (19)

DOC
Sharanraj QA _ Resume
Sharan Raj
 
PPT
Ruby in the Clouds
Franck Verrot
 
PDF
Landry byers maria cannistra production manager
Landry Byers
 
PDF
แนวข้อสอบวิศวโยธา กรุงเทพมหานคร (กทม)
kidsana pajjaika
 
PDF
PLoverview
Minh Van
 
PDF
Logos slideshow
Landry Byers
 
DOCX
Marcy's cover letter
ingrid alexander
 
PPSX
20160108 mailchimp
I Like Media
 
DOCX
Alkes baru
Hadi Gunawan
 
PPTX
20151028 sociale media in de kinderopvang
I Like Media
 
DOC
marcy's resume
ingrid alexander
 
PPTX
Umrah presentation by Qasim Ali
QasimAli1231
 
PPTX
Banners Broker Panel Training
debbik
 
PDF
NEBOSH-Management of International Health and Safety
Igor Kovalenko
 
PPTX
Mining Scientific Diagrams for facts
petermurrayrust
 
PDF
IOSH CERTIFICATE
Lee Davies
 
PPTX
Metaheuristics-based Optimal Reactive Power Management in Offshore Wind Farms...
Aimilia-Myrsini Theologi
 
PPTX
My personal approach to 21st century Leadership (DP)
Dainius Puodziunas, EMBA
 
PDF
Learning and Development in Organizations
Robert A. Sedlák
 
Sharanraj QA _ Resume
Sharan Raj
 
Ruby in the Clouds
Franck Verrot
 
Landry byers maria cannistra production manager
Landry Byers
 
แนวข้อสอบวิศวโยธา กรุงเทพมหานคร (กทม)
kidsana pajjaika
 
PLoverview
Minh Van
 
Logos slideshow
Landry Byers
 
Marcy's cover letter
ingrid alexander
 
20160108 mailchimp
I Like Media
 
Alkes baru
Hadi Gunawan
 
20151028 sociale media in de kinderopvang
I Like Media
 
marcy's resume
ingrid alexander
 
Umrah presentation by Qasim Ali
QasimAli1231
 
Banners Broker Panel Training
debbik
 
NEBOSH-Management of International Health and Safety
Igor Kovalenko
 
Mining Scientific Diagrams for facts
petermurrayrust
 
IOSH CERTIFICATE
Lee Davies
 
Metaheuristics-based Optimal Reactive Power Management in Offshore Wind Farms...
Aimilia-Myrsini Theologi
 
My personal approach to 21st century Leadership (DP)
Dainius Puodziunas, EMBA
 
Learning and Development in Organizations
Robert A. Sedlák
 
Ad

Similar to Rails is Secure (20)

ZIP
Continuous Integration For Rails Project
Louie Zhao
 
PDF
Ractor's speed is not light-speed
SATOSHI TAGOMORI
 
PDF
Ruby on Rails : 簡介與入門
Wen-Tien Chang
 
PDF
Different Ways of Integrating React into Rails - Pros and Cons
Amoniac OÜ
 
PDF
Different ways of integrating React into Rails - Mikhail Bortnyk
Ruby Meditation
 
PPTX
GitHub Actions Security - DDOG
RobBos10
 
PDF
Brief Introduction to Concurrent Programming
Rob Keefer
 
KEY
Enterprise search in Plone using Solr
Calvin Hendryx-Parker
 
PDF
Zend Framework 2, What's new, Confoo 2011
Bachkoutou Toutou
 
PDF
遇見 Ruby on Rails
Wen-Tien Chang
 
KEY
Actors and Threads
mperham
 
PDF
2016-05-12 DCRUG React.rb
awwaiid
 
PDF
Upgrading to rails3
Yi-Ting Cheng
 
PDF
Beyond Fluffy Bunny. How I leveraged WebObjects in my lean startup.
WO Community
 
KEY
Polyglot Grails
Marcin Gryszko
 
PDF
pull requests I sent to scala/scala (ny-scala 2019)
Eugene Yokota
 
PDF
Vue.js + Vuexチーム開発実践の事例
treby
 
PDF
CSS 201
Jennifer Berk
 
PPT
Clojure's take on concurrency
yoavrubin
 
KEY
Rails traps
Reuven Lerner
 
Continuous Integration For Rails Project
Louie Zhao
 
Ractor's speed is not light-speed
SATOSHI TAGOMORI
 
Ruby on Rails : 簡介與入門
Wen-Tien Chang
 
Different Ways of Integrating React into Rails - Pros and Cons
Amoniac OÜ
 
Different ways of integrating React into Rails - Mikhail Bortnyk
Ruby Meditation
 
GitHub Actions Security - DDOG
RobBos10
 
Brief Introduction to Concurrent Programming
Rob Keefer
 
Enterprise search in Plone using Solr
Calvin Hendryx-Parker
 
Zend Framework 2, What's new, Confoo 2011
Bachkoutou Toutou
 
遇見 Ruby on Rails
Wen-Tien Chang
 
Actors and Threads
mperham
 
2016-05-12 DCRUG React.rb
awwaiid
 
Upgrading to rails3
Yi-Ting Cheng
 
Beyond Fluffy Bunny. How I leveraged WebObjects in my lean startup.
WO Community
 
Polyglot Grails
Marcin Gryszko
 
pull requests I sent to scala/scala (ny-scala 2019)
Eugene Yokota
 
Vue.js + Vuexチーム開発実践の事例
treby
 
CSS 201
Jennifer Berk
 
Clojure's take on concurrency
yoavrubin
 
Rails traps
Reuven Lerner
 

Recently uploaded (20)

PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Approach and Philosophy of On baking technology
30anthuong17
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Cloud computing and distributed systems.
kkkkkhan
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Encapsulation theory and applications.pdf
gurumoop
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 

Rails is Secure

Editor's Notes