The Ruby on Rails framework offers simplicity that streamlines web application development. Developers who use it appreciate its flexibility and scalability. But, as with anything on the Internet, attackers are continually seeking new opportunities to infiltrate. Vulnerabilities include malicious Ruby gems, injections, and XSS, among others. These modules outline the most common vulnerabilities and how to code defensively.
We created this Green Belt path for developers coding in the Ruby on Rails framework. It includes our standard 13 Green Belt Secure Development modules with the addition of 12 new Secure Coding with Ruby lessons. Each of our lessons is short and concludes with a brief ten-question assessment. The learning module length is purposeful: they are perfect for filling gaps in a developer's day while code is deploying.
The definition of secure development and its pieces. Each developer has secure development responsibilities. Secure development starts and ends with the developer. Your software, hardware, and infrastructure are only as safe as you make them. Developers are the first line of defense.
The need for secure coding, what secure coding standards are and how a developer uses them, and the potential dangers of Stack Overflow. Languages are complex. Secure coding is about creating code that is correct and secure.
Explore the OWASP Proactive Controls, including Define Security Requirements, Leverage Security Frameworks and Libraries, Secure Database Access, Encode and Escape Data, and Validate All Inputs. OWASP Proactive Controls is security information written for developers, by developers.
Explore the OWASP Proactive Controls, including Enforce Access Control, Protect Data Everywhere, Implement Security Logging and Monitoring, and Handle All Errors and Exceptions. OWASP Proactive Controls is security information written for developers, by developers.
In this module, we explain how a language's type system is categorized and what the main categories are. We discuss the difference between statically and dynamically typed languages, as well as weakly and strongly typed languages.
The threats that your development environment faces, how to reduce development environment risk, and the ten tips to secure your development environment. Development environment threats are real and following simple tips to secure your development environment can significantly reduce your exposure.
Why you need to protect your code repository, the security challenges in choosing a repository, the impact of not protecting access credentials and separating secrets in the source code. Your code is your product or application. If it is left unsecured, it could fall into the hands of a competitor.
The sources of complexity in software that lead to security vulnerabilities, and the twelve laws that act as the foundation for a clean, maintainable, and secure code culture. Developers must strive for secure code. Secure code is both clean and maintainable.
Potential security threats impacting your release and deployment process, and ways to improve the security of that process. The release and deployment process is how our code gets delivered to our customers. The introduction of an unauthorized piece of code by an attacker could be devastating.
The four pillars of a secure application or product, secure application or product decisions, and the categories of the design of a secure application or product. A new application or product deserves a secure design. Security becomes a reality through careful design choices.
The tools and methodologies to help a developer think like a penetration tester, how penetration testers use browsers and intercepting proxies, testing, fuzzing, and reverse engineering, and applying the knowledge of these topics to your world as a developer. Developers generally focus on the build; to better secure your applications, products, and systems, think like one who breaks.
The economy of mechanism, securing the weakest link, establishing trust boundaries, defense in depth, not reinventing the wheel, usable security, and default deny. Secure design principles require action to achieve "secure by design."
In this module, we explore secure design principles such as minimizing the attack surface, failing securely, least privilege, separation of duties, not trusting services or infrastructure, and secure defaults. Employing a common understanding of secure design principles encourages secure design, and secure design equals fewer vulnerabilities.
Discuss the importance of security in the Ruby ecosystem, how modern Ruby on Rails applications are structured, the threats that exist with Ruby and Rails applications, and how security practices can protect your applications.
Describe the different types of threats that impact Ruby and the consequences of a successful attack scenario for each specific threat.
Define how to secure the software supply chain for Ruby applications. We also list the classes of Ruby supply chain threats, describe the different types of attacks against the Ruby supply chain, and explain the different ways to mitigate supply chain attacks.
Explain the importance of validating input from untrusted sources. We also describe the role of Active Record in validation within Ruby on Rails and list the different methods that can be used to validate untrusted input.
Discuss defensive programming, secure coding, and the five failures of defensive programming. We introduce the Zen of Ruby, the Ruby Style Guide, style automation, RBS, line-of-sight functions, and self-documenting code.
Continue the exploration of safe coding tips for Ruby, including using proper operators, exception pitfalls, dangerous functions, and immortal symbols.
Continue the exploration of safe coding tips for Ruby, exploring deserialization of untrusted data, proper use of Regex, and how to securely use Distributed Ruby.
Built-in security features of Ruby on Rails. We list common attacks and mitigations for Rails applications, describe how to implement Argon2 for password hashing, and explain the importance of properly managing sensitive files in our repositories.
Explore how the OWASP Top 10 applies to Ruby on Rails applications. We explain how to prevent injection attacks, use proper authentication techniques, and how to handle sensitive data.
Explore how the OWASP Top 10 applies to Ruby on Rails applications. We explain how attackers use XML files to attack applications, proper mitigations for Broken Access Control, and how to avoid security misconfigurations.
In this module, we explore how the OWASP Top 10 applies to Ruby on Rails applications. We explain how to avoid writing code vulnerable to XSS attacks, how to safely deserialize objects in Rails, how to mitigate the use of components with known vulnerabilities, and ways to avoid insufficient logging and monitoring.
List which Static Application Security Testing (SAST) tools to use for Ruby applications. We also describe how SAST tools fit into a proper development toolchain and explain the use cases and advantages of modern SAST tools.