In today’s world, it's easier than ever to innovate and create great web applications. You release often, but let’s be honest, if you're like most developers out there, you don't spend your days worrying about security. You know it’s important, but you aren’t security savvy. So ask yourself, is your Ruby application secure? Come learn some of the different ways a hacker (cracker) can attack your code, and some of the best practices out there. In the end, your security is your users’ security.
SQL injection vulnerabilities allow attackers to modify the structure of SQL queries in ways that allow for data exfiltration or manipulation of existing data.
SQL Injection (SQLi)
Cross-Site Scripting (XSS) vulnerabilities allow attackers to run arbitrary code on your pages in your customers' browsers.
§ Hijack of legitimate user sessions
§ Disclosure of sensitive information
§ Access to privileged services and functionality
§ Delivery of malware and browser exploits from our trusted domain
Cross-Site Scripting
Remote Command Execution vulnerabilities allow attackers to run arbitrary code on your servers.
There are two classes of Remote Command Execution:
1. Shell Command Execution
2. Eval Execution.
Remote Command Execution
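Both classes in Ruby, as an added example that is not part of the talk: a command string built from a request parameter and an eval on a string built from a request parameter, each next to a hardened form. The parameter names `filename` and `field` are assumed for illustration.

```ruby
require 'shellwords'

# ---- 1. Shell Command Execution --------------------------------------------
# Vulnerable: a single command string goes through /bin/sh, so shell
# metacharacters in the input (";", "|", "$(...)", backticks) are parsed as
# shell syntax instead of being part of the file name.
def echo_with_shell(filename)
  `echo #{filename}` # same problem as system("echo #{filename}")
end

# Hardened: the argv form never starts a shell. The input is handed to the
# program as exactly one argument, so metacharacters stay literal.
def echo_without_shell(filename)
  IO.popen(['echo', filename], &:read)
end

# Fallback when a single command string cannot be avoided: escape the value.
def escaped_command(filename)
  "echo #{Shellwords.escape(filename)}"
end

# ---- 2. Eval Execution ------------------------------------------------------
Report = Struct.new(:name, :size)
ALLOWED_FIELDS = %w[name size].freeze

# Vulnerable: the input is compiled and run as Ruby with the application's
# privileges; any expression after the attribute name is executed too.
def field_with_eval(report, field)
  eval("report.#{field}")
end

# Hardened: reject anything outside a fixed allowlist, then dispatch by name.
def field_without_eval(report, field)
  raise ArgumentError, "unknown field: #{field}" unless ALLOWED_FIELDS.include?(field)
  report.public_send(field)
end

if __FILE__ == $PROGRAM_NAME
  constructed = 'report.txt; echo INJECTED' # constructed test input
  puts echo_with_shell(constructed)         # two lines: the shell ran two commands
  puts echo_without_shell(constructed)      # one line: the whole string, verbatim
  puts escaped_command(constructed)
  r = Report.new('q', 9)
  puts field_with_eval(r, 'size * 0 + 42')  # 42: the extra expression was evaluated
  puts field_without_eval(r, 'size')        # 9
end
```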
require 'sanitize'

# Clean up an HTML fragment, including CSS in <style> elements or style attributes,
# with Sanitize's permissive-but-safe Relaxed whitelist (usage pattern)
Sanitize.fragment(html, Sanitize::Config::RELAXED)

html = '<b><script>alert("Most terrible XSS ever")</script></b>'
Sanitize.fragment(html, Sanitize::Config::RELAXED)
# => '<b>alert("Most terrible XSS ever")</b>'
#    (older Sanitize releases; recent ones also drop the script element's text by default)

# With the default, stricter whitelist only safe inline text survives
html = '<b><a href="http://foo.com/">foo</a></b><img src="bar.jpg">'
Sanitize.fragment(html)
# => 'foo'
rgrove/sanitize (whitelist)
Developers
§ Use a cryptographically slow hash function (bcrypt & PBKDF2) to store passwords
§ Avoid eval() & friends
§ Stored procedures if possible
§ Up-to-date frameworks & libraries
Devops
§ HTTPS
§ Web Application Firewall (WAF)
§ Intrusion prevention systems (IPS)
§ Up-to-date platform & infrastructure
trust… or not
Strengths
• Scales Well
• Find issues like buffer overflows, SQL Injection Flaws with high confidence
Weaknesses
• Many types of security vulnerabilities are very difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc.
• High numbers of false positives.
• Frequently can't find configuration issues, since they are not represented in the code.
• Difficulty analyzing code that can't be compiled (for example, code that uses libraries).
static code analysis
Runtime application self-protection (RASP) is a security technology that is built or linked into an application or application runtime environment, and is capable of controlling application execution and detecting and preventing real-time attacks.
RASP