Is your Ruby application secure?
Frédéric Harper
@fharper
http://immun.io
Sr. Technical Evangelist @ IMMUNIO
Montreal.rb – 2015-12-15
Creative Commons: https://flic.kr/p/jtwBJU
is security important?
Creative Commons: https://flic.kr/p/s8hvJo
do you have time?
Creative Commons: https://flic.kr/p/b7wRTX
do you have the expertise?
Creative Commons: https://flic.kr/p/n7qDvJ
do you have the money?
Creative Commons: https://flic.kr/p/rAG5dm
is your app that secure?
Creative Commons: https://flic.kr/p/bY6uU7
what about legacy apps?
Creative Commons: https://flic.kr/p/7fFQug
it’s probably happening, now
Creative Commons: https://flic.kr/p/acnkbU
...
I succeed if…
Creative Commons: https://flic.kr/p/ehZRGj
warning
Creative Commons: https://flic.kr/p/oosB
mess
with the best
die like the rest
OWASP/railsgoat
railsgoat
SQL injection vulnerabilities allow attackers to modify the structure of SQL
queries in ways that allow for data exfiltration or manipulation of existing data.
SQL Injection (SQLi)
Creative Commons: https://flic.kr/p/62a8aT
no password
required
Creative Commons: https://flic.kr/p/62a8aT
proxy
interception
Cross-Site Scripting (XSS) vulnerabilities allow attackers to run arbitrary script in
your customers' browsers, in the context of your pages and your origin.
§  Hijack of legitimate user sessions
§  Disclosure of sensitive information
§  Access to privileged services and functionality
§  Delivery of malware and browser exploits from your trusted domain
Cross-Site Scripting
Creative Commons: https://flic.kr/p/62a8aT
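The slides above go on to show a whitelist sanitizer for rich HTML. For ordinary output the first defence is encoding, and one case encoding alone does not cover is a URL attribute. The following is an added example, not code from the talk or from any library it mentions: it uses only Ruby's standard library (`ERB::Util.html_escape`, which Rails' ERB templates use for `<%= %>`, and `URI`), and the `greet`, `safe_href` and `profile_link` helpers and the `SAFE_SCHEMES` list are assumptions made for the illustration.

```ruby
require "erb"
require "uri"

# Added example (not from the talk): output encoding for the HTML text and
# attribute contexts, plus a scheme allowlist for href/src values, because
# html_escape leaves "javascript:alert(1)" untouched and perfectly clickable.

# 1. Output encoding. Untrusted text becomes entities: < > & " ' are escaped.
def greet(name)
  "<p>Hello, #{ERB::Util.html_escape(name)}!</p>"
end

# 2. URL attributes. Escaping is not enough here; only allow http(s) or a
#    same-site relative path. Anything else (javascript:, data:, vbscript:,
#    protocol-relative //host, unparsable input) collapses to "#".
SAFE_SCHEMES = %w[http https].freeze

def safe_href(url)
  str = url.to_s.strip
  uri = URI.parse(str)
  if uri.scheme.nil?
    # relative path such as "/profile"; reject protocol-relative "//evil.example"
    return str.start_with?("//") ? "#" : str
  end
  SAFE_SCHEMES.include?(uri.scheme.downcase) ? str : "#"
rescue URI::InvalidURIError
  "#" # a URL the parser rejects is not one we want a browser to interpret
end

# Both defences together: the URL is allowlisted first, then every untrusted
# value is escaped for the context it is printed into.
def profile_link(name, url)
  href = ERB::Util.html_escape(safe_href(url))
  "<a href=\"#{href}\">#{ERB::Util.html_escape(name)}</a>"
end

if $PROGRAM_NAME == __FILE__
  # Constructed inputs: a text payload and a URL payload.
  puts greet("<script>alert(1)</script>")
  puts profile_link("a\"><img src=x onerror=alert(1)>", "javascript:alert(1)")
end
```

Escaping is context-specific: the same `html_escape` output is safe between tags and inside a double-quoted attribute, but not inside an inline `<script>` block or an unquoted attribute, which need their own encoders or, better, no untrusted data at all.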
what’s your
name?
Remote Command Execution vulnerabilities allow attackers to run arbitrary code
on your servers.
There are two classes of Remote Command Execution:
1.  Shell Command Execution (a command string built from user input and passed to system, backticks, %x or Open3)
2.  Eval Execution (user input reaching eval, instance_eval, class_eval, or send/public_send with a user-chosen method name).
Remote Command Execution
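The two classes above in Ruby terms, each vulnerable form next to the form that keeps the input as data. This is an added example, not code from the talk or from railsgoat; it uses only the standard library, runs `echo` through `/bin/sh` so the shell case can be observed harmlessly, and the `unsafe_echo`, `safe_echo`, `unsafe_add`, `safe_add` and `run_report` helpers and the `ALLOWED_REPORTS` table are assumptions made for the illustration.

```ruby
require "open3"

# Added example (not from the talk): shell command execution and eval
# execution, vulnerable form beside a fixed form.

# --- 1. Shell command execution ---------------------------------------------
# A single command string goes through /bin/sh, so ";", "|", "$(...)" and
# backticks in the input are interpreted as shell syntax.
def unsafe_echo(input)
  out, _status = Open3.capture2("echo #{input}")
  out
end

# Argument-vector form: Ruby exec()s the program directly, no shell is
# involved, and the input is exactly one argv element whatever it contains.
def safe_echo(input)
  out, _status = Open3.capture2("echo", input)
  out
end

# --- 2. Eval execution -------------------------------------------------------
# eval on a string built from input runs whatever Ruby the attacker supplies;
# "1; $pwned = true" is evaluated as two statements.
def unsafe_add(n)
  eval("2 + #{n}")
end

# Convert first, then compute. Integer() raises ArgumentError for anything
# that is not an integer literal, so the input never reaches the interpreter.
def safe_add(n)
  2 + Integer(n)
end

# The same class of bug through send: a user-chosen method name can reach
# instance_eval, system, or anything else the object responds to.
# Map the allowed names explicitly and refuse everything else.
ALLOWED_REPORTS = { "count" => :count, "first" => :first }.freeze

def run_report(items, name)
  meth = ALLOWED_REPORTS.fetch(name) { raise ArgumentError, "unknown report: #{name}" }
  items.public_send(meth)
end

if $PROGRAM_NAME == __FILE__
  # Constructed payloads.
  puts unsafe_echo("hi; echo INJECTED")   # two commands run
  puts safe_echo("hi; echo INJECTED")     # one command, the text is printed verbatim
  $pwned = false
  unsafe_add("1; $pwned = true")
  puts "eval ran attacker code: #{$pwned}"
end
```

In a Rails app the same rule applies to `system`, backticks, `%x{}`, `IO.popen`, `Kernel#open` with a leading `|`, and `Open3`: pass an argument array, never an interpolated string; and reach for `Integer()`, `Float()`, `JSON.parse` or an explicit allowlist where `eval` or `send` seemed convenient.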
•  Brute force
•  Common username
•  Cookie tampering
•  CSRF tampering
•  Excessive 4XX & 5XX
•  HTTP method tampering
•  HTTP response splitting
•  Redirect
•  Session farming
•  Session hijack
•  Stolen account
•  Shellshock
•  Suspicious Exception
•  Suspicious HTTP header
•  Unauthorized file access
•  Username hijack
…
follow
the
white rabbit
anything from users is unsafe
Creative Commons: https://flic.kr/p/m2BKPn
# unsafe: the request parameters are interpolated straight into the SQL string,
# so a quote in params[:name] ends the literal and rewrites the query
Project.where("login='#{params[:name]}' AND password='#{params[:password]}'").first
# safe - array or hash w/ ActiveRecord: the values are bound/quoted by ActiveRecord
# and can never become SQL syntax
Project.where("login = ? AND password = ?", name, password).first
Project.where(login: name, password: password).first
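To see what "modifying the structure of the query" means without a database, the following added example (not code from the talk or from railsgoat) rebuilds the login query above as plain strings and reduces each result to its structure with a small literal-aware scanner. `sql_quote` models, for illustration only, what binding a string with `?` does (the value becomes a quoted literal with embedded quotes doubled); the `users` table, the two builders and the `structure` scanner are assumptions made for the example.

```ruby
# Added example (not from the talk): interpolation changes the query's
# structure, quoting keeps the input inside a literal. No database needed.

# The vulnerable pattern from the slide, as a plain string builder.
def unsafe_query(name, password)
  "SELECT * FROM users WHERE login='#{name}' AND password='#{password}'"
end

# What a bound string parameter turns into: a quoted literal with ' doubled.
def sql_quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

def safe_query(name, password)
  "SELECT * FROM users WHERE login=#{sql_quote(name)} AND password=#{sql_quote(password)}"
end

# Reduce a statement to its structure: every string literal becomes "?",
# and everything after a "--" line comment is dropped, as the database would.
# Equal structures mean the input did not change the query's logic.
def structure(sql)
  out = +""
  in_literal = false
  i = 0
  while i < sql.length
    c = sql[i]
    if in_literal
      if c == "'"
        if sql[i + 1] == "'"
          i += 1            # doubled quote: an escaped quote inside the literal
        else
          in_literal = false
          out << "?"
        end
      end
    elsif c == "'"
      in_literal = true
    elsif sql[i, 2] == "--"
      break                 # the rest of the line is a comment
    else
      out << c
    end
    i += 1
  end
  out
end

# The structure the developer intended, taken from a harmless input.
EXPECTED = structure(unsafe_query("alice", "s3cret"))

# True when the builder keeps the intended structure for these inputs.
def structure_intact?(builder, name, password)
  structure(send(builder, name, password)) == EXPECTED
end

if $PROGRAM_NAME == __FILE__
  # Constructed payloads: the classic "no password required" login bypasses.
  ["admin' --", "' OR '1'='1"].each do |payload|
    puts "payload:  #{payload}"
    puts "  unsafe: #{structure(unsafe_query(payload, 'x'))}"
    puts "  safe:   #{structure(safe_query(payload, 'x'))}"
  end
end
```

With `admin' --` the unsafe query loses its password predicate entirely, and with `' OR '1'='1` it gains an `OR` that matches every row; the quoted form yields `login=? AND password=?` for every input, which is exactly the guarantee the `?` and hash forms of `where` give you.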
no strings attached
jeremyevans/sequel rom-rb/rom jgaskins/perpetuity
Object Relational Mapper
# Clean up an HTML fragment & CSS in <style> elements or style attributes.
# RELAXED allows formatting tags such as <b> but never <script>
Sanitize.fragment(html, Sanitize::Config::RELAXED)
html = '<b><script>alert("Most terrible XSS ever")</script></b>'
Sanitize.fragment(html, Sanitize::Config::RELAXED)
# => '<b>alert("Most terrible XSS ever")</b>'
# (the exact output depends on the Sanitize version: newer releases drop the
# text inside <script> as well, leaving '<b></b>')
# the default config, with no argument, strips every tag and keeps only text
html = '<b><a href="http://foo.com/">foo</a></b><img src="bar.jpg">'
Sanitize.fragment(html)
# => 'foo'
rgrove/sanitize
whitelist
flavorjones/loofah rubyworks/htmlfilter
other sanitization libraries
rubysec/bundler-audit using rubysec/ruby-advisory-db/
audit your gems
Creative Commons: https://flic.kr/p/62a8aT
bundle-audit
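What `bundle audit check` does is simple enough to show in full: read the versions pinned in `Gemfile.lock` and compare each against the advisories for that gem, where an advisory in ruby-advisory-db lists `patched_versions` and `unaffected_versions` as RubyGems requirement strings. The following is an added example, not code from bundler-audit or the talk; it uses only the standard library (`Gem::Version`, `Gem::Requirement`), and the lockfile, the gem names and the advisory ids are constructed for the example and describe no real vulnerability.

```ruby
require "rubygems"

# Added example (not from the talk): the core of a Gemfile.lock audit.
# "examplegem", "safegem", "otherdep" and the EXAMPLE-ADVISORY ids are
# hypothetical; the lockfile below is constructed for the example.

SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      examplegem (4.2.4)
        otherdep (>= 1.0)
      otherdep (1.3.0)
      safegem (2.0.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    examplegem
    safegem
LOCK

# Hypothetical advisories, using the ruby-advisory-db field names.
ADVISORIES = [
  { "gem" => "examplegem", "id" => "EXAMPLE-ADVISORY-1",
    "title" => "Hypothetical issue, fixed in the 4.1.14 and 4.2.5 releases",
    "patched_versions" => ["~> 4.1.14", ">= 4.2.5"],
    "unaffected_versions" => ["< 4.0.0"] },
  { "gem" => "safegem", "id" => "EXAMPLE-ADVISORY-2",
    "title" => "Hypothetical issue, fixed in 2.0.0",
    "patched_versions" => [">= 2.0.0"] },
].freeze

# Gemfile.lock lists resolved gems under "specs:" as "    name (version)";
# their dependencies are indented two spaces further and carry a requirement
# rather than a version, so the anchored 4-space regex skips them.
def parse_lock(lock)
  lock.each_line.with_object({}) do |line, specs|
    m = line.match(/\A {4}(\S+) \((\S+)\)\s*\z/)
    specs[m[1]] = Gem::Version.new(m[2]) if m
  end
end

def satisfies_any?(version, requirements)
  requirements.any? { |r| Gem::Requirement.new(r).satisfied_by?(version) }
end

# Returns [name, version, advisory id] for every pinned gem that is neither
# unaffected nor patched, which is what `bundle audit check` reports.
def audit(lock, advisories = ADVISORIES)
  specs = parse_lock(lock)
  advisories.each_with_object([]) do |adv, found|
    version = specs[adv["gem"]]
    next unless version
    next if satisfies_any?(version, adv.fetch("unaffected_versions", []))
    next if satisfies_any?(version, adv.fetch("patched_versions", []))
    found << [adv["gem"], version.to_s, adv["id"]]
  end
end

if $PROGRAM_NAME == __FILE__
  audit(SAMPLE_LOCK).each do |name, version, id|
    puts "Name: #{name}\nVersion: #{version}\nAdvisory: #{id}\n\n"
  end
end
```

The real tool also refreshes its copy of the advisory database (`bundle audit check --update`) and flags insecure `git` or `http` sources in the lockfile; the version comparison above is the part worth understanding, because it is why a `~>` pessimistic pin in your Gemfile can keep you on a vulnerable minor series without any warning from `bundle install`.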
other audit tools
Developers
§  Use a deliberately slow, salted password hash
(bcrypt or PBKDF2) to store passwords, never a plain MD5/SHA digest
§  Avoid eval() & friends (instance_eval, send with user-controlled names)
§  Parameterized queries, or stored procedures, if possible
§  Up-to-date frameworks & libraries
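The first item above, worked through. In a Rails app you would normally let `has_secure_password` and the bcrypt gem do this; the following added example (not code from the talk or from either gem) uses PBKDF2-HMAC-SHA256 from Ruby's bundled OpenSSL binding so it runs with no extra gems. The `hash_password`, `verify_password` and `secure_compare` helpers, the storage format and the iteration count are assumptions made for the illustration.

```ruby
require "openssl"
require "securerandom"

# Added example (not from the talk): salted PBKDF2 password storage.
# Each hash gets a fresh random salt, the work factor is stored with the hash
# so it can be raised later without invalidating old records, and
# verification compares in constant time.

PBKDF2_ITERATIONS = 100_000 # raise as hardware gets faster
PBKDF2_KEY_LEN = 32         # bytes of derived key

def pbkdf2(password, salt, iterations, length)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, length, OpenSSL::Digest.new("SHA256"))
end

# Self-describing record: algorithm$iterations$salt_hex$hash_hex
def hash_password(password, iterations: PBKDF2_ITERATIONS)
  salt = SecureRandom.random_bytes(16)
  dk = pbkdf2(password, salt, iterations, PBKDF2_KEY_LEN)
  ["pbkdf2-sha256", iterations, salt.unpack1("H*"), dk.unpack1("H*")].join("$")
end

# Constant-time comparison: a plain == returns at the first differing byte,
# which leaks how many leading bytes of the hash an attacker has right.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verify_password(password, stored)
  algo, iterations, salt_hex, hash_hex = stored.to_s.split("$", 4)
  return false unless algo == "pbkdf2-sha256" && iterations && salt_hex && hash_hex
  salt = [salt_hex].pack("H*")
  expected = [hash_hex].pack("H*")
  actual = pbkdf2(password, salt, Integer(iterations), expected.bytesize)
  secure_compare(actual, expected)
end

if $PROGRAM_NAME == __FILE__
  stored = hash_password("correct horse battery staple")
  puts stored
  puts verify_password("correct horse battery staple", stored)   # true
  puts verify_password("correct horse battery stapler", stored)  # false
end
```

Two details matter more than the algorithm choice: the salt is random per user, so identical passwords produce different records and precomputed tables are useless, and the iteration count lives in the record, so you can bump `PBKDF2_ITERATIONS` and rehash each user at their next successful login.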
Devops
§  HTTPS
§  Web Application Firewall (WAF)
§  Intrusion prevention systems (IPS)
§  Up-to-date platform & infrastructure
trust… or not
learn how
inform yourself
OWASP XSS Cheat Sheet
Strengths
•  Scales Well
•  Find issues like buffer overflows, SQL Injection Flaws with high confidence
Weaknesses
•  Many types of security vulnerabilities are very difficult to find automatically, such as
authentication problems, access control issues, insecure use of cryptography, etc.
•  High numbers of false positives.
•  Frequently can't find configuration issues, since they are not represented in the code.
•  Difficulty analyzing code that can't be compiled (using libraries as an example).
static code analysis
Creative Commons: https://flic.kr/p/62a8aT
brakeman
thesp0nge/dawnscanner
other static code analysis
Runtime application self-protection (RASP) is a security technology that is built or
linked into an application or application runtime environment, and is capable of
controlling application execution and detecting and preventing real-time attacks.
RASP
Creative Commons: https://flic.kr/p/62a8aT
immunio
to infinity... and beyond!
Creative Commons: https://flic.kr/p/8Z1Cxm
thanks
but
no thanks
stop
Creative Commons: https://flic.kr/p/gpVdD
I’m serious!
Creative Commons: https://flic.kr/p/9CG51N
plan for it
Creative Commons: https://flic.kr/p/5bn2nD
now.
Creative Commons: https://flic.kr/p/fA6vnM
nothing is 100% bulletproof
Creative Commons: https://flic.kr/p/hpE97
IMMUNIO – Real-time web application security - https://www.immun.io/
OWASP Ruby on Rails Cheat Sheet - http://j.mp/1Osv95f
Bobby Tables: A guide to preventing SQL injection - http://bobby-tables.com/
XSS Filter Evasion Cheat Sheet - http://j.mp/1Q97hsW
Brakeman - http://brakemanscanner.org/
CVE (Common Vulnerabilities and Exposures) Details Ruby on Rails - http://j.mp/1OsguHn
Ruby Security - https://www.ruby-lang.org/en/security/
Rails SQL Injection - http://rails-sqli.org/
www
Frédéric Harper
fharper@immun.io
@fharper
http://outofcomfortzone.net
http://immun.io