Welcome

What’s happening here?

It’s about Ruby on Rails, it’s about the technologies around RoR and it’s about its security. It might turn out to be about the fast-growing role of LARM. (Yes, I invented this term right now; it’s in the style of LAMP, which stands for the architecture of Linux + Apache + MySQL + PHP. So cross out PHP, put in RoR, stir it well and you get: Linux + Apache + Ruby on Rails + MySQL = LARM. Of course Apache might require some extra modules and RoR has in fact two R’s, but hey, sounds good.)

Security

Why is security so important, you might ask, when you’re only programming this little web shop for your neighbour’s death-metal band? Well, it’s to make life harder for crackers or script kiddies, who can do a lot of nasty things with your web site. They could deface it (i.e. change parts of your web site), abuse it to harm others (e.g. get hold of your customers’ accounts, distribute worms and so on) or simply take your web site down.

Don’t panic

But don’t worry: with a little more understanding and a few pieces of security advice you can make your web site a much harder target. And that’s what we can learn here together. I’m doing several months of every-day research into the security of Ruby on Rails, and I thought the results might be interesting not only for me.

Let’s do it

I think many of us share the perception of Rails being a “secure” framework. And that might well be true, because we need less code to get things done, and less code means a better overview of what’s happening. But even though Rails seems safer, that doesn’t allow us to lean back: there was a security bug in Rails last year and even one in Ruby itself. In fact most security issues with web sites or web applications don’t stem from the programming language or framework we use but affect web applications in general. They come from the way we configure our servers and from the way we program.

Starting point

As a good starting point, I’ve found a good Ruby on Rails example which deliberately includes several security vulnerabilities: the Hacme Casino. Reading the user guide in particular gives you a good insight into what can go wrong.

Use these links to find out more about the terms used in the user guide:

SQL-Injection

Cross Site Request Forgery
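To make the two terms above concrete, here is an added example in plain Ruby (it is not code from Hacme Casino or from Rails, and it needs no database or web server to run). The first part shows a deliberately vulnerable query built by string interpolation next to a small `bind` helper that mimics the ActiveRecord `where("name = ?", name)` placeholder style; the second part shows the per-session token check that stops a forged cross-site form from being accepted. The function names, the `session`/`params` hashes and the attacker input are all constructed for the illustration.

```ruby
require "securerandom"

# ---------- SQL injection ----------

# Deliberately vulnerable (illustration only): user input is interpolated
# straight into the SQL text, so a quote in the input rewrites the query.
def find_user_sql_vulnerable(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# Quote a value as a SQL string literal by doubling embedded single quotes
# (the SQL-standard rule; real drivers know their dialect's extra cases, such
# as backslash escapes in MySQL, so prefer the driver's quoting in production).
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Bind values into "?" placeholders, mimicking ActiveRecord's
# where("name = ?", name) style: the SQL skeleton is fixed and every value is
# quoted as a literal before it is spliced in, so input can never close the
# string and append its own clauses. Splitting first (instead of repeated
# sub) means a "?" inside a value is never mistaken for a placeholder.
def bind(sql, *values)
  parts = sql.split("?", -1)
  placeholders = parts.length - 1
  unless placeholders == values.length
    raise ArgumentError, "expected #{placeholders} values, got #{values.length}"
  end
  quoted = values.map { |v| quote_literal(v) }
  parts.zip(quoted + [""]).flatten.join
end

def find_user_sql_safe(name)
  bind("SELECT * FROM users WHERE name = ?", name)
end

# ---------- Cross Site Request Forgery ----------

# A fresh random token stored in the session and embedded in every
# state-changing form; a form on an attacker's site cannot know it.
def new_csrf_token
  SecureRandom.hex(32)
end

# Constant-time equality so the check does not leak the token byte by byte
# through timing differences.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The check a state-changing action should run before doing anything.
# `session` and `params` are plain hashes standing in for the framework's objects.
def csrf_valid?(session, params)
  secure_compare(session[:csrf_token], params["authenticity_token"])
end

if __FILE__ == $PROGRAM_NAME
  # Constructed attacker input for the SQL examples.
  injection = "' OR '1'='1"
  puts find_user_sql_vulnerable(injection)
  # => SELECT * FROM users WHERE name = '' OR '1'='1'      (matches every user)
  puts find_user_sql_safe(injection)
  # => SELECT * FROM users WHERE name = ''' OR ''1''=''1'  (matches nothing)

  # Constructed session and requests for the CSRF example.
  session = { csrf_token: new_csrf_token }
  legit_form = { "authenticity_token" => session[:csrf_token], "amount" => "100" }
  forged_form = { "amount" => "100" } # a cross-site form has no way to include the token
  puts csrf_valid?(session, legit_form)  # true
  puts csrf_valid?(session, forged_form) # false
end
```

The point of `bind` is not the quoting rule itself but the separation it enforces: the query text is written once by the programmer and the data is only ever inserted as a literal. In a real Rails application you get the same separation from the placeholder form of `where` or from named bind variables, and the CSRF token is issued and checked by the framework's `protect_from_forgery` machinery; the example only shows what those mechanisms have to guarantee.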

Onwards

I will most likely categorize the posts according to the layer: there’s the layer of the web server, the layer of the database server and there’s the RoR application itself. I will most likely start out at the bottom with the servers.

I strongly encourage you to give me feedback in the comments.