I read a post in another blog today about SQL Injection in Rails. The poster raised the specter of insecure code making the database vulnerable through the use of SQL Injection.
For those that don’t know, SQL Injection is where an attacker ‘injects’ code into a web response that makes the site return data that it was not designed to. SQL servers will try to parse any query that they receive, so it is up to the programmer to ensure that anything a hacker might throw at a database gets rejected before the query reaches the SQL Server. Sometimes, despite the best intentions of the coder, a vulnerability gets exposed in the Rails framework at which point it might might be necessary to do some urgent work to address the issue.
The post mentioned above did nothing to explain how to address the issue of SQL Injection in Rails; instead it was a hook to get the reader to attend a particular talk at an upcoming Rails conference. That’s not a lot of help if you can’t attend the event.
Giving thought to Security Vulnerabilities is something that doesn’t often come naturally to coders; especially self taught ones. A bit like Testing, it’s not at the glamorous end of development and too often gets overlooked. Now security issues have been around for as long as people have written code and others have tried to hack it, so addressing potential security vulnerabilities by using good coding practice must be part of the development process.
Many good people have already written much good stuff on this topic, so I’m not going to add to it. Instead, I’ll point you in the direction of a few sites that I consider will be of the best help to you and exhort you to take the issue of the security of your web site very seriously. There’s absolutely no point in producing a wonderful looking site that uses all sorts of gee-whiz effects if your client is going to find that their site or their database is going to be hacked.
The following links take you to existing sites that deal with Rails Security in an excellent manner:
- http://guides.rubyonrails.org/security.html – This is the Security page on the Rails site and these people know what they are talking. Read and re-read until you understand what the issues are and how to deal with them.
- http://railscasts.com/ – Ryan Bates’ Railscasts site contains a whole host of material pertaining to development in the Rails environment and some of it is devoted to security issues. The Pro subscription costs $9 a month but as a Rails developer you’ll never spend a better $9.
- http://rails-sqli.org/ – This site is devoted to what not to do when coding in Rails. It’s very well worth taking a look at this.
- https://groups.google.com/forum/#!forum/rubyonrails-security – This is the source that you need to subscribe to if you can’t find the help you need. Very friendly advice given from participants.
- http://brakemanscanner.org/ – This is a gem in the real sense of the word. An Open Source Rails Security Scanner that you can include in your gem list. See http://railscasts.com/episodes/358-brakeman for an excellent Railscast on how to use.
- https://isc.sans.edu – A bit over the top for this post perhaps; you’ll need to sign up for this (although it costs nothing) before you’ll be able to search for Rails specific issues.
I hope at least one of the above links helps!