Skip to content

A curated list of security resources for a Ruby on Rails application

License

Notifications You must be signed in to change notification settings

0xedward/awesome-rails-security

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
 
 
 
 
 
 
 
 

Repository files navigation

Awesome Rails Security

Awesome

A curated list of security resources for a Ruby on Rails application

Table of Contents

Gems

Authentication and OAuth

  • Devise - Flexible authentication solution for Rails with Warden
  • Devise Security - A Devise extension to add additional security features required by modern web applications
  • Warden - General Rack Authentication Framework
  • AuthLogic - An unobtrusive ruby authentication library based on ActiveRecord
  • OmniAuth - A library that standardizes multi-provider authentication for web applications
  • JWT - A ruby implementation of the RFC 7519 OAuth JSON Web Token (JWT) standard
  • Knock - Seamless JWT authentication for Rails API

Authorization

  • CanCanCan - An authorization library for Ruby and Ruby on Rails which restricts what resources a given user is allowed to access.
  • Pundit - Pundit provides a set of helpers which guide you in leveraging regular Ruby classes and object oriented design patterns to build a simple, robust and scaleable authorization system

Rate Limiting

  • ReCaptcha - A plugin that adds helpers for the reCAPTCHA API

Request Management

  • Secure Headers - Manages application of security headers with many safe defaults
  • Rack::Attack - Rack middleware for blocking & throttling
  • ssrf_filter - A ruby gem for defending against Server Side Request Forgery (SSRF) attacks

Static Code Analysis

  • Brakeman - A static analysis security vulnerability scanner for Ruby on Rails applications
  • bundler-audit - Patch-level verification for Bundler
  • Ruby Advisory Database - A database of vulnerable Ruby Gems. You can check your own Gemfile.locks against this database by using bundler-audit.
  • RoboCop - A Ruby static code analyzer and formatter, based on the community Ruby style guide
  • dawnscanner - A source code scanner designed to review your ruby code for security issues

File Upload

  • CarrierWave - A gem that provides a simple and extremely flexible way to upload files from Ruby applications

Logging and Monitoring

  • Exception Notification - A gem that provides a set of notifiers for sending notifications when errors occur in a Rack/Rails application

Password Strength

  • zxcvbn-ruby - Ruby port of zxcvbn.js (Low-Budget Password Strength Estimation)

Tools

Static Code Analysis

  • rails_best_practices - A code metric tool to check the quality of Rails code
  • Hawkeye scanner-cli - A project security, vulnerability and general risk highlighting tool
  • git-secrets - Prevents you from committing passwords and other sensitive information to a git repository
  • Snyk - A developer-first solution that automates finding & fixing vulnerabilities in your dependencies
  • GuardRails - Continuous security feedback for your GitHub repositories
  • Hakiri - Hakiri monitors Ruby apps for dependency and code security vulnerabilities

Logging and Monitoring

  • Sqreen - Unified security monitoring and protection for modern cloud & on-prem environments
  • Report URI

Security Vulnerability Advisories

Resources

Official Resources

Labs - Vulnerable Applications

  • OWASP RailsGoat - A vulnerable version of the Ruby on Rails Framework from versions 3 to 5. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals.
  • DeleteMe - Educational insecure Rails application
  • Checkmarx - Codebashing - Lessons on common vulnerabilities implemented in Rails. Lessons on SQL Injection, XXE and Stored XSS are free.
  • PentesterLab - Provides some vulnerable Rails environments to learn about security vulnerabilities, such as CVE-2019-5420

Best Practices

Anti-Patterns

Additional Reading

Reporting Bugs