Application Security for Rails Engineers

Oleksii Vasyliev

• Web and Mobile Developer, DevOps. BTW, I am NOT security specialist
• Open-Source libs: Certonid, Storybook Addon Root Attribute, PGTune, SQL Joins Visualizer, etc
• Open-Source books: Setting up and scaling of PostgreSQL (Russian), Cooking Infrastructure by Chef
• Leading RWpod podcast about Ruby and JavaScript

Company security areas

• Application security: the app sec team is responsible for handling everything from project inception to release from a security standpoint
• Incident response and monitoring: they are in charge of monitoring the production systems and kicking off the response process for any incidents that arise
• Corporate and IT security: they often manage internal security (employees directory, asset management, devices monitoring, etc.)
• Governance Risk and Compliance (GRC): this area is about managing certifications like SOC2, Fedramp, etc

Web Application Security Basics

• Use HTTPS
• Avoid Injections - Never Trust User Input! Never!
• Sensitive Data Exposure (logs, analytics, etc)
• Broken Access Control (SSH, administrative panel, database, etc)
• Security Misconfigurations (unpatched flaws, default configuration, unnecessary services, etc)
• Keep secrets out of your code

Content Security Policy (CSP)

    Content-Security-Policy: default-src 'self';
      img-src * data: blob:;
      media-src media1.com media2.com;
      script-src userscripts.example.com
            

Content Security Policy (CSP)

Rails.application.config.content_security_policy do |policy|
  policy.default_src :self
  policy.script_src :self, 'js.example.com'
  policy.style_src :self, :unsafe_inline
  policy.report_uri "/csp-violation-report-endpoint"
end
        

Content Security Policy (CSP)

content_security_policy do |policy|
  policy.default_src :self
  policy.img_src '*', :data, :blob
  policy.script_src :self, 'js.example.com'
  policy.frame_src :self, 'widget.example.com'
  policy.media_src :self, 'media.example.com'
end
        

UNSAFE-INLINE and UNSAFE-EVAL

Content Security Policy Report Only

Content-Security-Policy-Report-Only: default-src *;
  img-src * data: blob:;
  report-uri /csp-violation-report-endpoint/
        

Strict-Transport-Security

Strict-Transport-Security:
  max-age=31536000 ; includeSubDomains; preload

X-Frame-Options

X-Frame-Options: deny | sameorigin | allow-from: DOMAIN

More headers...

• X-XSS-Protection
• X-Content-Type-Options
• X-Permitted-Cross-Domain-Policies
• Referrer-Policy
• Expect-CT
• Feature-Policy
• Cache-Control
• Pragma
• Expires

Cache-Control, Pragma and Expires

Ask the browser not to cache pages with sensitive information

response.headers['Cache-Control'] =
  'private, no-cache, no-store, max-age=0'
response.headers['Pragma'] = 'no-cache'
response.headers['Expires'] = '0'

Rails Default Headers

Basics

• No inline scripts due to CSP (if you realy need them: use hash algorithm or cryptographic nonce)
• autocomplete="off" for sensitive form fields
• Use json_escape when passing variables to JavaScript
• Don't use assets from a public CDN, as this creates unnecessary availability and security risk

Subresource Integrity

Subresource Integrity

javascript_include_tag :application,
  integrity: true, crossorigin: 'anonymous'

<script src="/assets/application.js"
integrity="sha-256-TvVUHzSfftWg1rcfL6TIJ0XKEGrgLyEq6lEpcmrG9qs="
crossorigin="anonymous"></script>
        

Registration form under attack!

Cross-Site Request Forgery (CSRF)

protect_from_forgery with: :exception

ActiveSupport::SecurityUtils against timing attacks

ActiveSupport::SecurityUtils.secure_compare(a, b)

Backdoor code in gems (source)

• rest-client: 1.6.10-1.6.13
• bitcoin_vanity: 4.3.3
• lita_coin: 0.0.3
• coming-soon: 0.2.8
• omniauth_amazon: 1.0.1
• cron_parser: 0.1.4, 1.0.12-1.0.13
• coin_base: 4.2.1
• blockchain_wallet: 0.0.6
• awesome-bot: 1.18.0
• doge-coin: 1.0.2
• capistrano-colors: 0.5.5

Gems sandbox checking

• Virtual machine with linux (snapshots to restore states, tcpdump, netstat, nethogs, iftop, iotop)

• $ gem unpack rest-client
  Fetching rest-client-2.1.0.gem
  Unpacked gem: '/tmp/rest-client-2.1.0'
  
  $ git clone https://github.com/rest-client/rest-client
  $ git checkout 2.1.0
  $ cp -r /tmp/rest-client-2.1.0 ./rest-client
  $ cd rest-client && git diff
            

Tools

• Brakeman
• Bundler-audit
• npm audit
• Github security alerts for vulnerable dependencies
• AuthTrail
• Rack::Attack
• Attr_encrypted, Lockbox, Symmetric Encryption, etc

Secret Datastores

SSH access

Building a healthy security culture

• Instill the concept that security belongs to everyone
• Concentrate on the basics
• Do things that scale (automate security approaches)
• Improving security culture requires clarity and commitment
• Adopt data security strategies: Zero Trust Architecture, etc
• Be enablers rather than gatekeepers
• Make security fun and engaging

<Thank You!> Questions?