As with the other articles, RailsGoat will be used to explore some aspects of these threats in practice. If you're new here, please refer to the previous two articles to get the app set up and get acquainted with what we’ve explored so far. Let's jump right in!
-
If you’re migrating from Rails 3 to a newer version and still don’t want to deal with that specific part, Rails still allows the use of the protected_attributes gem for a smoother upgrade path, but be mindful that this only lasts until version 5. From there on, no more support is provided.
-
This allows Rails to escape any HTML content in JSON responses, which is great. Make sure to always double-check that the value is set to true, since there’s some controversy about the default value depending on the version of Rails.
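To make the point concrete, here is an added example that is not from the original article and does not use Rails at all: it reimplements on plain stdlib JSON what Rails' escape_html_entities_in_json setting does, so you can see why JSON that is later embedded in a page needs the `<`, `>` and `&` characters turned into `\uXXXX` escapes. The sample payload is constructed for the demonstration, and the function names are this example's own.

```ruby
require 'json'

# Added example (not the article's or Rails' code): the same transformation
# Rails applies to JSON output when escape_html_entities_in_json is true.
# The three characters that matter inside HTML are replaced by their JSON
# \uXXXX escapes. A JSON parser decodes them back to the same characters,
# so the data is unchanged, but the raw text can no longer open or close
# an HTML tag or entity if it ends up inside a <script> block or attribute.
HTML_ESCAPES = { '<' => '\u003c', '>' => '\u003e', '&' => '\u0026' }.freeze

def escape_html_entities_in_json(json)
  # Block form of gsub inserts the replacement literally, so the backslash
  # in '\u003c' is kept as-is and not treated as a back-reference.
  json.gsub(/[<>&]/) { |c| HTML_ESCAPES[c] }
end

# Mimics a controller rendering JSON, with the escaping step switchable
# so the two outputs can be compared side by side.
def render_json(payload, escape: true)
  json = JSON.generate(payload)
  escape ? escape_html_entities_in_json(json) : json
end

# Constructed sample payload: user-supplied text containing HTML markup.
SAMPLE = { 'comment' => '<b>Hello</b> & friends' }.freeze

if __FILE__ == $PROGRAM_NAME
  puts "unescaped: #{render_json(SAMPLE, escape: false)}"
  puts "escaped:   #{render_json(SAMPLE)}"
  # Both forms parse back to the identical Ruby hash.
  puts "round-trip ok: #{JSON.parse(render_json(SAMPLE)) == SAMPLE}"
end
```

The check worth keeping in mind: the escaped form still round-trips through `JSON.parse` to the same data, so turning the setting on costs nothing on the consuming side; what changes is only that the serialized text can no longer be interpreted as markup by a browser that sees it inline.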
-
Other useful gems you may take a look at are dawnscanner, reek, and hakiri_toolbelt.
-
Let’s take the super famous gem bundler-audit, for instance. It works closely with bundler to provide patch-level verification of your project’s gems: checks for known vulnerabilities, insecure gem sources, and so on.
-
Another great lib for this is Brakeman, which can be installed in a very similar way and gives you even more detailed reports:
-
dawnscanner
Dawn is a static analysis security scanner for web applications written in Ruby. It supports the Sinatra, Padrino and Ruby on Rails frameworks.
-