Security Risks On Rails: Misconfiguration and Unsafe Integrations

This page summarizes the projects mentioned and recommended in the original post on dev.to

Our great sponsors
  • WorkOS - The modern identity platform for B2B SaaS
  • InfluxDB - Power Real-Time Data Analytics at Scale
  • SaaSHub - Software Alternatives and Reviews
  • railsgoat

    A vulnerable version of Rails that follows the OWASP Top 10

  • As with the other articles, RailsGoat will be used to explore some aspects of these threats in practice. If you're new here, please refer to the previous two articles to get the app set up and get acquainted with what we’ve explored so far. Let's jump right in!

  • protected_attributes

    Protect attributes from mass-assignment in ActiveRecord models.

  • If you’re migrating from Rails 3 to a newer version and still don’t want to deal with that specific part, Rails still allows the use of the protected_attributes gem for a smoother upgrade path, but be mindful that this is just until version 5. From there on, no more support will be provided.

  • WorkOS

    The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.

    WorkOS logo
  • Ruby on Rails

    Ruby on Rails

  • This allows Rails to escape any HTML content in JSON responses, which is great. Make sure to always double-check whether the value is set to true since there’s some controversy about the default value, depending on the version of Rails.

  • Reek

    Code smell detector for Ruby

  • Other useful gems you may take a look at are dawnscanner, reek, and hakiri_toolbelt.

  • bundler-audit

    Patch-level verification for Bundler

  • Let’s take the super famous gem bundler-audit, for instance. It works closely with bundler to provide patch-level verification for your project gems, such as vulnerability checks, insecure gem sources, etc.

  • Brakeman

    A static analysis security vulnerability scanner for Ruby on Rails applications

  • Another great lib for this is Brakeman, which can be installed in a very similar process and gives you even more detailed reports:

  • dawnscanner

    Dawn is a static analysis security scanner for ruby written web applications. It supports Sinatra, Padrino and Ruby on Rails frameworks.

  • Other useful gems you may take a look at are dawnscanner, reek, and hakiri_toolbelt.

  • InfluxDB

    Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.

    InfluxDB logo
  • Hakiri

    Secure Ruby apps with Hakiri

  • Other useful gems you may take a look at are dawnscanner, reek, and hakiri_toolbelt.

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.

Suggest a related project

Related posts