These are a few steps I usually take to make sure Ruby on Rails applications are secured and that the gems they use have no known security vulnerabilities. If you want to learn how to avoid common security problems, the Securing Rails Applications guide is a good start.
Writing a secure application once does not guarantee that it stays secure. New vulnerabilities get discovered, stale gems or new dependencies can introduce vulnerabilities, and every bugfix or feature can potentially introduce one as well. The following steps give you a little ongoing assurance, without losing your sanity, that your application is still secure.
Add a gem trust policy
Adding a gem trust policy of MediumSecurity is a cheap way to stop tampered or forged signed gems from being installed on the server. The two strict policies RubyGems offers are:

| Policy | Meaning |
|---|---|
| HighSecurity | All dependent gems must be signed and verified. |
| MediumSecurity | All signed dependent gems must be verified. |
bundle --trust-policy MediumSecurity
Running the above command creates a .bundle/config file that sets BUNDLE_TRUST_POLICY to MediumSecurity, and Bundler will then refuse to install any gem whose signature cannot be verified. Note that unsigned gems are still installed under this policy; only a signature that fails verification blocks the install. Newer Bundler versions warn that install flags will no longer be remembered, so set the policy explicitly with `bundle config set --local trust-policy MediumSecurity` instead. Either way, commit the configuration file to your code repository so that every machine installs with the same policy.
HighSecurity is more desirable, if you can manage it, but it may not be practical because quite a few well-known gems are not signed.
For more information, read the RubyGems signing documentation. Keep in mind that just because a gem is cryptographically signed does not mean it is not malicious, and vice versa: a signature proves who packaged the gem and that it was not modified afterwards, not that its code is safe. Avoid installing unnecessary gems and do your research before introducing new ones to your application.
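Before switching to HighSecurity it helps to know how many of your locked gems would be rejected. The script below is an added example, not code from the original post or from RubyGems: it parses the top-level entries of a Gemfile.lock, looks up each gem among the locally installed gems, and reports which ones carry a signer's certificate chain. The sample lockfile used in the usage note is constructed; the gem names in it are only illustrative.

```ruby
# Added example, not code from the original post: report which gems in a
# Gemfile.lock are installed with a certificate chain (i.e. were signed by
# their publisher), so you can judge whether HighSecurity is feasible before
# switching the trust policy. It only inspects gems already installed locally.
require 'rubygems'

# Pull the top-level "name (version)" entries out of a Gemfile.lock. Only the
# four-space-indented lines under "specs:" are gems; six-space lines are the
# dependencies of the gem above them and are skipped.
def locked_gems(lockfile_text)
  gems = []
  in_specs = false
  lockfile_text.each_line do |line|
    if line =~ /\A  specs:\s*\z/
      in_specs = true
    elsif line =~ /\A\S/            # new top-level section: PLATFORMS, DEPENDENCIES, ...
      in_specs = false
    elsif in_specs && (m = line.match(/\A    (\S+) \(([^)]+)\)\s*\z/))
      gems << [m[1], m[2]]
    end
  end
  gems
end

# Lockfile versions may carry a platform suffix, e.g. "1.15.0-x86_64-linux";
# RubyGems wants the bare version, so drop everything from the first dash.
def installed_spec(name, lock_version)
  version = lock_version.split('-', 2).first
  Gem::Specification.find_by_name(name, "= #{version}")
rescue Gem::LoadError, ArgumentError
  nil                                   # not installed locally (or odd version)
end

# A gem installed from a signed .gem keeps the signer's certificate chain in
# its specification; an unsigned gem has an empty chain.
def signed?(spec)
  chain = spec.cert_chain
  !chain.nil? && !chain.empty?
end

# Classify every locked gem as signed, unsigned or not installed locally.
def signing_report(lockfile_text)
  report = { signed: [], unsigned: [], missing: [] }
  locked_gems(lockfile_text).each do |name, version|
    key    = "#{name} #{version}"
    spec   = installed_spec(name, version)
    bucket = spec.nil? ? :missing : (signed?(spec) ? :signed : :unsigned)
    report[bucket] << key
  end
  report
end

if __FILE__ == $PROGRAM_NAME
  path = ARGV.fetch(0, "Gemfile.lock")
  if File.exist?(path)
    report = signing_report(File.read(path))
    report.each do |bucket, gems|
      puts "#{bucket} (#{gems.size}):"
      gems.each { |g| puts "  #{g}" }
    end
    puts "HighSecurity would reject #{report[:unsigned].size} unsigned gem(s)."
  else
    puts "usage: ruby #{$PROGRAM_NAME} [path/to/Gemfile.lock]"
  end
end
```

Run it from the application root after `bundle install` (`ruby gem_signing_report.rb Gemfile.lock`); gems listed under `missing` have not been installed on this machine, so install first if you want a complete picture. Anything under `unsigned` is what HighSecurity would refuse to install.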
Add a bundler-audit test
Run the following command as a daily security job and make sure you get proper notifications if the job fails.
bundle audit check --update
The above command updates its local copy of
ruby-advisory-db and then checks the gems in your
Gemfile.lock against it, exiting non-zero if a vulnerable gem or an insecure gem source (plain http:// or git://) is found. There is also the rails security mailing list,
if you want to keep up to date with Rails-related vulnerabilities.
Static analysis with Brakeman
Brakeman is a static analysis security tool for Ruby on Rails. You can configure your code repository server to run it on every pull request and make passing it a merge requirement, or set up a daily job that runs it on your production or development branches.
Run brakeman from your project root; with no options it runs all of its checks. Brakeman may report false positives, but it provides a nice way to ignore them: `brakeman -I` walks through the warnings interactively and records the ones you dismiss in config/brakeman.ignore, which you should commit and review like any other code. Pass --exit-on-warn so the job actually fails when new warnings appear. Read the Brakeman documentation at brakemanscanner.org for more information.
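The bundler-audit job above and the Brakeman job described in this section are the same shape: run a scanner, fail on findings, notify someone. The driver below is an added example, not code from the original post or from either tool, that runs both scanners, treats a missing scanner as a failure rather than a silent pass, and posts the report to a hypothetical webhook URL taken from SECURITY_WEBHOOK_URL. It assumes bundler-audit and Brakeman are installed on the machine running it.

```ruby
# Added example, not code from the original post or from either tool: a small
# driver for the daily security job (or a required CI check) that runs
# bundler-audit and Brakeman, fails if either finds something or is not even
# installed, and posts the summary to a hypothetical webhook URL.
# Assumes `gem install bundler-audit brakeman` has been done on the runner.
require 'open3'
require 'json'
require 'net/http'
require 'uri'

CHECKS = {
  # Refreshes ruby-advisory-db, then checks Gemfile.lock; non-zero exit on any
  # vulnerable gem or insecure gem source.
  "bundler-audit" => %w[bundle audit check --update],
  # -q: report only warnings; --exit-on-warn / --exit-on-error turn findings
  # (exit 3) and scanner errors (exit 4) into non-zero exits so CI notices.
  "brakeman"      => %w[brakeman -q --exit-on-warn --exit-on-error],
}.freeze

# Run one scanner and capture everything. A scanner that is missing from the
# runner counts as a failure: a silently skipped check looks like a clean one.
def run_check(name, cmd, chdir: Dir.pwd)
  out, err, status = Open3.capture3(*cmd, chdir: chdir)
  { name: name, ok: status.success?, exit: status.exitstatus, output: (out + err).strip }
rescue Errno::ENOENT => e
  { name: name, ok: false, exit: 127, output: "#{cmd.first} not found: #{e.message}" }
end

def run_all(checks = CHECKS)
  checks.map { |name, cmd| run_check(name, cmd) }
end

# Collapse results into a pass/fail verdict plus a text report carrying the
# raw output of every failed scanner (the part you want in the notification).
def summarize(results)
  failed = results.reject { |r| r[:ok] }
  lines  = results.map { |r| "#{r[:ok] ? 'PASS' : 'FAIL'} #{r[:name]} (exit #{r[:exit]})" }
  failed.each { |r| lines << "" << "--- #{r[:name]} ---" << r[:output] }
  { ok: failed.empty?, text: lines.join("\n") }
end

# Hypothetical notification hook: POST the report as JSON to whatever chat or
# paging webhook you use. Returns false when no URL is configured.
def notify(summary, webhook = ENV["SECURITY_WEBHOOK_URL"])
  return false if webhook.nil? || webhook.empty?
  Net::HTTP.post(URI(webhook), { text: summary[:text] }.to_json,
                 "Content-Type" => "application/json")
  true
end

# Explicit "run" argument so that loading this file (e.g. from a test) does
# not launch the scanners; cron or CI invokes `ruby security_check.rb run`.
if __FILE__ == $PROGRAM_NAME && ARGV.first == "run"
  summary = summarize(run_all)
  puts summary[:text]
  notify(summary) unless summary[:ok]
  exit(summary[:ok] ? 0 : 1)
end
```

Schedule it from cron (for example `cd /srv/app && ruby security_check.rb run` once a day) or wire it into the pull request pipeline as a required check; the non-zero exit is what makes the pipeline or cron mailer notice. If the scanners live in your Gemfile rather than being installed globally, prefix both commands with `bundle exec`.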