These are a few steps I usually take to make sure a Ruby on Rails application is secure and that none of the gems it uses has a known security vulnerability. If you want to learn how to avoid common security problems in the application code itself, the Securing Rails Applications guide is a good start.

Writing a secure application once is not going to guarantee that it stays secure. New vulnerabilities get discovered, stale gems or new dependencies can introduce them, and each bugfix or feature can potentially introduce one as well. The following steps will help you stay sane and give you some assurance that your application is still in good shape.

Add a gem trust policy

Adding a gem trust policy with MediumSecurity is a good way to stop tampered or fraudulently signed gems from getting installed on the server: once the policy is set, Bundler refuses any signed gem whose signature does not verify against a certificate you trust.

Trust policy     Description
HighSecurity     All dependent gems must be signed, and every signature must verify.
MediumSecurity   Signed dependent gems must verify; unsigned gems are still installed.
bundle --trust-policy MediumSecurity

Running the above command creates a .bundle/config file with the MediumSecurity trust policy and stops Bundler from installing any signed gem whose signature cannot be verified (unsigned gems still install under this policy). Verification also requires the signing certificate to be in your trusted list: add a publisher's certificate with gem cert --add before relying on their signed gems, or the install will fail. Make sure you commit the configuration file to your code repository. Newer Bundler versions no longer remember install flags; there the equivalent is bundle config set --local trust-policy MediumSecurity, which writes BUNDLE_TRUST_POLICY: "MediumSecurity" into the same file.

HighSecurity is very desirable if you can manage it, but it is rarely practical: quite a few well-known gems are not signed, and under HighSecurity every one of them would be refused.

For more information, read the RubyGems signing documentation. Keep in mind that a signature only proves who signed the gem, not that the gem is benign: a cryptographically signed gem can still be malicious, and an unsigned one can be perfectly fine. Try to avoid installing unnecessary gems and do your research before introducing new gems to your application.

Add a bundler-audit test

The easiest way to keep up with newly published vulnerabilities is the bundler-audit gem, run daily from a Jenkins job or similar.

bundler-audit goes through your Gemfile.lock and exits with an error if any resolved gem version has a known vulnerability; it also flags insecure gem sources (plain http:// or git:// URLs). The advisories come from ruby-advisory-db, a community-maintained database of known vulnerabilities in Ruby gems.

Run the following command as a daily security job and make sure you get proper notifications when it fails:

bundle audit check --update

The above command first pulls the latest ruby-advisory-db (so the job needs network access to GitHub) and then checks your Gemfile.lock against it. There is also the rubyonrails-security mailing list if you want to keep up with Rails-specific vulnerabilities as they are announced.
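To make the check concrete, here is a small re-implementation, added for this post and not taken from bundler-audit itself, of what bundle audit check does: it parses the resolved versions out of Gemfile.lock and compares each against advisories in the ruby-advisory-db shape (gem, patched_versions, unaffected_versions, each entry a RubyGems requirement string). The lockfile excerpt, gem names and advisory IDs below are constructed for the example and describe no real vulnerability.

```ruby
require 'rubygems' # Gem::Version and Gem::Requirement ship with Ruby

# Constructed Gemfile.lock excerpt (not a real project). Resolved gems sit
# under GEM -> specs: as "    name (version)"; the deeper-indented lines
# below a spec are that gem's own requirements, not resolved versions.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      parsekit (0.9.1)
        widgetlib (>= 1.0)
      safegem (3.1.0)
      widgetlib (1.2.3)
      widgetlib-core (2.0.0-x86_64-linux)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    parsekit
    safegem
    widgetlib
LOCK

# Constructed advisories in the shape of ruby-advisory-db entries
# (gems/<name>/<id>.yml). The IDs, gems and titles are hypothetical.
SAMPLE_ADVISORIES = [
  { 'gem' => 'widgetlib', 'id' => 'EXAMPLE-2001',
    'title' => 'Hypothetical code execution in widgetlib templates',
    'patched_versions' => ['~> 1.2.4', '>= 1.3.0'] },
  { 'gem' => 'parsekit', 'id' => 'EXAMPLE-2002',
    'title' => 'Hypothetical denial of service in parsekit',
    'unaffected_versions' => ['< 0.5.0'],
    'patched_versions' => ['>= 0.9.2'] },
  { 'gem' => 'widgetlib-core', 'id' => 'EXAMPLE-2003',
    'title' => 'Hypothetical information leak in widgetlib-core 1.x',
    'unaffected_versions' => ['>= 2.0.0'],
    'patched_versions' => ['>= 1.9.5, < 2.0.0'] },
].freeze

# Exactly four leading spaces: a top-level spec, not a nested requirement.
SPEC_LINE = /\A {4}(\S+) \(([^)]+)\)\s*\z/

# Parse resolved gem versions from lockfile text. Returns { name => version }.
def parse_lockfile(text)
  specs = {}
  section = nil
  text.each_line do |line|
    section = line.strip if line =~ /\A\S/ # GEM, GIT, PATH, PLATFORMS, ...
    next unless %w[GEM GIT PATH].include?(section)
    next unless (m = SPEC_LINE.match(line))
    # Drop a platform suffix such as 1.13.0-x86_64-linux; it is not a version.
    specs[m[1]] = m[2].split('-').first
  end
  specs
end

# One advisory entry may hold several clauses ("> 1.9.0, < 2.0.0");
# Gem::Requirement takes them as separate strings and requires all of them.
def requirement(str)
  Gem::Requirement.new(*str.split(',').map(&:strip))
end

# A version is vulnerable unless it falls inside an unaffected or a patched
# range. A pre-release of the fix (1.2.4.pre) sorts below 1.2.4, so it does
# not satisfy the patched range and stays flagged.
def vulnerable?(version, advisory)
  v = Gem::Version.new(version)
  safe = Array(advisory['unaffected_versions']) + Array(advisory['patched_versions'])
  safe.none? { |req| requirement(req).satisfied_by?(v) }
end

# Cross every resolved gem with the advisories published for that gem.
def audit(lockfile_text, advisories)
  by_gem = advisories.group_by { |a| a['gem'] }
  parse_lockfile(lockfile_text).flat_map do |name, version|
    hits = Array(by_gem[name]).select { |adv| vulnerable?(version, adv) }
    hits.map { |adv| { gem: name, version: version, id: adv['id'], title: adv['title'] } }
  end
end

# Human-readable report; a CI wrapper would exit non-zero when findings exist.
def report(findings)
  return 'No known vulnerabilities found.' if findings.empty?
  findings.map { |f| "#{f[:gem]} #{f[:version]}: #{f[:id]} #{f[:title]}" }.join("\n")
end

puts report(audit(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES))
```

The real tool does the same comparison with the full database and additionally checks gem sources; the point of the exercise is to see why a gem that is one patch version behind is reported and why an unaffected_versions entry keeps a rewritten major version quiet.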

Static analysis with Brakeman

Brakeman is a static analysis security scanner for Ruby on Rails applications. You can configure your code repository server to run it on every pull request and make a passing run a merge requirement, or set up a daily job that runs it against your production or development branches.

brakeman -A

The above command runs all checks, including the optional ones that are off by default. Run it from the project root, or pass the application path as the last argument. Brakeman will sometimes report false positives, but it provides a clean way to ignore them: brakeman -I walks through the warnings interactively and records the ones you accept in config/brakeman.ignore, which you commit so the job stays quiet about them. Add -z when running in CI so that Brakeman exits with a non-zero status whenever it finds warnings. See the Brakeman documentation for more information.
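The daily job that the bundler-audit and Brakeman sections describe, as an added example for this post (not a script shipped by either tool): a small Ruby script, say bin/security-check, that runs both commands and fails the job if either does. It assumes both gems are in the bundle; bundle audit check --update and brakeman -A -z -q are the tools' real command lines (-z makes Brakeman exit non-zero on warnings, -q suppresses informational output). The webhook notification, its SECURITY_WEBHOOK_URL variable, the {"text": ...} body and the run subcommand are assumptions made for the example.

```ruby
#!/usr/bin/env ruby
# bin/security-check: run the security tools from this post as one job.
# Added example; assumes bundler-audit and brakeman are in the Gemfile.
require 'open3'
require 'json'
require 'net/http'
require 'uri'

SECURITY_CHECKS = {
  # Refresh ruby-advisory-db, then scan Gemfile.lock (needs network access).
  'bundler-audit' => %w[bundle audit check --update],
  # All Brakeman checks; -z exits non-zero on warnings, -q drops chatter.
  'brakeman' => %w[bundle exec brakeman -A -z -q],
}.freeze

# Run one command and return [combined output, exited_zero?]. A tool that is
# not installed counts as a failed check rather than a silently skipped one.
def run_command(argv)
  output, status = Open3.capture2e(*argv)
  [output, status.success?]
rescue Errno::ENOENT => e
  ["#{argv.first}: #{e.message}", false]
end

# Run every check. The runner is injectable so the reporting logic can be
# exercised without the tools installed.
def run_checks(checks, runner: method(:run_command))
  checks.map do |name, argv|
    output, ok = runner.call(argv)
    { name: name, command: argv.join(' '), ok: ok, output: output }
  end
end

# Build the job summary: the names of failed checks plus a text block to post.
def summarize(results)
  failed = results.reject { |r| r[:ok] }.map { |r| r[:name] }
  lines = results.map { |r| "#{r[:ok] ? 'PASS' : 'FAIL'} #{r[:name]}: #{r[:command]}" }
  lines << (failed.empty? ? 'All security checks passed.' : "#{failed.size} security check(s) failed.")
  { failed: failed, text: lines.join("\n") }
end

# Optional notification (assumed for this example): POST the summary as a
# JSON {"text": ...} body to a webhook. Returns false when no URL is
# configured so the caller can fall back to the CI job status.
def notify(summary, webhook_url = ENV['SECURITY_WEBHOOK_URL'])
  return false if webhook_url.nil? || webhook_url.empty?
  response = Net::HTTP.post(URI(webhook_url), JSON.generate(text: summary[:text]),
                            'Content-Type' => 'application/json')
  response.is_a?(Net::HTTPSuccess)
end

# Entry point: `bin/security-check run`. Loading the file without the
# subcommand only defines the functions above.
if __FILE__ == $PROGRAM_NAME && ARGV.first == 'run'
  results = run_checks(SECURITY_CHECKS)
  results.reject { |r| r[:ok] }.each { |r| puts "---- #{r[:name]} output ----", r[:output] }
  summary = summarize(results)
  puts summary[:text]
  unless notify(summary)
    puts 'SECURITY_WEBHOOK_URL not set; relying on the job status for notification.'
  end
  exit(summary[:failed].empty? ? 0 : 1)
end
```

Wire the script into the daily job so that the job's own failure notification fires on a non-zero exit; the output of the failing tool is printed before the summary so the Jenkins log shows which gem or which Brakeman warning caused it.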
