Rails has a large number of built-in security features. As far as I know, it deals with all of the most common security issues, such as CSRF, account hijacking, code injection, session fixation, etc.
If a Rails application makes good use of all those built-in features, what may be missing? How far is it from other well-known secure applications such as Salesforce?
How much does the infrastructure affect that? Is Heroku a safe platform? Could running your own servers lead to a more secure environment?
I'm building an application that will be used by a NYSE listed company and therefore it must follow the SOX act. This company has large concerns with data security, but it uses Salesforce, i.e., it has data living outside their walls. If I follow all the Rails best practices and host this app in Heroku (which is now owned by Salesforce), how far will I be from Salesforce security?
Infrastructure-wise, Heroku is a secure platform and is SOX compliant. You can read more about this here: Heroku Security | Heroku
The standard Rails features provide the base level you need to build a secure application.
Beyond that, there are two major areas you need to concern yourself with:
Ensuring you don't introduce security flaws in your application code. http://codeclimate.com can assist with basic security checks, but if this is serious, I recommend you audit all code changes for security, and consider working with an outside security consulting firm to ensure integrity of the system. This could be as simple as doing active security scans for common vulnerabilities, to more code review and manual hacking attempts.
Ensuring that the application you build is compliant with any regulations that the NYSE listed company may be held to. For example, I believe there are data retention and audit-trail requirements for these kinds of companies.
Also, maybe the mutant gem would be worth a run too. It uses a technique called "mutation testing" that tries to change your code to introduce errors. It could highlight potential security flaws.
@cpytel it's good to know that Heroku is SOX compliant. I've read that before but I didn't know if it was referring to their own financial data, or to their hosted infrastructure as well.
I will certainly use codeclimate.com on this project, it's a great tool! Regarding a security audit, is there any well known certificate I should pursue? Is there any well known company I should look for?
I'm having some conversations with their IT department. I'll try to find out if there are any requirements like those. Thanks!
@aaronmcadam just tried brakeman and it's awesome! It showed me a CreatedWith bug present in Rails 4.1.4 and recommended a 4.1.5 upgrade. I'm also trying codesake-dawn. Seems like a nice gem too. It's more rigorous and showed me two other issues that brakeman didn't present. Thanks!
Sorry, I don't have a strong recommendation for a company. The only times we've bumped up against this it was client/customer mandated and they are just automated scans, which I didn't think were that great.
As a "deep pockets" CTO I used 403labs and Neustar for external PCI compliance scanning and reporting. Outside scanning and reports are only one piece of a full strategy, internal and external, for security.
http://www.nettitude.com The last company I worked for used them to pen test our servers. They did a great job and gave a full report and remediation plan for us. They aren't cheap. I think it was around 5 grand to test an app using black box testing, gray box was a lot more and white box was around 5k-7k as well.
I'd recommend them if security of your app is a primary concern. Pen testing can save a company thousands or millions in some cases.
Just be careful. Don't spend 99 cents to protect 1 dollar.