What is the most secure we can get with Rails?
Rails have a large number of built-in security features. As far as I know, it deals with all of the most common security issues, such as CSRF, account hijacking, code injection, session fixation, etc.
If a Rails application makes good use of all those built-in features, what may be missing? How distant it gets from other well-known secure applications such as Salesforce?
How much does the infrastructure affects that? Is Heroku a safe platform? Running your own servers may lead to a more secure environment?
I’m building an application that will be used by a NYSE listed company and therefore it must follow the SOX act. This company has large concerns with data security, but it uses Salesforce, i.e., it has data living outside their walls. If I follow all the Rails best practices and host this app in Heroku (which is now owned by Salesforce), how far I will be from Salesforce security?
Infrastructure-wise, Heroku is a secure platform and is SOX compliant. You can read more about this here: https://www.heroku.com/policy/security
The standard Rails features provide the base level you need to build a secure application.
Beyond that, there are two major areas you need to concern yourself with:
- Ensuring you don’t introduce security flaws in your application code. http://codeclimate.com can assist with basic security checks, but if this is serious, I recommend you audit all code changes for security, and consider working with an outside security consulting firm to ensure integrity of the system. This could be as simple and doing active security scans for common vulnerabilities, to more code review and manual hacking attempts.
- Ensuring that the application you build is compliant with any regulations that the NYSE listed company may be held to. For example, I believe there are data retention and audit-trail requirements for these kinds of companies.
I hope that helps,
I think it’s worth giving the brakeman gem a run on your codebase if you don’t have access to Code Climate.
Also, maybe the mutant gem would be worth a run too. It uses a technique called “mutation testing” that tries to change your code to introduce errors. It could highlight potential security flaws.
@cpytel it’s good to know that Heroku is SOX compliant. I’ve read that before but I didn’t know if it was referring to their own financial data, or to their hosted infrastructure as well.
I will certainly use codeclimate.com on this project, it’s a great tool! Regarding a security audit, is there any well known certificate I should pursue? Is there any well known company I should look for?
I’m having some conversations with their IT department. I’ll try to find out if there any requirements like those. Thanks!
@aaronmcadam just tried brakeman and it’s awsome! It showed me a CreatedWith bug presented on Rails 4.1.4 and recommended a 4.1.5 upgrade. I’m also trying codesake-dawn. Seems like a nice gem too. It’s more rigorous and showed me two other issues that brakeman didn’t presented. Thanks!
In addition to Brakeman, you might also want to consider bundler-audit to check for known security defects in your app’s dependencies.
Sorry, I don’t have a strong recommendation for a company. the only times we’ve bumped up against this it was client/customer mandated and they are just automated scans, which I didn’t think were that great.
As a “deep pockets” CTO I used 403labs and Neustar for external PCI compliance scanning and reporting. Outside scanning and reports are only one piece of a full strategy internal and external for security.
http://www.nettitude.com the last company I worked for used them to pen test our servers. They did a great job and gave a full report and remediation plan for us. They aren’t cheap. I think it was around 5 grand to test an app using black box testing, gray box was a lot more and white box was around 5k-7k as well.
I’d recommend them if security of your app is a primary concern. Pen testing can save a company thousands or millions in some cases.
Just be careful. Don’t spent 99 cents to protect 1 dollar.