An overview of cybersecurity for web apps built with Ruby on Rails

Why Cybersecurity Has Never Been More Important for Your App: a quick overview of developing secure web apps with Ruby on Rails

Wolfpack Digital
5 min read · Nov 12, 2020


Whether you are an IT company or a business in any other industry, it is your duty to protect your customers’ data and the data of everyone else who gives you information (employees, partners, etc.).

For years, data protection was overlooked and underestimated, until a few big data breaches changed the way we look at it (the Cambridge Analytica scandal is just one example).

Without further ado: a security breach can cost your business customers, harm the companies you work with, and bring reputation damage, a PR crisis, brand-management challenges, higher lead and customer-acquisition costs and effort, and, of course, financial losses.

Types of business information at risk

  • employees’ information (salaries, names, addresses, IDs, e-mails, roles, etc.)
  • databases (of customers, your customers’ users, partners, etc.)
  • business and financial details (budgets, business plans, resource allocations, competitive assets)
  • product details (patents, designs, manufacturing processes, development processes, etc.)

Developing secure web apps with Ruby on Rails

We love Ruby on Rails (RoR); hence, most of the web applications we build at Wolfpack Digital, whether for fintech, healthcare, or transportation clients, use Ruby on Rails.

Here’s a short guide to building secure web applications:

  • Serve your app over HTTPS with a TLS certificate (still commonly called an SSL certificate), so that traffic between the browser and your app is encrypted and authenticated and your customers can trust the connection. In Rails, config.force_ssl = true redirects plain HTTP to HTTPS, sends an HSTS header and marks cookies as Secure.
  • Put a CDN/WAF such as Cloudflare in front of the app to improve performance and to absorb DDoS traffic and bot abuse. It is a proxy, not a replacement for hardening: the origin server still needs its own TLS and patching, and it should only be reachable through the proxy.
  • Validate and sanitize user input to prevent web attacks. Similar to the pandemic, if we do not sanitize well, the viruses will get us.
    In the software development world, we keep users safe by treating every input as untrusted.
    The setup is simple: each digital product (or most of them, for sure) has a pool of customers (known as users) and a server, and using the product means exchanging data between the user and that server. Most users are nice and send the data the product needs, but a hacker or just a bad guy can send malicious or malformed data to the product’s server and cause harm.
    Validation rejects input that does not match what the application expects (type, length, format); sanitization removes or neutralises dangerous content from input you do accept; and escaping encodes data at the point of output (HTML, SQL, shell) so that it is treated as data rather than code. Combining validation and sanitization gives your web application defence in depth.
  • Prevent SQL injection
    If user input is concatenated into a SQL query without escaping, an attacker can change the structure of the query itself. This is SQL injection: it manipulates your parameters to read or modify your database and to bypass authorization. In Rails, let ActiveRecord do the escaping: use hash conditions (User.where(email: params[:email])) or bind parameters (User.where("email = ?", params[:email])) and the dynamic attribute-based finders (User.find_by(email: params[:email])), and never pass a string built from user input as a query. Treat request parameters as data (“inputs”), never as fragments of the query (“commands”).
    The related output-side protections, Rails’ automatic escaping of plain strings in views and the sanitize helper (which lets you specify the HTML tags you want to allow through), defend against cross-site scripting rather than SQL injection; you need both.
  • Allowlist (whitelist) parameters
    As the app owner you decide which attributes each action may set, and you let only those through to your models: in Rails this is strong parameters (params.require(:user).permit(:name, :email)). Prefer allowlists to denylists (filters like :only => […] rather than :except => […]), because an attribute or action added later is then blocked by default instead of being exposed by default.
  • Ensure tokens expire and can be deactivated, and encrypt all cookies.
    Many APIs now use token-based authentication as an alternative to server-side sessions: the server issues a signed, encoded token that is checked on every request, so it does not have to store or look up session state for each user.
    The great thing about tokens is that they have a set lifetime, which you can change at any point. The catch is that a stateless token cannot be “logged out” by itself, so keep a short lifetime and a way to deactivate a stolen or leaked token (a revocation list keyed by token id, or rotating the signing secret). Session-based authentication, in contrast, stores a set of data about each user, so the session cookie must be encrypted and signed (Rails’ cookie session store does this with secret_key_base) and flagged Secure and HttpOnly.
  • Use bcrypt to hash and salt passwords.
    No matter the web app you have, there will always be usernames and passwords to verify (or at least we hope so). Never store the password itself. Hashing applies an algorithm that takes a string of any length and produces a fixed-length value from which the password cannot be recovered; a password hash such as bcrypt is additionally made deliberately slow (its cost factor) so that brute-forcing a leaked hash is expensive.
    Salting is not about spicing things up: a salt is a random string generated per password and stored next to the hash, so two people with exactly the same password get different hashes and an attacker cannot use one precomputed table against the whole database.

In Rails, the bcrypt gem backs has_secure_password, which handles setting, (some) validating, salting, hashing, and authenticating passwords for you.
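To make the input-handling points above concrete (validate and sanitize input, allowlist parameters, rely on escaping at output), here is an added example that is not code from the original post or from Wolfpack Digital. It uses only Ruby’s standard library so it runs outside Rails: permit_user_params, validate_user, render_greeting and the constructed ATTACKER_PARAMS hash are names made up for this example. In a real Rails app the same jobs are done by strong parameters (params.require(:user).permit(...)), model validations and ERB’s automatic HTML escaping; here the equivalent logic is written out so you can see what each layer stops.

```ruby
require "erb"

# Attributes a sign-up form is allowed to set. Anything else (for example
# "admin") is dropped before it reaches the model, mirroring strong parameters.
PERMITTED_USER_ATTRS = %w[name email].freeze

# Deliberately simple e-mail shape check; real apps use a stricter validator.
EMAIL_RE = /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/

# Allowlist filter: keep only permitted keys, and only plain string values
# (a nested hash or array in a scalar field is itself suspicious input).
def permit_user_params(params)
  params.slice(*PERMITTED_USER_ATTRS).select { |_, v| v.is_a?(String) }
end

# Validation: decide whether the already-allowlisted input is acceptable.
# Returns a list of error messages; an empty list means valid.
def validate_user(attrs)
  errors = []
  name = attrs["name"].to_s.strip
  errors << "name is required" if name.empty?
  errors << "name is too long" if name.length > 100
  errors << "email is invalid" unless attrs["email"].to_s.match?(EMAIL_RE)
  errors
end

# Output escaping: the value is stored as typed and escaped when rendered into
# HTML, which is what Rails' ERB does automatically for plain strings.
def render_greeting(name)
  "<p>Hello, #{ERB::Util.html_escape(name)}!</p>"
end

# Constructed request parameters, as a malicious client might send them:
# a mass-assignment attempt ("admin") plus a script tag in the name.
ATTACKER_PARAMS = {
  "name"  => "<script>alert(1)</script>",
  "email" => "mallory@example.com",
  "admin" => "true",
}.freeze

# The three layers in the order a controller would apply them.
def handle_signup(params)
  attrs = permit_user_params(params)
  errors = validate_user(attrs)
  return { ok: false, errors: errors } unless errors.empty?

  { ok: true, attrs: attrs, html: render_greeting(attrs["name"]) }
end

if __FILE__ == $PROGRAM_NAME
  p handle_signup(ATTACKER_PARAMS)
  # "admin" never reaches attrs, and the script tag is rendered as text:
  # <p>Hello, &lt;script&gt;alert(1)&lt;/script&gt;!</p>
end
```

Note that the name is accepted as data and neutralised only when rendered; if you also need to strip or allowlist HTML tags inside the stored value, use a real HTML sanitizer (in Rails, the sanitize helper) rather than a regular expression.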

  • Don’t store third-party credentials (or other sensitive data) directly in the project. We either keep them in ENV vars or keep them encrypted in the project (e.g., Rails credentials, where config/credentials.yml.enc is committed but the master key that decrypts it stays out of the repository).
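The token item above says tokens must expire and be deactivatable; the following is an added stand-alone Ruby sketch of such a token, not code from the original post or from Wolfpack Digital. It signs a JSON payload with HMAC-SHA256 from the standard library, checks the signature in constant time before parsing anything, rejects expired tokens against an absolute expiry, and supports revocation through a token id. DEMO_SECRET, issue_token, verify_token and revoke are names made up for this example, and the secret is hard-coded only for the demo. In a Rails app you would normally use ActiveSupport::MessageVerifier (generate with expires_in:) or a JWT library rather than hand-rolling this, and load the key from Rails credentials.

```ruby
require "openssl"
require "json"
require "base64"
require "securerandom"
require "set"

# Demo-only key, constructed for this example. A real app loads the key from
# Rails credentials or an environment variable, never from source.
DEMO_SECRET = "0123456789abcdef0123456789abcdef".freeze

# Constant-time comparison: a forged signature must not be refinable byte by
# byte through timing differences in the check.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize

  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def encode(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def hmac(data, secret)
  OpenSSL::HMAC.digest("SHA256", secret, data)
end

# Issue a token: base64url(JSON payload) "." base64url(HMAC-SHA256 over it).
# exp is an absolute Unix time so the check does not depend on the client, and
# jti is a random id a revocation list can refer to. The payload is signed but
# not encrypted, so it must not carry secrets.
def issue_token(user_id, secret, ttl_seconds:, now: Time.now.to_i)
  payload = { "sub" => user_id, "iat" => now, "exp" => now + ttl_seconds,
              "jti" => SecureRandom.hex(8) }
  body = encode(JSON.generate(payload))
  "#{body}.#{encode(hmac(body, secret))}"
end

# Verify a token. Returns [:ok, payload] or [:error, reason]. The signature is
# checked before the payload is decoded, so untrusted bytes never reach JSON.
def verify_token(token, secret, now: Time.now.to_i, revoked: Set.new)
  body, sig = token.to_s.split(".", 2)
  return [:error, :malformed] if body.nil? || sig.nil?
  return [:error, :bad_signature] unless secure_compare(sig, encode(hmac(body, secret)))

  payload = JSON.parse(Base64.urlsafe_decode64(body))
  return [:error, :expired] if payload["exp"].to_i <= now
  return [:error, :revoked] if revoked.include?(payload["jti"])

  [:ok, payload]
rescue JSON::ParserError, ArgumentError
  [:error, :malformed]
end

# Deactivation: on logout, remember the id of a still-valid token. Entries only
# need to live until the token's exp passes; after that it is rejected anyway.
def revoke(token, secret, revoked)
  status, payload = verify_token(token, secret)
  revoked << payload["jti"] if status == :ok
  status
end

if __FILE__ == $PROGRAM_NAME
  token = issue_token(42, DEMO_SECRET, ttl_seconds: 900)
  p verify_token(token, DEMO_SECRET)                    # [:ok, {...}]
  p verify_token(token + "x", DEMO_SECRET)              # [:error, :bad_signature]
  revoked = Set.new
  revoke(token, DEMO_SECRET, revoked)
  p verify_token(token, DEMO_SECRET, revoked: revoked)  # [:error, :revoked]
end
```

The revocation set is the one piece of server-side state a “stateless” token scheme cannot avoid if tokens must be deactivated before they expire; keeping lifetimes short bounds its size.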

Cybersecurity Awareness Month

October was Cybersecurity Awareness Month, so we decided to cover as many topics as possible to inform people about digital security. If you’d like to read more about the topic, here are a few useful links👇
