
edgescan / IISF – Ruby secure coding workshop

Owen Mooney

Owen Mooney, edgescan's lead developer, delivered a talk about common risks faced when coding in Ruby and Ruby on Rails.

The talk covered best practices and pitfalls when writing a secure web application in Ruby on Rails, with examples of how to deal with the OWASP Top 10 as well as some Ruby-specific vulnerabilities.

Click here to access the Git repository with the working code.

Please follow these steps in order to get the app to work:

To install, you must have Ruby, gem, and Bundler installed. Run the following command to install the dependencies:

bundle install

To get the SQL injection examples working, you will have to perform a few additional steps. If you want to use MySQL, edit the config/database.yml file: specify the adapter as mysql2 and then set the username, password, database, and host properties as appropriate.

In any case, you must run the following tasks to create/migrate the database:

bundle exec rake db:create
bundle exec rake db:schema:load

To create some data to populate the database, run rails console and use the following command:

User.create(:name => 'Name', :email => 'me@me.com', :points => 1000, :password_hash => 'fff')

You can change the attributes appropriately and run the command multiple times.

To run the application, simply run:

bundle exec rails server

The bundle exec prefix can be omitted if you are using a Ruby environment manager such as RVM.
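The repository's SQL injection examples are not reproduced on this page, so the following is an added illustration (written for this page, not code from the workshop or the edgescan repository) of the pattern the workshop is about: interpolating a request parameter straight into a query string versus binding it through a placeholder, as Rails does for `User.where("name = ?", value)`. To run offline without a database, the adapter's value quoting is stood in for by a small `quote_literal` function that doubles single quotes the way MySQL string literals require; the `users` table, its `name`/`points` columns and the input values are constructed to match the User model created above.

```ruby
# Added example: vulnerable string interpolation vs. placeholder binding.
# quote_literal and bind_sql are stand-ins for what ActiveRecord's adapter
# does internally; in a Rails app use where(name: value) or
# where("name = ?", value) rather than re-implementing this.

# Quote a value as a SQL literal. Integers are emitted bare; strings are
# wrapped in single quotes with any embedded quote doubled, so input can
# never terminate the literal early.
def quote_literal(value)
  return value.to_s if value.is_a?(Integer)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# VULNERABLE: untrusted input becomes part of the SQL text itself.
# (Mirrors User.where("name = '#{params[:name]}'") in a Rails controller.)
def lookup_sql_unsafe(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# SAFE: each ? in the template is replaced by a quoted value, so the
# structure of the statement is fixed before any input is seen.
# (Mirrors User.where("name = ? AND points > ?", name, points).)
def bind_sql(template, values)
  parts = template.split("?", -1)
  unless parts.size - 1 == values.size
    raise ArgumentError, "expected #{parts.size - 1} values, got #{values.size}"
  end
  sql = parts.first.dup
  values.each_with_index do |value, i|
    sql << quote_literal(value) << parts[i + 1]
  end
  sql
end

# Constructed inputs: a normal name containing an apostrophe, and the
# textbook tautology used to show why interpolation is dangerous.
APOSTROPHE_NAME = "O'Brien"
TAUTOLOGY_INPUT = "' OR '1'='1"

if __FILE__ == $PROGRAM_NAME
  [APOSTROPHE_NAME, TAUTOLOGY_INPUT].each do |input|
    puts "input:  #{input.inspect}"
    puts "unsafe: #{lookup_sql_unsafe(input)}"
    puts "safe:   #{bind_sql('SELECT * FROM users WHERE name = ?', [input])}"
    puts
  end
end
```

With the apostrophe name, the interpolated version yields syntactically broken SQL (the literal ends at the apostrophe), while the bound version stays valid; with the tautology input, the interpolated version's WHERE clause is rewritten to match every row, while the bound version searches for a name that literally contains the quote characters. The same contrast applies to any `where`, `order` or `find_by_sql` call in the app that builds its SQL from `params`.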

Have fun!
