October is National Cyber Security Awareness Month, so we asked Florin, our Head of Web Development at Wolfpack Digital if he has any suggestions on how to improve your web app security and to provide us with tips to build a web application with Ruby on Rails.
At Wolfpack Digital we use the latest technologies, which allow us to build secure and optimal solutions across different industries. This means keeping development efficient while building powerful and scalable apps with data privacy, app security, pixel-perfect design and well-written code at the core, whether it is a fintech app, a healthcare app, or any other web application. Here are a few insights on how to build secure web apps, based on our development team's experience.
And, according to Oracle, sanitizing your inputs refers to validating them against a set of criteria and ensuring they are valid. Basically, have a set of must-have checks for your inputs (such as "a string contains no standalone single quotation marks") and enforce them. Combining validation and sanitization provides defense in depth for your web application.
If you skip any sanitization or escaping, there is a high risk of your web app being exposed to vulnerabilities like unauthorized activity or untrusted data being inserted into a SQL query. The latter is called SQL injection: the attack manipulates your parameters to influence your database and bypass authorization. Preventing SQL injection when developing web applications with Ruby on Rails can be done by using dynamic attribute-based finders (and avoiding passing a string as an argument, unless it is a dynamic finder), and by not accepting or constructing values from "commands", only from "inputs".
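The "commands versus inputs" distinction above, as an added example that is not code from the post. It is plain Ruby so it runs without Rails: a query built by string interpolation is shown next to one where the value is quoted as a SQL literal, which is what an ActiveRecord "?" placeholder or an attribute-based finder does for you. The function names are assumptions made for this example.

```ruby
# Added example, not code from the Wolfpack Digital post. Plain Ruby, so it
# runs without Rails: the quoting routine below doubles single quotes, which
# is what ActiveRecord's "?" placeholder does for you.

# Vulnerable shape: the input is spliced into the SQL *command*, so a quote
# in the value changes the structure of the statement.
def lookup_sql_interpolated(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# Standard SQL string-literal quoting: any single quote in the value is
# doubled, so the value can never terminate the literal early.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Safe shape: the input is carried as a *value*, not as part of the command.
def lookup_sql_bound(name)
  "SELECT * FROM users WHERE name = #{quote_literal(name)}"
end

# Quick structural check: a well-formed statement has an even number of
# single quotes, so an odd count means a literal was broken open.
def quotes_balanced?(sql)
  sql.count("'").even?
end

# In Rails, express the safe shape with attribute-based finders or placeholders:
#   User.find_by(name: params[:name])
#   User.where("name = ?", params[:name])
# and never with string interpolation:
#   User.where("name = '#{params[:name]}'")

# Constructed sample input: a legitimate name that happens to contain a quote.
SAMPLE_NAME = "O'Brien".freeze

if __FILE__ == $PROGRAM_NAME
  puts lookup_sql_interpolated(SAMPLE_NAME)  # odd quote count: broken literal
  puts lookup_sql_bound(SAMPLE_NAME)         # O''Brien: intact literal
end
```

A legitimate input with an apostrophe is enough to show the problem: the interpolated version produces a statement with an unbalanced quote, while the bound version keeps the value inside its literal whatever it contains.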
Fortunately, Rails helps defend against code injection: plain strings are escaped automatically, and the sanitize helper lets you specify which tags you want to allow through in your input.
Whitelists are a great method to create strong parameters, because they account for the fact that we, humans, forget things. Blacklisting means making a list of bad things we do not like, but we usually only list the things we think of at the moment of making the list, and we tend to forget a lot of items (e.g., a list of spam emails). Whitelisting, by contrast, is a list of things we approve of (e.g., accept only emails using your company domain to log in to certain apps/accounts).
When it comes to whitelisting parameters, as a web app owner you can set all the actions and details you want as input and ensure you allow only secured details within your app servers (e.g., use filters like :only => [...] instead of :except => [...]).
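The allow-list idea applied to request parameters, as an added example that is not the post's code. It is a plain-Ruby stand-in for Rails strong parameters, so it runs without Rails; `permit` and `reject_denied` are hypothetical names, and the request body is constructed for the example. In a Rails controller the allow-list form is `params.require(:user).permit(:name, :email)`.

```ruby
# Added example, not the post's code: a plain-Ruby stand-in for Rails strong
# parameters. `permit` and `reject_denied` are hypothetical names; in Rails
# the allow-list form is `params.require(:user).permit(:name, :email)`.

PERMITTED_USER_KEYS = %w[name email].freeze

# Allow-list: keep only the keys we deliberately chose. Anything we did not
# think of is dropped, which is the safe failure mode.
def permit(params, allowed)
  params.each_with_object({}) do |(key, value), out|
    out[key.to_s] = value if allowed.include?(key.to_s)
  end
end

DENIED_USER_KEYS = %w[password_digest].freeze

# Deny-list, for contrast: only the keys we remembered to list are blocked;
# a key we forgot about passes straight through to mass assignment.
def reject_denied(params, denied)
  params.reject { |key, _| denied.include?(key.to_s) }
end

# Constructed request body: a normal profile update with an extra "admin"
# key that no form on the site ever sends.
INCOMING_PARAMS = {
  "name"  => "Ana",
  "email" => "ana@example.com",
  "admin" => true
}.freeze

if __FILE__ == $PROGRAM_NAME
  p permit(INCOMING_PARAMS, PERMITTED_USER_KEYS)        # "admin" is gone
  p reject_denied(INCOMING_PARAMS, DENIED_USER_KEYS)    # "admin" slipped through
end
```

The deny-list version blocks exactly what its author anticipated and nothing more; the allow-list version only has to be right about the fields the form legitimately sends.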
Most authentication methods are now token-based, as an alternative to session-based authentication. This means that token-based authentication creates a unique encoded token that is checked every time a request is made, without storing the data; each token should, however, have a set lifetime. Session-based authentication, on the other hand, stores a set of criteria or data about each user, hence that data should be encrypted.
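A minimal signed token with a lifetime, as an added example that is not from the post. It is plain Ruby using only the standard library: the payload (user id and expiry) is hex-encoded JSON signed with HMAC-SHA256 under a server-side secret, so the server stores nothing per session and rejects any token that is expired or tampered with. The function names and the secret are assumptions made for this example; a production app would use a vetted token library.

```ruby
require "openssl"
require "json"

# Added example, not from the post: a minimal signed token with a lifetime,
# in plain Ruby. The payload (user id + expiry) is hex-encoded JSON signed
# with HMAC-SHA256 under a server-side secret; nothing is stored per session.
# Function names are assumptions; a real app would use a vetted library.

TOKEN_SECRET = "constructed-demo-secret-not-for-production".freeze
TOKEN_TTL_SECONDS = 15 * 60   # every token expires; pick a short lifetime

def token_signature(encoded_payload)
  OpenSSL::HMAC.hexdigest("SHA256", TOKEN_SECRET, encoded_payload)
end

# Issues "<hex payload>.<hex signature>", expiring TTL seconds after `now`.
def issue_token(user_id, now = Time.now.to_i)
  payload = { "sub" => user_id, "exp" => now + TOKEN_TTL_SECONDS }.to_json.unpack1("H*")
  "#{payload}.#{token_signature(payload)}"
end

# Constant-time comparison so a signature mismatch does not leak its position.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the user id for a valid, unexpired token; nil for anything else.
# The signature is checked before the payload is parsed, so untrusted bytes
# never reach the JSON parser.
def verify_token(token, now = Time.now.to_i)
  payload, signature = token.to_s.split(".", 2)
  return nil if payload.nil? || signature.nil?
  return nil unless secure_compare(token_signature(payload), signature)
  claims = JSON.parse([payload].pack("H*").force_encoding("UTF-8"))
  return nil unless claims.is_a?(Hash) && claims["exp"].to_i > now
  claims["sub"]
rescue JSON::ParserError
  nil
end

if __FILE__ == $PROGRAM_NAME
  tok = issue_token(42)
  puts tok
  p verify_token(tok)                 # 42
  p verify_token(tok, Time.now.to_i + TOKEN_TTL_SECONDS)  # nil: expired
end
```

The expiry check is deliberately strict (`exp` must be strictly greater than the current time), and the signature is compared in constant time; both are the details that tend to be missed when a token scheme is hand-rolled.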
Use bcrypt to hash and salt passwords.
No matter the web app you have, there will always be a need for usernames and passwords to be validated (or at least we hope so). Hashing a password means applying an algorithm designed to take a string of any length as input and produce a fixed-length hash value. Salting is not about spicing things up: it ensures that if two people have exactly the same password, their hashes will still differ, because a string of irregular data (based on details such as computer type, OS, timezone and some other factors) is added to the beginning of the password before it is hashed.
Building an app using Rails provides you with a gem called bcrypt to securely store passwords and to easily handle setting, (some) validating, salting, hashing, and authenticating passwords.
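Salting and hashing a password, as an added example that is neither the post's code nor the bcrypt gem's. To stay dependency-free it uses PBKDF2-HMAC-SHA256 from Ruby's standard library as a stand-in for bcrypt; the point it shows is the same one the text makes, namely that a fresh random salt per user makes identical passwords hash differently, and that verification re-derives the hash with the stored salt. The iteration count and function names are assumptions. In a Rails app you would add `gem "bcrypt"` and use `has_secure_password` rather than writing this yourself.

```ruby
require "openssl"
require "securerandom"

# Added example, not the post's or the bcrypt gem's code. It uses
# PBKDF2-HMAC-SHA256 from Ruby's standard library as a dependency-free
# stand-in for bcrypt, so the effect of the salt is visible. In a Rails app,
# add `gem "bcrypt"` and use `has_secure_password` instead of hand-rolling this.

PBKDF2_ITERATIONS = 100_000   # assumed work factor; raise it for production
HASH_LENGTH_BYTES = 32        # fixed-length output regardless of password length

# Turns a password of any length into a fixed-length hex digest, bound to a salt.
def hash_password(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password,
                           salt: salt,
                           iterations: PBKDF2_ITERATIONS,
                           length: HASH_LENGTH_BYTES,
                           hash: "sha256").unpack1("H*")
end

# What gets stored per user: a fresh random salt and the resulting hash.
# Two users with the same password get different salts, hence different hashes.
def create_credential(password)
  salt = SecureRandom.hex(16)
  { "salt" => salt, "hash" => hash_password(password, salt) }
end

# Constant-time comparison of two equal-length hex digests.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Re-derives the hash with the stored salt and compares it to the stored hash.
def authenticate(credential, attempt)
  secure_compare(hash_password(attempt, credential["salt"]), credential["hash"])
end

if __FILE__ == $PROGRAM_NAME
  first  = create_credential("correct horse battery")
  second = create_credential("correct horse battery")
  p first["hash"] == second["hash"]            # false: different salts
  p authenticate(first, "correct horse battery")  # true
  p authenticate(first, "wrong password")         # false
end
```

The stored record holds the salt in the clear next to the hash; that is expected, since the salt's job is to make each hash unique and precomputation useless, not to be secret. bcrypt packs salt, cost and hash into a single string for you, which is one reason to prefer it over assembling the pieces yourself.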
There are many other measures you can take to up your game in terms of web app development and security using Rails, but we highly recommend you check the official guide on Securing Rails Applications. Or just ask us and we will guide you through the entire web app development process and build a flawless application for you!