This page explores the security in Rails-based web development, focusing on security features provided by Rails and the measures, as well as gems, that should be considered while developing a Rails application to keep it safe.

Background

Web application frameworks are made to help developers building web applications. In fact, however, one framework is not more secure than another: the Gartner Group estimates that 75% of attacks are at the web application layer, and found out "that out of 300 audited sites, 97% are vulnerable to attack". The threats against web applications include user account hijacking, bypass of access control, reading or modifying sensitive data, or presenting fraudulent content. Or an attacker might be able to install a Trojan horse program or unsolicited e-mail sending software, aim at financial enrichment or cause brand name damage by modifying company resources.

Ruby on Rails<ref>http://rubyonrails.org/</ref>, a MVC, has many features and some clever helper methods that automatically prevent security holes. There are additional tools and gems for Ruby and Rails that can further reduce the risks and handle some of the common programming errors<ref>http://www.sans.org/top25-software-errors/</ref>. In the next section we will see how each of these errors are handled according to their classification and in the third section we will see how Rails compares with other application framework in handling these errors.

Built-in secure features

Tools and gems

Common security errors and their mitigations

How Ruby and Rails security compares to other platforms

Appendix

References

<references/>