Session

Ruby on Rails Security

Heiko Webers

Date: Wednesday 19 September 2007
Time: 11:35 - 12:20
Location: Saal Maritim A

Every day criminal hackers steal numerous credit card numbers, confidential information, passwords, and everything else they can make money with. They deface web sites, make web applications unavailable, delete the data in them, or use them to attack others. Too many businesses depend on the Internet for security to be an area they can ignore. They risk brand damage, financial loss, fines, or even legal liability.

Many Rails developers share the perception of Rails being a "secure" framework. And that might well be true, because less code is needed to get things done, and less code means a better overview of what is happening. But even though Rails seems to be safer, that doesn't allow us to lean back.

In fact, most of the security issues with web sites or web applications don't necessarily stem from the programming language or framework we use, but affect web applications in general. This talk takes a look at Interpreter Injection, including Cross-Site Scripting (XSS), SQL Injection, and Logic Injection, as well as common configuration flaws, session and user handling, Ajax security, and more. There are good security features in Rails -- use them.
