Monday, January 26 • 8:30am - 5:00pm
Training: Safely Riding the Rails


This course focuses on building secure Ruby on Rails applications. In addition to covering the existing vulnerabilities within Railsgoat, the OWASP project built by the instructor, there will be comprehensive discussion of the implementation of Rails-specific defense mechanisms. Students will learn attack techniques, all of which are specific to the Rails framework. The OWASP Top 10 Risks and Controls will be covered at great length as well.

After an overview of the fundamentals of Ruby on Rails, students will be immersed in modifying and improving the security flaws within the Railsgoat application. In addition to Rails-specific manifestations of the OWASP Top 10 vulnerabilities, students will learn about advanced topics such as remote code execution and metaprogramming vulnerabilities.

At the end of this course, attendees should understand how to review and protect their Rails applications, implement proactive defensive measures, and perform penetration testing geared towards Ruby on Rails applications.

High-level Course Outline:

- Secure use of cryptographic libraries
- Authentication system
  • Password complexity
  • Time-based attacks
  • Enumeration
  • Lockout
  • Insecure forgot-password functions
- Authorization
  • Insecure direct object reference
  • Impersonation functionality
  • Role-Based Access Controls
- Metaprogramming issues
  • Common flaws
  • Secure usage of metaprogramming methods
- SQL Injection
  • Scoping
  • String interpolation or concatenation
  • Insecure use of unsafe methods such as pluck
- Insecure usage of validation functions
- Insecure application configuration(s)
- Cross-Site Scripting (XSS)
  • Types of XSS
  • XSS context: JS, HTML, JSON, CSS
  • Vulnerable templating language methods
  • Demonstrate impact
  • CSP + Secure Header RubyGem
- Session management issues
  • Client-side cookies
  • Improper destruction
  • Session fixation
- Remote Code Execution flaws
  • Serialization libraries
- Misconfiguration in application settings
- Denial of Service
- Sensitive Data Exposure
  • Model attribute exposure
  • Application log handling
- Defensive Measures
  • Guard
  • Brakeman
  • Bundler-Audit
  • Security-based unit tests



Ken Johnson

Ken Johnson is the CTO of nVisium. Ken co-authored the Railsgoat project, is the creator of SecCasts, and is responsible for product development at nVisium. Ken has spent an enormous amount of time reviewing Ruby on Rails applications, developing them, securing them, and performing...

Monday January 26, 2015 8:30am - 5:00pm PST
Annenberg Community Beach House: Track 3, 415 Pacific Coast Hwy, Santa Monica, CA 90402
