Greg Molnar - The state of security in Rails 8 - Rails World 2024

Learn about Rails 8's new authentication generator, encryption features, rate limiting & security best practices. Greg Molnar covers key tools & common vulnerabilities at Rails World.

Key takeaways
  • Rails 8 is introducing a built-in authentication generator that provides basic authentication features, including password-based login and a password reset flow
  • Active Record encryption provides strong built-in encryption for data at rest, with support for key rotation and both deterministic and non-deterministic encryption options
  • New built-in rate limiting functionality helps protect against automated attacks, with requests grouped by IP address by default and customizable configuration options
  • Security best practices recommendations:
    • Own your authentication system rather than relying on third-party services
    • Store audit logs in write-only tables that cannot be modified
    • Use a whitelist approach for authorization: lock down everything first, then explicitly allow access
    • Keep sensitive information out of application logs
    • Maintain secure deployment flows and lock down SSH access
  • Tools available for Rails security:
    • Brakeman for static code analysis and finding security issues
    • Dependabot for vulnerability scanning
    • Bundle audit for checking outdated/insecure dependencies
    • Content Security Policy helpers
    • Parameter filtering for sensitive data
  • Common security issues to watch for:
    • Authorization problems remain the most common security vulnerability
    • Credential stuffing attacks typically happen within 24 hours of password database leaks
    • XSS attacks still occur despite Rails’ built-in protections
  • Rails maintenance policy provides security fixes for minor releases for 2 years after initial release
  • The Rails ecosystem has a strong security focus, with:
    • Built-in protections against common vulnerabilities
    • An active security community
    • Regular security updates and CVE patches
    • Tools for most security needs built into the framework
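The rate limiting takeaway above describes requests being counted per IP address by default with a configurable grouping key. As an added example (not code from the talk and not Rails' own implementation), the standalone Ruby fixed-window limiter below mirrors those semantics so the per-IP default, a custom key and window rollover can be exercised offline; the `RateLimiter` class, `Request` struct and `burst` helper are assumptions for this illustration, and the sample IPs are constructed.

```ruby
# Added example, not code from the talk or from Rails: a standalone Ruby model of
# the fixed-window counter behind Rails' controller-level rate limiting, so the
# "grouped by IP by default, key is configurable" behaviour can be exercised offline.
class RateLimiter
  # Minimal stand-in for an ActionDispatch request (constructed for this example).
  Request = Struct.new(:remote_ip, :path, :account_id, keyword_init: true)

  # to:     maximum requests allowed per window
  # within: window length in seconds
  # by:     lambda mapping a request to its bucket key; defaults to the client IP,
  #         which mirrors Rails' default of grouping by request.remote_ip
  # clock:  injectable time source so window rollover can be tested deterministically
  def initialize(to:, within:, by: ->(req) { req.remote_ip }, clock: -> { Time.now })
    @to, @within, @by, @clock = to, within, by, clock
    @counters = Hash.new(0) # in-memory stand-in for the cache store Rails would use
  end

  # Returns true if the request is allowed, false if it should be answered with 429.
  # Counting happens before the comparison, so over-limit requests still consume
  # a slot, which is the behaviour a fixed-window counter gives.
  def allow?(request)
    key = @by.call(request)
    window = @clock.call.to_i / @within # fixed window index; resets every `within` seconds
    @counters[[key, window]] += 1
    @counters[[key, window]] <= @to
  end

  # Number of requests seen from `key` in the current window (for dashboards / tests).
  def count_for(key)
    @counters[[key, @clock.call.to_i / @within]]
  end
end

# Simulate a burst of `n` requests from one client and return the allow/deny pattern.
def burst(limiter, request, n)
  Array.new(n) { limiter.allow?(request) }
end

if $PROGRAM_NAME == __FILE__
  limiter = RateLimiter.new(to: 3, within: 60)
  login = RateLimiter::Request.new(remote_ip: "203.0.113.5", path: "/session")
  # Fourth request in the same window is refused: [true, true, true, false]
  p burst(limiter, login, 4)
end
```

Keying by account instead of IP (the `by:` lambda) is what stops one account spread across many addresses from bypassing a per-IP limit, while per-IP remains the right default for unauthenticated login attempts.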