As I enter the world of web development, I’m very wary of the security pitfalls of the domain. It is a completely different set of security threats than what I used to worry about. Different attack vectors that need to be defended against or mitigated with different techniques.
I had known about the Open Web Application Security Project (OWASP) but I can’t say I’ve reached proficiency understanding all the concepts there. At this point I can articulate most of the concepts listed in the OWASP Top 10 list. If I come across a description of an attack using one of these top 10 techniques, I can follow along with the description.
But that is far far short of the skill level where I can spot the security issues ahead of time. That is yet to come. With expectations set suitably low, I went through the Securing Rails Applications RailGuide to see how much I can understand. And surprisingly… quite a lot! Whoever wrote this guide was able to explain a lot of these issues in a way I can understand. I really appreciate the effort they put into breaking the problems down.
With every exploit, the guide also describes some mitigation for Rails applications. Not knowing a whole lot about Rails just yet, most of the mitigation descriptions made little sense. So while I understood more than I thought I would, I’d still have to come back again.
Right now I have no confidence that I can tell a secure Rails app from an insecure one. There’s a whole lot of very clever people trying to find ways to break security boundaries. Whenever I read about an exploit, I usually end up shaking my head “I never would have thought to try that.”
Since there’s no way to guard against a problem you never thought of, I need to build up my web programming toolbox. I want to get from “I never would have thought to try that” to “ah, that’s a clever thing to try” to “no problem, I’m pretty sure I’ve taken care of it.”
One step at a time.