Welcome to the Aconiac Security Group Blog

This blog carries company news, company statements, tutorials, guides and much more, so add it to your RSS reader and let us help you become a better security professional.
Disclaimer: The views of individual bloggers may not be the views of Aconiac as a whole.

The official Aconiac company blog

Tag: vulnerabilities

As is sadly often the case, well-meaning newcomers to programming take on the newest or most popular programming language or framework available. And as you might suspect, they usually get it wrong, making every design and security mistake possible along the way!

We have seen this trend with pretty much every popular programming language out there, PHP for example, which sadly still accounts for more insecure websites than any other language.

One very popular web framework these days is Ruby on Rails, created by the very talented 29-year-old Danish developer David Heinemeier Hansson. It uses a Model-View-Controller architecture and encourages good design through principles such as DRY (Don't Repeat Yourself). By all means it's a very good web framework! But as with PHP, a lot of newcomers get it wrong, either by not following the Ruby on Rails conventions or by ignoring security!

Now, we're not here to teach you about design. If you want to learn more about proper software design, a good place to start is simply your local library: look for books on Design Patterns, Software Engineering, Extreme Programming, Test-Driven Development and Agile Software Development.

What we do want to teach you about, however, is proper security in Ruby on Rails! Luckily, we don't have to take large amounts of time away from our own work to get you trained in RoR security; instead we can simply refer to the work already done by OWASP. OWASP is an organization working to improve web application security worldwide through a whole range of projects for developers, security professionals and end users. One of these projects is the Ruby on Rails Security Guide V2, which includes a PDF detailing the security concerns in Ruby on Rails development and their solutions.
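To make the kind of mistake we mean concrete, here is an added example (not code from the original post, OWASP or the Rails project): the classic newcomer pattern of building a WHERE clause by string interpolation, next to the placeholder-binding form the guide recommends. It is plain Ruby, so it runs without Rails; the `quote_literal` and `bound_condition` helpers are our own stand-ins that mirror what ActiveRecord does for `?` placeholders (quoting each value and doubling embedded single quotes), and the `INJECTED` login value is constructed for the demonstration.

```ruby
# Added example: Rails-style conditions built two ways, with a hostile login value.
# No Rails dependency; the helpers below imitate ActiveRecord's '?' binding.

# Vulnerable: the string that
#   User.find(:all, :conditions => "login = '#{params[:login]}'")
# hands to the database. The user's input becomes part of the SQL grammar.
def interpolated_condition(login)
  "login = '#{login}'"
end

# Quote one Ruby value as an SQL literal. Single quotes are doubled, the
# standard SQL escape, so a quote in the data can never close the literal.
# (Simplified stand-in; real adapters also handle backslashes, binary data, etc.)
def quote_literal(value)
  case value
  when nil            then "NULL"
  when Integer, Float then value.to_s
  when true           then "'t'"
  when false          then "'f'"
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Hardened: the string that
#   User.find(:all, :conditions => ["login = ?", params[:login]])
# builds. Each '?' is replaced by a quoted literal; a mismatch between
# placeholders and values is an error instead of a silent misquote.
def bound_condition(template, *values)
  unless template.count("?") == values.size
    raise ArgumentError, "wrong number of bind variables (#{values.size} for #{template.count('?')})"
  end
  pending = values.each
  template.gsub("?") { quote_literal(pending.next) }
end

# Constructed attacker input: a tautology that, when interpolated,
# turns the lookup into "match every row".
INJECTED = "' OR '1'='1"

# Both forms side by side for the same input.
def demo
  {
    vulnerable: interpolated_condition(INJECTED),
    hardened:   bound_condition("login = ?", INJECTED),
  }
end

if __FILE__ == $0
  demo.each { |label, sql| puts "#{label}: #{sql}" }
end
```

Run it and compare the two lines: the interpolated version ends up as `login = '' OR '1'='1'`, a condition that is true for every user, while the bound version keeps the whole attacker string inside one quoted literal that matches nothing. The same distinction applies to `find_by_sql`, `:order`, `:limit` and any other place Rails lets you pass raw SQL fragments.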

If you are going to develop Ruby on Rails applications (or are simply curious), please download the Ruby on Rails Security Guide from OWASP and read it before deploying any application to production.

Note: If you're too busy to go to the project page on OWASP and find the download link, here is a direct link instead: Download the Security Guide

NOTE: This news item was originally posted on January 4, 2009

Since many of our clients have turned out to be fully capable of correcting their security issues themselves, or really just wanted their own security corrections checked, we have now launched a service to fill this need.

This service is Vulnerability Testing. It is essentially like Security Testing, but without Aconiac correcting the security issues and without Aconiac needing access to the system's specifications. A vulnerability test is therefore a simulated attack carried out the way an outside attacker would carry it out, with no inside knowledge, so that companies can find the security issues such an attacker would have found.

The service is sold at a fixed price of 540€ excl. VAT. The sole exception is that if your system is abnormally large or complex, Aconiac may decline to perform the service at the fixed price and will instead suggest other solutions, such as a full security test.

Further description of the service can be found here.