Ruby on Rails - Security

  1. Introduction
    1. What is Ruby? What is Rails?
    2. Why Ruby on Rails?
    3. Importance of writing secure code
    4. About this course - What you will learn - Prior development experience (preferably with Ruby) is helpful but not required; general programming experience is enough.
  2. Injections in Rails
    1. SQL Injection
    2. Cross-Site Scripting
    3. Header Injection
    4. Command Injection
    5. CSS Injection
    6. AJAX Injection
  3. CSRF & Clickjacking in Rails
    1. What is CSRF
    2. How it works in Rails
    3. Countermeasures
    4. What is Clickjacking
    5. How it works in Rails
    6. Countermeasures
  4. Default Headers + CSP
    1. What are headers? And why headers?
    2. Default headers Rails generates
    3. CSPs
  5. User Management in Rails
    1. Basics
    2. Privilege Escalation
    3. Brute Forcing Accounts
    4. Regular Expression usage
    5. Logging
    6. Account Hijacking
    7. Intranet and admin security
  6. Redirections
    1. What is redirection
    2. How to do it in Rails
  7. Files
    1. File uploads - Basics
    2. File uploads - 2 (scanning for viruses using ClamAV)
    3. Executable code in file uploads and how to avoid it
    4. Handling file downloads
  8. Sessions
    1. Basics
    2. Session Hijacking
    3. Session Fixation
    4. Session Expiry
    5. Session Storage
    6. Rotations and Signed Cookies
    7. Replay Attacks
  9. Rate limiting using Rack::Attack
    1. What is rate limiting
    2. Rate limiting tactics and strategies
    3. Safelisting and blacklisting
    4. Tracking and throttling
    5. Blocking bad requests not in routes - advanced
    6. Combining it all together
  10. Testing the application using Brakeman
    1. Why test
    2. How to test using Brakeman
    3. Analyzing results
    4. Example SQLi fix
    5. Other examples and how to fix
  11. Security gems
    1. Secure Headers
    2. Codesake Dawn
    3. Devise
    4. RuboCop
  12. Best practices in Rails
    1. Penetration testing techniques
    2. Secure Coding tips
    3. Authentication in Rails using Devise - short guide
    4. Other security and privacy tips
  13. Wind up
    1. Summary of what to look out for when coding
    2. Digital Privacy tips

Topics related to Rails security