In the third and final article of our series on the OWASP Top 10 Web Application Security Risks, we'll explore the lesser-known risks that come with building web applications on Rails, such as security misconfiguration and improper JSON escaping.
OAuth2 is everywhere, from "Login With Facebook" buttons to back-end API authorization. But how does it work? In this article, Diogo Souza gives us a gentle introduction to the big concepts behind OAuth2, then walks us through implementing it in Node.js.
Authentication is at the heart of most web development, yet it is difficult to get right. In this article, Diogo Souza discusses common security problems with authentication systems and how you can resolve them. Even if you never build an authentication system from scratch (you shouldn't), understanding these security concerns will help you make sure whatever authentication system you use is doing its job.
One of the best things about Rails is that it protects your app from a wide variety of injection attacks with minimal development effort. But we're never 100% safe. After all, Rails can't protect us from our own bad decisions. We need to understand the threats so we know when we can lean on Rails and when we can't. In this article, Diogo Souza introduces us to the OWASP Top 10 list of vulnerabilities and dives into injection vulnerabilities to show us how Rails protects us against them and how we can protect ourselves.
A fast app means happy users, and how quickly your pages render depends in part on which templating engine you use. In this article, Diogo Souza puts the three most popular Ruby templating engines to the test to see which is fastest. In the process, he shows us how to construct benchmarks and do our own investigations into performance.
Logging is tricky. You want logs to include enough detail to be useful, but not so much that you're drowning in noise, or logging personal data in ways that violate regulations like GDPR. In this article, Diogo Souza introduces us to Ruby's logging system and the Lograge gem. He shows us how to create custom logs, output the logs in formats like JSON, and reduce the verbosity of default Rails logs.
Let me know if this feels familiar. Your users want to "login with GitHub," so you install a gem, follow the setup instructions, then pray it never needs maintenance because you have no real idea how OAuth2 works. Let's fix that. In this article, Diogo Souza shows us the fundamental concepts behind OAuth2 and how to implement them using Devise and Doorkeeper.