Ruby On Rails Security Guide published as free ebook
The Ruby on Rails Security Project has published a Ruby on Rails Security Guide as a free e-book and also made it available as HTML. The guide covers how to secure Ruby on Rails applications, looking at sessions and how to manage them securely, cross-site request forgery, redirection and other common attacks.
It also provides practical advice on securing administration consoles, password management and CAPTCHAs, protecting against SQL injection attacks, securing MySQL when used with Ruby on Rails and the value of monitoring your Rails servers. The Rails-specific "mass assignment" issue, which allows attackers to manipulate any column in a database model unless precautions are taken, is explained and countermeasures to the problem are detailed.
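The mass-assignment problem mentioned above comes down to a model accepting every attribute in the request parameters, so an extra field in the POST body can set a column the form never offered. The following is an added example, not code from the guide or from Rails: a plain-Ruby model that mirrors the Rails behaviour, with the unrestricted assignment path beside an allowlisted one that has the same effect as Rails 2.x's `attr_accessible` declaration. The `User` class, its attributes and the request parameters are constructed for illustration.

```ruby
# Added example (not from the guide or the Rails project): a plain-Ruby model that
# mirrors how Rails mass assignment works, with an unrestricted assignment path
# beside an allowlisted one. The class, attribute names and params hash are
# constructed for illustration.

class User
  attr_accessor :name, :email, :admin

  def initialize
    @name = nil
    @email = nil
    @admin = false # privilege flag that a client must never be able to set
  end

  # Vulnerable: writes every key the client sent, like `User.new(params[:user])`
  # on a model with no attr_accessible / attr_protected declaration.
  def assign_all(params)
    params.each do |key, value|
      setter = "#{key}="
      public_send(setter, value) if respond_to?(setter)
    end
    self
  end

  # Allowlist of attributes a client may set; everything else is dropped.
  PERMITTED = %w[name email].freeze

  # Hardened: only allowlisted attributes are written, and rejected keys are
  # logged so that tampering attempts show up in server output. This is the
  # effect of attr_accessible in Rails 2.x (and of strong parameters' `permit`
  # in later Rails).
  def assign_permitted(params)
    params.each do |key, value|
      k = key.to_s
      if PERMITTED.include?(k)
        public_send("#{k}=", value)
      else
        warn "rejected mass-assignment of #{k.inspect}"
      end
    end
    self
  end
end

# Constructed request parameters: a registration form's fields plus an extra
# "admin" field that was never part of the form.
SAMPLE_PARAMS = { "name" => "alice", "email" => "alice@example.com", "admin" => true }.freeze

def unrestricted_user
  User.new.assign_all(SAMPLE_PARAMS)
end

def allowlisted_user
  User.new.assign_permitted(SAMPLE_PARAMS)
end

if __FILE__ == $PROGRAM_NAME
  puts "unrestricted: admin=#{unrestricted_user.admin.inspect}"
  puts "allowlisted:  admin=#{allowlisted_user.admin.inspect}"
end
```

Run stand-alone, the unrestricted path ends with `admin=true` while the allowlisted path keeps `admin=false` and only fills in `name` and `email`; the rejected key is reported on stderr, which is the signal a monitoring setup would watch for.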
The guide has been developed by Heiko Webers, who blogs about security issues related to Rails. The security guide is part of a new set of Rails guides being published at guides.rubyonrails.org and will be officially announced by Webers at the OWASP EU Summit 2008, which is being held this week in Portugal.