The 3 pillars of AAA

29 Jan 2024


The 3 pillars of AAA in security stands for Authentication, Authorization and Accountability. Let’s put them into the context of a Rails application.

Authentication

I don’t think this needs much explanation. In most applications, there is a requirement to be able to identify the users. This identification can be done by something the user knows (a username and password combination), something the user has access to (a hardware token, passkeys) or something the user is (biometrics such as a fingerprint).
In the context of Rails, most apps authenticate via a username and password combination, and the Devise gem is the most popular option to get authentication into a Rails application quickly. Devise is great until you need to customize it too much (custom sign-up and/or login flows), and with the recently added helpers in Rails 7.1, I foresee a lot of apps rolling their own authentication. One important thing to keep in mind is to require a second factor for authentication, which makes the authentication step considerably harder to bypass.

Authorization

Once we know who the user is, we need to make sure they can only access what they should. We call this authorization. It is usually role-based, and one important aspect is to use a white-list/allow-list approach so that we follow the principle of least privilege: permit nothing by default, and explicitly permit access to certain entities and functionality. It is also a good idea to centralize the authorization rules so that it is easier to verify what the rules are.
In the context of Rails, this means that you should use a gem like Pundit or CanCanCan and make sure the authorization calls are made in every controller. Also, don’t permit anything in the ApplicationPolicy, so that a policy inheriting from it cannot open up something inadvertently.
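A deny-by-default policy layout in the shape Pundit uses, as an added example that is not part of the original post and not Pundit's own code: it is plain Ruby with no gem dependency, the User and Post structs stand in for ActiveRecord models, and the roles and rules are constructed for illustration.

```ruby
# Constructed stand-ins for ActiveRecord models (not from the post).
User = Struct.new(:id, :role)
Post = Struct.new(:id, :author_id)

class NotAuthorizedError < StandardError; end

# Base policy in the Pundit shape: every query answers false, so a policy that
# inherits from it grants nothing until it explicitly overrides a method.
class ApplicationPolicy
  attr_reader :user, :record

  def initialize(user, record)
    @user = user
    @record = record
  end

  def index?;   false; end
  def show?;    false; end
  def create?;  false; end
  def update?;  false; end
  def destroy?; false; end
end

# PostPolicy opts in per action: signed-in users may read, only the author
# may update, only admins may destroy. create? is not overridden, so it
# stays denied by inheritance rather than by a rule someone had to remember.
class PostPolicy < ApplicationPolicy
  def show?
    !user.nil?
  end

  def update?
    !user.nil? && record.author_id == user.id
  end

  def destroy?
    !user.nil? && user.role == :admin
  end
end

# Central lookup: <RecordClass>Policy decides, so all rules live in one place.
def allowed?(user, record, query)
  policy = Object.const_get("#{record.class.name}Policy").new(user, record)
  policy.public_send(query) ? true : false
end

# Controller-style helper: raise on denial instead of silently continuing.
def authorize(user, record, query)
  raise NotAuthorizedError, "#{query} on #{record.class.name} denied" unless allowed?(user, record, query)
  true
end
```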

Accountability

The third pillar is accountability. This one is important to be able to determine who did what and when in case of a security event.
In the context of Rails, you can use PaperTrail to audit changes to the models and audits1984 to audit console sessions.

By making sure these three pillars are strong, you can significantly improve the security posture of a Rails application.
