Checklists are really useful to ensure you don’t forget certain things, so why not create one for your code review process? Here are my recommended checks:
Static Code Analysis: Utilize tools to detect common security vulnerabilities automatically.
Test Coverage: Ensure there’s thorough testing, including edge cases and failure paths. Pay special attention to authentication and authorization related tests.
Input Validation: Confirm that all user-supplied data is validated, and that the validation happens on the server where it cannot be bypassed (client-side checks are a convenience, not a control). Validation also covers authorization: a request that sets a foreign key such as a user or account id to an arbitrary value must not let the caller read or modify someone else's record, so look records up through the current user's associations rather than by the submitted id alone. Regular expressions used for validation should be anchored to the whole string with \A and \z rather than ^ and $ (which in Ruby match per line, so a value with a newline can slip through) and should avoid nested quantifiers that allow catastrophic backtracking (ReDoS).
Dangerous Methods: Review usage of methods that can lead to security risks, such as eval, send, the Active Record query methods that accept raw SQL fragments (see https://rails-sqli.org/), Marshal when it deserializes untrusted data, etc., and ensure they are used safely.
Strong Parameters: Ensure strong parameters are used so that mass assignment cannot set attributes the user should not control (roles, owner ids and the like).
Authentication and Authorization: Scrutinize any changes related to user authentication and authorization, ensuring they’re secure and in line with the application’s requirements.
Data Handling: Check how sensitive data is handled, ensuring encryption where necessary and that sensitive information is excluded from logs.
Dependencies: Review new or updated dependencies for known vulnerabilities and insecure default configuration.
Business Logic: Analyze the business logic for potential security flaws, especially in multi-step processes.
Configuration Changes: Review any changes to security-related configurations, ensuring they don’t inadvertently weaken the application’s security posture. Secrets shouldn’t be committed to the repository in plain text.
Error Handling: Ensure error handling doesn’t expose sensitive information.
File Uploads: If applicable, ensure file uploads are secure, checking file types, sizes, malware and storage practices.
Third-Party Services: Review any integrations with third-party services for secure data exchange and proper error handling.
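As an added example that is not part of the original post, the following plain-Ruby script shows the regular-expression anchoring pitfall from the Input Validation item. It needs no Rails; in a model the same patterns would appear in a format validation. The pattern names, the `valid_username?` helper and the attacker input are constructed for illustration.

```ruby
# Added example (not from the original post): why Ruby's ^ and $ are
# line anchors and how a format validation written with them can be
# bypassed. Plain Ruby so it runs without Rails.

# Vulnerable: in Ruby, ^ and $ match at the start/end of ANY line, so a
# value containing a newline passes as long as one of its lines matches.
USERNAME_LINE_ANCHORED = /^[a-z0-9_]{3,20}$/

# Fixed: \A and \z anchor to the start and the absolute end of the
# whole string. (\Z would still accept a single trailing newline.)
USERNAME_STRING_ANCHORED = /\A[a-z0-9_]{3,20}\z/

# Constructed helper standing in for a model format validation.
def valid_username?(value, pattern)
  value.is_a?(String) && pattern.match?(value)
end

# Constructed attacker input: a legitimate-looking first line followed
# by a payload on a second line.
PAYLOAD = "alice\n<script>alert(1)</script>"

# Runs both patterns against the payload and a benign value and returns
# the results so they can be inspected or asserted on.
def demo
  {
    line_anchored_accepts_payload:   valid_username?(PAYLOAD, USERNAME_LINE_ANCHORED),
    string_anchored_accepts_payload: valid_username?(PAYLOAD, USERNAME_STRING_ANCHORED),
    string_anchored_accepts_good:    valid_username?("alice", USERNAME_STRING_ANCHORED),
    string_anchored_accepts_trailing_newline: valid_username?("alice\n", USERNAME_STRING_ANCHORED),
  }
end

puts demo if __FILE__ == $PROGRAM_NAME
```

The line-anchored pattern reports the payload as valid because `^alice$` matches its first line; the string-anchored pattern rejects both the payload and a value with a trailing newline. Rails emits a warning when a format validation uses ^ or $ for exactly this reason, so treat that warning as a review finding rather than noise.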
I run an indie startup providing vulnerability scanning for your Ruby on Rails app.
It is free to use at the moment, and I am grateful for any feedback about it. If you would like to give it a spin, you can do it here: Vulnerability Scanning for your Ruby on Rails app!