
Brad Ediger

"Advanced Rails"


Chapter 5
Security
Given a choice between dancing pigs and security,
users will pick dancing pigs every time.
-- Ed Felten and Gary McGraw
Security issues are often overlooked on smaller sites or low-traffic applications;
unfortunately, the reach of the Web has expanded to a point where end-to-end security
is essential on any public-facing web site. There actually are people with nothing
better to do than run a distributed denial-of-service attack on "Aunt Edna's Funny
Cat Pictures." Nobody can afford to ignore the dangers that face a site simply as a
consequence of being accessible on the Internet.
In this chapter, we will take a top-down approach to examining the various security-related
issues that plague web application developers. We start by examining the
architectural, application-level principles you should keep in mind. Later, we will get
progressively more detailed and examine the security-related issues you should
keep in mind when working at a lower level in Rails.
Application Issues
First, we will examine some important principles that should guide the design of any
web application.
Authentication
The most important guideline in the area of authentication is simple:
Always salt and hash all passwords!
There are very few valid exceptions to this rule, and even fewer apply to web applications.
The only possible reason to store passwords in plain text is if they must be provided
to an external service in plain text.
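The "salt and hash" rule in practice, as an added example that is not code from the book: each password gets its own random salt, the salt and a slow key-derivation digest (PBKDF2-HMAC-SHA256 from Ruby's standard OpenSSL library) are stored instead of the password, and verification re-derives the digest and compares it in constant time. The "pbkdf2$iterations$salt$digest" storage format and the module name are assumptions of this example.

```ruby
require "openssl"
require "securerandom"

# Added example (not the book's code): salted, iterated password hashing.
# Storing only the salt and digest means a leaked users table does not
# reveal passwords, and the per-user salt defeats precomputed lookup tables.
module PasswordHash
  ITERATIONS = 100_000   # work factor; raise as hardware gets faster
  KEY_LENGTH = 32        # bytes of derived key (256 bits)

  # Returns a self-describing string: "pbkdf2$<iterations>$<salt>$<hex digest>".
  # A fresh random salt is generated per password unless one is supplied.
  def self.create(password, salt: SecureRandom.hex(16), iterations: ITERATIONS)
    digest = derive(password, salt, iterations)
    "pbkdf2$#{iterations}$#{salt}$#{digest}"
  end

  # Re-derives the digest with the stored salt and iteration count and compares
  # it without short-circuiting on the first differing byte.
  def self.verify(password, stored)
    scheme, iterations, salt, digest = stored.split("$", 4)
    return false unless scheme == "pbkdf2" && salt && digest
    candidate = derive(password, salt, iterations.to_i)
    secure_compare(candidate, digest)
  end

  # PBKDF2-HMAC-SHA256 via OpenSSL::KDF; the plaintext password never touches storage.
  def self.derive(password, salt, iterations)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                             length: KEY_LENGTH, hash: "sha256").unpack1("H*")
  end

  # Constant-time equality for two equal-length strings (OR of XORed bytes).
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Because the salt is random, hashing the same password twice yields two different stored strings, yet both verify.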

