Your Last Rails Application Had At Least One Serious Security Vulnerability

Too many Rails developers write insecure web applications.
Please. Stop being one of them.

Your vulnerable application allows anyone on the internet to:

  • Commit fraud, extortion and the distribution of illegal content with your infrastructure
  • Trivially modify or delete your application's data to their own ends
  • Use data leaked through your application to defraud your users

None of us signed up for this. Security is wickedly hard to get right and it doesn't come with an instruction manual. At best, you're checking off a laundry list of OWASP vulnerabilities, but that is not a viable strategy for keeping your software secure.

Who the hell am I to say your application is insecure?

I'm Ali, and I am not a security consultant. I'm just a rank-and-file Rails developer. I've been building web applications for nearly seven years.

Every single codebase I've worked on has exposed trivially exploitable vulnerabilities.

I took an interest in web app security and I now consistently find multiple security flaws in Rails applications, often with only a brief code review or browse of the website.

Don't believe me? Ask this guy:


Me with our Chief Security Officer. Not whitelisting your request parameters? He will find you. It won't be pretty.


Benji Lanyado, Founder at Picfair

I was pretty confident that my Rails app was secure. Then, lying on my couch, I watched Ali remotely hack my site within minutes of showing it to him - damn. He followed this up with a concise explanation of what he'd done, and various recommendations for how I could prevent it from happening again. Incredibly valuable. A savvy hacker would've ripped my app apart in minutes if I'd launched without it.

I say again: I've never worked as a professional security researcher. The reason that I find these vulnerabilities is that most Rails developers are tragically unaware of the basic security requirements of their applications.

This is not through negligence or stupidity. Programmers who are smarter than me push insecure code to production all the time. What's lacking is an awareness of the behaviour of their code in an adversarial context.

Start finding the vulnerabilities in your application

I will continue to be the grumpy security guy on every team I'm hired into, but fixing the internet one Rails application at a time strikes me as somewhat inefficient.

I'm writing an ebook with all of my knowledge on finding and fixing vulnerabilities in Rails applications.

Securing Rails

A guide to finding and fixing the vulnerabilities in your application
By Najaf Ali

What we'll cover in the book:

  • The basic security requirements of all RoR applications
  • Common ways that developers fail to meet those requirements
  • The different types of attacks to expect and prepare for
  • How to work with independent security researchers
  • Using code review to identify and mitigate vulnerabilities in your application
  • How to prevent vulnerabilities from creeping into your application over time
  • Building proof-of-concept scripts using Ruby and Bash
  • Strategies for keeping your software stack and dependencies secure
  • Guidelines for dealing safely with cryptography (hint: don't)

Get better at spotting and fixing security flaws

My goal is to get you to look at your code like an attacker would. Every line of code you write is potentially another round of ammunition in an attacker's arsenal. Making this shift in mindset is the only way to keep your code secure in the long run.

The best way to instill this mindset in you is to dive into the technical details of real-life vulnerabilities. Once you've seen exactly the sort of vulnerabilities I'm talking about, you'll begin to identify patterns and themes that you can use to develop exploits against your own applications.

So along with the ebook, I'm offering a set of screencasts. Each screencast will walk you through introducing, exploiting and fixing a security vulnerability in a typical Rails application.

The vulnerabilities are each "based on a true story" but shockingly similar to code you'll find in the wild.


Vulnerabilities demonstrated in the screencasts allow you to...

  • View, modify and delete any data in your application
  • Use your application to relay spam to anyone you like
  • As a user, modify the data of other users
  • Masquerade as another user without knowing their username/password
  • Upgrade your account privileges
  • Modify the password of any user in the application
  • Build a targeted phishing attack using leaked data

For each vulnerability we'll cover:

  • How that vulnerability might be introduced into a codebase.
  • Developing an exploit and proof of concept for that vulnerability.
  • Conclusively fixing the vulnerability.
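As an added illustration of the "introduce, exploit, fix" cycle described above (this is example code written for this page, not material from the book or its screencasts), here is the parameter-whitelisting flaw the caption above alludes to, reduced to bare Ruby. The `User` class, the `permit` helper (a stand-in for Rails strong parameters on a flat hash) and the request body are all constructed for the example.

```ruby
# Added example: mass assignment in a bare-Ruby model, showing the
# unfiltered update an attacker abuses and the whitelisted update that
# stops it. Nothing here is from the book; Rails is not required to run it.

# Stand-in for an ActiveRecord model that has an "admin" column.
class User
  attr_accessor :name, :email, :admin

  def initialize(name:, email:, admin: false)
    @name, @email, @admin = name, email, admin
  end

  # Vulnerable pattern: every key in the request hash is written to the
  # model, so a client that adds "admin" => true promotes itself.
  def update_unfiltered(attrs)
    attrs.each { |k, v| public_send("#{k}=", v) }
    self
  end
end

# Stand-in for ActionController::Parameters#permit on a flat hash:
# keep only the whitelisted keys and report what was dropped.
def permit(params, *allowed)
  allowed   = allowed.map(&:to_s)
  permitted = params.select { |k, _| allowed.include?(k.to_s) }
  rejected  = params.keys.map(&:to_s) - allowed
  [permitted, rejected]
end

# Fixed pattern: only name and email can reach the model, whatever the
# client sends. Returns the list of rejected keys so a caller can log them.
def update_whitelisted(user, params)
  permitted, rejected = permit(params, :name, :email)
  user.update_unfiltered(permitted)
  rejected
end

# Constructed request body: the fields a user-settings form sends, plus a
# key the attacker added by editing the form or replaying the POST.
HOSTILE_PARAMS = {
  "name"  => "mallory",
  "email" => "m@example.com",
  "admin" => true,
}.freeze

# Exploit against the unfiltered update: returns the resulting admin flag.
def demo_vulnerable
  User.new(name: "mallory", email: "old@example.com")
      .update_unfiltered(HOSTILE_PARAMS)
      .admin
end

# Same request against the whitelisted update: returns
# [admin flag, email, rejected keys] so the effect of the fix is visible.
def demo_fixed
  user = User.new(name: "mallory", email: "old@example.com")
  rejected = update_whitelisted(user, HOSTILE_PARAMS)
  [user.admin, user.email, rejected]
end

if __FILE__ == $0
  puts "unfiltered update, admin flag: #{demo_vulnerable}"   # true
  puts "whitelisted update: #{demo_fixed.inspect}"           # [false, "m@example.com", ["admin"]]
end
```

The point of the whitelist is that the allowed set lives in the controller, next to the action that knows which fields this form is permitted to change; a blacklist of "dangerous" columns rots as soon as someone adds a new privileged attribute to the model. Logging the rejected keys is cheap and turns a blocked mass-assignment attempt into a detection signal.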

Get serious about security

No one is going to pat you on the back for getting security right and production (usually) won't explode when you get it wrong. In the worst case scenario, your entire infrastructure is put to use by bad people without you or your employer ever knowing. No one is going to encourage you to build secure software; you have to make that choice.

We're not doctors or lawyers. If we make mistakes building web applications, we don't immediately ruin people's lives. But building insecure software causes real harm to your employer, your users and society at large.

I'm not guaranteeing that you'll work through my material and your application will become an unassailable fortress.

All I'm offering is a fighting chance against attacks targeting the most common weakpoints.

Matsumoto Castle

An actual unassailable fortress.
Pro tip: Your Rails application is probably not like this.

Sign up here to get notified when Securing Rails launches

Ebook

Securing Rails

A guide to finding and fixing the vulnerabilities in your application
By Najaf Ali

$49 USD

A breakdown of the strategy, tactics and process you'll need to keep your work free of vulnerabilities.

If you're looking for quick fixes, this is not the book for you. My aim is to instill in you the habit of looking for vulnerabilities in any code you write.

Ebook + Screencasts


$149 USD

The ebook, plus a step-by-step video break down of typical vulnerabilities that you find in a Ruby on Rails application.

For each vulnerability, we'll cover:

  • How you might accidentally introduce it into a codebase.
  • How to develop a proof of concept for that vulnerability.
  • How to fix the vulnerability conclusively.

Company License


$349 USD

The Ebook + Screencast bundle, with a license granting use for all employees at your company.