Ruby Security Vulnerabilities and Language Overview

What is Ruby?

Conceived in the early 1990s by Japanese programmer Yukihiro “Matz” Matsumoto in Japan, Ruby is a dynamic, open source programming language that centers on simplicity and productivity. Influenced by Perl, Smalltalk, Eiffel, Ada and Lisp, Ruby combines elements of all these languages and balances functional and imperative programming. In the 2016 Stack Overflow Developer Survey, Ruby ranked as the 11th most popular programming language amongst the 50,000 developers polled.

Ruby has a pure object oriented approach and is highly flexible as a language since essential parts of Ruby can be removed or redefined by the coder. Setting Ruby apart from other object-oriented languages, Ruby only features single inheritance which is less complex for the coders than the complex and restrictive multiple inheritance found in Eiffel, Lisp and some of the other languages that influenced Ruby.

Why Was Ruby Initially Created?

Yukihiro Matsumoto, creator of the Ruby programming language.

Yukihiro Matsumoto, creator of the Ruby programming language.

The idea for Ruby originated in a conversation between Matsumoto and his colleague that centered around the creation of an object-oriented scripting language.

Matsumo described his some of his inspiration behind creating Ruby in 1999 in a post sent out to his ruby-talk mailing list where he describes how he wanted to find a true object-oriented and simple scripting language which was simple to use and since he couldn’t find one, he created one. What he considered drawbacks in Perl and Ruby also fueled his drive to create the flexible and simple language which Ruby became.

ruby-talk dispatch

Text from the 99/06/03 mailer where Ruby founder Yukihiro “Matz” Matsumoto describes some of the inspiration behind the creation of Ruby.

Ruby Frameworks:

What is Ruby on Rails

Designed to make the development of modern web applications easier and more fun, Ruby on Rails is a model–view–controller (MVC) web application framework written in Ruby which provides default structures for a database, a web service and web pages. Ruby on rails facilitates the use of web standards like JSON and XML while utilizing HTML, CSS and JavaScript for display and user interfacing.

Tour of the latest Rails version, 5.0.0, released in June 2015

Originally extracted from David Heinemeier Hansson’s work on Basecamp, a project management tool, Rails was first launched as open source in July 2004. Ruby on Rails follows the Convention over Configuration (CoC) design paradigm and the Don’t Repeat Yourself (DRY) principle. For his work on Ruby on Rails, Hansson won Best Hacker of the Year in 2005 at OSCON from Google and O’Reilly.

The nine most important pillars of the The Rails Doctine written by David Heinemeier Hansson

ruby on rails doctrine

Who uses Ruby on Rails?

From CRM software to enterprise project management tools, from online shopping to customer support and from streaming video to streaming music there are hundreds of thousands of applications built using Ruby on Rails

  • Basecamp
  • GitHub
  • Shopify
  • Airbnb
  • Twitch
  • SoundCloud
  • Hulu, Zendesk
  • Square
  • Highrise

Ruby on Rails Security Vulnerabilities

In 2013, the over 240,000 websites that were using Ruby on Rails were threatened by two major vulnerabilities (CVE-2013-0155 and CVE-2013-0156) which centered around the way that user entered data was parsed and handled by the Ruby on Rails application. These critical vulnerabilities allowed for remote code execution against any Ruby on Rails applications with an XML parser enabled and while they were able to be patched with a quick upgrade to the latest Ruby release, they opened a window which could allow hackers to take everything from a website’s database while installing persistent backdoors in the infrastructure of every website running the vulnerable code.

As with all languages and frameworks, when coding with Ruby on Rails, it’s crucial to ensure that your code stays vulnerability free.

High-Risk Ruby Security Vulnerabilities:

Alongside SQL Injections (SQLi) and XSS (Cross Site Scripting), which affect most contemporary programming languages, Ruby applications also face threats from:

Securing your Ruby on Rails Code

Checkmarx’s CxSAST, a static code analysis solution, stands out amongst Ruby testing solutions as not only the solution which will keep your Ruby code free from security and compliance issues, but also as the tool which will contribute to your organization’s advancement when it comes to application security maturity.

CxSAST works with the tools your developers are already using as it seamlessly integrates with most of the common development programs available at every stage of the SDLC. CxSAST’s features such as incremental code scanning and the best fix location made it ideal for any continuous integration continuous development (CICD) environment.

When vulnerabilities are detected in the Ruby code, CxSAST will not only identify the best fix location, but will also offer resources to the developer to understand how the attack vector work as well as remediation advice which will help them ensure similar mistakes are avoided in the future.

Want to learn more about Ruby vulnerabilities, why they happen, and how to eliminate them? Click for a tutorial and start sharpening your skills!