10 Jun, 2013

Railsgoat and Ruby on Rails Security

by Ken Johnson

The Open Web Application Security Project, or “OWASP”, is a non-profit organization dedicated to open-source efforts that enhance the security of applications, whether mobile, web, or other. We have contributed tutorial-driven, purposefully vulnerable applications to this organization in an effort to further educate software developers. Simply put, we wanted to give free, high-quality training, and OWASP is a great medium for doing so.

Our latest contribution is named Railsgoat, details of which (installation, about, etc.) can be found at the Unofficial Project Page and the OWASP Official Wiki Page. The purpose of this application is to provide Rails-focused security professionals and software developers with a training tool that helps the user find, attack, and fix vulnerabilities on the Ruby on Rails platform.

Here are some photos of the application:

Features include:

  • OWASP Top 10 (2010) driven vulnerabilities
  • Ruby on Rails specific vulnerabilities
  • Semi-realistic, scalable HR application
  • Choose your own adventure style of training
  • Rails Framework v3.2
  • Code Flaw and Remediation Examples

On the Roadmap:

  • A version developed in Rails 4.x
  • OWASP Top 10 - 2013
  • More functionality and more bugs
  • Tutorials on running in an AWS or Heroku environment
  • Virtual Machine

We hope you find this project useful. All feature requests or bug submissions can be posted via the GitHub site.

Thanks!

~nVisium Security Team