Monday I spent the day at the offices of a government department. A few weeks ago I was asked to do a code review of a new application that they had built, specifically looking at security.
The application is built using Ruby on Rails, which currently isn't in use at the department. I've never written a report on a Rails app, so I'm still figuring out how best to approach the code review. What I've come up with so far:
How users sign in to the app, and which parts of the app can only be accessed by signing in. Look at the authentication library in use (a well-known library such as Devise is probably best).
Whether there are different roles or permissions for users, and what actions they can perform.
Which dependencies are used, whether they are up to date, and how trusted they are. Points for having Dependabot running.
Whether the application is configured with security in mind (mostly this would be following Rails’ defaults).
Advanced Rails security
Whether the application uses Rails’ advanced security features like Content Security Policy (CSP) and protection against Cross-Site Request Forgery (CSRF).
Whether the session cookies are secure, and whether the application uses additional cookies.
Whether error reporting to something like Airbrake or Sentry is set up, and whether it's configured to sanitise data before sending it.
Whether the code is linted on CI. A linter like RuboCop can catch bugs in development, and bugs can often lead to security vulnerabilities.
Whether there are any integration or unit tests relating to security, and their coverage.
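As an added example (not code from this post or from the department's application), here is a small pure-Ruby audit covering the CSP and session-cookie items on the list above: it takes the Content-Security-Policy and Set-Cookie headers from one HTTP response and returns the findings a reviewer would write up. The header values are constructed samples, and the thresholds (no 'unsafe-inline', 'unsafe-eval' or '*' in script-src; Secure, HttpOnly and SameSite on the session cookie) are my assumptions about what the review should flag.

```ruby
# Header values below are constructed samples, not from the reviewed application.
WEAK_CSP      = "default-src 'self'; script-src 'self' 'unsafe-inline'"
STRICT_CSP    = "default-src 'self'; script-src 'self' 'nonce-d2xmZ3'"
WEAK_COOKIE   = "_app_session=abc123; Path=/; HttpOnly"
STRICT_COOKIE = "_app_session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"

# Parse a Content-Security-Policy header into { directive => [sources] }.
def parse_csp(header)
  header.split(';').each_with_object({}) do |chunk, policy|
    name, *sources = chunk.strip.split(/\s+/)
    policy[name] = sources if name
  end
end

# Findings a reviewer would raise about the CSP: missing policy, no fallback,
# or a script-src that permits inline scripts, eval, or any origin.
def csp_findings(header)
  return ['no Content-Security-Policy header'] if header.nil? || header.strip.empty?
  policy = parse_csp(header)
  findings = []
  findings << 'no default-src fallback' unless policy.key?('default-src')
  script = policy['script-src'] || policy['default-src'] || []
  findings << "script-src allows 'unsafe-inline'" if script.include?("'unsafe-inline'")
  findings << "script-src allows 'unsafe-eval'" if script.include?("'unsafe-eval'")
  findings << 'script-src allows any origin (*)' if script.include?('*')
  findings
end

# Parse a Set-Cookie header into [cookie name, { lowercased attribute => value }].
def parse_set_cookie(header)
  name_value, *attrs = header.split(';').map(&:strip)
  name = name_value.split('=', 2).first
  attributes = attrs.to_h { |a| k, v = a.split('=', 2); [k.downcase, v] }
  [name, attributes]
end

# Findings about a session cookie: it should be Secure, HttpOnly and SameSite.
def cookie_findings(header)
  name, attrs = parse_set_cookie(header)
  findings = []
  findings << "#{name}: missing Secure" unless attrs.key?('secure')
  findings << "#{name}: missing HttpOnly" unless attrs.key?('httponly')
  same_site = attrs['samesite']&.downcase
  findings << "#{name}: SameSite not Lax or Strict" unless %w[lax strict].include?(same_site)
  findings
end

# Print the findings for the weak and the corrected configuration side by side.
results = { 'weak CSP' => csp_findings(WEAK_CSP), 'strict CSP' => csp_findings(STRICT_CSP),
            'weak cookie' => cookie_findings(WEAK_COOKIE), 'strict cookie' => cookie_findings(STRICT_COOKIE) }
results.each { |label, found| puts "#{label}: #{found.empty? ? 'ok' : found.join('; ')}" }
```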