Missing application-level encryption of sensitive data

Description

Failing to encrypt sensitive data at the application level can lead to data breaches. This vulnerability arises when sensitive information within records is not encrypted, making it readable and accessible.

Remediations

  • Do encrypt the entire record when storing sensitive data in a datastore. This approach ensures that all sensitive information is protected.

        class User < ApplicationRecord
          encrypts :personal_info
        end

  • Do encrypt specific fields if encrypting the entire record is not feasible. This method protects individual pieces of sensitive data.

        class User < ApplicationRecord
          encrypts :ssn, :credit_card_number
        end
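The `encrypts` macro above is Active Record Encryption and only runs inside a Rails application with encryption keys configured in the credentials. To show what "application-level encryption" of a field actually does to the stored value, the following is an added example in plain Ruby, not code from this rule page or from Rails: a hypothetical `PlainRecord` base class whose `encrypts` macro wraps attribute accessors with AES-256-GCM so that the in-memory `row` hash (standing in for the database row) only ever holds ciphertext, and any tampering with that ciphertext is rejected on read. `AttributeEncryption`, `PlainRecord`, `User#row` and the demo functions are assumed names, and the key is generated at load time purely so the example runs offline.

```ruby
require "openssl"
require "securerandom"

# Stand-in for what an `encrypts` declaration provides: the plaintext never
# reaches the datastore, only an authenticated AES-256-GCM envelope.
# Constructed illustration, not the Active Record Encryption implementation.
module AttributeEncryption
  CIPHER = "aes-256-gcm".freeze
  # Assumption: a real application loads this from credentials or a KMS.
  # A random key is generated here only so the example runs offline.
  KEY = SecureRandom.random_bytes(32)

  # Returns a self-describing string "v1:<iv>:<tag>:<ciphertext>" (hex).
  def self.encrypt(plaintext, key = KEY)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = key
    iv = cipher.random_iv             # fresh 12-byte nonce for every value
    cipher.auth_data = "v1"           # version header is covered by the tag
    ciphertext = plaintext.empty? ? "".b : cipher.update(plaintext)
    ciphertext += cipher.final
    "v1:" + [iv, cipher.auth_tag, ciphertext].map { |p| p.unpack1("H*") }.join(":")
  end

  # Reverses encrypt; raises OpenSSL::Cipher::CipherError if the
  # ciphertext, nonce, tag or version header were altered.
  def self.decrypt(stored, key = KEY)
    version, iv, tag, ciphertext = stored.split(":", 4)
    raise ArgumentError, "unknown envelope version #{version.inspect}" unless version == "v1"
    iv, tag, ciphertext = [iv, tag, ciphertext].map { |p| [p].pack("H*") }
    decipher = OpenSSL::Cipher.new(CIPHER).decrypt
    decipher.key = key
    decipher.iv = iv
    decipher.auth_tag = tag
    decipher.auth_data = version
    plain = ciphertext.empty? ? "".b : decipher.update(ciphertext)
    plain += decipher.final           # GCM tag check happens here
    plain.force_encoding(Encoding::UTF_8)
  end
end

# Minimal ActiveRecord-like base class. `encrypts :attr` defines accessors
# that encrypt on write and decrypt on read; `row` plays the database row.
class PlainRecord
  attr_reader :row

  def initialize
    @row = {}
  end

  def self.encrypts(*names)
    names.each do |name|
      define_method(name) do
        stored = @row[name.to_s]
        stored.nil? ? nil : AttributeEncryption.decrypt(stored)
      end
      define_method("#{name}=") do |value|
        @row[name.to_s] = value.nil? ? nil : AttributeEncryption.encrypt(value.to_s)
      end
    end
  end
end

# Same shape as the remediation above, against the stand-in base class.
class User < PlainRecord
  encrypts :ssn, :credit_card_number
end

# Returns [what the datastore holds, what the application reads back].
def demo_round_trip(ssn = "123-45-6789")
  user = User.new
  user.ssn = ssn
  [user.row["ssn"], user.ssn]
end

# Flips the last hex digit of the stored ciphertext; returns true when the
# read fails the authentication check instead of yielding garbage.
def demo_tamper_detected
  user = User.new
  user.credit_card_number = "4111111111111111"   # constructed sample value
  user.row["credit_card_number"] = user.row["credit_card_number"].sub(/.\z/) { |c| c == "0" ? "1" : "0" }
  user.credit_card_number
  false
rescue OpenSSL::Cipher::CipherError
  true
end

if $PROGRAM_NAME == __FILE__
  stored, back = demo_round_trip
  puts "stored: #{stored}"
  puts "read back: #{back}"
  puts "tampering detected: #{demo_tamper_detected}"
end
```

Two points the snippet makes that the rule text leaves implicit: the nonce is fresh per value, so equal plaintexts do not produce equal ciphertexts (a scanner or attacker reading the column cannot match rows by value), and the GCM tag means a modified column is rejected rather than silently decrypted. Active Record Encryption adds key rotation and deterministic mode on top of this idea; those are out of scope here.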

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=ruby_rails_default_encryption

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=ruby_rails_default_encryption