The Railsgoat application stores user's Social Security Numbers in plain-text within the database and because of this, it fails to adequately protect these numbers from theft. Additionally, the user's full SSN is sent back to the user within an HTTP response from the application.

The WorkInfo model (app/models/work_info.rb) is missing code to encrypt this data prior to storage. Additionally, while code exists to render only the last 4 numbers of an SSN, at no time is it used.

				class WorkInfo < ActiveRecord::Base
				  attr_accessible :DoB, :SSN, :bonuses, :income, :years_worked
				  belongs_to :user

				  # We should probably use this
				  def last_four
				    "***-**-" << self.SSN[-4,4]
				  end

				end
	
			  

SSN Storage - SOLUTION

There is a lot of guidance on adequately protecting sensitive data at rest and using a layered defensive approach. Make no mistake, this should not be your sole means of securing sensitive data. That being said, there are at least four precautions that should be taken.

The sensitive data is encrypted everywhere, including backups

Only authorized users can access decrypted copies of the data

Use a strong algorithm

Strong key is generated, protected from unauthorized access, and key change is planned for.

One additional item to note with rails specifically, the framework makes it easy to determine the type of environment running, example:

					Rails.env.production?
				

...or

					Rails.env.development?
				

This allows developers to easily create different keys for development and production and should be considered an asset to utilize. While development keys are usually stored within the source code of most rails applications, and developers with access to the repo can download those keys, the same should NOT hold true for production keys.

My SSN seems pretty important, hope it's kept safe!