An All New Rails Security Guide (railsinside.com)
12 points by brett on Oct 17, 2008 | hide | past | favorite | 2 comments



Don't love it, don't hate it. Wish people would stop coming up with ad-hoc Rails security guides, because you have to read all of them to catch the collected wisdom now. For instance, this document is the first formal doc that talks about Redcloth injection --- something you're not going to care about until you happen to use Redcloth for Textile rendering.

Generally I think this particular guide is satisfactory on details but very poor on structure. For instance, it starts the section on SQL Injection off by saying that Rails is mostly immune to it, due to clever design choices. Nonsense. The same corner cases that cause all modern apps to still have SQLi apply to Rails as well --- sort columns on tables, query builders, and everything else that requires you to concatenate SQL expression tokens instead of using stored procedures. If you con yourself into believing Rails protects you from this, you're the dev who's going to wind up with the Rails SQLi vulns.

Not a particularly big fan of their coverage of session security, either: a passing mention of httpOnly, just enough to give people the impression that it does something that it doesn't do, but a total miss on something that is going to cause Rails devs to fail PCI audits: poor domain scoping on cookies and lack of the "secure" flag.
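The "sort columns on tables" corner case from the comment above, as an added example that is not from the linked guide or from the thread: plain Ruby (no Rails needed) contrasting an ORDER BY built by passing the raw request parameter through with one built from allowlists. The table, column names and the sort-key syntax are constructed for illustration.

```ruby
# Naive version: the sort parameter from the request is passed straight into the
# ORDER BY string, which is ordinary SQL string-building no matter what ORM sits
# in front of it. Nothing here validates or quotes the identifier.
def order_clause_unsafe(sort_param)
  "SELECT * FROM users ORDER BY #{sort_param}"
end

# Hardened version: map the user-facing sort key and direction to known values
# through allowlists; only strings that came out of these maps reach the SQL.
SORTABLE_COLUMNS = {
  "name"    => "users.name",
  "email"   => "users.email",
  "created" => "users.created_at",
}.freeze
DIRECTIONS = { "asc" => "ASC", "desc" => "DESC" }.freeze

class InvalidSortError < ArgumentError; end

# Accepts "name", "name:desc", or several comma-separated keys such as
# "created:desc,name". Anything not on the allowlist raises instead of
# falling through, so an unexpected value never reaches the query.
def order_clause_safe(sort_param, default: "users.created_at DESC")
  if sort_param.nil? || sort_param.strip.empty?
    return "SELECT * FROM users ORDER BY #{default}"
  end

  parts = sort_param.split(",").map do |spec|
    key, dir = spec.strip.split(":", 2)
    column = SORTABLE_COLUMNS.fetch(key) do
      raise InvalidSortError, "unknown sort key: #{key.inspect}"
    end
    direction = DIRECTIONS.fetch((dir || "asc").downcase) do
      raise InvalidSortError, "unknown direction: #{dir.inspect}"
    end
    "#{column} #{direction}"
  end
  "SELECT * FROM users ORDER BY #{parts.join(', ')}"
end

if __FILE__ == $PROGRAM_NAME
  probe = "name; DROP TABLE users; --"   # constructed sample input for the demo
  puts order_clause_unsafe(probe)        # the extra tokens are passed through verbatim
  puts order_clause_safe("created:desc,name")
  begin
    order_clause_safe(probe)
  rescue InvalidSortError => e
    puts "rejected: #{e.message}"
  end
end
```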


nice, solid review.

if only there were some sort of wiki where all these ad-hoc Rails security guides could be coalesced. hmm, what to do.
