There’s a limit to how much security you can verify with TDD, so it’s a good idea to also run a static analysis tool that looks for security issues. Two options are Brakeman, which you run yourself, and CodeClimate, which automatically runs Brakeman on each commit. Brakeman looks for a variety of security issues and provides some tips on working around them.
Prescription 30: Use an automatic security scanner to check for common security issues.
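As an added example (not code from the book or from Brakeman itself), here is a small Ruby gate that reads the JSON report Brakeman writes with `brakeman -f json -o brakeman.json` and fails a CI step when warnings at or above a chosen confidence remain. The report embedded below is constructed in Brakeman's JSON shape for the example; it is not real scan output, and the `High`/`Medium`/`Weak` confidence labels are assumed to match what your Brakeman version prints.

```ruby
require "json"

# Confidence labels as Brakeman prints them in JSON reports; "Weak" is the lowest.
CONFIDENCE_RANK = { "High" => 3, "Medium" => 2, "Weak" => 1 }.freeze

# Parse a Brakeman JSON report (e.g. `brakeman -f json -o brakeman.json`) and
# return the warnings whose confidence is at or above min_confidence.
def blocking_warnings(report_json, min_confidence: "Medium")
  report = JSON.parse(report_json)
  threshold = CONFIDENCE_RANK.fetch(min_confidence)
  report.fetch("warnings", []).select do |w|
    CONFIDENCE_RANK.fetch(w["confidence"], 0) >= threshold
  end
end

# One-line summary of a warning for CI logs.
def format_warning(w)
  "#{w['confidence']}: #{w['warning_type']} in #{w['file']}:#{w['line']} -- #{w['message']}"
end

# Exit status for the CI step: 1 when any blocking warning remains, else 0.
def scan_exit_status(report_json, min_confidence: "Medium")
  blocking_warnings(report_json, min_confidence: min_confidence).empty? ? 0 : 1
end

# Constructed sample in Brakeman's JSON shape; not output from a real scan.
SAMPLE_REPORT = <<~JSON
  {
    "scan_info": { "app_path": "/app", "rails_version": "5.2.0" },
    "warnings": [
      { "warning_type": "SQL Injection", "message": "Possible SQL injection",
        "file": "app/models/user.rb", "line": 12, "confidence": "High",
        "fingerprint": "constructed-1" },
      { "warning_type": "Mass Assignment", "message": "Potentially dangerous key allowed for mass assignment",
        "file": "app/controllers/users_controller.rb", "line": 40, "confidence": "Medium",
        "fingerprint": "constructed-2" },
      { "warning_type": "Cross-Site Scripting", "message": "Unescaped model attribute",
        "file": "app/views/users/show.html.erb", "line": 3, "confidence": "Weak",
        "fingerprint": "constructed-3" }
    ],
    "ignored_warnings": [],
    "errors": []
  }
JSON

if __FILE__ == $PROGRAM_NAME
  report = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_REPORT
  blocking_warnings(report).each { |w| puts format_warning(w) }
  exit scan_exit_status(report) if ARGV[0] # fail the process only when gating a real report file
end
```

Run it as `ruby brakeman_gate.rb brakeman.json` in the CI step after Brakeman; with no argument it reports on the embedded sample instead.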
The Open Web Application Security Project has all kinds of useful information on security risks. Of particular interest is WebGoat, a deliberately insecure application designed to allow you to hack and test solutions. The Rails version is called RailsGoat.