Exploits happen when attackers discover that your application is actually an interpreter for a weird programming language with operators like ‘make admin’, or ‘consume all available memory’. Don’t give them access to that kind of computational power! Stop them at the very boundary of your application’s input handling: the parser. By generating parsers tailored to the specific input formats of your app, you can prevent it from becoming a weird interpreter and make it harder to exploit.
When you use a parser specific to your input format, it is not only more secure but also better specified and more definite. Once you have a grammar for your inputs, you can give your API consumers better error messages and better documentation derived from that same grammar.
Using Ruby’s metaprogramming superpowers, doing this doesn’t have to be a painful process. I’ve been working on a library called Muskox that aims to make generating parsers almost as simple as using Rails 4’s Strong Parameters. Writing code to secure your app’s inputs should be easy, fun and fast.