Ah, security, a complicated topic. There's the Rails Security Guide (I'm
the author), there are blog posts with some bits, Rails security updates
and new attack scenarios.
So I thought, doesn't it need a strategy before going into the details?
I’ll release the “Rails Security Strategy” e-book on June 30th. If you
sign up before that, it will be free for you: