Ah, security, a complicated topic. There's the Rails Security Guide (I'm the author), there are blog posts covering some pieces, Rails security updates, and new attack scenarios.
So I thought: doesn't it need a strategy before going into the details?
I'll release the "Rails Security Strategy" e-book on June 30th. If you sign up before that, it will be free for you: