Security is Hard, But We Can't Go Shopping (Madison Ruby 2014)

Security
is hard

View Slide

André Arko
@indirect

View Slide

View Slide

Bundler

View Slide

Security
is hard

View Slide

but we can’t
go shopping

View Slide

!

View Slide

accelerating
security issues are

View Slide

Ruby+Rails
security releases

View Slide

ruby CVEs
0
1
2
3
4
5
6
2009 2010 2011 2012 2013

View Slide

rails CVEs
0
3
6
9
12
15
18
2009 2010 2011 2012 2013

View Slide

wait
what’s a CVE?

View Slide

common
vulnerabilities
and exposures

View Slide

numbering
authorities

View Slide

apple
adobe
cisco
redhat
etc.

View Slide

cve.mitre.org
nvd.nist.gov

View Slide

minaswan
security?
vulnerabilities?

View Slide

dhh + rails
not as nice

View Slide

dhh + rails
but we can learn
from them

View Slide

so many
gems
for everything

View Slide

so many
chances for
security issues

View Slide

rubygems
bundler
json
rexml
rack

View Slide

arel
activerecord
actionpack
activesupport
rdoc (rdoc?! yup.)

View Slide

what
should we do?

View Slide

updating
is a pain

View Slide

updating
blocks feature
development

View Slide

updating
is insurance

View Slide

a small cost
to mitigate risk

View Slide

without it
failures are
catastrophic

View Slide

!

View Slide

disclosure
liability
lawyers

View Slide

updating
is hard work
!

View Slide

but
updating is
worth it

View Slide

update
sleep well at night
!

View Slide

reporting
security issues

View Slide

responsible
disclosure

View Slide

the worst
except for all the
other options

View Slide

the best yet
because everyone
ends up unhappy

View Slide

!

View Slide

but
no one ends
up screwed

View Slide

disclosure
companies hate it

View Slide

responsible
clever, triumphant
hackers hate it

View Slide

rewards! !

View Slide

rewards! !
maybe everyone
ends up happy?

View Slide

facebook

View Slide

View Slide

facebook
$500 minimum
no maximum

View Slide

github

View Slide

View Slide

github
$100 minimum
$5000 maximum

View Slide

heroku

View Slide

View Slide

heroku
$100 minimum
$1500 maximum

View Slide

engine yard

View Slide

View Slide

engine yard
no compensation
$0 maximum

View Slide

you
anyway, back to

View Slide

ﬁnd a bug?
what if you

View Slide

questions
ask yourself two

View Slide

I shouldn’t?
can I access
something

View Slide

other people?
can I disable
something for

View Slide

disclose
responsibly
if the answer was yes

View Slide

publicly
contact an author
before reporting

View Slide

look for
a security policy
email in gemspec
email on github

View Slide

have empathy
work together

View Slide

if all else fails

View Slide

ﬁx it!
if all else fails

View Slide

ﬁnally,
what about
your gems?

View Slide

your gems
are security vulnerabilities
waiting to happen

View Slide

unless
your code is perfect
(and then I have a bridge to sell you)

View Slide

easy
sympathetic discoverer

View Slide

write ﬁx, review ﬁx
release + announce
easy

View Slide

medium
problem in the wild

View Slide

medium
announce if safe
ﬁx ASAP, test ﬁx
release + announce

View Slide

hard
researcher out for glory

View Slide

hard
respond ASAP
set expectations
update every 24-48h
ﬁx + release + thanks

View Slide

make it
as easy as possible

View Slide

personally
gemspec email
github email

View Slide

on a team
security address
PGP key
disclosure policy

View Slide

ecosystem
mailing list for announcing
security issues and releases

View Slide

bit.ly/ruby-sec-ann

View Slide

go shopping
we can
!"#$
%&'(

View Slide

questions?
bit.ly/ruby-sec-ann
@indirect

View Slide

Security is Hard, But We Can't Go Shopping (Madison Ruby 2014)

Security is Hard, But We Can't Go Shopping (Madison Ruby 2014)

André Arko

More Decks by André Arko

Other Decks in Technology

Featured

Transcript