Security is Hard, But We Can't Go Shopping (Madison Ruby 2014)

The last year has been brutal for Ruby and security. Ruby has gotten quite popular, which is really exciting! But it also means that we are now square in the crosshairs of security researchers, whether whitehat, blackhat, or some other hat. Before 2013, only the Ruby and Rails core teams had meaningful experience with security issues. This year everyone got meaningful experience. Vulnerabilities are everywhere, and handling security issues responsibly is critical if we want Ruby (and Rubyists) to stay safe and in high demand.

I discuss responsible disclosure, as well as responsible ownership of your own code. How do you know if a bug is a security issue, and how do you report it without tipping off someone malicious? As a Rubyist, you probably have at least one library of your own. How do you handle security issues, and fix them without compromising apps running on the old code? Don’t let your site get hacked, or worse yet, let your project allow someone else’s site to get hacked! Learn from the hard-won wisdom of the security community so that we won’t repeat the mistakes of others.

André Arko

August 23, 2014

Transcript

  1. !

  2. Chart: Ruby CVEs per year, 2009 to 2013 (y-axis 0 to 6)

  3. Chart: Rails CVEs per year, 2009 to 2013 (y-axis 0 to 18)

  4. !

  5. !