
Security is hard, but we can't go shopping (Ruby on Ales 2013)

The last few months have been pretty brutal for anyone who depends on Ruby libraries in production. Ruby is really popular now, and that’s exciting! But it also means that we are now square in the crosshairs of security researchers, whether whitehat, blackhat, or some other hat. Only the Ruby and Rails core teams have meaningful experience with vulnerabilities so far. It won’t last. Vulnerabilities are everywhere, and handling security issues responsibly is critical if we want Ruby (and Rubyists) to stay in high demand.

I’ll discuss responsible disclosure, as well as responsible ownership of your own code. How do you know if a bug is a security issue, and how do you report it without tipping off someone malicious? As a Rubyist, you probably have at least one library of your own. How do you handle security issues, and fix them without compromising apps running on the old code? Don’t let your site get hacked, or worse yet, let your project allow someone else’s site to get hacked! Learn from the hard-won wisdom of the security community so that we won’t repeat the mistakes of others.

André Arko

March 08, 2013


Transcript

  1. Security
    is hard

  2. André Arko
    @indirect

  3. Security
    is hard

  4. we can’t
    go shopping
    !

  5. Ruby
    security releases

  6. this is not
    normal

  7. Rails
    security releases

  8. this isn’t
    normal either

  9. wait
    what’s a CVE?

  10. common
    vulnerabilities
    and exposures

  11. numbering
    authorities

  12. apple
    adobe
    cisco
    redhat
    etc.

  13. cve.mitre.org
    nvd.nist.gov

  14. minaswan
    security?
    vulnerabilities?

  15. dhh + rails
    not as nice

  16. dhh + rails
    but we can learn
    from them

  17. so many
    gems
    for everything

  18. so many
    chances for
    security issues

  19. rubygems
    bundler
    json
    rexml
    rack

  20. arel
    activerecord
    actionpack
    activesupport
    rdoc (rdoc?! yup.)

  21. what
    should we do?

  22. updating
    is a pain

  23. updating
    blocks feature
    development

  24. updating
    is insurance

  25. a small cost
    to mitigate risk

  26. without it
    failures are
    catastrophic

  27. disclosure
    liability
    lawyers

  28. updating
    is hard work
    !

  29. but
    updating is
    worth it

  30. update
    sleep well at night
    !
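
Added example (not from the talk, and not Bundler's or RubyGems' own code): one concrete form "updating is insurance" takes is checking a Gemfile.lock against the fixed versions a security announcement names, typically one fixed release per maintenance branch. It uses Bundler's lockfile parser (an internal class, so subject to change between Bundler versions) and RubyGems version requirements. The gem names, fixed ranges and the lockfile itself are constructed for illustration and are not real advisory data.

```ruby
require 'bundler'
require 'rubygems'

# CONSTRUCTED placeholder table, not real advisory data: for each gem, the
# ranges a fixed release falls in, one per maintenance branch, written the
# way an announcement states them ("upgrade to 1.4.5, 1.5.2 or 1.6.0").
FIXED_RANGES = {
  'rack'  => ['~> 1.4.5', '~> 1.5.2', '>= 1.6.0'],
  'json'  => ['~> 1.7.7', '>= 1.8.0'],
  'rexml' => ['>= 3.2.5'],
}

# Returns [gem_name, locked_version] pairs whose locked version satisfies
# none of the fixed ranges for that gem. Lockfile gems with no table entry
# are skipped; table gems absent from the lockfile are not a problem.
def vulnerable_gems(lockfile_contents, fixed = FIXED_RANGES)
  specs = Bundler::LockfileParser.new(lockfile_contents).specs
  specs.each_with_object([]) do |spec, out|
    next unless (ranges = fixed[spec.name])
    # spec.version is a Gem::Version, so prerelease and multi-segment
    # versions compare correctly instead of as strings.
    safe = ranges.any? { |r| Gem::Requirement.new(r).satisfied_by?(spec.version) }
    out << [spec.name, spec.version.to_s] unless safe
  end
end

# Constructed sample lockfile: rack sits on the 1.4 branch below its fix,
# json is on a fixed 1.7 release, rexml is past its fix, rake is not tracked.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      json (1.7.7)
      rack (1.4.4)
      rake (10.0.3)
      rexml (3.2.6)

  PLATFORMS
    ruby

  DEPENDENCIES
    json
    rack
    rake
    rexml
LOCK

if $PROGRAM_NAME == __FILE__
  vulnerable_gems(SAMPLE_LOCK).each { |name, version| puts "#{name} #{version} needs updating" }
end
```

Run it against a real lockfile by passing `File.read('Gemfile.lock')`. The per-branch ranges matter: a locked 1.5.0 when the fixes are 1.4.5 and 1.5.2 is still vulnerable and is reported here, whereas a naive "at least the lowest fixed version" comparison would wave it through.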


  31. reporting
    security issues

  32. responsible
    disclosure

  33. the worst
    except for all the
    other options

  34. the best yet
    because everyone
    ends up unhappy

  35. but
    no one ends
    up screwed

  36. disclosure
    companies hate it

  37. responsible
    clever, triumphant
    hackers hate it

  38. rewards!!
    maybe everyone
    ends up happy?

  39. facebook
    $500 minimum
    no maximum

  40. engine yard
    no compensation
    $0 maximum

  41. github
    no stated policy
    $? maximum

  42. anyway, back to
    you

  43. what if you
    find a bug?

  44. ask yourself two
    questions

  45. can I access
    something
    I shouldn’t?

  46. can I disable
    something for
    other people?

  47. if the answer was yes
    disclose
    responsibly

  48. contact an author
    before reporting
    publicly

  49. look for
    a security policy
    email in gemspec
    email on github

  50. have empathy
    work together

  51. if all else fails

  52. if all else fails
    fix it!

  53. finally,
    what about
    your gems?

  54. your gems
    are security vulnerabilities
    waiting to happen

  55. unless
    your code is perfect
    (and you want to buy this real estate in Florida)

  56. easy
    sympathetic discoverer

  57. easy
    write fix, review fix
    release + announce

  58. medium
    problem in the wild

  59. medium
    announce if safe
    fix ASAP, test fix
    release + announce

  60. hard
    researcher out for glory

  61. hard
    respond ASAP
    set expectations
    update every 24-48h
    fix + release + thanks

  62. make it
    as easy as possible

  63. personally
    gemspec email
    github email

  64. on a team
    security address
    PGP key
    disclosure policy
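
Added example (not from the talk, and not RubyGems' own code) serving slide 49 and slides 63–64: a constructed gemspec showing where a maintainer publishes the contact points listed above, plus a reporter-side helper that reads them back in the order a reporter would try them. The metadata key `security_policy_uri` is an assumption for illustration: `metadata` is a free-form hash, and rubygems.org recognizes keys such as `source_code_uri` but no security-specific one. The gem name, addresses and URLs are made up.

```ruby
require 'rubygems'

# Constructed gemspec (not a real gem): the maintainer side. A team address
# goes in `email`; the disclosure policy is linked from `metadata`. The
# 'security_policy_uri' key is an assumed convention, not a RubyGems one.
SAMPLE_SPEC = Gem::Specification.new do |s|
  s.name     = 'example-gem'
  s.version  = '1.2.3'
  s.summary  = 'constructed sample for the contact lookup'
  s.authors  = ['Example Maintainer']
  s.email    = ['security@example.com', 'maintainer@example.com']
  s.homepage = 'https://github.com/example/example-gem'
  s.metadata = {
    'source_code_uri'     => 'https://github.com/example/example-gem',
    'security_policy_uri' => 'https://github.com/example/example-gem/blob/main/SECURITY.md',
  }
end

# Reporter side: returns [label, value] pairs, explicit security policy
# first, then gemspec emails, then the source repository or homepage (where
# a GitHub profile email might be listed). Empty when the spec has none.
def contact_points(spec)
  points = []
  meta = spec.metadata || {}
  points << ['security policy', meta['security_policy_uri']] if meta['security_policy_uri']
  # `email` may be a String, an Array, or nil depending on how the spec was written.
  Array(spec.email).compact.reject(&:empty?).each { |e| points << ['gemspec email', e] }
  repo = meta['source_code_uri'] || spec.homepage
  points << ['source/homepage', repo] if repo && !repo.empty?
  points
end

# Look up an installed gem by name. An uninstalled gem yields no contacts
# rather than an exception, so a caller can move on to the next gem.
def contact_points_for(gem_name)
  contact_points(Gem::Specification.find_by_name(gem_name))
rescue Gem::LoadError
  []
end

if $PROGRAM_NAME == __FILE__
  contact_points(SAMPLE_SPEC).each { |label, value| puts "#{label}: #{value}" }
end
```

A gemspec has no field for the PGP key the slide mentions; the policy document the URI points at is the natural place to publish it, alongside what kind of reports you want and how quickly you will acknowledge them.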


  65. ecosystem
    mailing list for announcing
    security issues and releases

  66. bit.ly/ruby-sec-ann

  67. we can
    go shopping
    !