Security is hard, but we can't go shopping (RubyKaigi 2013)

The last few months have been pretty brutal for anyone who depends on Ruby libraries in production. Ruby is really popular now, and that’s exciting! But it also means that we are now square in the crosshairs of security researchers, whether whitehat, blackhat, or some other hat. Only the Ruby and Rails core teams have meaningful experience with vulnerabilities so far. It won’t last. Vulnerabilities are everywhere, and handling security issues responsibly is critical if we want Ruby (and Rubyists) to stay in high demand.

I’ll discuss responsible disclosure, as well as responsible ownership of your own code. How do you know if a bug is a security issue, and how do you report it without tipping off someone malicious? As a Rubyist, you probably have at least one library of your own. How do you handle security issues, and fix them without compromising apps running on the old code? Don’t let your site get hacked, or worse yet, let your project allow someone else’s site to get hacked! Learn from the hard-won wisdom of the security community so that we won’t repeat the mistakes of others.

André Arko

May 31, 2013

Transcript

  1. Security
     is hard

  2. André Arko
     @indirect

  3. (no text captured)

  4. [ANN]

  5. (no text captured)

  6. (no text captured)

  7. (no text captured)

  8. (no text captured)

  9. Security
     is hard

  10. but we can’t
      go shopping

  11. (no text captured)

  12. Ruby
      security releases

  13. (no text captured)

  14. (no text captured)

  15. (no text captured)

  16. this is not
      normal

  17. (no text captured)

  18. Rails
      security releases

  19. (no text captured)

  20. (no text captured)

  21. this isn’t
      normal either

  22. wait
      what’s a CVE?

  23. common
      vulnerabilities
      and exposures

  24. numbering
      authorities

  25. apple
      adobe
      cisco
      redhat
      etc.

  26. cve.mitre.org
      nvd.nist.gov

  27. minaswan
      security?
      vulnerabilities?

  28. dhh + rails
      not as nice

  29. dhh + rails
      but we can learn
      from them

  30. so many
      gems
      for everything

  31. so many
      chances for
      security issues

  32. rubygems
      bundler
      json
      rexml
      rack

  33. arel
      activerecord
      actionpack
      activesupport
      rdoc (rdoc?! yup.)

  34. what
      should we do?

  35. updating
      is a pain

  36. updating
      blocks feature
      development

  37. updating
      is insurance

  38. a small cost
      to mitigate risk

  39. without it
      failures are
      catastrophic

  40. (no text captured)

  41. disclosure
      liability
      lawyers

  42. updating
      is hard work

  43. but
      updating is
      worth it

  44. update
      sleep well at night

  45. reporting
      security issues

  46. responsible
      disclosure

  47. the worst
      except for all the
      other options

  48. the best yet
      because everyone
      ends up unhappy

  49. (no text captured)

  50. but
      no one ends
      up screwed

  51. disclosure
      companies hate it

  52. responsible
      clever, triumphant
      hackers hate it

  53. rewards!

  54. rewards!
      maybe everyone
      ends up happy?

  55. google

  56. (no text captured)

  57. google
      severity scale
      $100 to $20,000

  58. google
      paid over $130k
      so far this year

  59. (no text captured)

  60. facebook

  61. (no text captured)

  62. facebook
      $500 minimum
      no maximum

  63. github

  64. (no text captured)

  65. github
      no stated reward
      $? maximum

  66. engine yard

  67. (no text captured)

  68. engine yard
      no compensation
      $0 maximum

  69. anyway, back to
      you

  70. what if you
      find a bug?

  71. ask yourself two
      questions

  72. can I access
      something
      not mine?

  73. can I disable
      something for
      other people?

  74. if the answer was yes
      disclose
      responsibly

  75. contact an author
      before reporting
      publicly

  76. look for
      a security policy
      email in gemspec
      email on github

  77. have empathy
      work together

  78. if all else fails

  79. if all else fails
      fix it!

  80. finally,
      what about
      your gems?

  81. your gems
      are security vulnerabilities
      waiting to happen

  82. unless
      your code is perfect
      (and you want to buy this )

  83. easy
      sympathetic discoverer

  84. easy
      write fix, review fix
      release + announce

  85. medium
      problem in the wild

  86. medium
      announce if safe
      fix ASAP, test fix
      release + announce

  87. hard
      researcher out for glory

  88. hard
      respond ASAP
      set expectations
      update every 24-48h
      fix + release + thanks

  89. make it
      as easy as possible

  90. personally
      gemspec email
      github email

  91. on a team
      security address
      PGP key
      disclosure policy

  92. ecosystem
      mailing list for announcing
      security issues and releases

  93. bit.ly/ruby-sec-ann

  94. we can
      go shopping

  95. questions?
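The "updating is insurance" slides argue for keeping gems current against known CVEs; as an added example (not from the talk), the Ruby snippet below parses a Gemfile.lock and reports which locked gems fall outside an advisory's patched version ranges, which is the check a dependency audit performs. The lockfile, gem names, advisory ids and version ranges are all constructed placeholders, not real advisories.

```ruby
# Added example (not from the talk): report locked gems outside an advisory's patched versions.
require "rubygems" # Gem::Version and Gem::Requirement ship with Ruby

# Constructed sample lockfile: gem names and versions are made up for the demo.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      example_web (1.4.0)
        example_parser (>= 2.0)
      example_parser (2.1.3)
      example_tools (0.9.1)

  DEPENDENCIES
    example_web
    example_tools
LOCK

# Constructed advisories with placeholder ids. "patched" lists the version
# requirements that contain the fix; a locked version matching none is affected.
SAMPLE_ADVISORIES = [
  { id: "ADVISORY-PLACEHOLDER-1", gem: "example_web", patched: [">= 1.4.2", "~> 1.3.9"] },
  { id: "ADVISORY-PLACEHOLDER-2", gem: "example_parser", patched: [">= 2.1.0"] },
].freeze

# Resolved gems are the 4-space-indented "name (version)" lines of the specs
# section; 6-space lines are their dependency requirements and are skipped.
def parse_lockfile(text)
  text.each_line.with_object({}) do |line, gems|
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    gems[m[1]] = Gem::Version.new(m[2]) if m
  end
end

# Affected when the locked version satisfies none of the patched requirements.
def affected?(version, patched)
  patched.none? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
end

# Returns each applicable advisory merged with the version actually locked.
def audit(lockfile_text, advisories)
  locked = parse_lockfile(lockfile_text)
  advisories.filter_map do |adv|
    version = locked[adv[:gem]]
    adv.merge(installed: version.to_s) if version && affected?(version, adv[:patched])
  end
end
```

With the sample data, `audit(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES)` returns a single hit for `example_web` 1.4.0, since it satisfies neither `>= 1.4.2` nor `~> 1.3.9`, while `example_parser` 2.1.3 already carries its fix.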