Security is Hard (RedDotRubyConf 2015)

Ruby has gotten quite popular, which is really exciting! But it also means that we are now square in the crosshairs of security researchers, whether whitehat, blackhat, or some other hat. Before 2013, only the Ruby and Rails core teams had meaningful experience with security issues. This year everyone got meaningful experience. Vulnerabilities are everywhere, and handling security issues responsibly is critical if we want Ruby (and Rubyists) to stay safe and in high demand.

I discuss responsible disclosure, as well as responsible ownership of your own code. How do you know if a bug is a security issue, and how do you report it without tipping off someone malicious? As a Rubyist, you probably have at least one library of your own. How do you handle security issues, and fix them without compromising apps running on the old code? Don’t let your site get hacked, or worse yet, let your project allow someone else’s site to get hacked! Learn from the hard-won wisdom of the security community so that we won’t repeat the mistakes of others.

André Arko

June 04, 2015

Transcript

  1. Security
    is hard

  2. André Arko
    @indirect

  3. Security
    is hard

  4. but we can’t
    go shopping

  5. Ruby
    security releases

  6. that is
    a lot of releases

  7. Rails
    security releases

  8. that is a lot
    of more releases

  9. wait
    what’s a CVE?

  10. common
    vulnerabilities
    and exposures

  11. numbering
    authorities

  12. apple
    adobe
    cisco
    redhat
    etc.

  13. cve.mitre.org
    nvd.nist.gov

  14. minaswan
    security?
    vulnerabilities?

  15. dhh + rails
    not as nice

  16. dhh + rails
    but we can learn
    from them

  17. so many
    gems
    for everything

  18. so many
    chances for
    security issues

  19. rubygems
    bundler
    json
    rexml
    rack

  20. arel
    activerecord
    actionpack
    activesupport
    rdoc (rdoc?! yup.)

  21. what
    should we do?

  22. updating
    is a pain

  23. updating
    blocks feature
    development

  24. updating
    is insurance

  25. a small cost
    to mitigate risk

  26. without it
    failures are
    catastrophic

  27. disclosure
    liability
    lawyers

  28. updating
    is hard work!

  29. but
    updating is
    worth it

  30. update
    sleep well at night!

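The "updating is insurance" point above, as an added example (not code from the talk or from any of the projects it names): a small Ruby check that reads the gem pins out of a Gemfile.lock and flags any pin that falls inside an advisory's affected version range, using RubyGems' own Gem::Version and Gem::Requirement. The lockfile, versions and advisory ids are constructed placeholders; a real check would take its advisories from the ruby-security-ann list or an advisory database.

```ruby
require "rubygems"

# Constructed sample Gemfile.lock (not from the talk): gems the talk names as
# having had security releases, pinned to made-up versions.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      json (1.8.0)
      rack (1.5.2)
      rack-test (0.6.3)
        rack (>= 1.0)
      rexml (3.1.7)

  PLATFORMS
    ruby
LOCK

# Constructed advisory table with placeholder ids (real ones come from an advisory feed).
ADVISORIES = [
  { gem: "rack",  id: "ADVISORY-PLACEHOLDER-1", affected: "< 1.5.3" },
  { gem: "json",  id: "ADVISORY-PLACEHOLDER-2", affected: ">= 1.8.0, < 1.8.2" },
  { gem: "rexml", id: "ADVISORY-PLACEHOLDER-3", affected: "< 3.1.7" },
]

# Parse the "specs:" section of a Gemfile.lock into { name => Gem::Version }. Pins sit at
# a 4-space indent; deeper lines are a gem's dependencies (requirements, not pins), skipped.
def locked_gems(lockfile)
  gems = {}
  in_specs = false
  lockfile.each_line do |line|
    in_specs = true  if line.strip == "specs:"
    in_specs = false if line.match?(/\A[A-Z]/) # next top-level section
    next unless in_specs
    m = line.match(/\A {4}(\S+) \(([^)]+)\)/)
    gems[m[1]] = Gem::Version.new(m[2]) if m
  end
  gems
end

# Advisories whose affected range (one or more Gem::Requirement strings,
# comma separated) contains the locked version of that gem.
def outdated(lockfile, advisories = ADVISORIES)
  pins = locked_gems(lockfile)
  advisories.select do |adv|
    version = pins[adv[:gem]]
    version && Gem::Requirement.new(*adv[:affected].split(", ")).satisfied_by?(version)
  end
end
```

Calling `outdated(SAMPLE_LOCKFILE)` returns the rack and json advisories for the constructed data; rexml is already at the first unaffected version and is not flagged.
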
  31. reporting
    security issues

  32. responsible
    disclosure

  33. the worst
    except for all the
    other options

  34. the best yet
    because everyone
    ends up unhappy

  35. but
    no one ends
    up screwed

  36. disclosure
    companies hate it

  37. responsible
    clever, triumphant
    hackers hate it

  38. rewards!
    maybe everyone
    ends up happy?

  39. google
    severity scale
    $100 to $20,000

  40. google
    paid over $130k
    so far this year

  41. facebook
    $500 minimum
    no maximum

  42. github
    no stated reward
    $? maximum

  43. engine yard
    no compensation
    $0 maximum

  44. anyway, back to
    you

  45. what if you
    find a bug?

  46. ask yourself two
    questions

  47. can I access
    something
    not mine?

  48. can I disable
    something for
    other people?

  49. if the answer was yes
    disclose
    responsibly

  50. contact an author
    before reporting
    publicly

  51. look for
    a security policy
    email in gemspec
    email on github

  52. have empathy
    work together

  53. if all else fails

  54. if all else fails
    fix it!

  55. finally,
    what about
    your gems?

  56. your gems
    are security vulnerabilities
    waiting to happen

  57. unless
    your code is perfect
    (and then I want to sell you this GREAT investment)

  58. easy
    sympathetic discoverer

  59. easy
    write fix, review fix
    release + announce

  60. medium
    problem in the wild

  61. medium
    announce if safe
    fix ASAP, test fix
    release + announce

  62. hard
    researcher out for glory

  63. hard
    respond ASAP
    set expectations
    update every 24-48h
    fix + release + thanks

  64. make it
    as easy as possible

  65. personally
    gemspec email
    github email

  66. on a team
    security address
    PGP key
    disclosure policy

  67. ecosystem
    mailing list for announcing
    security issues and releases

  68. bit.ly/ruby-sec-ann

  69. we can
    go shopping
