Security is Hard (RedDotRubyConf 2015)

Security
is hard

View Slide

André Arko
@indirect

View Slide

View Slide

Security
is hard

View Slide

but we can’t
go shopping

View Slide

!

View Slide

Ruby
security releases

View Slide

View Slide

that is
a lot of releases

View Slide

View Slide

Rails
security releases

View Slide

View Slide

that is a lot
of more releases

View Slide

wait
what’s a CVE?

View Slide

common
vulnerabilities
and exposures

View Slide

numbering
authorities

View Slide

apple
adobe
cisco
redhat
etc.

View Slide

cve.mitre.org
nvd.nist.gov

View Slide

minaswan
security?
vulnerabilities?

View Slide

dhh + rails
not as nice

View Slide

dhh + rails
but we can learn
from them

View Slide

so many
gems
for everything

View Slide

so many
chances for
security issues

View Slide

rubygems
bundler
json
rexml
rack

View Slide

arel
activerecord
actionpack
activesupport
rdoc (rdoc?! yup.)

View Slide

what
should we do?

View Slide

updating
is a pain

View Slide

updating
blocks feature
development

View Slide

updating
is insurance

View Slide

a small cost
to mitigate risk

View Slide

without it
failures are
catastrophic

View Slide

!

View Slide

disclosure
liability
lawyers

View Slide

updating
is hard work
!

View Slide

but
updating is
worth it

View Slide

update
sleep well at night
!

View Slide

reporting
security issues

View Slide

responsible
disclosure

View Slide

the worst
except for all the
other options

View Slide

the best yet
because everyone
ends up unhappy

View Slide

!

View Slide

but
no one ends
up screwed

View Slide

disclosure
companies hate it

View Slide

responsible
clever, triumphant
hackers hate it

View Slide

rewards! !

View Slide

rewards! !
maybe everyone
ends up happy?

View Slide

google

View Slide

View Slide

google
severity scale
$100 to $20,000

View Slide

google
paid over $130k
so far this year

View Slide

View Slide

facebook

View Slide

View Slide

facebook
$500 minimum
no maximum

View Slide

github

View Slide

View Slide

github
no stated reward
$? maximum

View Slide

engine yard

View Slide

View Slide

engine yard
no compensation
$0 maximum

View Slide

you
anyway, back to

View Slide

ﬁnd a bug?
what if you

View Slide

questions
ask yourself two

View Slide

not mine?
can I access
something

View Slide

other people?
can I disable
something for

View Slide

disclose
responsibly
if the answer was yes

View Slide

publicly
contact an author
before reporting

View Slide

look for
a security policy
email in gemspec
email on github

View Slide

have empathy
work together

View Slide

if all else fails

View Slide

ﬁx it!
if all else fails

View Slide

ﬁnally,
what about
your gems?

View Slide

your gems
are security vulnerabilities
waiting to happen

View Slide

unless
your code is perfect
(and then I want to sell you this GREAT investment)

View Slide

easy
sympathetic discoverer

View Slide

easy
write ﬁx, review ﬁx
release + announce

View Slide

medium
problem in the wild

View Slide

medium
announce if safe
ﬁx ASAP, test ﬁx
release + announce

View Slide

hard
researcher out for glory

View Slide

hard
respond ASAP
set expectations
update every 24-48h
ﬁx + release + thanks

View Slide

make it
as easy as possible

View Slide

personally
gemspec email
github email

View Slide

on a team
security address
PGP key
disclosure policy

View Slide

ecosystem
mailing list for announcing
security issues and releases

View Slide

bit.ly/ruby-sec-ann

View Slide

go shopping
we can
!"#$
%&'(

View Slide

questions?

View Slide

Security is Hard (RedDotRubyConf 2015)

Security is Hard (RedDotRubyConf 2015)

André Arko

More Decks by André Arko

Other Decks in Technology

Featured

Transcript