Search
Red Dot Ruby Conference 2015
Security Is Hard, But We Can't Go Shopping
Edit
Summarized using AI

Security Is Hard, But We Can't Go Shopping

André Arko • June 04, 2015 • Singapore • Talk

In the talk titled "Security Is Hard, But We Can't Go Shopping," André Arko highlights the importance of security in software development, particularly for Ruby applications. He emphasizes that while security is a challenging topic, it is crucial for developers, especially Rubyists, who may lack familiarity with handling security vulnerabilities in their code. Below are the key points discussed throughout the presentation:

  • Introduction to Security: Arko introduces himself and his work at Cloud City Development and Ruby Together, a non-profit aimed at maintaining essential Ruby tools, emphasizing the need for investment in security measures.
  • Historical Context: He recounts a significant period where Ruby and Rails experienced an unusual number of security releases, leading to heightened scrutiny from security researchers.
  • Understanding CVEs: The presentation explains Common Vulnerabilities and Exposures (CVE) numbers as identifiers for security issues that are critical for developers to understand.
  • The Importance of Updating: Arko likens regular updates to insurance policies for businesses, stating that neglecting updates can lead to disastrous outcomes, including security breaches.
  • Responsible Disclosure: When developers discover vulnerabilities, they should practice responsible disclosure by reporting the issue privately to the respective software maintainers before making it public.
  • Dealing with Security Vulnerabilities: Arko outlines strategies for responding to security findings, emphasizing the importance of maintaining communication and ensuring timely updates in the codebase to keep applications secure.
  • Gem Management and Dependencies: He discusses the growing complexity of projects with multiple gem dependencies and the trade-offs involved in using third-party libraries versus maintaining security oversight.
  • Security Tools: He recommends using tools like Brakeman for identifying potential vulnerabilities in Rails applications, while stressing the importance of regular manual checks and security updates.
  • Conclusion: The talk concludes with a call to action for the Ruby community to prioritize security as an ongoing responsibility, forming a standard practice that becomes second nature rather than an afterthought.

By maintaining vigilance and integrating security practices into everyday development, developers can better protect their software from vulnerabilities. Arko's insights underline the fact that while dealing with security may not be as enjoyable as shopping, it is essential for safeguarding applications.

Security Is Hard, But We Can't Go Shopping
André Arko • Singapore • Talk

Date: June 04, 2015
Published: unknown
Announced: unknown

Security Is Hard, But We Can't Go Shopping by André Arko

Security is really important, and a lot of rubyists are unfamiliar with how it works, why it's important, how to explain it to bosses and managers, and most importantly, how to handle security vulnerabilities in code they use (or code they wrote). Let's talk about why security is important, even though Matz is nice. We'll also about what to do when vulnerabilities show up, since they always will.

Red Dot Ruby Conference 2015

00:00:19.680 hey everybody uh it's my first time in singapore it's really cool i like it here uh it's
00:00:25.600 really warm uh that's kind of nice and
00:00:30.880 it's too warm you guys just a little bit less warm and it'd be great uh because the problem i have with san
00:00:35.920 francisco just a little bit less cold it'll be great so i'm just gonna keep going back and forth i guess anyway uh
00:00:42.239 i'm here to talk about security so uh first let me introduce myself i'm andre arco that's my picture on the internet
00:00:49.440 i'm also indirect on basically all the internet things um i work at cloud city development
00:00:55.360 we do mostly uh rails contract work um and have like a
00:01:03.039 a bunch of devs who do cool stuff i specifically do uh pairing and team training
00:01:10.159 on teams doing rails development um if that's the kind of thing that your company's interested in talk to me later
00:01:16.240 it's cool the other thing i work on is called ruby together um
00:01:23.280 it's actually one of the things that winston and allen did as organizers of this conference is
00:01:28.799 everybody's goodie bags have ruby together stickers in them ruby together is a
00:01:34.400 non-profit company that i started specifically to make sure that
00:01:39.600 all of these tools that every rubyist use uses
00:01:44.720 every day keep working so bundler and rubygems and rubygems.org
00:01:51.600 and all of those things that basically all of us sit down and use any time that we're doing work
00:01:58.240 have spent years and years just getting maintained by people in their spare time
00:02:03.840 i don't know how much all of you know about the history of those tools but it's basically been people who are like
00:02:11.039 man it would be cool if and then spending like their weekends and their nights improving things
00:02:17.040 and that means that when people don't have weekends and nights
00:02:22.400 it goes totally unmaintained and sometimes that means that there are security issues and sometimes that means
00:02:27.760 that rubygems.org goes down and sometimes that means that bundler doesn't work with the newest version of
00:02:32.959 rubygems because no one had time to make sure that those things kept happening so ruby together is a trade association
00:02:40.480 for ruby developers and ruby companies that funds developers to make sure that all
00:02:46.480 those things keep working so right now uh ruby together is paying for maintenance
00:02:52.800 work on bundler to make sure that bundler keeps working with new versions of ruby gems and new versions of ruby as they come out and it's paying for
00:02:58.959 maintenance on rubygems.org to make sure that the servers get security patches applied and it's not an easy target for
00:03:06.080 hackers we would love to do more including
00:03:11.840 additional development work adding new features making things faster and more awesomer
00:03:18.000 we'd even love to eventually pay people to improve rails and even ruby
00:03:23.200 but we need all of your help so check out ruby together so far
00:03:29.680 companies have joined ruby together include stripe engine yard cloud city where i work and bleacher report
00:03:36.159 we'd love to have you and your company help us with that as well um so back to security
00:03:44.159 security unfortunately is really hard uh it would be nice if when things were
00:03:50.400 hard we could just go off and do something easy um i find shopping much easier than security uh i recognize that
00:03:57.840 this may be different for individual people but i'm drawing from my own life experience so i get sad when i have to deal with
00:04:04.640 security instead of going shopping um so the the motivation for me to give this
00:04:10.480 talk is actually now like maybe uh a couple years old and it was when there was a huge string
00:04:17.600 of security releases depending on how long each of you has been programming ruby like maybe you
00:04:23.120 remember this maybe you kind of glossed over it maybe this was your nightmare for multiple months in a row um
00:04:29.919 so this thing happened where ruby went through a bunch of security releases in
00:04:34.960 like a few weeks it's really not normal to have a ruby release more than like maybe two or
00:04:40.400 three times a year and there were three three releases in like a month um
00:04:45.840 that's really a lot of releases um it it was actually so many releases that
00:04:52.479 the release manager apologized for releasing too much um
00:04:57.759 but it would have been worse to not release because the releases contain fixes for critical security problems so
00:05:04.160 everything's terrible at the same time in like in the same time period uh there was a
00:05:11.680 amazing record number of rails security releases look at that that's amazing how did that even happen
00:05:18.080 um that's a really huge number of releases so
00:05:23.360 uh while that was happening and i was talking to other ruby developers uh
00:05:28.800 i would say oh there was the security release because of this security problem it's really important you should update
00:05:34.080 so that all of your stuff isn't easily hackable by anyone who wants to hack it and
00:05:40.639 a really common question that i suddenly got when i started talking about security issues was like wait uh
00:05:46.400 okay a security issue means that there's some cve number that goes with it but what does that mean
00:05:51.680 so cve does mean a security issue but it
00:05:56.880 actually like also has additional meaning cve stands for common vulnerabilities and exposures and it's a
00:06:03.919 number issued by a company that tracks security issues for
00:06:09.280 actually all software um there's it's not like just ruby it's not just python it's not
00:06:16.160 just oracle it's not just it's security issues with all of the
00:06:21.360 software in the world and there's a company called mitre corporation that
00:06:28.880 issues the numbers that are used to track these security issues and lots of organizations including huge
00:06:35.520 corporations and even governments including the us government have agreed to use these numbers that are issued by
00:06:41.360 mitre as the like way to tell that you're talking about the same security vulnerability
00:06:47.280 because when you say as you just saw did you see that big security vulnerability in rails yesterday you could be talking
00:06:53.680 about three things so having the cve number is a good way to tell them apart
00:07:00.880 the mitre corporation assigns blocks of numbers to big software companies like oracle or apple or microsoft red hat
00:07:07.759 other companies those companies then when they encounter specific security issues use one of the numbers that they
00:07:14.720 already have in a block to say okay this security issue has this specific number and now we're just going to use that
00:07:20.080 number to talk about this problem from now on the
00:07:25.199 ruby community has been getting help with security issues from red hat the
00:07:30.240 red hat security operations group has mostly been the source of cves for
00:07:35.360 ruby and for software written in ruby like rails and bundler and other gems
00:07:41.840 there is a global or yeah global
00:07:47.759 both both mitre and the u.s government's national institute of standards and technology have websites that provide a
00:07:54.560 complete list of all the cves that have ever been issued so you can go look them up you can see what the problem was you
00:08:00.720 can see what software the problem was with and you can see if there are workarounds or if there's a version of
00:08:06.800 the software that fixes the problem or if there's nothing that can be done and you're just screwed
00:08:13.120 all of those things are there on those websites so
00:08:18.560 once i've explained that part and i'm telling people that these security issues could cause really
00:08:24.400 severe problems with their application because there are horrible people out there who would be
00:08:30.080 really happy to take advantage of these security problems the most common response that i get is but matt's is nice and we're nice and why is security
00:08:37.200 a big deal come on this is all everybody's just great right um
00:08:42.959 so unfortunately uh in that time period where ruby and rails
00:08:48.320 both had tons and tons of security issues discovered at the same time
00:08:53.839 there were so many security issues in such a small period of time
00:08:59.440 that security researchers who many of whom are not rubyists and many
00:09:04.640 of whom are not nice said wow if there are that many bugs there must be a lot more other bugs that
00:09:11.120 are pretty easy to find too and so uh
00:09:18.399 that's ultimately the reason why it's really important to start talking about this stuff and thinking about it now because
00:09:24.080 we've unfortunately for the last like year and a half or two years as the ruby community
00:09:30.399 been kind of a bigger juicier looking target than
00:09:37.360 other software and other communities just because there's this like well-known set of wow that was a whole lot of problems so
00:09:43.839 fast like maybe there's some more problems i should go check them out and so it's actually really important that we
00:09:49.600 start paying attention to this because it's not it's not like those security researchers are going to go away satisfied that there are no bugs in our
00:09:56.000 software there will be bugs in our software and now they're paying attention and looking for them
00:10:03.440 so as you have probably noticed there are
00:10:09.200 some other people in the ruby community who maybe aren't as nice um
00:10:15.360 but before all of these security issues happened um
00:10:21.680 rails was actually the only project that had any serious experience dealing with security issues at all
00:10:29.120 rails was part of this big group but before that rails actually had established procedures for dealing with
00:10:34.880 security issues and they had a security team and they had a security reporting address and they had a bunch of stuff
00:10:41.200 that meant that they were actually able to deal with this flood of security issues when it
00:10:46.800 came up and so that means that the rest of the ruby community can definitely learn from the
00:10:52.640 things that the rails team has already figured out as a result of having to be on top of that stuff just by being a
00:10:58.320 bigger more attractive target to security researchers so
00:11:03.440 um the other reason why for a very long time rails was the only
00:11:11.519 gem that had any experience dealing with security issues is because for a really long time rails was the only gem that
00:11:18.240 really was worth attacking um when when rails was like the only thing that
00:11:24.480 everyone used uh there wasn't really anything else that really mattered to attack um but
00:11:31.040 starting with rails three uh one of the big changes that happened in rails three is that things broke down into smaller
00:11:36.720 and smaller pieces and you can only use some of those pieces or you can swap some of those pieces out for other pieces and
00:11:43.680 ultimately the combination of rails 3 becoming modular and
00:11:49.440 bundler providing the ability to add a new gem to your project by like copying and pasting one line of code and then
00:11:55.120 typing bundle it means that now we have hundreds of
00:12:00.240 chances for security issues in every project hooray
00:12:05.279 so i actually went back and and tracked
00:12:11.600 uh an eight-week period kind of just after the ruby and rails issues that i showed you
00:12:18.079 and i counted up which gems had security releases with fixes for like critical
00:12:23.120 security issues in them so this is just eight weeks uh
00:12:28.399 rubygems yes rubygems had a security issue it was in the documentation generator there was a css
00:12:34.800 attack uh bundler had a security issue json had a security issue rexml had a security issue rack had a security issue
00:12:41.200 arrow had a security issue active record has security issue action pack had a security issue active support had a security issue ardoc ardoc had a
00:12:47.360 security issue um yup uh that was eight weeks um
00:12:54.320 unless you spend a lot of time running bundle outdated chances are good that you do not
00:13:00.399 actually make sure that rdoc is up to date in case there's a security issue um
00:13:06.720 so uh i'm here to talk to you about what should we do about that problem um
00:13:12.720 just keeping up with the super critical security releases is sometimes really hard right like ruby has a critical
00:13:18.880 security release and you're like oh but something slightly different and my application doesn't quite work seamlessly and that means we have to
00:13:24.480 upgrade production and that means that the other developers also have to upgrade their development environments and maybe we should just do this a
00:13:30.720 little later and then you have a critical security vulnerability that everyone knows about in production on your servers which is
00:13:38.000 not good um so how how can we handle the problems that we
00:13:44.480 face when other people's code have security issues um
00:13:49.839 well it's it's really frustrating right um updating is a pain security updates are
00:13:56.560 important but it's not always really clear what the downside of ignoring them is um
00:14:04.160 again when i talk to ruby developers about security updates they're like oh yeah that's important security is
00:14:09.600 important i know security is important uh we'll we'll do that when we have some free time you know
00:14:15.120 after this important thing and then that important thing and then the other important thing
00:14:20.240 well one day we'll do it um so it's also really hard to sell updating
00:14:26.160 sometimes to bosses you're like well we need to spend some time to do this update and the law is like oh okay that
00:14:31.440 won't make your your shipping schedule slip at all right you're you're going to be done with everything at exactly the same time after you upgrade and you're
00:14:37.760 like yeah maybe um
00:14:42.839 so uh the way that i've found is most useful to think about updating is that it's a
00:14:50.160 lot like insurance businesses businesses are actually really fond of
00:14:55.600 insurance if something really disastrous happens uh the business is not instantaneously
00:15:01.440 destroyed by whatever the problem was they talked to the insurance company and the insurance company says wow that was really unlikely um good thing you've
00:15:08.399 been paying for insurance we got you covered updating is basically like that
00:15:14.639 it's a small amount of developer time that you pay on an ongoing basis when there are new updates
00:15:22.880 but without that small payment over time
00:15:28.480 when something goes wrong what goes wrong goes really wrong because your system is full of security issues that
00:15:35.199 anyone who pays attention just like already knows about how to use and exploit and
00:15:41.600 hack your stuff and hack your users stuff and hack their stuff
00:15:46.800 and it just gets worse from there um as as you can maybe imagine this is not
00:15:52.000 really great for anyone honestly but uh you as a developer in particular um
00:15:58.480 and just one security breach can be a really big deal ask me i worked on rubygems.org
00:16:05.680 when there was a security breach and we had to throw away the servers and build new servers from scratch and
00:16:12.560 download every single gem and check to make sure that no one had replaced any of them
00:16:17.759 and build new servers and a week later rubygems.org was back up and everyone
00:16:22.880 was really relieved but it was not good um so
00:16:28.720 uh it takes down like if if you do so assuming that you're not doing this
00:16:35.920 insurance level maintenance of upgrading when there are critical security upgrades available
00:16:41.920 when you have a problem it takes down your site for an amount of time that is
00:16:47.040 more than five minutes and less than months i guess but it's not really clear how long it's going to take right like
00:16:53.440 uh there was there was a company that offered backups um
00:16:59.199 as like their entire service was give us some money and we'll hold your backups and
00:17:04.959 they one of their like uh not even really important servers hadn't
00:17:12.000 had security updates applied and it got hacked and they had been using the same aws key for
00:17:20.400 every single thing that they did on aws on every machine and their not important server had a copy of that key
00:17:27.679 and the people who hacked that not important server that they hadn't bothered to upgrade because it wasn't important
00:17:33.520 use the aws key to delete every single piece of data that the entire company had ever put onto aws
00:17:40.880 and make sure that it couldn't be recovered because it was the admin key for the account so that entire business literally
00:17:47.919 replaced their website with we have gone out of business sorry and they were out of business the next day um like that is actually a real
00:17:55.200 thing that happened uh so security issues are somewhere between bad and your business is now over go
00:18:02.559 find a new job um even if it's not that bad uh security
00:18:10.080 issues especially in places where there are laws around disclosing
00:18:15.280 being hacked like in the u.s it's not super even it's like a state by state thing but like in
00:18:21.360 california which matters for a lot of tech companies because if they have some corporate existence in california this
00:18:28.160 law applies to them you actually have to inform every single person whose information might have been stolen when
00:18:33.360 you get hacked that means lawyers that means having to figure out how to contact
00:18:38.400 hundreds or thousands or hundreds of thousands of people and it's just like a gigantic
00:18:45.200 problem is a nice way to put it so
00:18:51.039 updating is hard work i totally get that i experienced the hard work myself it sucks but updating is worth it because
00:19:00.720 uh updating like insurance gets you something that takes a gigantic disaster
00:19:06.880 into something that is not actually a complete disaster and then you can do things like sleep at night because you
00:19:13.120 don't have to find any job which is great uh so that covers security issues with
00:19:19.360 other people's code now let's talk about what happens when you find security issues that aren't
00:19:26.400 actually causing critical security updates yet right so
00:19:32.960 we're developers we use other people's code chances are really high that while
00:19:38.240 you use other people's code at some point you will find a problem with other people's code anybody who's never found a problem with
00:19:44.559 other people's code raise their hand okay that's what i thought
00:19:49.760 so if the problem that you find with someone else's code
00:19:55.200 is maybe a security problem what should you do about it well uh fortunately
00:20:02.320 we don't have to try to figure that out software developers and security
00:20:08.480 researchers and companies that sell software for the last several decades have been engaged in a kind of
00:20:15.039 low level argument slash war about how security
00:20:20.240 issues should be reported and they've kind of hashed out something that is considered the best practice for a
00:20:27.840 software developer who finds a security issue so that's what i'm going to talk about it's called responsible disclosure
00:20:34.400 um it's as i said it's kind of worked out from years of trying different options
00:20:40.559 it is not super great except everything else is worse
00:20:47.120 and it's the best thing that we've come up with yet because although
00:20:52.799 everyone involved in the situation usually ends up unhappy uh everyone involved in the situation hopefully does
00:20:59.280 not end up screwed over um so uh responsible and disclosure i'll talk
00:21:05.360 about disclosure first uh companies hate disclosure right uh if
00:21:11.360 you announce that your software has a problem and isn't perfect that's like companies are like no no we're not
00:21:17.679 that's not okay we can't we can't tell people that we make not perfect software
00:21:22.799 um and companies are really motivated to make sure that problems with their
00:21:28.640 products aren't publicized right if they can spend money or
00:21:34.720 spend money on lawyers to sue you to make sure that no one will find out about the
00:21:39.840 problem it's actually often worth it to them um and then there's the responsible part
00:21:46.720 uh security researchers really hate this part um responsible disclosure means that
00:21:53.600 you don't say hey i found the security issue aren't i so cool and you put it on the
00:21:58.880 internet um it means that you go talk to the company and you say hey i found the security issue
00:22:04.799 uh there's a generally accepted amount of time depending on how bad the issue
00:22:10.400 is and what company it is it's usually between 30 and 90 days and you say hey i'm going to give you this window
00:22:16.559 at the end of this window if you haven't made an agreement with me about when you're going to have this fixed then
00:22:23.120 i'll make it public um this is the stuff that security researchers hate because
00:22:29.679 it means that they can't go talk about how awesome they are and that's basically what security researchers do security research for as far as i've
00:22:35.919 ever been able to tell so everyone ends up unhappy but hopefully
00:22:41.120 nobody ends up screwed over by it um and one way for this to possibly end up with
00:22:47.919 not everyone ending up screwed over is rewards some companies are trying to change the
00:22:54.080 equation of security researchers being really unhappy by saying hey we'll pay you
00:22:59.520 money to reward you for finding this and then you can talk about it but
00:23:06.480 we'll only give you the money if you don't talk about it until after we fixed it um which is cool like maybe everyone ends
00:23:13.039 up happy that'd be great uh so here are some examples of what companies
00:23:18.880 do um google for example has a very clear
00:23:24.400 application security researcher slash reward policy um
00:23:30.640 they rank how big a security issue is and then they
00:23:35.840 issue an award somewhere between a hundred and twenty thousand dollars um last time i checked the max was twenty thousand dollars per issue um
00:23:43.360 but i mean don't let that stop you there was one guy who reported three bugs in chrome at one time and got a pad of thirty five thousand
00:23:49.840 uh google actually uh
00:23:55.280 so far so far this year that might be last year but uh yeah lots
00:24:01.520 of money going to security researchers this is actually a thing that is totally working out for google
00:24:08.640 other companies explicitly provide responsible disclosure guidelines
00:24:15.440 but what is this this is oh yeah this is the payout schedule it's
00:24:21.679 i feel like someone thought that they were just so clever that they set the low end of the scale to
00:24:27.840 one three three seven dollars um anyway uh there are other companies that
00:24:34.960 have really explicit uh agreements about responsible disclosure but then state
00:24:41.600 that researchers will not be given any money um i'm not sure why companies would decide to do that but they definitely
00:24:48.080 exist um other big company examples who are willing to pay out include facebook
00:24:54.960 facebook has you know kind of a similar bounty set up to google um they say if it's an actual
00:25:01.600 security bug they will give you money it will be at least five hundred dollars the highest payout that i know of that
00:25:07.120 facebook has issued was i think uh like forty or fifty thousand dollars for
00:25:12.960 a single bug it was a really bad bug um there's uh other systems that are kind
00:25:19.039 of like semi-alternative github has set up like a bounty slash uh
00:25:25.679 game center leaderboard for security issues you can earn points for finding bugs in
00:25:31.360 github they give you both points and rank you on a leaderboard and give you
00:25:36.799 t-shirts and give you money works for github uh
00:25:43.360 they oh yeah uh they don't explicitly say whether they'll give you money or not
00:25:48.640 but they definitely have paid a lot of money to people who have found bugs in github um
00:25:54.640 where else was i going oh yeah uh engine yard is one of those companies like i was talking about a minute ago where
00:26:01.120 they have a policy they explicitly say zero dollars ever
00:26:07.200 um so if you find security issues to re-sum up
00:26:13.440 talk to the company whose code if it's a company definitely talk to the company whose code you found a security issue
00:26:18.960 with um try to make sure that
00:26:24.480 they know what's going on so right if you find a bug
00:26:31.120 back to your work as a developer once you have the bug stop
00:26:38.559 think for a second there are two questions that you can ask yourself that are really straightforward that let you
00:26:43.600 know how to handle the bug that you found um the the fact that
00:26:49.360 it's a bug means that something isn't working the way it's supposed to but the thing that makes it a security
00:26:55.279 issue or not is can you get to something that doesn't belong to you can you see someone else's
00:27:01.039 information can you change someone else's information can you cause problems for people
00:27:07.440 who aren't you and second can you disable something for
00:27:13.200 people who aren't you um this is like an entire class of attacks that mostly get called denial of service
00:27:20.159 even though they're not like a distributed denial of service attack like what happens to github every
00:27:25.600 couple of months they're an attack like when symbols used to not
00:27:30.960 be garbage collected and you could just send requests to a rail server in a loop until the rail server died and locked up
00:27:37.279 and you couldn't do anything so if the answer to either one of those two
00:27:42.320 questions was yes then you should go talk to whoever owns that
00:27:47.679 software before you go out onto the internet and say hey guys i found this problem everybody you should
00:27:54.720 attack it that's that's what happens right even if you don't actually say that there are people who pay attention to
00:28:01.279 stuff on the internet looking for new problems that they can use to attack things
00:28:08.000 so contact an author even if it's a false alarm the author will be able to say hey that's not actually a security issue but
00:28:14.559 thanks for letting me know and then you can go talk about it if you want but if it is a genuine security issue
00:28:20.559 it's a really good thing that you checked in with them before you went and announced it publicly it means that they have a chance to fix it and it means
00:28:26.320 that everyone else can potentially have a chance to upgrade to the version that's fixed before
00:28:31.520 there's a script that you can download that lets you auto hack anything with that that flaw
00:28:40.080 so if you go to report if there is a company behind it definitely go talk to the company most
00:28:46.399 companies as we just saw have specific security reporting guidelines if it's not a company
00:28:52.320 uh check the readme check to see if there's a security policy if there's not just check to see if
00:28:58.720 there's at least an email in the gem spec of the gem that you can send an email to sadly sometimes there's not even an
00:29:04.880 email in the gem spec but like find the repo on github and see if there's an email on the author's account on github
00:29:10.559 just like try to get in contact with them somehow definitely try to contact the author if
00:29:17.360 you can if you can't contact the author or if you try
00:29:24.720 to contact the author and you don't get any response at all even after waiting for a couple of days
00:29:30.640 um then you have to kind of make a decision um
00:29:36.720 what what are you gonna do about it so uh i'll talk about that in a second but
00:29:42.399 ultimately when you're talking to developers about security issues please try to remember that those are
00:29:47.919 also developers and you could be on the other end of this at some point with your own code have
00:29:55.360 empathy with the other person it is not their primary job in life to fix the security problem that you found
00:30:02.399 try to figure out a solution that means that they can fix their problem and that you can get credit for it that doesn't involve
00:30:09.039 anyone having to be vulnerable to attacks most authors most of the time will say
00:30:15.840 hey i really appreciate that you let me know about this i figured out how to fix it and i'm going to announce the fix
00:30:22.399 and let's announce the bug and the fix at the same time and then everyone can upgrade and it should be fine
00:30:27.919 that is actually really fortunately the most common thing that happens
00:30:34.320 but in the worst case you won't be able to get a hold of the author uh the author will have disappeared
00:30:40.320 um you can just stop using that gem i've done that a couple of times if there's some other option that you can use that
00:30:46.880 does have a maintainer or that you can take over maintaining instead i've done that
00:30:52.080 but you could also just fork it and fix it yourself and be like hey i fixed the security problem in the version that you
00:30:57.520 have and then start using that at least then you don't have the problem um
00:31:02.840 so uh that in i guess not that short of a summary is
00:31:09.200 responsible disclosure and last uh i want to talk about what happens when you have a security problem in one
00:31:16.240 of your gyms um so uh maybe show of hands how many of you have
00:31:22.159 ever written a gem that is published on rubygems
00:31:27.760 that's a pretty good number of hands how many of you have written ruby code that's on github that other people can use
00:31:34.080 even more hands okay cool so this actually applies to all of you uh even
00:31:39.200 if it's not a gem your code is a security vulnerability for someone else waiting to happen hooray
00:31:46.399 uh you know unless your code is perfect uh in which case i'm sure everything's fine
00:31:52.240 um so there's uh three people who find problems with your code
00:31:58.559 that you'll have to deal with three kinds of people the easy one is someone like you they
00:32:04.399 say hey i found this problem maybe we can get it fixed and then announce that it was a problem and you can
00:32:10.000 release it that's totally the easy case right you fix it you release it you announced
00:32:15.120 there was a problem but now it's fixed everyone's happy um there's a medium hard one where
00:32:21.440 the problem is already out there and people are already maybe already figuring out how to use it to do bad
00:32:27.760 things um in that case if you can announce it without making it
00:32:33.360 even more dangerous for the people who already have the problem do it right away but fix it like that's basically the
00:32:40.159 answer always but in this case it's even more important because people might already be having problems as a result
00:32:46.399 and then just announce it and basically everything's fine the hard one is when it's a security researcher who's like i'm amazing you
00:32:53.840 better fix this i want to talk about how cool i am um so
00:33:00.080 if and if you run into a person like this i'm really sorry there are definitely people in this room who have had to deal with this kind of security
00:33:07.360 researcher possibly many times aaron um
00:33:13.840 and so it's really important to respond
00:33:19.279 soon enough that they know that you heard them which usually means within 48 hours 48 business hours
00:33:26.559 it's really important to tell them what you plan to do and it's really important to let them know that you're still working on it if you're still working on
00:33:33.039 it security researchers will usually wait until they haven't heard from you for two or three days and then say
00:33:39.840 oh you haven't told me anything i guess you're not fixing it i better go tell everyone in public now um that totally
00:33:46.240 sucks be careful ultimately if you own code make it as
00:33:51.679 easy as possible for people to let you know if there are problems with it so that you can fix it
00:33:58.159 put your email or an email that people who use the gem can use to contact you in the gem spec put it on github
00:34:04.880 if you're on a team have a security address for that team write a security disclosure disclosure policy even if it's just like
00:34:11.440 one paragraph of like please let us know we will thank you we will fix it um
00:34:18.079 yeah that's that's basically the plan so uh i created a
00:34:23.679 mailing list specifically for uh gems that have security issues there's a rails only mailing list for
00:34:30.480 security issues but there isn't a mailing list for ruby and rails and bundler and gem whatever or there wasn't
00:34:37.599 until i created this one it's a google group you can subscribe to it that's the address
00:34:44.240 and the rails team and lots of other gems send all their security issues there so
00:34:50.320 you don't have to like track down individual security announcements for gems you can just subscribe to that one um
00:34:55.919 ultimately i hope that if we're all paying attention
00:35:01.200 security will become just kind of like a background thing that we all know how to deal with and that's when we can go
00:35:06.640 shopping thanks
00:35:16.160 do we have any questions for andre yes
00:35:23.599 thanks for the great talk uh so our team uses things like breakman or like rails practice
00:35:30.480 what do you think about them and also are there any automated ways of like running these gems and then
00:35:37.119 automatically updating them do you think that's a good practice some automation tools for security patches thanks uh
00:35:42.800 sure so uh definitely i think brakeman is a super
00:35:47.920 valuable tool because it watches for things that you can do in rails that
00:35:54.160 create security holes it's kind of unfortunate that it's so easy to potentially create security
00:36:00.160 holes that you can find them by running a regular expression against the code base uh but
00:36:05.440 brakeman's good at finding them and for sure using a code climate integrates breakman if you use that
00:36:11.280 or you can run breakman itself against your code base um that
00:36:16.400 definitely protects you against the set of like really obvious things that break man knows about
00:36:22.240 definitely keep in mind that it is very like it's not actually even hard to
00:36:27.280 write a security issue that breakman doesn't know exists um it's not a fix for everything it just protects you
00:36:32.720 against some of the like well-known things that people have done a lot in the past um as for updating things uh it
00:36:40.720 is possible to get a list of
00:36:46.320 outdated or i guess a list of updates to all of the gems that you have in an application just by running the bundle
00:36:52.720 outdated command that will at least tell you if you're behind
00:36:58.320 it's harder to know if there are critical security updates in those changes
00:37:04.160 there actually isn't any super good collection of like here's what changed and that you can easily read um
00:37:11.760 ultimately it just kind of comes down to an ongoing again actual amount of work
00:37:17.520 and doing things like subscribing to the security list so that you know if there is like a big critical security issue
00:37:23.599 you can at least know about that and then just kind of like over time look at one outdated gem spend a few
00:37:30.480 minutes on it sometime later come back and look at one more outdated jam and be like well do i
00:37:35.599 need this update is it going to break things does it work do the test pass if i upgrade it cool let's do it
00:37:41.599 that's pretty much the best that we know how to do right now
00:37:47.520 any other questions over here yeah so uh actually i really
00:37:54.720 love ruby jams you know i think it really helps projects um i i write gems
00:37:59.760 and maintain some of them myself um but when we are on a project we can easily see that you know big long running
00:38:06.400 projects have like easily 50 to 100 gems oh yeah as the maintainer of you
00:38:11.599 know bundler and do you think it's a you know it's a problem or what's your take on it uh
00:38:19.200 i i guess there are a lot of applications that use 50 or 100 or 200 or i've seen
00:38:26.880 applications that use 400 gems and uh as the author of bundler i'm sorry
00:38:33.760 um uh it's it's trading one problem for another right like
00:38:40.240 you were able to spend a lot less time doing things by using those gems but
00:38:45.920 using those gems means that you have to spend more time doing some things like upgrading those gems when there are security problems um
00:38:53.119 unfortunately we have yet to discover whatever it is that makes the computer actually do it for us i'm waiting for
00:38:59.280 mats to ship that in ruby 3.0 um but in the meantime uh
00:39:05.680 decide if it's worth the trade-off if what the gym does for you is actually like gives you a single function that
00:39:10.880 you could write in five lines it's probably actually not worth keeping the gem because then you don't have to pay
00:39:16.560 attention to security updates if the gem implements an entire login system and has active main you know
00:39:23.200 maintainers like that's probably worth it you don't have to write a bunch of code it's a trade-off
00:39:28.720 i know you mentioned there isn't really a good place online to find out about it there's something called the ruby advisory database which is github that
00:39:35.760 is trying to track all those definitely plans to kind of maybe like i see a life of bundle is like bundle security outdated or
00:39:42.240 something uh i don't have any explicit plans to add bundle outdated security but that
00:39:48.000 actually is a pretty good idea um if somebody wants to submit a pull request
00:39:55.520 let me know um i would be interested in bundle outdated security uh yeah for sure
00:40:01.760 great thank you so much andre no worries let's thank our speakers
00:40:07.839 again
André Arko
@indirect
Explore all talks recorded at Red Dot Ruby Conference 2015
+18