The State of Security in Ruby


Who Does This Guy Think He Is!?

He Is:

He Is NOT:

He Also Is:

What Will Be Covered

  1. Recent Security Issues in the Ruby Ecosystem

  2. Is Ruby Security A Mess?

  3. What Can Be Done? - Practices, Tools, and Tips

Security Issues in Ruby

A rocky 12 months on the security front (primarily since the start of 2013)

Ruby Example

Hash-flooding DoS vulnerability for Ruby 1.9.

TL;DR - Replaces the hashing algorithm to avoid predictable collisions that lead to worst-case insert times.


Rails Example

3.2.11 Arbitrary Code Execution via XML

TL;DR - Typed entities, like YAML, were parsed while constructing the parameter hash from XML. Now the vulnerable types are not allowed.

Rubygems Website Example

Rubygems compromise in January

TL;DR - Ran YAML.load on gem metadata, enabling code execution. Now whitelists the classes demarshalled from gems.
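Both the Rails XML-parameter issue and the rubygems metadata issue above come down to the same thing: deserializing attacker-controlled YAML into arbitrary Ruby objects. The following is an added example (not code from the presentation or from rubygems.org) of the fix pattern, an allow-list of classes enforced with Psych's safe_load; it assumes Ruby 2.6+ (Psych 3.1 keyword arguments), and the allow-list, the class name in the tag and the sample documents are constructed for illustration.

```ruby
require 'yaml'

# Classes the loader is willing to instantiate from YAML tags.
# Constructed allow-list for this example; rubygems.org's own list is not reproduced here.
PERMITTED_METADATA_CLASSES = [Symbol].freeze

# Parse untrusted YAML (for example gem metadata) without letting a
# `!ruby/object:` tag instantiate an arbitrary class. Returns the parsed
# document, or nil when the document asks for a class not on the allow-list.
def load_gem_metadata(yaml_text)
  YAML.safe_load(yaml_text,
                 permitted_classes: PERMITTED_METADATA_CLASSES,
                 aliases: false)
rescue Psych::DisallowedClass => e
  warn "rejected metadata: #{e.message}"   # log and refuse rather than instantiate
  nil
end

# Constructed sample: plain scalars and sequences only, the shape metadata should have.
BENIGN_METADATA = <<~YAML
  name: demo_gem
  version: '1.2.3'
  authors:
    - Example Author
  summary: A constructed example
YAML

# Constructed sample: the same metadata, but tagged so that an unrestricted
# loader would allocate an application class (SomeAppClass is a placeholder name).
TAGGED_METADATA = <<~YAML
  --- !ruby/object:SomeAppClass
  name: demo_gem
  version: '1.2.3'
YAML

if __FILE__ == $PROGRAM_NAME
  p load_gem_metadata(BENIGN_METADATA)   # plain Hash with the four keys
  p load_gem_metadata(TAGGED_METADATA)   # nil, Psych::DisallowedClass was rescued
end
```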

CVEs in Other Gems

A non-exhaustive list of other Ruby gem CVEs over the past year:

Security Vulnerability Impacts

Upgrading Rails:

x [3.2.8 => 3.2.9]: Backwards incompatible changes. Wait for the revert.

x [3.2.8 => 3.2.10]: Still waiting on the 3.2.9 reverts and easy to patch.

x [3.2.8 => 3.2.11]: Still waiting on the 3.2.9 reverts and easy to patch.

x [3.2.8 => 3.2.12]: Okay this is getting out of hand. Are the reverts even coming?

check [3.2.8 => 3.2.13]: Reverts! More incompatible changes!? Work around issues?

Why Rails Patches Are Painful

Tight coupling between multiple components makes patching difficult.

Rails includes an ORM, a mailer, a full web request stack, parameter handlers, etc.

GitHub's recent email problem demonstrated these pains

Rails has improved their patch policy

Why are we seeing this?

  • Popularity of Ruby
  • Popularity of major libraries like Rails
  • Increases/improvements in the software security research community
  • Things long known to be broken or questionable finally coming to relevance

Where are we at now?

  • A lot of low hanging fruit left?

How Does Ruby Stack Up?

Ruby v. Java - Java is a mature enterprise-grade solution! That MUST be more secure!!!


Ruby v. Other OSS (Apache, Postgres, etc.)

What Is The Lesson Here?

  • Ruby has terrible security! (x)
  • Everything has terrible security!! (x)
  • Security is hard!!! (x)
  • Writing software is hard. (check)

Accepting Reality


Security Breaches Are Inevitable

Disagree? Consider the following:

“Software bugs are inevitable.”

In my view:

:software_security == :software_quality

Arguably software security includes non-software elements that fall outside software quality

So how do we deal with this reality?

Easy! Just Write Good Code!

XKCD: How to write good code

Calibrating Risk

XKCD: Over-engineering - The general problem

VS.

XKCD: Under-engineering - GOTO

Risk Management

Scale your security.

  • Compare a personal blog to Twitter
  • Compare a personal blog to a small site handling financial data
  • Compare a small financial site to a global financial organization

Defense in Depth

Good luck I'm behind 7 proxies

Detection - Internal Issues

Detecting a compromise:

  • Logging/auditing
  • Monitoring and notifications
  • Make it easy to report vulnerabilities and compromises securely

Detecting vulnerabilities:

  • Smart testing
    • Writing tests for security (edge cases, authorization checks, etc.)
    • Utilize security-focused testing tools like SAST and DAST
  • Hiring third parties

Detection - External Issues

Areas to Consider:

Some Tracking Mechanisms:

  • Find a place that announces security issues and follow it
  • If that fails find a place that announces releases in general and follow it
    • RSS/Atom feeds
    • Mailing lists
  • Follow established members of the tech community (blogs, Twitter, etc.)
  • Track CVEs from NIST

Defense

Practices:

It looks like you're trying to secure your software

Defense - Continued

Concepts:

Tools:

Mitigation

To reiterate: Security breaches are inevitable

Treat a security response like a disaster recovery response:

  • Keep backups
    • Test your restore process
  • Encrypt sensitive data
    • SHA-2 hashing of passwords (or bcrypt, scrypt, et al. if you prefer)
    • OpenSSL.fips_mode = true for Federal clients!
  • Load balancing
  • Ship audits/logs to another machine
    • Logs tell you who, what, when, where, and how
  • Notify appropriate stakeholders
    • Sometimes compromise of data carries an obligation to notify

Ancillary benefits:

  • During a breach don’t panic. You have a plan!
  • Multi-purpose: Downed servers, corrupted data stores, etc.

What We Can Do

Community efforts that can help:

Credits

Most images under a Creative Commons license.

Any Questions?


Email: Matt Glover matt.glover@mandiant.com

GPG Key: 2048R/54C013B4

Presentation: https://github.com/matt-glover/state_of_security_ruby_presentation


Creative Commons License
The State of Security in Ruby by Matt Glover is licensed under a Creative Commons Attribution 3.0 Unported License.