The State of Security in Ruby
Who Does This Guy Think He Is!?
- Matt Glover
- Software engineer at Mandiant
- Interested in software security and secure coding concepts
He Is NOT:
- A security expert
- More qualified to speak about security than anyone else in the room
- Even though he works at a security-focused company
- He just has to worry about security a little more often
He Also Is:
- Looking to hire:
- Test automation engineers and QA
- Strong UI developers (HTML/CSS)
What Will Be Covered
Recent Security Issues in the Ruby Ecosystem
Is Ruby Security A Mess?
What Can Be Done? - Practices, Tools, and Tips
Security Issues in Ruby
A rocky 12 months on the security front (primarily since the start of 2013)
- 55 CVEs mentioning Ruby:
- MRI, JRuby, Rubinius, etc.
- Rails, Devise, JSON, etc.
- Various other gems large and small
- Rubygems compromise in January
Rubygems Website Example
Rubygems compromise in January
TL;DR - Executed YAML.load on gem metadata, enabling code execution. Now whitelists classes demarshalled from gems.
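The whitelisting fix described above, as an added example (not rubygems.org's own code): `GemMeta` is a constructed stand-in for the real `Gem::Specification`, and both YAML documents are constructed samples. `YAML.safe_load` with `permitted_classes` only instantiates classes named on the whitelist and raises `Psych::DisallowedClass` for any other tagged object.

```ruby
require "yaml"

# Constructed stand-in for gem metadata; real gems serialize Gem::Specification.
class GemMeta
  attr_accessor :name, :version
end

# Constructed metadata document of the kind a gem ships: a tagged Ruby object.
TRUSTED_DOC = <<~YAML
  --- !ruby/object:GemMeta
  name: example
  version: 1.0.0
YAML

# Same shape, but tagged with a class that is not on the whitelist.
UNEXPECTED_DOC = <<~YAML
  --- !ruby/object:Object
  name: example
YAML

# Only GemMeta may be revived; aliases are refused as well to keep the
# document from expanding into a deeply nested structure.
def load_gem_metadata(yaml)
  YAML.safe_load(yaml, permitted_classes: [GemMeta], aliases: false)
end

# True when the loader refuses the document because of an unlisted class.
def metadata_rejected?(yaml)
  load_gem_metadata(yaml)
  false
rescue Psych::DisallowedClass
  true
end
```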
CVEs in Other Gems
A non-exhaustive list of other Ruby gem CVEs over the past year:
Security Vulnerability Impacts
[3.2.8 => 3.2.9]: Backwards incompatible changes. Wait for the revert.
[3.2.8 => 3.2.10]: Still waiting on the 3.2.9 reverts and easy to patch.
[3.2.8 => 3.2.11]: Still waiting on the 3.2.9 reverts and easy to patch.
[3.2.8 => 3.2.12]: Okay this is getting out of hand. Are the reverts even coming?
[3.2.8 => 3.2.13]: Reverts! More incompatible changes!? Work around issues?
Why Rails Patches Are Painful
Tight coupling between multiple components makes patching difficult.
Rails includes an ORM, a mailer, a full web request stack, parameter handlers, etc.
GitHub’s recent email problem demonstrated these pains
Rails has improved their patch policy
Why are we seeing this?
- Popularity of major libraries like Rails
- Increases/improvements in the software security research community
- Things long known to be broken or questionable finally coming to relevance
Where are we at now?
- A lot of low hanging fruit left?
How Does Ruby Stack Up?
Ruby v. Java - Java is a mature enterprise-grade solution! That MUST be more secure!!!
Ruby v. Other OSS (Apache, Postgres, etc.)
What Is The Lesson Here?
- Ruby has terrible security!
- Everything has terrible security!!
- Writing software is hard.
—Security Breaches Are Inevitable—
Disagree? Consider the following:
“Software bugs are inevitable.”
In my view:
:software_security == :software_quality
Arguably software security includes non-software elements that fall outside software quality
So how do we deal with this reality?
Easy! Just Write Good Code!
Scale your security.
- Compare a personal blog to Twitter
- Compare a personal blog to a small site handling financial data
- Compare a small financial site to a global financial organization
Defense in Depth
Detection - Internal Issues
Detecting a compromise:
- Monitoring and notifications
- Make it easy to report vulnerabilities and compromises securely
- Smart testing
- Writing tests for security (edge cases, authorization checks, etc.)
- Utilize security-focused testing tools like SAST and DAST
- Hiring third parties
Detection - External Issues
Areas to Consider:
- 3rd party code (gems)
- Tracking 3rd party libs (infrastructure: Postgres, Apache, etc.)
- Problems with your hosting provider (Linode compromise)
Some Tracking Mechanisms:
- Find a place that announces security issues and follow it
- If that fails, find a place that announces releases in general and follow it
- RSS/Atom feeds
- Mailing lists
- Follow established members of the tech community (blogs, Twitter, etc.)
- Track CVEs from NIST
- OWASP Top 10 Security Risks
- Read the OWASP Development Guide
- Security controls as design elements and requirements
- Ask security questions during code reviews
- Integrate security cases into your test suite
- Consider rolling your own code in place of third party libraries
- Controls on third party libraries
Defense - Continued
- brakeman is a SAST for Rails
- Code quality suites, like metric_fu, call out weak spots in your code
- OWASP ESAPI gem brings a FOSS web application security control library to Ruby
- One of many dynamic application security tools
- Intentionally cause failures in a cloud setting with Chaos Monkey by Netflix
To reiterate: Security breaches are inevitable
Treat a security response like a disaster recovery response:
- Keep backups
- Test your restore process
- Encrypt sensitive data
- SHA-2 hashing of passwords (or bcrypt, scrypt, et al. if you prefer)
OpenSSL.fips_mode = true for Federal clients!
- Load balancing
- Ship audits/logs to another machine
- Logs tell you who, what, when, where, and how
- Notify appropriate stakeholders
- Sometimes compromise of data carries an obligation to notify
- During a breach, don’t panic. You have a plan!
- Multi-purpose: Downed servers, corrupted data stores, etc.
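The "SHA-2 hashing of passwords" item above, done the way a practitioner would apply SHA-2 to passwords: salted and iterated through PBKDF2-HMAC-SHA-256 from Ruby's OpenSSL stdlib, not a single digest call. This is an added example, not code from the talk; the stored-record format and the constant-time compare helper are assumptions of this example.

```ruby
require "openssl"
require "securerandom"

ITERATIONS = 100_000 # raise as hardware improves; old records carry their own count
SALT_BYTES = 16
KEY_BYTES  = 32      # 256-bit derived key

# Derive a salted, iterated SHA-256 hash and pack it with its parameters
# (constructed record format: scheme$iterations$salt_hex$key_hex).
def hash_password(password, salt: SecureRandom.random_bytes(SALT_BYTES),
                  iterations: ITERATIONS)
  key = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                                 length: KEY_BYTES, hash: "sha256")
  ["pbkdf2-sha256", iterations, salt.unpack1("H*"), key.unpack1("H*")].join("$")
end

# Constant-time byte comparison; a plain == stops at the first mismatching
# byte and leaks timing information about the stored hash.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Re-derive with the record's own salt and iteration count, then compare.
def verify_password(password, stored)
  scheme, iterations, salt_hex, key_hex = stored.split("$", 4)
  return false unless scheme == "pbkdf2-sha256" && salt_hex && key_hex
  salt = [salt_hex].pack("H*")
  candidate = hash_password(password, salt: salt, iterations: iterations.to_i)
  secure_compare(candidate.split("$", 4).last, key_hex)
end
```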
What We Can Do
Community efforts that can help:
- Open communication
- Thoughtful disclosure of issues you discover
- Make step-wise progress
- rubygems-trust attempted a large scale solution to gem signing
Most images under a Creative Commons license.