Joe Gutierrez

Reputation: 121

Ruby/Rails security alerts

How do Ruby developers keep updated on Ruby and RubyGems security alerts and updates? I found out about this today:

https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately

and wonder how developers usually keep up with these types of alerts. Thanks in advance.

Upvotes: 10

Views: 1610

Answers (7)

hawe

Reputation: 109

Also, if you find it hard to find the time to look for updates or perform the actual update: use mini habits to e.g. update software every Monday, as I described in the week with a Rails security strategy.

Upvotes: 0

Gavin Miller

Reputation: 43835

I actually wrote about this a few weeks back. These are the things that I would recommend:

  1. Follow the Ruby and Rails security mailing lists.
  2. Use CVE Reports to get details of security alerts as soon as you can. CVE stands for "Common Vulnerabilities and Exposures" and it's an industry standard reporting mechanism.
  3. Keep your dependencies as up to date as you can. Run bundle outdated to get this information. Keeping your test suite at > 85% is going to make dependency upgrading much easier.
  4. Create a process for your team so you can stay up to date on squashing security issues. I elaborate in the blog post on how to do that.
  5. Use tooling like bundle-audit, AppCanary, Hakiri, or Gemnasium to auto-detect gem security issues. These are easy tools to insert into a CI environment.

Upvotes: 4

hawe

Reputation: 109

Also check out the bundler-audit gem to automate this process. It will check your gems for known vulnerabilities and also recommend some improvements regarding the update process in general.

Upvotes: 3
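Added example, not code from any of the answers and not bundler-audit's own source: a stripped-down version of the check that bundler-audit performs, the kind of step Gavin Miller's item 5 and the answer above suggest running in CI. It reads the top-level entries of a Gemfile.lock and flags every gem whose locked version does not satisfy at least one of an advisory's `patched_versions` requirements (RubyGems requirement syntax, compared with `Gem::Version` and `Gem::Requirement` from the standard library). The lockfile excerpt and the advisories (ids `EXAMPLE-000x`, titles, patched version ranges) are constructed placeholders for illustration, not real advisory data.

```ruby
require 'rubygems'

# Constructed Gemfile.lock excerpt (sample input, not a real project's lockfile).
# Direct entries sit at four spaces under "specs:"; their dependencies at six.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      httparty (0.9.0)
        multi_json (~> 1.0)
      multi_json (1.5.0)
      nori (1.1.3)
      rack (1.4.5)

  PLATFORMS
    ruby

  DEPENDENCIES
    httparty
    nori
    rack
LOCK

# Constructed advisories: ids, titles and patched ranges are placeholders.
# A gem is affected unless its version satisfies one of the patched_versions.
SAMPLE_ADVISORIES = [
  { gem: 'httparty', id: 'EXAMPLE-0001', title: 'placeholder advisory',
    patched_versions: ['>= 0.9.1'] },
  { gem: 'nori',     id: 'EXAMPLE-0002', title: 'placeholder advisory',
    patched_versions: ['~> 1.1.4', '>= 2.0.0'] },   # two patched branches
  { gem: 'rack',     id: 'EXAMPLE-0003', title: 'placeholder advisory',
    patched_versions: ['>= 1.4.5'] },               # sample lock already patched
].freeze

# Returns { gem_name => Gem::Version } for the direct entries of the specs block.
def parse_lockfile(text)
  specs = {}
  in_specs = false
  text.each_line do |line|
    in_specs = true  if line =~ /^  specs:$/
    in_specs = false if line =~ /^\S/          # any new top-level section ends it
    next unless in_specs
    # Exactly four leading spaces = a resolved gem, e.g. "    rack (1.4.5)".
    # Six spaces = a dependency line like "      multi_json (~> 1.0)", skipped.
    if (m = line.match(/^    (\S+) \(([^)\s]+)\)/))
      specs[m[1]] = Gem::Version.new(m[2])
    end
  end
  specs
end

# True when the installed version lies outside every patched range.
def vulnerable?(version, patched_versions)
  patched_versions.none? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
end

# Returns the advisories that apply to gems present in the lockfile.
def audit(lock_text, advisories)
  installed = parse_lockfile(lock_text)
  advisories.select do |adv|
    version = installed[adv[:gem]]
    version && vulnerable?(version, adv[:patched_versions])
  end
end

if __FILE__ == $PROGRAM_NAME
  findings = audit(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES)
  findings.each do |f|
    puts "#{f[:gem]}: #{f[:id]} - #{f[:title]} " \
         "(patched in #{f[:patched_versions].join(', ')})"
  end
  puts(findings.empty? ? 'No known vulnerabilities found.' : "#{findings.size} finding(s).")
end
```

Against the sample data this reports `httparty` and `nori` and stays silent about `rack`, whose locked version already meets the patched range. In a real pipeline you would run `bundle audit check --update` instead, so the ruby-advisory-db is refreshed before the check and the non-zero exit status fails the build.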

indirect

Reputation: 3490

The Ruby Security Announcements list is specifically for security issues in Ruby and Rubygems.

Upvotes: 4

engineerDave

Reputation: 3935

Also the Ruby 5 Podcast is a twice weekly resource and only takes 10 minutes of your time per week.

Upvotes: 0

Anthony Alberto

Reputation: 10405

For Rails, just register for email updates in the Rails security Google group:

https://groups.google.com/forum/?fromgroups#!forum/rubyonrails-security

Upvotes: 12

Peter Brown

Reputation: 51717

I think these two sources should get you that info as soon as it's available. You could also sign up for an account at rubygems.org and add Rails to your RSS feed.

Upvotes: 0
