Description
What do rest-client, strong-password and bootstrap-sass gems have in common? They all suffered malicious code injections that were preventable. Attackers aim to take control of a legitimate RubyGems.org user account and use it to publish a malicious gem version for their own benefit. Multi-factor authentication (or MFA) prevents these account takeover attacks. In this talk, I'll be sharing a bit about how MFA works in a package ecosystem like RubyGems and how we started to enforce MFA on the RubyGems platform.

Jenny is a developer at Shopify where she works to help secure Ruby's supply chain. Over the past year, she has enjoyed contributing to RubyGems. As a relatively new Torontonian, she often spends her free time acting like a tourist, eating different cuisines and trying new activities in the city.

https://www.wnb-rb.dev/meetups/2023/01/31
Summary
The video titled "Combatting attacks against Ruby Gems with Multi-factor Authentication" features Jenny Shen, a developer at Shopify, discussing the importance of Multi-factor Authentication (MFA) in securing RubyGems.org from account takeover attacks. The session focuses on the proactive steps taken to enforce MFA among gem authors to mitigate the risk of the malicious code injections that have affected various gems in the past.

**Key Points Discussed:**

- **Introduction to MFA**: Jenny begins by highlighting her enthusiasm for the topic, drawing connections between the historical iodine deficiency and contemporary vulnerabilities in software supply chains.
- **Increasing Threats**: There has been a staggering 742% increase in supply chain attacks over the last three years, underscoring the significance of securing developer accounts.
- **Account Takeovers**: A common method of attack involves malicious actors gaining access to maintainers' accounts to publish compromised versions of gems.
- **Examples of Compromised Gems**: The talk includes the example of the 'strong-password' gem, where an attacker inserted harmful code after taking over the maintainer's account.
- **Preventative Measures**: The introduction of MFA is portrayed as a critical step, akin to iodizing salt to combat iodine deficiency; both seek to prevent a widespread problem through a simple, effective solution.
- **Implementation Journey**: Jenny elaborates on the process her team underwent to implement MFA, starting from understanding RubyGems' infrastructure to drafting a proposal for requiring MFA on popular gems.
- **Community Engagement**: The team initially suggested that MFA should be mandatory for the top 100 gems; stakeholders were engaged through a Request for Comments (RFC), which was met with positive feedback.
- **Final Rollout**: By June, the policy was publicly announced, with a mandate requiring MFA for gems with over 180 million downloads, showcasing successful community collaboration.
- **Future Directions**: The session concludes by discussing forthcoming enhancements, such as enabling security keys for authentication and developing safer methods for CI/CD processes.

In summary, Shen emphasizes that implementing MFA is a fundamental step in securing the RubyGems ecosystem and invites further conversation on open-source contributions and supply chain security initiatives.