Description
The open source gem ecosystem is a major strength of Ruby and it’s not uncommon for a production Rails application to depend upon hundreds of gems. But what are the risks of installing a gem and having it in your Gemfile? In this talk, we’ll cover what “bad things” can actually happen when you install a gem. We’ll also talk about the ways of preventing these attacks from occurring in your application dependencies (so you can sleep well at night).
Summary
The talk "Gem install: What could go wrong?", presented by Ashley Ellis Pierce and Betty Li at RailsConf 2022, examines the risks of depending on third-party gems in Ruby applications. A production Rails application commonly pulls in hundreds of gems, each of them code written by an outside party that runs inside the application, which makes the dependency tree an attractive target for attackers.

### Key Points Discussed:
- **Why gem security matters:** Software supply chain attacks have grown sharply in recent years; the 2021 State of the Software Supply Chain report (Sonatype) recorded a 650% year-over-year increase.
- **Common attack types:** The speakers walk through the ways a dependency can be turned against the application that installs it:
  - **Supply chain compromises:** Incidents such as the Codecov breach, in which a tampered build tool leaked credentials from the CI environments that ran it, and dependency confusion, in which a public package published under the same name as an internal one is resolved in place of the private package.
  - **Theft of secrets:** Malicious code inside a gem can read credentials such as AWS tokens from the environment and send them to the attacker.
  - **Ransomware and cryptomining:** Some payloads lock users out of their data; others quietly install cryptocurrency miners on the host.
  - **Typosquatting:** Attackers publish gems whose names differ from a popular gem by a plausible typo, so a mistyped name in a Gemfile or `gem install` command pulls in the attacker's code.
- **Mitigation strategies:** The talk stresses that developers, not only security teams, can close off these attacks with a few proactive measures:
  - **Allowlisting gems:** Maintain a vetted list of approved gems and restrict installs to it.
  - **Dependency governance:** Keep Bundler current and pin each private gem to its own declared source in the Gemfile, so that it is never resolved from the public index.
  - **Gem signing:** Cryptographically sign gems so that their integrity can be verified at install time.
  - **Multi-factor authentication (MFA):** Enable MFA on RubyGems.org accounts to protect against account takeover of gem maintainers.
### Conclusion and Takeaways:
- The risks of using gems are real, but the practices above substantially reduce exposure. Developers are encouraged to own their security posture rather than relying solely on a security team, acting as the first line of defense for their applications.
- The speakers call for ongoing vigilance and education about dependency risk, and single out simple steps such as enabling MFA on RubyGems.org as critical to safeguarding the Ruby ecosystem as a whole.