Description
Using Ruby gems is safe, right? We're a nice community of friendly beings that act towards the same goal: making Ruby better. But is that true? Can we just blindly use libraries without making sure that they are what they are supposed to be? Come and learn how you can take over a gem, what you can do with it once you have it, and what you can do to protect yourself against several types of attacks you're exposed to on a daily basis. Let's exploit the Ruby gems world, and its data, together. RubyKaigi 2019 https://rubykaigi.org/2019/presentations/maciejmensfeld.html#apr18
Summary
In this presentation, Maciej Mensfeld discusses the vulnerabilities associated with Ruby gems and how developers can protect themselves against various attacks. He begins with an overview of Ruby gems, their popularity, and their potential security risks. Key points include:

- **Introduction to Ruby Gems**: Ruby gems, similar to npm for JavaScript, number around 160,000 published gems and face security challenges.
- **Malicious Installation**: Users can unknowingly install gems that perform harmful actions, such as gathering sensitive information.
- **Post-Install Hooks and Code Execution**: Mensfeld explains how malicious actors can use post-install hooks and native extension compilation to execute hidden code during gem installation.
- **Typosquatting Threats**: He highlights typosquatting, a technique where attackers register misspelled versions of popular gems to catch developers who mistype a dependency name.
- **Risks of Abandoned Gems**: The presenter warns that many gems with high download counts are abandoned, giving attackers opportunities for takeover. He draws parallels to past events, such as the Bootstrap Sass incident, where malicious code was introduced into a published version.
- **Mitigation Strategies**: Mensfeld stresses the importance of adopting security practices such as two-factor authentication, dependency policies, and manual checks on gem updates.
- **Conclusion**: The talk emphasizes vigilant code review and limited trust in dependencies, encapsulating the overarching need for developers to maintain security awareness when using Ruby gems.
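The mitigation points above (a dependency policy and a manual check on each gem update, with typosquatting in mind) can be turned into a small pre-merge audit of a `Gemfile.lock` change. The script below is an added example written for this page; it is not code from the talk or from RubyGems/Bundler. Both lockfiles are constructed samples, the `nokogirl` entry is a made-up look-alike name, and the `POPULAR_GEMS` and `APPROVED_NEW_GEMS` lists stand in for whatever reference list and policy allowlist a team actually maintains.

```ruby
# Added example: audit a Gemfile.lock change the way a manual dependency-policy
# review would, before the new lockfile is trusted. Sample lockfiles are
# constructed; "nokogirl" is a fabricated look-alike name for illustration.

OLD_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rake (13.0.6)
      nokogiri (1.13.1)
        racc (~> 1.4)
      racc (1.6.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    nokogiri
    rake
LOCK

NEW_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rake (13.0.6)
      nokogiri (2.0.0)
        racc (~> 1.4)
      racc (1.6.0)
      nokogirl (0.0.1)
      rainbow (3.1.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    nokogiri
    rake
    nokogirl
    rainbow
LOCK

# Reference list of well-known names (hypothetical; a real team would keep its own).
POPULAR_GEMS = %w[rails rake nokogiri rack rspec bundler puma sidekiq devise pg].freeze
# Policy allowlist of additions already reviewed (constructed for the sample).
APPROVED_NEW_GEMS = %w[rainbow].freeze

# Extract {name => version} from the GEM/specs section. Direct specs are
# indented by four spaces; their dependency lines (six spaces) are skipped.
def parse_lock_specs(text)
  specs = {}
  in_specs = false
  text.each_line do |raw|
    line = raw.chomp
    if line =~ /^  specs:$/
      in_specs = true
      next
    end
    in_specs = false if line =~ /^\S/ # next top-level section (PLATFORMS, ...)
    next unless in_specs
    if (m = line.match(/^    (\S+) \(([^)]+)\)$/))
      specs[m[1]] = m[2]
    end
  end
  specs
end

# Levenshtein distance, used to spot names one keystroke away from a known gem.
def edit_distance(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost].min
    end
    prev = cur
  end
  prev[b.length]
end

# Compare two lockfiles and return review findings: look-alike additions,
# additions outside the allowlist, major version bumps, other changes, removals.
def audit_lock_change(old_text, new_text, popular: POPULAR_GEMS, approved: APPROVED_NEW_GEMS)
  old_specs = parse_lock_specs(old_text)
  new_specs = parse_lock_specs(new_text)
  findings = []

  (new_specs.keys - old_specs.keys).each do |name|
    lookalike = popular.find { |p| p != name && edit_distance(p, name) <= 1 }
    if lookalike
      findings << { gem: name, kind: :typosquat_candidate, detail: "resembles #{lookalike}" }
    elsif !approved.include?(name)
      findings << { gem: name, kind: :unapproved_addition, detail: "not in policy allowlist" }
    end
  end

  (new_specs.keys & old_specs.keys).each do |name|
    old_v = old_specs[name]
    new_v = new_specs[name]
    next if old_v == new_v
    kind = new_v.split('.').first.to_i > old_v.split('.').first.to_i ? :major_bump : :version_change
    findings << { gem: name, kind: kind, detail: "#{old_v} -> #{new_v}" }
  end

  (old_specs.keys - new_specs.keys).each do |name|
    findings << { gem: name, kind: :removed, detail: "was #{old_specs[name]}" }
  end

  findings
end

if __FILE__ == $PROGRAM_NAME
  audit_lock_change(OLD_LOCK, NEW_LOCK).each do |f|
    puts "#{f[:kind]}: #{f[:gem]} (#{f[:detail]})"
  end
end
```

On the sample input the audit reports `nokogirl` as a typosquat candidate (one edit away from `nokogiri`) and `nokogiri` as a major version bump that deserves a changelog and diff review, while the allowlisted `rainbow` passes silently. Running it against the old and new lockfile in CI turns the "manual check on gem updates" from a habit into a gate that leaves a record.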