LA-CONF 2013 talk http://2013.la-conf.org/ Developers always focus on their code, and almost never on the eco-system around their app. Dependencies can quickly make an app vulnerable, because new security holes are discovered every day. As we can't read all libraries code we're using in our project, it's kind of hard to determine what side effects could be introduced by using this or this package. Last but not least, APIs evolve, and so are packages. Sometimes APIs versions are deprecated, and if you don't pay attention to that, your app could stop working one day without notice. Ever worse, some packages can simply stop being maintained, leaving no choice then implementing a new one. That's why it's important to keep your projects in shape, the longer you wait to make it up-to-date, the harder it will be. There are some tools out there to achieve this, that every developer should know about: gemnasium (dependencies monitoring, and security alerts on them) rubytoolbox (alternatives) brakeman (security scanner)