The document discusses various security vulnerabilities affecting Ruby and its frameworks, including heartbleed, shellshock, and a Drupal SQL injection issue. It emphasizes the importance of keeping software stacks, including operating systems, databases, and gems, up to date for security. Resources for tracking Ruby-specific vulnerabilities and tools for assessing code security are also provided.

1. Ruby & Framework
Security
Creston Jamison
Ruby Tree Software, Inc.

2. Security???
 Heartbleed
 Shellshock
 Poodle
 Drupal SQL injection vulnerability –
compromised within hours
 Next?

3. Up to date on your stack?
 OS + services?
 Database?
 Web server?
 Ruby?
 Rails / Sinatra?
 Gems?

4. Example Stack
 Ubuntu:
https://lists.ubuntu.com/mailman/listinfo/ubuntu
-security-announce
 Ruby:
https://groups.google.com/forum/#!forum/ruby-security-
ann
 Rails:
https://groups.google.com/forum/#!forum/ruby
onrails-security
 Nginx: http://forum.nginx.org/list.php?27
 Postgres:
http://www.postgresql.org/support/security/

5. Gems?
 Check them all?
 Use ‘gem outdated’
 Discussion on signing but no notification:
http://guides.rubygems.org/security/
 http://www.rubysec.com/
 https://gemcanary.com/

6. What about your code?
 Brakeman: http://brakemanscanner.org/

7. Questions?
Creston Jamison
@crestonjamison
creston.jamison@rubytreesoftware.com