Originally posted on the thoughtbot Blog
With more of the world working remote than ever before, the surface area for cyber attacks has increased dramatically. We have already seen an attempted denial-of-service attack against a U.S. health agency and attacks against video conferencing platforms, as well as a surge of COVID-19-related scams and phishing emails.
These threats are not going to go away overnight, but luckily you can fight back by taking some time to think about security. There are many things to think about:
- Requiring two-factor authentication wherever it is available
- Training employees on good password hygiene, protecting sensitive information, and identifying phishing attempts
- Planning how to respond to an attack
- etc. ad infinitum
There is no silver bullet; like practicing a musical instrument, web security is an ongoing project that will change over time as you learn new information and continue to improve.
As a developer, you will also need to think about application security, which includes both the code you write and the libraries you depend on. Applying security fixes for your dependencies as they are released is one of the easiest lines of defense.
If you are working on a Ruby on Rails application, that currently means using Ruby 2.7.1, 2.6.6, or 2.5.8 and using Rails 220.127.116.11 or 18.104.22.168, all of which have fixes for recent security vulnerabilities (note that Ruby 2.4 is no longer receiving security updates, nor are versions of Rails older than 5.2). You should also use tools like bundler-audit and dependabot to keep your gems updated and secure.
Using libraries with known security vulnerabilities puts your business and your customers at risk. If you are running old versions of Ruby and Rails you should prioritize upgrading as soon as possible.
For some applications, upgrading is as simple as bumping a version number, running the test suite, and deploying. If that is the case for your application, you should upgrade today.
For others, the upgrade process can be quite a bit more involved and require significant planning. thoughtbot can help with a code audit to identify challenges to upgrading and provide a roadmap to guide the process.
If you already have a plan for how to upgrade but are unable to staff the project, thoughtbot has extensive experience upgrading Ruby on Rails applications and we would love to help.