New Relic is an awesome company, and there are many reasons why. I want to explain one of them, which culminates in being name-checked in a Rails security vulnerability alert. But first some back story.
We use a white-hat security company to discover security flaws on our site. A few weeks ago, they discovered that we were vulnerable to an HTTP header injection attack that allowed malicious users to control the HTTP headers in our responses, and therefore to control the entire contents of our returned pages. That’s not just bad; it’s big bad. Thankfully this was discovered by our security company, and not by an actual attack. No customer data was ever at risk from this vulnerability. We very quickly patched the security hole, but in a way that was unique to New Relic’s architecture. While working on the patch, I discovered that the vulnerability was in Rails itself, not in our app.
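The post names the bug class but not the fix. As an added illustration (not code from the post, from New Relic, or from Rails), the check below shows the defender's side of HTTP header injection: a response header value that contains CR or LF lets an attacker terminate the header block and supply the rest of the response, so untrusted input must be rejected before it reaches a header. The `safe_header_value` and `build_redirect_headers` names and the sample inputs are constructed for the example.

```ruby
# Added illustration, not code from the post, New Relic or Rails.
# HTTP header injection ("response splitting") depends on CR/LF bytes reaching a
# response header value; a hardened app rejects them before the framework sees them.

class HeaderInjectionError < StandardError; end

# Returns the value unchanged if it is safe to place in a response header;
# raises HeaderInjectionError if it contains CR, LF or a NUL byte.
def safe_header_value(value)
  str = value.to_s
  if str.match?(/[\r\n\x00]/)
    raise HeaderInjectionError, "control character in header value"
  end
  str
end

# Builds a minimal redirect header set from untrusted input, e.g. a target
# taken from a query parameter (hypothetical helper for this example).
def build_redirect_headers(target)
  { "Location" => safe_header_value(target), "Content-Type" => "text/html" }
end

# Detection helper: true if the input would have been rejected, useful for
# logging attempts without letting them through.
def header_injection_attempt?(value)
  safe_header_value(value)
  false
rescue HeaderInjectionError
  true
end

if __FILE__ == $0
  # Constructed sample inputs: one benign redirect target, one carrying CRLF.
  puts build_redirect_headers("https://example.com/account").inspect
  puts header_injection_attempt?("https://example.com/\r\nX-Injected: 1")
end
```

The validator rejects rather than strips: silently removing the control bytes would hide the attempt from logs and can leave a value the application never intended to emit.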
We had patched the vulnerability within 30 minutes of discovering it, which is pretty cool, but that’s not why New Relic is awesome. I’m getting there.
RoR security team
People were asking me if we were going to report the bug to the Rails security team. Without needing to consult anybody, to seek permission, or to clear my schedule, I sent an email to the RoR security list, and spent some time tracking down the location of the vulnerability in the Rails code base. Koz responded within 30 minutes. I thought to myself, “Wow! Just like pizza used to be.” It reaffirmed to me one of the reasons why the Rails community is so wonderful.
After we exchanged a few emails, Koz said he’d handle the rest of the process. Props to him and the RoR security team for being so freakin’ efficient with issues like this.
When all was said and done, instead of spending 30 minutes fixing the vulnerability and moving on, I’d spent about half a day in total working with Koz. Half a day of engineering time is a lot for a startup to spend on something that doesn’t directly benefit its customers. What amazes me about New Relic is that it wasn’t just okay for me to spend my time that way, it’s not that it was actively encouraged (which it was), it’s that it was expected. How cool is that?
A word of thanks
Lastly, I want to take a moment to say a word of thanks to the Rails community. Though New Relic is a commercial concern, and that sometimes puts us at odds with the philosophy behind open source, I want to acknowledge the hard work that goes into maintaining Rails and all of the associated gems, utilities, etc. It’s great to work for a company where the value of that work is understood and where I am encouraged to take the time I need to give back to the community in my own way.