Why I love working for New Relic, by Brent Miller

New Relic is an awesome company, and there are many reasons why. I want to explain one of them, which culminates in being name-checked in a Rails security vulnerability alert. But first some back story.

Security hole

We use a white-hat security company to discover security flaws on our site. A few weeks ago, they discovered that we were vulnerable to an HTTP header injection attack that allowed malicious users to control the HTTP headers in our responses, and therefore to control the entire contents of our returned pages. That’s not just bad; it’s big bad. Thankfully this was discovered by our security company, and not by an actual attack. No customer data was ever at risk from this vulnerability. We very quickly patched the security hole, but in a way that was unique to New Relic’s architecture. While working on the patch, I discovered that the vulnerability was in Rails itself, not in our app.

We had patched the vulnerability within 30 minutes of discovering it, which is pretty cool, but that’s not why New Relic is awesome. I’m getting there.

RoR security team

People were asking me if we were going to report the bug to the Rails security team. Without needing to consult anybody, to seek permission, or to clear my schedule, I sent an email to the RoR security list, and spent some time tracking down the location of the vulnerability in the Rails code base. Koz responded within 30 minutes. I thought to myself, “Wow! Just like pizza used to be.” It reaffirmed to me one of the reasons why the Rails community is so wonderful.

After we exchanged a few emails, Koz said he’d handle the rest of the process. Props to him and the RoR security team for being so freakin’ efficient with issues like this.

Spending time

When all was said and done, instead of spending 30 minutes fixing the vulnerability and moving on, I’d spent about a half a day total working with Koz. A half a day of engineering time is a lot for a startup to spend on something that doesn’t directly benefit their customers. What amazes me about New Relic is that it wasn’t just okay for me to spend my time that way, it’s not that it was actively encouraged (which it was), it’s that it was expected. How cool is that?

A word of thanks

Lastly, I want to take a moment to say a word of thanks to the Rails community. Though New Relic is a commercial concern, and that sometimes puts us at odds with the philosophy behind open source, I want to acknowledge the hard work that goes into maintaining Rails and all of the associated gems, utilities, etc. It’s great to work for a company where the value of that work is understood and where I am encouraged to take the time I need to give back to the community in my own way.

Brent Miller is a principal engineer & architect for New Relic. He traded in his training as a botanist to become a frontend engineer, and has spent the past decade building UIs that are easy to manage and helping the engineers around him become better at what they do.