RailsConf 2013 is right around the corner! And to celebrate, we’re publishing a series of blog post that highlight what’s new and exciting in the world of New Relic’s Ruby support. Don’t forget to check out the entire series so far: Cross Application Tracing, Thread Profiling, Living on the Edge with Rails 4 & Ruby 2, and Thread Safe APIs & Sidekiq Support for Your Threading.
Over the last few months there’s been a lot of traffic on the rubyonrails-security list. High profile remote code execution exploits were found in both Rails and Rack, which heightened the focus on security in the community. It’s also brought increased scrutiny from security researchers probing for more vulnerabilities. Overall this will lead to more secure versions of Rails and other frameworks. The discussions also help more people consider their own applications’ security.
However, there’s the lurking issue of unpatched applications. Lots of people have Rails apps deployed they may not realize are vulnerable. It could be that small app a consultant installed two years ago that’s been chugging away untouched since. Or maybe it’s an experiment that got uploaded to a cloud service last year before being forgotten. It’s easier than ever to lose track of applications, and depending on your configurations and infrastructure, one insecure app can impact far more than just that app’s functionality.
New Relic’s Ruby agent has always reported the gems active in the application’s environment. That information has been useful for debugging and guiding us toward other libraries to instrument.
Brand new in time for RailsConf 2013 we’re taking advantage of that information to notify you of vulnerable versions of Rails and Rack. For Rails we check against versions 2.3.x and 3.x. Rack gets checked across versions 1.1.X through 1.5.X.
When we find a vulnerable version of these gems, you’ll see a banner in the New Relic UI pointing to the application and problematic gems. Additional links to the relevant development groups online will also let you dig further into the issues and learn more about the vulnerabilities.
Here’s to a more secure future!
Headed to RailsConf 2013? Stop by our booth to see the New Relic Ruby Agent in action, pick up your free Data Nerd t-shirt and more. You can even try New Relic Pro free for 30 days. For more information, go to newrelic.com/railsconf.