I recently appeared on Episode 41 of The Rails with Jason Podcast for a wide-ranging discussion about Ruby on Rails security: the security value of keeping gems updated, the security risk of infrequent deployment, state-sponsored hacking, and practical tips on how to protect your organization.
Give it a listen to better understand some of the common ways production projects go south in their security practices, and why solid test coverage, regular reviews of your dependencies, and frequent deploys make you much more secure.
We barely scratched the surface of the state-sponsored threat. There is a reason that in defense circles cyber is now treated as a domain alongside land, sea, air, and space: nations have to maintain both offensive and defensive capabilities, which is why the United States now has US Cyber Command. But one of the big challenges of the cyber domain is that defense is largely up to the private sector. Other nations aim their capabilities at private companies, not just state targets, and because of our system of government and the nature of the Internet, our own country's resources do not protect us.
I like to think of private businesses on the Internet as ships out in international waters. You have to be ready for pirate attacks. The Navy may be there to discourage and disrupt operations against U.S.-flagged vessels in general, or to provide escorts in exceptionally dangerous waters, but it is still up to your company to provide its own defensive capabilities to thwart attacks against its assets.
Upcoming Virtual Event (April 26, 2020)
I will be presenting an expanded version of this topic, "Securing the Open Source Software Supply Chain", at Hella Secure's premier Application Security Conference. Stream it live on Twitch on April 26, 2020.