[LRUG] Fwd: Keeping track of new security vulnerabilities?

Ben Lovell benjamin.lovell at gmail.com
Fri Sep 20 02:08:26 PDT 2013


On 19 September 2013 20:32, Joel Chippindale <joel.chippindale at gmail.com> wrote:

> LRUGers
>
> If you want to keep up to date with the latest known security
> vulnerabilities with Ruby and the gems you are using there seem to be many
> different places to look, for example:
>
> - For rails there is the rubyonrails-security mailing list (
> https://groups.google.com/forum/#!forum/rubyonrails-security) which has
> rails covered but what about any of the other ruby gems you rely on?
>
> - It is unclear to me whether the ruby-security-ann mailing list is still
> active (https://groups.google.com/forum/#!forum/ruby-security-ann).
>
> - The National Vulnerability Database (
> http://web.nvd.nist.gov/view/vuln/search-results?query=ruby&search_type=all&cves=on)
> appears to be more comprehensive and enables you to search for ruby
> vulnerabilities but does not appear to give you any nice way to be alerted
> when a new vulnerability is discovered.
>
> - The ruby-advisory-db on github (
> https://github.com/rubysec/ruby-advisory-db/) looks like a great project
> (with potential to create a tool which would read your Gemfile/Gemfile.lock
> and warn you of issues?) but the frequency of updates and number of open
> issues suggest to me that it is far from comprehensive.
>
> However, none of these appear to be comprehensive, even with respect to
> reported issues, or make it easy to keep track of new vulnerabilities.
>
> How do you keep up to date with security vulnerabilities that are
> discovered in Ruby and the gems you use?
>

By waiting for the inevitable shit-storm on HN and twitter. :)

Ben


>
> J.
>
>
> _______________________________________________
> Chat mailing list
> Chat at lists.lrug.org
> http://lists.lrug.org/listinfo.cgi/chat-lrug.org
>
>
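As an added example (not from the thread, and not code from ruby-advisory-db or any existing tool), here is a minimal version of the lockfile checker Joel's question imagines: it parses the `specs:` section of a Gemfile.lock and compares each pinned version against advisories written in the layout ruby-advisory-db uses (`gem`, `cve`, `title`, and `patched_versions` / `unaffected_versions` holding RubyGems requirement strings; that layout is my assumption). Both the lockfile and the advisories below are constructed placeholders, not real gems or real CVE ids.

```ruby
require 'yaml'
require 'rubygems'

# Constructed sample Gemfile.lock (placeholder gem names, not real projects).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      parsekit (1.4.2)
      widgetlib (2.0.5)
        parsekit (>= 1.0)
      safegem (0.9.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    widgetlib
    safegem
LOCK

# Constructed advisories in the layout assumed for ruby-advisory-db:
# one YAML document per advisory, version constraints as RubyGems
# requirement strings. The CVE ids are placeholders, not real advisories.
SAMPLE_ADVISORIES = <<~YAML
  ---
  gem: parsekit
  cve: "0000-0001"
  title: Placeholder advisory for parsekit
  patched_versions:
    - "~> 1.4.3"
    - ">= 1.5.0"
  ---
  gem: widgetlib
  cve: "0000-0002"
  title: Placeholder advisory for widgetlib, already fixed in 2.0.5
  patched_versions:
    - ">= 2.0.4"
  ---
  gem: widgetlib
  cve: "0000-0003"
  title: Placeholder advisory for the widgetlib 2.x line
  unaffected_versions:
    - "< 2.0"
  patched_versions:
    - ">= 2.1.0"
YAML

# Returns { "gem name" => Gem::Version } for every spec pinned in the lockfile.
# Top-level specs sit at four spaces of indentation; six-space lines are the
# dependencies of the spec above them and are skipped.
def parse_lockfile(text)
  specs = {}
  in_specs = false
  text.each_line do |line|
    if line =~ /\A\s+specs:\s*\z/
      in_specs = true
      next
    end
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      specs[m[1]] = Gem::Version.new(m[2])
    elsif line.strip.empty?
      in_specs = false # blank line closes the specs block
    end
  end
  specs
end

# A version is safe if any unaffected or patched requirement accepts it.
# Entries may carry comma-separated constraints (">= 3.2, < 3.3"), so each
# entry is split before being handed to Gem::Requirement.
def vulnerable?(version, advisory)
  ranges = Array(advisory['unaffected_versions']) + Array(advisory['patched_versions'])
  safe = ranges.any? do |req|
    Gem::Requirement.new(req.split(',').map(&:strip)).satisfied_by?(version)
  end
  !safe
end

# Cross-reference the lockfile against the advisory stream; gems without any
# advisory produce no finding, which is exactly why database coverage matters.
def audit(lockfile_text, advisories_yaml)
  specs = parse_lockfile(lockfile_text)
  YAML.load_stream(advisories_yaml).each_with_object([]) do |adv, findings|
    version = specs[adv['gem']]
    next unless version && vulnerable?(version, adv)
    findings << { gem: adv['gem'], version: version.to_s, cve: adv['cve'], title: adv['title'] }
  end
end

if __FILE__ == $0
  audit(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES).each do |f|
    puts "#{f[:gem]} #{f[:version]}: CVE-#{f[:cve]} #{f[:title]}"
  end
end
```

Against a real project you would read the project's own `Gemfile.lock` and feed `audit` the concatenated `gems/*/*.yml` files from a checkout of the advisory database, re-running it whenever the checkout is refreshed. Note that the check only says "no finding" for gems the database does not cover, so its value tracks the database's completeness, which is the gap Joel points at.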