Securing Ruby’s Future: How Ruby Central is Strengthening Security
As open source software powers more of the world’s technology, security in the Ruby ecosystem has never been more critical. With billions of downloads per month and over 180,000 gems, RubyGems.org plays a key role in ensuring the reliability of software worldwide. At Ruby Central, we are leading the charge with a comprehensive approach to security, addressing today’s threats while anticipating tomorrow's challenges.
The Ruby Central Open Source Program, now guided by the OSS Committee formed in August 2023, has been at the forefront of our security efforts. The Committee, composed of contributors from across the Ruby community, acts as a steering body, providing oversight and strategic direction for key security initiatives. These projects are made possible by generous contributions from sponsors like AWS, Shopify, and the wider Ruby community, alongside support from the Sovereign Tech Agency (STA) and partnerships with the Linux Foundation and OpenSSF’s Alpha-Omega Project.
Security Initiatives Supported by Generous Donors
Ruby Central’s security work is made possible through the generous support of external donors, who have enabled several critical initiatives to protect the Ruby ecosystem and ensure its long-term stability.
- AWS-funded Security Work: For the past year, Samuel Giddins’ full-time security-focused position has been entirely funded by AWS, Ruby Central’s cloud provider. One of his key responsibilities is integrating Sigstore into RubyGems, Bundler, and RubyGems.org. Sigstore allows developers to securely sign and verify packages without relying on long-lived signing keys, ensuring software integrity and protecting against tampering.
- Shopify’s Contributions: Shopify has also made significant contributions to Ruby Central, with a large portion of its funding dedicated to security-related initiatives. This generous support has been crucial in advancing key security improvements and ensuring that RubyGems and Bundler meet the highest security and reliability standards.
- Automated Gem Scanning: Mend.io fully funds and operates the automated gem scanning initiative, which continuously monitors newly updated gems for vulnerabilities. This system allows us to quickly identify and address potential security threats, enhancing the overall security of RubyGems.org.
- Community-Driven Manual Malware Checks: Besides automated scans, the RubyGems team, supported by the community, conducts manual reviews of newly published or updated gems. These checks help detect and remove malicious code, ensuring that RubyGems remains a trusted platform for developers.
Made possible by the support of AWS, Shopify, and Mend.io, these security initiatives are vital to maintaining the long-term security and stability of RubyGems.org and Bundler, protecting the Ruby community from evolving threats.
STA-Funded Projects: Strengthening Ruby’s Core Infrastructure
The Sovereign Tech Agency (STA) has been instrumental in enabling Ruby Central to transition from a reactive security model to a proactive, strategic approach. STA funding has allowed us to implement several key initiatives that strengthen RubyGems.org’s security and reliability.
Key Security Advancements Through STA Funding:
- Bundler Lockfile Checksums: This feature ensures that the packages used in development are identical in production, preventing tampering and supply chain attacks. Developed over two years, it significantly enhances Ruby’s security without major infrastructural changes.
- RubyGems.org Infrastructure Upgrades: STA funding allowed for crucial upgrades to our Kubernetes platform and OpenSearch cluster, improving both stability and security. The implementation of Datadog Cloud Security Management (CSM) provides real-time monitoring and helps us proactively address vulnerabilities.
- Trusted Publishing: Built on OpenID Connect (OIDC), Trusted Publishing ensures that only verified users can publish or update gems, reducing the risk of unauthorized or malicious changes. This feature secures the gem publication process and strengthens the supply chain.
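To make the lockfile-checksums bullet above concrete, here is an added Ruby example (not Bundler's own code; the `CHECKSUMS` entry format `name (version) sha256=<hex>` and the sample gem bytes are assumed and constructed) that parses the section of a `Gemfile.lock` and verifies gem bytes against it, flagging a tampered gem and a gem with no recorded checksum:

```ruby
require "digest"

# Parse the CHECKSUMS section of a Gemfile.lock into {"name-version" => hexdigest}.
# Entry line format assumed: "  name (version) sha256=<64 hex chars>".
def parse_checksums(lockfile)
  checksums = {}
  in_section = false
  lockfile.each_line do |line|
    if line.strip == "CHECKSUMS"
      in_section = true
      next
    end
    # A non-indented (or blank) line ends the section.
    break if in_section && !line.start_with?("  ")
    next unless in_section
    m = line.match(/\A\s+(\S+) \((\S+)\) sha256=([0-9a-f]{64})\s*\z/)
    next unless m # entries without a sha256 are not verifiable; skip them
    checksums["#{m[1]}-#{m[2]}"] = m[3]
  end
  checksums
end

# Compare downloaded gem bytes with the lockfile before anything is unpacked.
# Returns {"name-version" => :ok | :mismatch | :missing_checksum}.
def verify_gems(checksums, gem_files)
  gem_files.to_h do |key, bytes|
    expected = checksums[key]
    status = if expected.nil?
               :missing_checksum
             elsif Digest::SHA256.hexdigest(bytes) == expected
               :ok
             else
               :mismatch
             end
    [key, status]
  end
end

# Constructed sample inputs (not real gems): the bytes seen at lock time.
GOOD_GEMS = {
  "rack-3.1.7" => "rack-3.1.7 gem bytes (constructed)",
  "rake-13.2.1" => "rake-13.2.1 gem bytes (constructed)",
}.freeze

# Constructed Gemfile.lock fragment whose checksums match GOOD_GEMS.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (3.1.7)
      rake (13.2.1)

  CHECKSUMS
    rack (3.1.7) sha256=#{Digest::SHA256.hexdigest(GOOD_GEMS["rack-3.1.7"])}
    rake (13.2.1) sha256=#{Digest::SHA256.hexdigest(GOOD_GEMS["rake-13.2.1"])}

  DEPENDENCIES
    rack
    rake
LOCK
```

A real installer would abort on any `:mismatch` and treat `:missing_checksum` as a policy decision (warn or fail), since an absent entry means the lockfile offers no protection for that gem.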
Thanks to STA, we’ve delivered critical security enhancements that ensure RubyGems.org remains a secure and reliable platform for developers.
Audit-Driven Improvements: Insights from Alpha-Omega
Ruby Central’s partnership with the Alpha-Omega Project allowed us to conduct a comprehensive security audit of RubyGems.org, carried out by Trail of Bits. This audit provided invaluable insights into areas where we could improve security across our infrastructure and codebase.
Key Themes from the Alpha-Omega Security Audit:
- Infrastructure Security: The audit identified opportunities to improve AWS configurations, reduce attack surfaces, and enhance infrastructure resilience.
- Code Quality: Recommendations were made to improve code quality, ensuring long-term maintainability and adherence to best practices.
- Access Controls: We’re implementing steps to further limit unnecessary privileges, strengthening access management policies across RubyGems.org.
The audit uncovered 33 findings, including 7 medium-severity and 1 high-severity issue. While most findings were low-severity or informational, we’ve already begun implementing fixes for the most critical issues. A full audit report will be published soon, demonstrating our commitment to transparency and ongoing security improvements.
Response to CVE-2024-21654: Reinforcing Multi-Factor Authentication (MFA)
In December 2023, a vulnerability, CVE-2024-21654, was discovered, revealing a potential bypass in RubyGems.org’s multi-factor authentication (MFA) process. The RubyGems team responded swiftly, overhauling the MFA system to ensure this vulnerability was fully addressed.
Key updates included:
- Stronger MFA Prompts: We rebuilt MFA prompts to adhere to OWASP security guidelines, enhancing the protection of account recovery, password resets, and login actions.
- Tightened Controls: We introduced stricter MFA enforcement, requiring additional authentication factors for any sensitive actions, such as credential changes.
These changes have made RubyGems.org’s authentication process more secure than ever. While the system is robust, we continue encouraging users to enable MFA for their accounts to further protect their credentials and assets.
Looking Ahead: Building a Secure Future for RubyGems
Ruby Central is dedicated to strengthening both supply chain security and operational resilience in the years ahead. Our vision includes:
- Supply Chain Security: At RubyConf, we will unveil a new feature designed to bring transparency and verification to gems uploaded to RubyGems.org. This enhancement will allow gem consumers to verify that the gems they consume were built by the parties they expect and have not been tampered with since they were built.
- Operational Excellence: Through continued investments in infrastructure, disaster recovery, and failover systems, we are reinforcing RubyGems.org to ensure stability and security, even in the face of unexpected challenges.
A Call to Action for the Ruby Community
At Ruby Central, we’re committed to securing Ruby's future, but we can’t do it alone. Your involvement, whether enabling MFA on your RubyGems account, contributing to our security projects, or staying engaged with our updates, helps keep our community safe. Together, we can make Ruby a more secure, reliable platform for everyone.
November 20, 2024