Security standards and practices


Rails LTS is a service of makandra, a team of Ruby developers and Linux system engineers based in Germany. We have more than 10 years of experience developing and operating web applications, and have always taken security very seriously.

This is a brief overview of how we handle Rails security issues for LTS, and how we operate the service:

Handling of security issues

Rails LTS primarily fixes security vulnerabilities after they have been publicly disclosed for the official Ruby on Rails releases. After an official advisory is published, multiple Rails security experts at makandra determine which Rails LTS versions are vulnerable and develop appropriate patches for all affected versions. Every patch is validated and is always reviewed by more than one person. Unit tests are in place for all versions of Rails LTS, and integration tests using some of our own applications make sure there are no regressions.

In some cases, security researchers have reported issues to us that only affect older Rails versions; these have been fixed in Rails LTS. We operate a bug bounty program for critical vulnerabilities that do not apply to officially maintained Ruby on Rails releases.

Access to Rails LTS code and infrastructure at makandra

Access to the Rails LTS repository and infrastructure is restricted to a small subset of senior employees at makandra, secured by appropriate authentication mechanisms.

Gem server infrastructure

The Rails LTS gem server is hosted in an access-controlled data center in Cologne operated by plusserver. The gem server is patched frequently and kept secure by our in-house operations team.

About makandra

Security plays an important role at makandra, both with regard to the software and services we run and to our workflows and practices. We are trusted by large German companies; our customers include names such as Audi, Volkswagen, Siemens, and Deutsche Bahn.

makandra has passed an independent audit and is certified according to TISAX, an information security standard of the European automotive industry.

Posted by Tobias Kraze to Rails LTS documentation (2019-04-01 12:05)