Posted over 3 years ago. Visible to the public.

Security standards and practices

Rails LTS is a service of makandra, a team of Ruby developers and Linux system engineers based in Germany. We have more than 10 years of experience developing and operating web applications, and have always taken security very seriously.

This is a brief overview of how we handle Rails security issues for LTS, and how we operate the service:

Handling of security issues

Rails LTS primarily fixes security vulnerabilities after they have been publicly disclosed for the official release of Ruby on Rails. After an official advisory is published, multiple Rails security experts at makandra determine which Rails LTS versions are vulnerable and develop appropriate patches for all affected versions. Patches are validated and always reviewed by more than one person. There are unit tests in place for all versions of Rails LTS, as well as integration tests using some of our own applications, to make sure there are no regressions.

In some cases, security researchers have reported issues to us that only affect older Rails versions; these have been fixed for Rails LTS. We operate a bug bounty program for critical vulnerabilities that do not apply to officially maintained Ruby on Rails releases.

Access to Rails LTS code and infrastructure at makandra

Access to the Rails LTS repository and infrastructure is restricted to a small subset of senior employees at makandra, secured by appropriate authentication mechanisms.

Gem server infrastructure

The Rails LTS gem server is hosted in an access-controlled data center in Cologne operated by plusserver. The gem server is frequently patched and kept secure by our in-house operations team.

About makandra

Security plays an important role at makandra, with regard to the software and services we run as well as to our workflows and practices. We are trusted by large German companies; our customers include names such as Audi, Volkswagen, Siemens, and Deutsche Bahn.

makandra has passed an independent audit and is certified according to TISAX, an information security standard of the European automotive industry.

Does your version of Ruby on Rails still receive security updates?
Rails LTS provides security patches for unsupported versions of Ruby on Rails (2.3, 3.2, 4.2 and 5.2).

Owner of this card:

Tobias Kraze
Last edit:
over 2 years ago
by Tobias Kraze