---
title: Web Security During the COVID-19 Pandemic
teaser: 'The COVID-19 pandemic has brought with it an increase in cyber threats, but
  we can fight back by being more thoughtful about web security.

  '
tags: security,web,ruby,rails,rails upgrade,code audit
author: Daniel Colson
published_on: 2020-04-20
---

With more of the world working remotely than ever before, the **surface area for
cyber attacks has increased dramatically**. We have already seen an attempted
[denial-of-service][DoS] [attack against a U.S. health agency][HHS attack] and
[attacks against video conferencing platforms][zoom attack], as well as a surge
of [COVID-19-related scams and phishing emails][phishing].

These threats are not going to go away overnight, but luckily you can fight back
by taking some time to **think about [security]**. There are many things to
think about:

* Requiring two-factor authentication wherever it is available
* Training employees on good password hygiene, protecting sensitive information,
  and identifying phishing attempts
* Planning how to respond to an attack
* etc. ad infinitum

There is no silver bullet; like practicing a musical instrument, **web security
is an ongoing project** that will change over time as you learn new information
and [continue to improve][continuous improvement].

As a developer, you will also need to **think about [application security]**,
which includes both the code you write and the libraries you depend on. Applying
security fixes for your dependencies as they are released is one of the easiest
lines of defense.

If you are working on a Ruby on Rails application, that currently means running
Ruby [2.7.1], [2.6.6], or [2.5.8] and [Rails 6.0.2.2 or 5.2.4.2], all of which
were released in March 2020 with fixes for security vulnerabilities (note that
[Ruby 2.4 is no longer receiving security updates][ruby 2.4 support], nor are
[versions of Rails older than 5.2][rails maintenance policy], so no patched
release exists for those series). You should also use tools like [bundler-audit]
and [dependabot] to keep your gems updated and secure: bundler-audit compares the
versions pinned in your `Gemfile.lock` against the ruby-advisory-db (run
`bundle audit check --update` in CI so the advisory database is current before
each check), and Dependabot opens pull requests as new gem releases appear. Note
that bundler-audit only covers gems, not the Ruby interpreter itself, so check
your Ruby version separately.
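The following script is an added example, not thoughtbot's code and not a
replacement for bundler-audit. It encodes the version floors named in the
paragraph above (the patched Ruby and Rails releases, and the series that no
longer receive fixes) and checks a `Gemfile.lock` and a Ruby version string
against them using `Gem::Version`, so that a release like `5.2.4.1` is reported
as outdated and a `5.1.x` or Ruby `2.4.x` as unsupported rather than silently
passing. The lockfile contents are constructed for the example; the minimums in
`MIN_RAILS` and `MIN_RUBY` are the releases this post names and would need
updating as new patch releases ship.

```ruby
# Added example (not thoughtbot's code): check a Gemfile.lock and a Ruby version
# string against the minimum patched releases named in this post.
require "rubygems" # provides Gem::Version

# Minimum patched release per maintained series, as of this post (April 2020).
# A series missing from the table is treated as unsupported: no patched
# release exists for Ruby 2.4 or for Rails older than 5.2.
MIN_RAILS = { "6.0" => "6.0.2.2", "5.2" => "5.2.4.2" }.freeze
MIN_RUBY  = { "2.7" => "2.7.1", "2.6" => "2.6.6", "2.5" => "2.5.8" }.freeze

# Constructed Gemfile.lock for the example. Its Rails version is one patch
# release behind the 5.2 floor above.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (5.2.4.1)
        rack (~> 2.0, >= 2.0.8)
      rack (2.0.8)
      rails (5.2.4.1)
        actionpack (= 5.2.4.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails (= 5.2.4.1)

  BUNDLED WITH
     2.1.4
LOCK

# Returns the resolved gem versions from the `specs:` section of a
# Gemfile.lock, e.g. { "rails" => "5.2.4.1" }. Resolved specs are indented by
# exactly four spaces; their dependency lines (six spaces, with constraints
# such as "~> 2.0") and the DEPENDENCIES section (two spaces) are skipped.
def lockfile_versions(lockfile_text)
  versions = {}
  lockfile_text.each_line do |line|
    next unless line =~ /\A {4}(\S+) \(([0-9][^)]*)\)\s*\z/
    versions[$1] = $2
  end
  versions
end

# Compares `version` against the floor for its "major.minor" series.
# Returns :ok, :outdated, or :unsupported (series not in the table).
def series_status(version, minimums)
  v = Gem::Version.new(version)
  series = v.segments.first(2).join(".")
  minimum = minimums[series]
  return :unsupported unless minimum
  v >= Gem::Version.new(minimum) ? :ok : :outdated
end

# Audits both the Rails gem in the lockfile and the given Ruby version.
# Returns e.g. { ruby: :outdated, rails: :ok }; :missing if rails is absent.
def audit(lockfile_text, ruby_version)
  rails = lockfile_versions(lockfile_text)["rails"]
  {
    ruby: series_status(ruby_version, MIN_RUBY),
    rails: rails ? series_status(rails, MIN_RAILS) : :missing
  }
end

if $PROGRAM_NAME == __FILE__
  # Check the constructed lockfile and the interpreter running this script.
  audit(SAMPLE_LOCKFILE, RUBY_VERSION).each do |component, status|
    puts "#{component}: #{status}"
  end
end
```

Run it against a real `Gemfile.lock` by reading the file into `audit` in place
of `SAMPLE_LOCKFILE`. The point of the `:unsupported` result is that an
end-of-life series cannot be fixed by a patch release; it needs the upgrade
work described below, which is exactly the case a plain version bump check
would miss.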

**Using libraries with known security vulnerabilities puts your
business and your customers at risk.** If you are running old versions of Ruby and
Rails you should prioritize upgrading as soon as possible.

For some applications, upgrading is as simple as bumping a version number,
running the test suite, and deploying. If that is the case for your application,
you should upgrade today.

For others, the upgrade process can be quite a bit more involved and require
significant planning. **thoughtbot can help with a [code audit]** to identify
challenges to upgrading and provide a roadmap to guide the process.

If you already have a plan for how to upgrade but are unable to staff the
project, **thoughtbot has extensive experience upgrading Ruby on Rails
applications** and [we would love to help][hire us].

[DoS]: https://en.wikipedia.org/wiki/Denial-of-service_attack
[HHS attack]: https://www.bloomberg.com/news/articles/2020-03-16/u-s-health-agency-suffers-cyber-attack-during-covid-19-response
[zoom attack]: https://www.forbes.com/sites/leemathews/2020/04/13/500000-hacked-zoom-accounts-given-away-for-free-on-the-dark-web/#26dbd88958c5
[phishing]: https://www.cdc.gov/media/phishing.html
[security]: https://github.com/thoughtbot/guides/tree/master/security
[application security]: https://github.com/thoughtbot/guides/blob/master/security/application.md
[continuous improvement]: https://thoughtbot.com/purpose#continuous-improvement
[dependabot]: https://dependabot.com/
[bundler-audit]: https://github.com/rubysec/bundler-audit
[2.7.1]: https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-7-1-released/
[2.6.6]: https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-6-6-released/
[2.5.8]: https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-5-8-released/
[Rails 6.0.2.2 or 5.2.4.2]: https://weblog.rubyonrails.org/2020/3/19/Rails-6-0-2-2-and-5-2-4-2-has-been-released/
[ruby 2.4 support]: https://www.ruby-lang.org/en/news/2020/04/05/support-of-ruby-2-4-has-ended/
[rails maintenance policy]: https://edgeguides.rubyonrails.org/maintenance_policy.html
[code audit]: https://thoughtbot.com/services/code-audit
[hire us]: https://thoughtbot.com/hire-us
