ruby-security
Safeguard articles tagged "ruby-security" — guides, analysis, and best practices for software supply chain and application security.
8 articles
Rails Security Best Practices: Strong Parameters, SQL, and Gems
Rails ships secure defaults, but mass assignment, string-interpolated SQL, and unvetted gems still cause real breaches. Here is how to hold the line.
Ruby Security Best Practices: Deserialization, Injection, and the Gem Supply Chain
Rails is safe by default — until a developer reaches for YAML.load, Kernel#open, or a raw-string query. Here are the Ruby footguns and the gem hygiene that keep them closed.
Ruby Security Explained
Ruby security in one place: the 2019 rest-client hijack, CVE-2022-32224's RCE, RubyGems' MFA mandate, and 2025's credential-stealing gem campaign.
Ruby deserialization vulnerabilities: Marshal.load, YAML....
A decade of Ruby CVEs — from CVE-2013-0156 to CVE-2022-32224 — shows how Marshal.load and YAML.load turn untrusted input into remote code execution.
Auditing Ruby dependencies for known CVEs with bundler-audit
A step-by-step bundler-audit tutorial for scanning Ruby gems against known CVEs, patching vulnerable dependencies, and enforcing the check in CI.
Case study: RubyGems account takeover incidents and their...
A look at real RubyGems account takeover incidents, including the rest-client hijack, and what they reveal about Ruby supply chain risk.
Ruby supply chain security report
A report on Ruby supply chain security: malicious RubyGems campaigns, maintainer credential compromises, and 2025's RubyGems governance dispute.
XXE Prevention in Ruby with Nokogiri NONET/NOENT
Nokogiri wraps libxml2, and one misconfigured parse call can leak local files or trigger SSRF. Here's how NONET and NOENT actually work, and how to lock them down.