DigitalOcean: Fixing a critical Ruby Gem vulnerability within a day of disclosure

After integrating Snyk into their development lifecycle, DigitalOcean was able to fix two vulnerabilities in Nokogiri within a day of being notified! Such a quick turnaround could not have happened when monitoring for vulnerable dependencies without Snyk.

DigitalOcean, a cloud platform provider with offices in New York, NY and Cambridge, MA, makes it simple for developers to build great software by offering transparent and affordable pricing, a simple and elegant user experience, a highly engaged developer community, and one of the most comprehensive libraries of open source resources in the world. Its development team delivers rapid feature development on multiple Rails applications and single-page web applications.

"Supply-chain vulnerabilities constitute some of the most preventable vulnerabilities, and are also the most costly in terms of company reputation and blast radius of affected systems. You need to continuously scan for vulnerabilities, and mitigate found vulnerabilities, in your operating systems, applications and libraries."


"Continuous scanning for open source library vulnerabilities is not a trivial task, and we recommend using Snyk to make it easier for you to detect and respond to vulnerabilities in a timely manner."


Challenges

Before DigitalOcean integrated Snyk into their development lifecycle, keeping up to date with the latest dependencies and vulnerabilities was carried out by individual technical leads on each of their projects. What DigitalOcean needed was a timely and pragmatic response to vulnerabilities in their third-party dependencies.


How Snyk Helped

Snyk simplified the non-trivial task of scanning for vulnerabilities in DigitalOcean’s third-party libraries. This allows the DigitalOcean Application Security team to focus their efforts on scanning for vulnerabilities in the code and applications that are continuously produced by their development teams. Snyk makes it easier for the AppSec team to keep up to date with newly discovered vulnerabilities, and its automated remediation lets developers resolve most issues quickly with a click.


User Experience Matters

Snyk's tools are built with the developer in mind, designed to work seamlessly with existing tools and workflows.

What specific feature do you like most about Snyk?
Slack integration so that our application security team can be notified of new critical vulnerabilities in a timely manner.

"Following notification by Snyk and our internal impact analysis, we found that the vulnerabilities exposed were in-line for most of our request processing, so it became critical for us to upgrade the version of Nokogiri that was used in our front-door applications."


The Results

In June 2017 DigitalOcean was notified by Snyk of two vulnerabilities in Nokogiri. Nokogiri is an HTML, XML, SAX, and Reader parser, which has the ability to search documents via XPath or CSS3 selectors.

SNYK-RUBY-NOKOGIRI-20367: High severity Arbitrary Code Execution vulnerability.

SNYK-RUBY-NOKOGIRI-20368: High severity Out of Bounds Memory Write vulnerability.

Over the course of a single work day, DigitalOcean was able to upgrade multiple services and internal libraries to a newer and safer Nokogiri version and roll them out to its pre-production and, following verification, production environments. Prior to using Snyk, the process of finding and fixing this type of vulnerability would have taken much longer, which meant DigitalOcean was previously exposed to exploitation of such vulnerabilities for longer periods of time.