Why Upgrade Rails: Improved Application Security

Posted by Ziyan Junaideen | Published: 26 October 2021 | Category: Why Upgrade Rails

Your Ruby on Rails application is a vital piece of your organization's infrastructure, and it is exposed to the internet. The internet is the wild west, with a sizable population of high-profile cybercriminals, some sponsored by rogue states, and ever-increasing cyber-attacks. A security breach would disrupt your operations, cause embarrassment and make your lawyers rich. One crucial step in securing your RoR application is to keep it current with the latest security updates.

Application Lifecycle Management

During development, your Ruby on Rails application went through a Software Development Lifecycle (SDL). It started with gathering requirements and went on through project management, design, coding, testing and deployment. Application Lifecycle Management (ALM) extends further, all the way to the application's retirement.

At the point of deployment the software is "current". Over time, developers discover bugs and security vulnerabilities in it. To keep your application secure, you will have to either update the application (Rails and application dependency updates) or address the issues yourself.

The former is the easy way out, but there is a catch. The developers of Rails and of the other libraries your application depends on only release bug fixes and security updates for a limited time, usually two to three years. For example, Rails v5.1, released 4.5 years ago, saw its security support end two years ago.

Thus it is crucial, as part of ALM, to keep your application up to date. In addition, you have to keep your Linux/BSD servers up to date and, before their support windows expire, migrate the application to an up-to-date server.

I am an experienced DevOps engineer who can take control of the lifecycle of your application. Thanks to my extensive experience in Ruby on Rails application development and significant Linux/BSD systems administration experience, I have become a one-stop shop for many small-to-medium organizations' IT needs.

What happens if you don't update

The internet is a dangerous place even for an up-to-date app, let alone a legacy app that has gone years without security updates. Keep in mind that nothing may happen, but the worst could.

I recently upgraded a Rails 3.2 application hosted on an Ubuntu 12 server. It had operated throughout its history without incident (either security-wise or performance-wise), well beyond the EOL of Ubuntu 12 (April 2017) and Rails 3.2 (2015).

Just over two years back, I got to audit a Rails 3.2 application. A security breach had exposed its database. Making matters worse, the hackers broke its encryption and revealed sensitive data. The weak encryption was the result of a validation error in the encryption library and lousy engineering. Had the library been updated, any good developer would have discovered the shortcomings and mitigated the threat. The company never recovered.

The danger of not updating the application is that the world already knows of its bugs and security vulnerabilities. In time, hackers share tools and techniques that even amateurs can use to exploit such shortcomings.

How I can help you

I can help upgrade your Ruby on Rails application and the server-side software (including the OS) to the latest stable versions. An upgrade would mitigate known vulnerabilities and make future upgrades easier.

If you choose not to upgrade and understand the risks of maintaining such a legacy system without official support, I can help you sustain the application in the long run.

About the Author

Ziyan Junaideen

Ziyan is an expert Ruby on Rails web developer with 8 years of experience specializing in SaaS applications. In his free time he writes blogs, draws on his iPad and shoots photos.
