Security news that informs and inspires

RubyGems Requires MFA for Popular Projects

RubyGems, the popular community site for hosting Ruby projects, is now requiring the maintainers of the most popular projects to enable MFA on their accounts in an effort to prevent software supply chain attacks of the sort that have hit open source projects and commercial software makers alike in the past couple of years.

The new requirement applies to gems, as Ruby packages are known, that have more than 180 million downloads and may be extended to other gems in the future.

“Today (August 15th, 2022), we will begin to enforce MFA on owners of gems with over 180 million total downloads. Users in this category who do not have MFA enabled on the UI and API or UI and gem signin level will not be able to edit their profile on the web, perform privileged actions (i.e. push and yank gems, or add and remove gem owners), or sign in on the command line until they configure MFA,” Jenny Shen wrote on the RubyGems.org blog Monday.

“Maintainers of gems that surpass 165 million total downloads will continue to receive recommendation reminders on the UI and CLI until the gem reaches 180 million total downloads. At that point, MFA will be required.”
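The three enforcement tiers described in the announcement (optional below 165 million downloads, reminders between 165 and 180 million, enforced from 180 million), modelled as an added Ruby example that is not RubyGems.org's own code; the MFA-level and action names are assumptions chosen to mirror the quoted text, and the exact behaviour at the 180 million boundary is read from "reaches 180 million".

```ruby
# Added example (not RubyGems.org's own code): models the MFA enforcement
# tiers described in the announcement. Thresholds come from the page; the
# MFA-level and action names are assumptions chosen for illustration.
REQUIRED_THRESHOLD = 180_000_000 # "reaches 180 million": MFA is enforced
REMINDER_THRESHOLD = 165_000_000 # "surpass 165 million": reminders only

# Actions the announcement says are blocked for owners without MFA on a gem
# in the required tier (push/yank, owner changes, profile edits, CLI sign-in).
PRIVILEGED_ACTIONS = %i[push yank add_owner remove_owner edit_profile cli_signin].freeze
# The two MFA levels the announcement names as sufficient. :ui_only and
# :none are assumed labels for insufficient settings.
SUFFICIENT_MFA_LEVELS = %i[ui_and_api ui_and_gem_signin].freeze

def mfa_tier(total_downloads)
  if total_downloads >= REQUIRED_THRESHOLD
    :required
  elsif total_downloads > REMINDER_THRESHOLD
    :recommended
  else
    :optional
  end
end

# Evaluates one owner of one gem: which tier applies, whether their MFA level
# satisfies it, whether a reminder is shown, and which actions are blocked.
def evaluate_owner(total_downloads:, mfa_level:)
  tier = mfa_tier(total_downloads)
  sufficient = SUFFICIENT_MFA_LEVELS.include?(mfa_level)
  {
    tier: tier,
    mfa_sufficient: sufficient,
    reminder: tier == :recommended && !sufficient,
    blocked_actions: tier == :required && !sufficient ? PRIVILEGED_ACTIONS : []
  }
end

def action_allowed?(action, total_downloads:, mfa_level:)
  result = evaluate_owner(total_downloads: total_downloads, mfa_level: mfa_level)
  !result[:blocked_actions].include?(action)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: download counts are made up for illustration.
  [["big-gem", 250_000_000, :ui_only], ["big-gem", 250_000_000, :ui_and_api],
   ["mid-gem", 170_000_000, :none], ["small-gem", 2_000_000, :none]].each do |name, dl, lvl|
    r = evaluate_owner(total_downloads: dl, mfa_level: lvl)
    puts "#{name} #{lvl}: tier=#{r[:tier]} reminder=#{r[:reminder]} blocked=#{r[:blocked_actions].inspect}"
  end
end
```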

Supply chain attacks against the various software ecosystems have become a major challenge for both open source maintainers and commercial software vendors. Intrusions such as those that hit SolarWinds and Kaseya have had widespread effects on other software suppliers and customers, some of whom were compromised in those same operations. High-level attack teams like those employed by foreign intelligence and military services have made supply chain attacks a priority, as they know that the compromise of a single popular project or application can bear fruit for months or years to come if things break right.

The open source ecosystem is particularly at risk for these attacks because open source libraries and projects are woven into the fabric of so many platforms, commercial apps, and other systems that it’s virtually impossible to determine all of the places a popular project might be found. The Log4j Java logging library is a prime example. The Log4Shell bug that emerged in that library several months ago became a worldwide problem as organizations scrambled to figure out how many of their apps and systems were vulnerable.

To help prevent attackers from gaining access to critical projects and inserting malicious code, GitHub last year began requiring a form of strong authentication, such as a hardware security key or MFA app, for every git operation on its platform. Now, the RubyGems.org platform is following suit, and also has plans to add WebAuthn support in the future. WebAuthn is an emerging standard for passwordless authentication.

“In addition, we are also currently working on adding support for WebAuthn. Maintainers would be able to use hardware tokens, biometric keys, and other WebAuthn-supported devices as their multi-factor device of choice,” Shen said.