Operations as a Service (OaaS) is where you get an external company to help your in-house team manage your application stack from an operations point of view. This sort of support can come in many forms, from infrastructure management through to patching your application for the latest security flaw.
Most organisations that run Ruby on Rails applications have a team of developers who built and maintain the application. This is a good thing. But these team members usually wear many hats. They are the chief architect, infrastructure manager, lead developer, management expectation manager, scrum master, agile ninja, front end developer, user experience designer, systems tester, deploy master and consumer of copious amounts of caffeine.
Even when the “developer” represents a team of 3 or 4 people, the volume of hats they have to carry is quite profound. A recent blog post showed just how many things your modern Ruby on Rails application developer needs to know to get their job done.
With that many things vying for developer attention, it’s quite easy to see how “small” things could slip through that net.
For example, does your development team subscribe to the Ruby on Rails security alert list? Do they check that list constantly and take immediate action when new security alerts are announced? Do they even have time to do this?
Do they monitor the application stack on an ongoing basis to make sure backups are happening, that the servers aren’t about to run out of disk space and that operating systems are not falling too far out of date?
If not, then you are potentially opening your organisation up to serious risk with regard to your liability insurance. Most insurance policies require you to take reasonable technical steps to maintain the integrity of your application. If you are not keeping your Rails stack up to date with announced security patches, or not monitoring your backup systems to make sure they are actually completing backups, then you are potentially exposing yourself to the risk of your insurer refusing to foot the bill if the worst happens.
At the very least, if you are providing your own application support in-house, you should be doing the following:
- Review Rails security mailing lists daily and perform needed updates on all Rails applications
- Upgrade to the latest patch release on all Rails applications within the week of their release
- Review at least once a month that the backup of your Rails stack worked
- Monitor disk space, CPU and RAM utilisation on your Rails stack continuously and alert if outside of norms
- Monitor availability of the Rails application via the web and alert if offline
- Continuously monitor the performance of your Rails stack
- Review operating system patch levels to upgrade and handle any security issues
- Maintain and update the README of the Rails stack to reflect changes in the system or infrastructure
Doing this as a part-time job is daunting for a development team, especially with the constant pressure of feature development deadlines. These sorts of tasks inevitably get pushed to the bottom of the pile of things to do.
The above situation is why we created our Sentinel Ruby on Rails OaaS. It’s the first dedicated support service designed for Ruby on Rails applications, providing continuous monitoring of your infrastructure and application and immediate upgrades for security alerts.
Sentinel provides you with an industry leading risk mitigation solution for your Ruby on Rails application, providing a constant safety net for your application.
In the modern world of “always on” and “highly secure” consumer expectation, not having these policies in place just opens your company up to risks that don’t need to be there.