This post originated from an RSS feed registered with Ruby Buzz
by Jonathan Weiss.
Original Post: Ruby on Rails Security
Feed Title: BlogFish
Feed URL: http://blog.innerewut.de/feed/atom.xml
Feed Description: Weblog by Jonathan Weiss about Unix, BSD, security, Programming in Ruby, Ruby on Rails and Agile Development.
Recently I've been made aware of people inside US Government organizations using my Ruby on Rails Security presentation as an excuse to limit Ruby on Rails adoption and projects inside those organizations.
They mandate that applications in Rails should be redone in Java because of the issues I covered.
It is not clear to me how anybody how saw/read this presentation would come to the conclusion that Rails is insecure. Every application is vulnerable. Some more and some less. Yes, this means that also Java applications are attackable.
It is my honest and strong belief that Ruby on Rails applications are not less secure than any other web application. In contrast, the Ruby on Rails framework provides several advanced security mechanisms that make it very easy to write secure applications. Further, Ruby on Rails enables very sane security options by default. Some of those defaults include auto-escaping, prevent Cross-Site Request Forgery, or protected from SQL-injection. I would even go as far as to state that the typical Rails application is more secure than the typical web application for those reasons.
The security of an application stands and falls with the knowledge and abilities of the people implementing and running it. Rails makes it very easy to write secure applications.
The conclusion I came to in my presentation still holds:
Ruby is by no means a "web app security silver bullet" but adding security is easy and not a pain like in many other frameworks
I hope this will change the opinion of some people and remove my presentation as their argument.
Previous Topic
