The points raised by James were:
- Java has a security manager, Ruby does not.
- None of the common static analysis tools cover Ruby.

My responses, point by point:
- I have yet to come across a single Java application that actually uses Java's security manager to specify security controls, access rights, etc. While there are certainly the hooks to do so, and some products like Netegrity, Sun Access Mgr, etc. will allow you to override Java's native security manager with their own implementation, this is by far the exception rather than the norm for server-side code.
- Note: we're not talking about client-side sandboxing here, where Java's security manager policy does come into play by default.
- No static analysis tools cover Ruby. True, but irrelevant. It is perfectly possible to write secure code without the assistance of a static analysis tool; it's just a lot easier to do so with one. The fact is, there isn't good static analysis capability for many languages, including Ruby, Python, Perl, and so on.
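To make concrete what "actually using the security manager" on the server side would look like, here is an added example (not code from the original post or from any product it mentions): a small program installs a custom `Policy` that grants only file reads under `/tmp`, then installs a `SecurityManager` so that any other read is refused. The class and method names (`AllowlistPolicy`, `readIsDenied`) and the paths are assumptions for the demo, and it assumes a JDK where `java.lang.SecurityManager` is still functional (it is deprecated for removal since Java 17 and must be enabled with `-Djava.security.manager=allow` on Java 18 and later).

```java
// Added example, not from the original post: a restrictive SecurityManager
// policy for server-side code. Assumes a JDK where SecurityManager still
// works (run with -Djava.security.manager=allow on Java 18+).
import java.io.FilePermission;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Policy;
import java.security.ProtectionDomain;

public class SecurityManagerDemo {

    /** Allowlist policy (hypothetical name): only reads under /tmp are granted. */
    static final class AllowlistPolicy extends Policy {
        @Override
        public PermissionCollection getPermissions(ProtectionDomain domain) {
            Permissions perms = new Permissions();
            // "/tmp/-" means /tmp and everything below it, recursively.
            perms.add(new FilePermission("/tmp/-", "read"));
            return perms;
        }

        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            return getPermissions(domain).implies(permission);
        }
    }

    /**
     * Attempts to read a file and reports whether the security manager blocked it.
     * SecurityException (AccessControlException is a subclass) means the policy
     * refused the read; an IOException means the policy allowed it but the file
     * itself could not be read (e.g. it does not exist).
     */
    static boolean readIsDenied(String path) {
        try {
            Files.readAllBytes(Paths.get(path));
            return false;
        } catch (SecurityException e) {
            return true;
        } catch (IOException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // The policy must be set before the manager is installed; afterwards
        // changing it would itself require a "setPolicy" SecurityPermission.
        Policy.setPolicy(new AllowlistPolicy());
        System.setSecurityManager(new SecurityManager());

        System.out.println("/etc/passwd denied: " + readIsDenied("/etc/passwd")); // true
        System.out.println("/tmp/x denied:      " + readIsDenied("/tmp/x"));      // false
    }
}
```

The practical reason this is rare in server code is visible in `getPermissions`: every capability the application needs (files, sockets, properties, reflection) has to be enumerated, and any omission surfaces as a runtime `SecurityException` rather than at build time, so most deployments simply never install a manager.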
4 comments:
Andy,
Good call.
As I was thinking about it, I'm wondering how "transferable" secure coding skills are... If not discrete methods, then certainly someone who has invested in secure coding education has a mindset that can/should be transferable to other languages.
Follow on post here:
http://www.aaronbedra.com/2007/8/31/cutting-with-safety-scissors
Actually, Perl::Critic is a powerful static analysis tool for Perl.
I stand corrected on the Perl front. Quick glance though and I don't see the same kind of coverage you'd get from a Coverity, Fortify, etc. I'll have to look more.