Friday, August 31, 2007

FUD About Ruby on Rails?

James McGovern has a piece "The Insecurity of Ruby on Rails" that Alex picked up on and I think the whole idea is a little overblown....

The points raised by James were:
  1. Java has a security manager, Ruby does not.
  2. None of the common static analysis tools cover Ruby
I'll address both of these...

  1. I have yet to come across a single Java application that actually uses Java's security manager to specify security controls, access rights, etc. While there are certainly the hooks to do so, and some tools like Netegrity, Sun Access Mgr, etc. will allow you to override Java's native security manager with this implementation, this is by far the exception rather than the norm for server-side code.
    1. Note:We're not talking about client sandboxing here, where Java's security manager policy does come into play by default.

  2. No static analysis tools cover Ruby. True, but irrelevant. It is perfectly possible to write secure code without the assistance of a static analysis tool. Its just a lot easier to do so with one. Fact is, there isn't good static analysis capability for many languages including Ruby, Python, Perl, and so on.
The upshot of this, I think the premise is a bit flawed and maybe I'm overreacting to a relatively short thought provoking piece, but I thought I'd throw my 2-cents in there...

4 comments:

Anonymous said...

Andy,

Good call.

As I was thinking about it, I'm wondering how "transferable" secure coding skills are... If not discreet methods, then certainly someone who has invested in secure coding education has a mindset that can/should be transferable to other languages.

Anonymous said...

Follow on post here:

http://www.aaronbedra.com/2007/8/31/cutting-with-safety-scissors

Anonymous said...

Actually, Perl::Critic is a powerful static analysis tool for Perl.

Andy Steingruebl said...

I stand corrected on the Perl front. Quick glance though and I don't see the same kind of coverage you'd get from a Coverity, Fortify, etc. I'll have to look more.