Friday, August 31, 2007

FUD About Ruby on Rails?

James McGovern has a piece "The Insecurity of Ruby on Rails" that Alex picked up on and I think the whole idea is a little overblown....

The points raised by James were:
  1. Java has a security manager, Ruby does not.
  2. None of the common static analysis tools cover Ruby
I'll address both of these...

  1. I have yet to come across a single Java application that actually uses Java's security manager to specify security controls, access rights, etc. While there are certainly the hooks to do so, and some tools like Netegrity, Sun Access Mgr, etc. will allow you to override Java's native security manager with this implementation, this is by far the exception rather than the norm for server-side code.
    1. Note:We're not talking about client sandboxing here, where Java's security manager policy does come into play by default.

  2. No static analysis tools cover Ruby. True, but irrelevant. It is perfectly possible to write secure code without the assistance of a static analysis tool. Its just a lot easier to do so with one. Fact is, there isn't good static analysis capability for many languages including Ruby, Python, Perl, and so on.
The upshot of this, I think the premise is a bit flawed and maybe I'm overreacting to a relatively short thought provoking piece, but I thought I'd throw my 2-cents in there...

Tuesday, August 28, 2007

OWASP Day/Week - September 6th

Get in on the fun.....

OWASP Day : Day of Worldwide OWASP 1 day conferences on the topic "Privacy in the 21st Century" : Thursday 6th Sep 2007

I'll be at the San Jose meeting, it should be interesting.

Friday, August 03, 2007

What is Safe Enough?

I wrote a piece a little bit ago comparing software security and liability to liability in the pharmaceutical industry.

Wired had a great article today about drug safety titled "FDA Drug Standards: What's Safe Enough?" I think a few of their points are pretty relevant to the discussion:

Does the FDA advisory panel's decision mean Avandia is safe?

It's safe enough, according to 22 of the 23 scientists on the FDA panel. That means the drug's benefits -- decreasing blood-sugar levels -- are more important than the potential risks cited in the Journal study. Plus, it's not even clear that the harm indicated in the study was caused by the drug.

And, more on how we measure safe...

I'm not convinced. Why is the FDA approving drugs that may not be safe?

Before a drug is released, clinical trials study thousands of patients. But deadly complications to new drugs are often extremely rare and don't emerge until millions of people have taken the drug.


The FDA must weigh many factors when it comes to deciding whether to keep a drug on the market. Do the benefits outweigh the risks? Do other drugs on the market treat the disease with fewer side effects? As reporter Trevor Butterworth said recently on The Huffington Post: "What if we save 20 out of 100 people from going blind, but increase the risk of heart attack for four out of 100? Is this acceptable? No one really has a good answer."

I think this answer is a really good one to think about when you're developing software. Defining what safe enough is varies a lot by product, market, customer, type of data you're processing, etc.

The takeaway I suppose is that even where it truly it life-and-death there aren't easy answers to these types of questions. It makes me feel a little better I guess...