FUD About Ruby on Rails?
2007-08-31 08:45:00 by Security Retentive in Security Retentive
 
James McGovern has a piece, "The Insecurity of Ruby on Rails", that Alex picked up on, and I think the whole idea is a little overblown...

The points raised by James were:
  1. Java has a security manager, Ruby does not.
  2. None of the common static analysis tools cover Ruby.
I'll address both of these...

  1. I have yet to come across a single Java application that actually uses Java's security manager to specify security controls, access rights, etc. While the hooks to do so certainly exist, and some tools like Netegrity, Sun Access Mgr, etc. will let you replace Java's native security manager with their own implementation, this is by far the exception rather than the norm for server-side code.
    Note: we're not talking about client sandboxing here, where Java's security manager policy does come into play by default.

  2. No static analysis tools cover Ruby. True, but irrelevant. It is perfectly possible to write secure code without the assistance of a static analysis tool; it's just a lot easier to do so with one. Fact is, there isn't good static analysis capability for many languages, including Ruby, Python, Perl, and so on.

The upshot of this: I think the premise is a bit flawed. Maybe I'm overreacting to a relatively short, thought-provoking piece, but I thought I'd throw my 2 cents in there...