David H. wrote:
> Yesterday, I was doing a dog-and-pony for the head of the company that
> I work for.
> He asked, “Is this (a rails application) secure?”
> I said, “It’s as secure as anything else on the web is,” and proceeded
> to talk about how the data was protected, how we weren’t saving
> anything that’s worth protecting, and so on.
> I’d like to have a better answer, for when we are storing things that
> are worth protecting.
Well, first of all, asking if an application is secure and if a framework
is secure are two totally separate questions. Which are you trying to
answer? If it’s an application, audit the application. If it’s Rails
in general…
A) Rails provides the essential tools for quality code and security: a
DRY methodology and powerful testing capabilities. DRY means less
chance for a typo, and increased testability, and increased testability
means the ability not to just say “We’re secure!” but to actually run
code that shows you exactly how secure you are. Tools like rcov can
even show you what you are testing and what you aren’t.
B) The Rails platform of choice these days is Mongrel with a proxying
load balancer. I’m not an HTTP expert, but Zed has been adamant about the
security of Mongrel’s HTTP parser. Also, Mongrels are completely
separate processes, so crashing or getting exploit code to run in one
does not mean the rest are directly affected.
> What are some talking points about Rails security? Is there a good
> place to start my education on this? How safe is the data from
> somebody who really, really wants to get at it? (It seems to me like
> maybe Rails isn’t the stress point here – we’re using mysql as a
> database, and hosting on Fedora.)
Exactly, there are a lot of holes which are much larger than a decently
written Rails application, even without tests.
Good luck!
–
Matthew B. :: [email protected]
Resume & Portfolio @ http://madhatted.com