Online banking with Ruby on Rails?


#1

I am wondering if it would be possible (and safe) to develop online
banking or other security-related applications with Ruby on Rails,
instead of using J2EE frameworks or .NET?
Are there any particular implications needed to write e-banking apps
with Rails? Security problems?
So… is anyone developing these types of applications with RoR?
Any advantage or disadvantage? Personal experiences are welcome!
Thanks!


#2

To my personal knowledge no one has done such a thing… yet.

There is no specific thing that would keep that from happening and being
just as secure as a J2EE application, but its mostly an age issue. A
bank
will always choose away from agile programming and towards “stable” and
“reliable” (and “slow” and “cumbersome”) applications rather than those
which are percieved to be unstable. I use the word “percieved” because
on
my working with the guts of Rails and seeing the way its written, its my
opinion that its hard to get more secure. Its actually the relative
simplicity that adds the security.

A lot of the security in a bank app would come down to the security of
the
natively written components for handling transactions. That’s where the
hole
might be.

It is just a matter of time though. Especially for a really small bank
that
can’t pay 20MM to develop a J2EE app.

-hampton.


#3

natively written components for handling transactions. That’s where the hole
might be.

It is just a matter of time though. Especially for a really small bank that
can’t pay 20MM to develop a J2EE app.

Actually, my bank (well, actually, credit union) uses ASP.Net for
their online banking. And through no fault of ASP.Net, it’s the most
insecure thing ever. As a test late last year, I ran a brute force
attack on my own bank account through an HTTP proxy while I was at the
library using their free WiFi. I broke into my own bank account in
about 45 minutes. I haven’t heard anything at all from the bank
warning me that there were over 2000 failed password attempts on my
account, and the site let me in just fine after incorrectly guessing
the password from the same IP address over 2000 times.

Of course, the reason the site is insecure is because the only
“security” they have is their SSL certificate. Which they share with
like 50 other unrelated credit unions. The password to your online
banking account is forced to be a 4-digit numeric pin number, and most
people will pick the same one they use at the ATM. That’s exactly
10,000 possible combinations, a very tiny number when you can try
around one combination a second. And the 5 digit account number can
be easily had off from any check.

I transferred all the money out long before I even decided to do this
since I knew that their security sucked – I forgot my pin number at
one point and tried like 10 times before I remembered it.

Moral of the story: No amount of enterpriseyness will undo your sheer
stupidity about security.

Second moral of the story: Those Verisign trusted badge thingys don’t
say anything at all about security. They just tell you that the bank
has an SSL certificate.

Cheers,
Bob A.

AIM: sporkmonger
Jabber: removed_email_address@domain.invalid


#4

On Apr 24, 2006, at 16:31, Bob A. wrote:

Of course, the reason the site is insecure is because the only
one point and tried like 10 times before I remembered it.

Moral of the story: No amount of enterpriseyness will undo your sheer
stupidity about security.

Great, thank you for sharing!

Second moral of the story: Those Verisign trusted badge thingys don’t
say anything at all about security. They just tell you that the bank
has an SSL certificate.

I assume that website had one? Aren’t those stamps awarded after some
audit of some sort?

– fxn


#5

I assume that website had one? Aren’t those stamps awarded after some
audit of some sort?

Yes, the website had one. So if an audit was done, it was a really
insanely poor one. I believe verisign’s stamps are not indicative of
an audit. Other stamps are.

Cheers,
Bob A.

AIM: sporkmonger
Jabber: removed_email_address@domain.invalid


#6

GbT wrote:

I am wondering if it would be possible (and safe) to develop online
banking or other security-related applications with Ruby on Rails,
instead of using J2EE frameworks or .NET?
Are there any particular implications needed to write e-banking apps
with Rails? Security problems?
So… is anyone developing these types of applications with RoR?
Any advantage or disadvantage? Personal experiences are welcome!
Thanks!

It seems to me that you are far more likely to run into security
problems because of poor design, or because you don’t keep the
technologies that you are running on up-to-date (e.g., your Linux or
Windows boxen, Apache/IIS/IPlanet/Lighttpd, etc.). Any lack of
security in Rails itself would probably be patched within days (if not
hours) of the first announcements of the flaw, and you if patch your
servers on a regular basis, the odds that you’ll be one of the first
ones affected are extremely low (since any tools for script-kiddies to
exploit those flaws won’t have been written yet). This is the same for
any platform with an active support base.

I’m sure anyone that has worked for a bank can list out dozens of
security concerns with sites they’ve worked on before running out of
paper–security concerns that have nothing to do with the choice of
technology and everything to do with design, and above all arbitrary
conventions and corporate “security” requirements.

If anything, Rails will probably be a bit more secure because it’s
easier to avoid security holes in 1000 lines of code than it is with
10,000 lines of code. On top of that, Rails currently has a lot of
attention and development, so the response time to any valid flaws is
bound to be very fast.

That said, I can see why an investor, or non-tech business person might
be hesitant to be the first company to put financial information on a
Rails app. But I really do think it’s more to do with perception that
with security.


#7

The larger banks have to check everything to make sure it’s secure,
and checking a program in Java can take a year or more. The people who
check these things already know the J2EE inside out, and know where
it’s strong and weak points are. If they were to check something
written in rails, they wouldn’t just check the ruby source you’ve
written and Application.rb etc, they would have to do loads of tests
on ruby itself, making approval take a very long time. Java itself has
already been approved by all the major banks. I would hazard a guess
that ruby hasn’t been approved by any of them, and won’t be for a long
time, if ever.
-Nathan


#8

On 24 Apr 2006, at 17:07, Bob A. wrote:

I assume that website had one? Aren’t those stamps awarded after some
audit of some sort?

Yes, the website had one. So if an audit was done, it was a really
insanely poor one. I believe verisign’s stamps are not indicative of
an audit. Other stamps are.

If I recall right, the only auditing Verisign does, is verify that
the certificate holder actually exists and says who he/she says he
is. It doesn’t indicate security, it only makes sure you are using a
secure connection with an existing and real company.

Best regards

Peter De Berdt