Is Ruby on Rails Suitable for Banking?
-
Recently there has been a lot of bad press around the security of Ruby on Rails, so I'm not looking for a re-hash of that issue. What would you think if you found that your bank's Internet Banking was built on Ruby on Rails? The big question is around how the Ruby community is going to respond to security issues? Will the platform stabilize and be useful for enterprise web applications for the next 10 years?
-
I think that in the end the users wouldn't and shouldn't know anyway, especially in such a situation.
-
I work in a bank (not on the banking SW) and I have no idea what the banking code is written in. I imagine I could find out, but I think it would be a challenge and I'd have security shining a light on my life almost instantly!
Never underestimate the power of human stupidity RAH
-
I'd suggest this might be a better topic for a Ruby newsgroup, but then you'd probably get a biased set of answers. Every framework has its security problems, some worse than others; the most important things are how quickly and effectively the framework responds, and the awareness and competency of the developers who write the code.
Sort of a cross between Lawrence of Arabia and Dilbert.
-Or-
A Dead ringer for Kate Winslett
-
From experience, I'm getting two biased and contradictory sets of answers already. I've come to trust CodeProject to be a bit more balanced. I like your point about speed of response, the Ruby community did clear up their most recent problem pretty quickly...
Adrian Akison wrote:
From experience, I'm getting two biased and contradictory sets of answers already. I've come to trust CodeProject to be a bit more balanced.
That's interesting to me: because, one reason I trust CodeProject is: that I feel certain that if I ask any question, in the Lounge, I will get a range of biased, often contradictory answers, accompanied by various off-topic asides that will range from personal insults, to science-fiction, to sexual fantasies, and references to bodily functions: all of which may be very helpful, or, at least, amusing ! "CP Lounge Balance:" would be an oxymoron. yrs, Bill
This thing we tell of can never be found by seeking, yet only seekers find it. Abu Yazid Al-Bistami (Persian, Sufi, 804-872)
-
Adrian Akison wrote:
The big question is around how the Ruby community is going to respond to security issues?
I thought you weren't looking to re-hash the issue. ;) First off, the Rails community responded very quickly, and a new Rails gem was released that fixed the issue in short order.
Adrian Akison wrote:
Will the platform stabilize and be useful for enterprise web applications for the next 10 years?
"Will..." implies that it is not currently stable, and I think it is. As others have posted, questions about enterprise web applications using Rails probably ought best be addressed on one of their forums. Lastly, and this is an interesting point, the source for Rails is public. That means that a hacker doesn't have to try to guess, poke and prod at a black box as with possibly "other" (*cough*) systems but can look at the code to figure out security holes. In my opinion, this makes the whole system less vulnerable. Looking at the code, one should be able to discern very quickly whether there are security holes and how to test for them. As for performance in general, if you're doing any massive server-side computations, it's probably better to relegate those to the database engine (if possible). I've blogged about Ruby performance, and obviously, being interpreted rather than compiled, it's not great, but in my opinion it's totally adequate for lightweight lifting such as page rendering and interacting with a database. The more interesting question is, what's the performance of the actual server software running the Rails app. Even a Rails app rendering a simple "Hello World" page can be brought to its knees if the server executing the code can't handle hundreds, thousands, whatever, of near simultaneous connections. That's my 2c. Marc
Latest Article: Intertexti - Resurrecting Apple's HyperCard
My Blog -
Marc Clifton wrote:
In my opinion, this makes the whole system less vulnerable. Looking at the code, one should be able to discern very quickly whether there are security holes and how to test for them.
Presuming of course that one in fact does: 1. have the knowledge/skills to do that, 2. have the time to do it, 3. actually do it. Not to mention of course that the very exact same process is what a black hat might also do.
-
Adrian Akison wrote:
What would you think if you found that your bank's Internet Banking was built on Ruby on Rails?
I would be scared out of my mind if I found out that the developers at my bank thought that the primary security of their system is based on the language choice. I would be significantly scared if I found out that the developers at my bank thought that language choice was even a significant security problem. I always keep in mind a large study from a couple of years ago that found that within one year 90% of data theft originated from internal users.