Which is more secure, DotNet or Ruby on Rails?
I've been building a web app using Ruby on Rails. Recently, someone asked me why I wasn't developing in DotNet, stating that it was much more secure. I searched a bit, but all the articles I found comparing the security of DotNet and Rails seem to be more than a year old. Does anyone have a current opinion on this issue?
19 comments
[ 5.1 ms ] story [ 90.9 ms ] threadI'm a CISSP and CISM and a Ruby/Rails developer. I practice secure coding techniques and know the benefits of security testing.
What I'm asking, if it isn't obvious, is which has more outstanding vulnerabilities. I'm also asking for opinions on the _current_ security of each.
The "security" of a web framework is not a well-defined quantity.
Your question is malformed, and you got an answer that you should listen to: your choice of web framework is not a very important factor in the security of your site.
If you decide to go with certain versions of .NET, entire attack vectors will be closed, but ONLY because there are entire sets of features missing that you might get with Rails.
Presumably this barely scratches the surface of the list of .NET patches with potential security implications. The ideal security patch goes out quietly and gets applied quietly, after all.
I'm not going to take the time for a more exhaustive search, because I've got the knowledge I'm looking for: .NET is not made of magic, such that it has not had critical patches for half a decade and I can safely choose to let it run itself. If I run a .NET stack, I'll need to watch for critical patches and apply them ASAP. If I run a Rails stack I'll need to do the same. This is the state of the art and nobody has a silver bullet for it.
Meanwhile, it remains the case that the overwhelming issue in site security is my own decisions as an implementor, either architectural (e.g. "do administrators share the same login path as tens of thousands of users?") nuts-and-bolts ("did I sanitize each and every one of those queries or did I make an error late at night?") or even strategic ("did I notice that scary article about the new style of attack against compressed HTTP, and note how it applies to my stack and my application?")
Concern over gigantic flaws like this is a good reason not to adopt a brand new unproven framework; but, once a framework matures, it's pretty much random chance whether it's going to suffer a setback like Rails did with YAML input encoding or .NET did with CBC padding oracles.
Though I'm also not crazy about .NET in general, Microsoft does have a pretty vested interest in making it very secure, around the clock.
In all seriousness, I wholeheartedly agree with Patrick. A given platform (ASP.NET or Ruby On Rails) will not be a dominating factor. It's about whether or not you know about risks involved in writing web applications and how you mitigate against it as a developer. If you don't know what you are doing, both .NET and Ruby On Rails solutions will be vulnerable to SQL Injection, CSRF, XSS etc.
Patrick gave you the correct answer in the most concise possible fashion, concision being a virtue on HN. You might try thanking him instead of yelling at him.
Your question doesn't have a good answer. If you're picking based solely on security, my professional opinion is "flip a coin".
After all the fun we had with the NSA lately, and the stories of eg. skype calling home with your (at least) https:// links posted in the chat... Do you trust microsoft that every single piece of their softwarestack has no backdoors? Oh, and security patches for .NET are released regulary, so there are enough bugs, too.
This is my current opinion as you asked for it.
If the NSA wants your server stack, they're going to use the hardware to get it. But the reality is, the NSA doesn't need to backdoor your servers.
Obviously, now and then security vulnerabilities opens up, in all such occasions RoR prompts before you think about MS patch! It is something to do with MS release cycles, even though you can fix it as most of this frameworks (ASP.NET MVC or Web Api) are opensource ones.
I think your question is open ended that you cannot expect one answer.
For example, if you're worried about SQL Injections it is purely a framework like Entity Framework or NHibernate is to question about or in other cases how you're dealing with SQL queries (Are you using StringBuilder to build your query yet?) otherwise there are answers in both the land for every known security issues.
To start with, security isn't really a scalar measurement; a vector maybe closer. But all it takes is one tiny vulnerability in a remote corner of the application to open up the door to complete compromise.
Rather than vulnerabilities in underlying platforms such as .net/asp.net ruby/rails, more vulnerabilities are the result of erroneous application programming or mis-configuration.
And the age of the articles that you mention won't be much help in your search, as vulnerabilities are noticed in very old platforms, such as the recent issue with the old version of rails.
You are more likely to introduce a vulnerability in your application than being exposed to risks by either of these two platforms.