Which is more secure, DotNet or Ruby on Rails?

6 points by rman666 ↗ HN
I've been building a web app using Ruby on Rails. Recently, someone asked me why I wasn't developing in DotNet, stating that it was much more secure. I searched a bit, but all the articles I found comparing the security of DotNet and Rails seem to be more than a year old. Does anyone have a current opinion on this issue?

19 comments

[ 5.1 ms ] story [ 90.9 ms ] thread
The dominating factor in whether your web application is secure or not will not be whether you choose to write it in .NET or Rails.
Geez, thanks for that truly insightful comment!

I'm a CISSP and CISM and a Ruby/Rails developer. I practice secure coding techniques and know the benefits of security testing.

What I'm asking, if it isn't obvious, is which has more outstanding vulnerabilities. I'm also asking for opinions on the _current_ security of each.

Neither has any outstanding critical security vulnerabilities, which is normal for any web framework.

The "security" of a web framework is not a well-defined quantity.

Your question is malformed, and you got an answer that you should listen to: your choice of web framework is not a very important factor in the security of your site.

I don't know if that's quite right... There was a huge rails vulnerability a little while ago (something to do with YAML executing arbitrary code) -- and I'm not sure I have seen anything thus with .NET (not to say it's not there).

If you decide to go with certain versions of .NET, entire attack vectors will be closed, but ONLY because there are entire sets of features missing that you might get with Rails.

I typed "zero day .NET" into Google as a proxy for actual research and got back results from 2010, early 2011, and late 2011. All seemed to be publicizing critical .NET patches, which is what you want to see.

Presumably this barely scratches the surface of the list of .NET patches with potential security implications. The ideal security patch goes out quietly and gets applied quietly, after all.

I'm not going to take the time for a more exhaustive search, because I've got the knowledge I'm looking for: .NET is not made of magic, such that it has not had critical patches for half a decade and I can safely choose to let it run itself. If I run a .NET stack, I'll need to watch for critical patches and apply them ASAP. If I run a Rails stack I'll need to do the same. This is the state of the art and nobody has a silver bullet for it.

Meanwhile, it remains the case that the overwhelming issue in site security is my own decisions as an implementor, either architectural (e.g. "do administrators share the same login path as tens of thousands of users?") nuts-and-bolts ("did I sanitize each and every one of those queries or did I make an error late at night?") or even strategic ("did I notice that scary article about the new style of attack against compressed HTTP, and note how it applies to my stack and my application?")

Yes, in the end, as others have stated, it's definitely your job to make sure that you follow the practices that will make your system safe, but I'm essentially hoping that .NET is so old that most gaping security holes have already been found
.NET had a gigantic vulnerability just a few years ago due to pushing an encrypted blob out to users that was CBC encrypted but not authenticated; the result in many apps was direct remote code execution. Juliano Rizzo and Thai Duong won a Pwnie for it, I think.

Concern over gigantic flaws like this is a good reason not to adopt a brand new unproven framework; but, once a framework matures, it's pretty much random chance whether it's going to suffer a setback like Rails did with YAML input encoding or .NET did with CBC padding oracles.

Definitely agree here too, but, the point I'd like to make is at least, a framework that has been around longer (like .NET) has already had it's tires kicked, and most of the low hanging fruit has been picked.

Though I'm also not crazy about .NET in general, Microsoft does have a pretty vested interest in making it very secure, around the clock.

Geez, if you know so much about security then why are you asking us?

In all seriousness, I wholeheartedly agree with Patrick. A given platform (ASP.NET or Ruby On Rails) will not be a dominating factor. It's about whether or not you know about risks involved in writing web applications and how you mitigate against it as a developer. If you don't know what you are doing, both .NET and Ruby On Rails solutions will be vulnerable to SQL Injection, CSRF, XSS etc.

Just so you know, writing things like "I'm a CISSP and CISM" to establish your authority in message board arguments is not sending the signal you want it to.

Patrick gave you the correct answer in the most concise possible fashion, concision being a virtue on HN. You might try thanking him instead of yelling at him.

Your question doesn't have a good answer. If you're picking based solely on security, my professional opinion is "flip a coin".

I don't mean to be a dick, but the CISSP is a weak certification. You could just do rote memorization for it. Being sarcastic and throwing around letters like CISSP makes you sound childish and uninformed.
@patio11 - I'm the OP. It appears the consensus is that I was rude in my reply your comment, and perhaps a bit childish in referencing my certifications. I apologize. I guess I was looking for a black & white answer, and I should have know there isn't one. Again, my apologies.
Since Ruby and Rails are completely open sourced, there are no backdoors involved.... But every now and then some critrical bugs occur.

After all the fun we had with the NSA lately, and the stories of eg. skype calling home with your (at least) https:// links posted in the chat... Do you trust microsoft that every single piece of their softwarestack has no backdoors? Oh, and security patches for .NET are released regulary, so there are enough bugs, too.

This is my current opinion as you asked for it.

That is a pretty uninformed and unhelpful opinion. Microsoft's code is the most heavily reverse engineered in the entire industry; code Microsoft ships is just about the worst possible place to sneak an NSA backdoor, since even innocuous weirdness is enough to generate a news story about it.

If the NSA wants your server stack, they're going to use the hardware to get it. But the reality is, the NSA doesn't need to backdoor your servers.

To be honest, being a guy in both lands for living, ASP.NET is much more to offer as a base framework that worries about security.

Obviously, now and then security vulnerabilities opens up, in all such occasions RoR prompts before you think about MS patch! It is something to do with MS release cycles, even though you can fix it as most of this frameworks (ASP.NET MVC or Web Api) are opensource ones.

I think your question is open ended that you cannot expect one answer.

For example, if you're worried about SQL Injections it is purely a framework like Entity Framework or NHibernate is to question about or in other cases how you're dealing with SQL queries (Are you using StringBuilder to build your query yet?) otherwise there are answers in both the land for every known security issues.

Idiomatic code on both Rails and .NET is about equally likely to harbor SQL injection vulnerabilities.
I just did an internal communication for my client about of two particular platforms, which is more secure.

To start with, security isn't really a scalar measurement; a vector maybe closer. But all it takes is one tiny vulnerability in a remote corner of the application to open up the door to complete compromise.

Rather than vulnerabilities in underlying platforms such as .net/asp.net ruby/rails, more vulnerabilities are the result of erroneous application programming or mis-configuration.

And the age of the articles that you mention won't be much help in your search, as vulnerabilities are noticed in very old platforms, such as the recent issue with the old version of rails.

You are more likely to introduce a vulnerability in your application than being exposed to risks by either of these two platforms.