[Brug-talk] using RoR for a "serious" site: how about security and performance ?

Peter De Berdt (10-forward) peter at 10-forward.be
Wed Oct 3 07:42:15 EDT 2007


On 10 Aug 2007, at 19:16, Peter Vandenabeele wrote:

> I am Peter Vandenabeele and new to RoR. If I were to build a
> site that would contain confidential data (e.g. a list of users,
> trusting me not to leak info like e.g. their e-mail addresses,
> real name, ...) and the site needs to process a large number
> of hits, would RoR then be a good candidate?

Sure, I've found Rails applications to be nicely scalable and
optimizable, and you can do it when there's a need:
• Caching
• Balancing (e.g. database on one server, web servers on another, …)
• Memcache for even more speed
• …

> On the security side for Web applications, a lot of issues need
> to be taken into account: cross site scripting, SQL injection,
> session cookies, etc. etc. How mature is RoR on the security
> side for "serious" applications? How fast are security problems
> resolved? Do we know of security flaws that were exploited?
> How does RoR compare against other common server
> technologies like Java and PHP?

Java and PHP are just as vulnerable to the security issues you are
mentioning. That said, if you follow proper procedures like escaping
the data from the database in your views etc., Rails is very secure.
It has everything in it for you to make sure security is tight. The
Agile Web Development with Rails book has a chapter on these issues.

> On the performance side, Ruby is a scripting language, but
> do I understand correctly that e.g. JRuby and other initiatives
> may allow faster execution? Does Ruby also offer things like
> "hot spot" run-time compilers etc.? Or is performance
> already better than other technologies, so this is a non-issue?

Ruby (current version) is slower at certain things than some other  
languages out there, but it develops a lot faster and is easily  
maintainable. With the performance of computers nowadays and the fact  
that most of the time to process a request is spent in the database  
queries, I consider this a non-issue.

> Actually, do we know publicly in which server technologies,
> really big sites like LinkedIn, Xing, Spock and closer to home,
> netlog, are built ?

Could be just about anything, but it shouldn't matter to you. It's  
important you use the language and framework you feel good about, and  
Rails development does that for me.

> Do we know of large cases of publicly accessible sites, containing
> sensitive data, that _are_ built in RoR? This list:
>
>   http://www.workingwithrails.com/browse/sites/country/Belgium
>
> was not that reassuring ... (it might make sense to list a few more
> Belgian RoR projects there). And even on this list,
>
>   http://www.workingwithrails.com/browse/sites/country/United+States
>
> I did not immediately recognize large names (but that may just be me).

37signals and Twitter are well known, if you ask me.

Best regards.


Peter De Berdt
Research & Development
Software Expert

______________________
10-forward
Zwarteweg 28
B-8433  Middelkerke
Mobile : (0473) 38 35 86
info at 10-forward.be
http://www.10-forward.be
______________________
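As an added illustration of the "escape the data from the database in your views" advice in the reply above (example code, not from the original thread and not Rails' own source): a plain-Ruby sketch of two Rails-style ERB view fragments rendering a constructed user record, with h() defined here as a wrapper around ERB::Util.html_escape (the same escaping Rails' h() helper performs), plus a constructed placeholder-quoting routine standing in for ActiveRecord's ["name = ?", value] conditions form.

```ruby
require 'erb'

# Rails exposes h() in views; here it is defined explicitly as a thin
# wrapper around the stdlib escaper so the script runs without Rails.
def h(value)
  ERB::Util.html_escape(value)
end

# Constructed sample record, as it might come back from the database.
# The display name carries markup a user could have typed at sign-up.
USER = { name: %q{Ann <script>alert('xss')</script>}, email: "ann@example.com" }

# Two minimal ERB view fragments: the first interpolates the stored value
# raw, the second runs it through h() before it reaches the page.
UNESCAPED_VIEW = "<li><%= user[:name] %> (<%= user[:email] %>)</li>"
ESCAPED_VIEW   = "<li><%= h user[:name] %> (<%= h user[:email] %>)</li>"

# Renders a template with `user` visible to it, like a view's instance data.
def render(template, user)
  ERB.new(template).result(binding)
end

# True when the rendered HTML still contains a live <script> element,
# i.e. the stored value was able to add markup to the page.
def script_injected?(html)
  html.include?("<script>")
end

# SQL side: with the placeholder form the value is quoted as a literal and
# any embedded quote is doubled. This is a constructed stand-in for what
# ActiveRecord does with ["name = ?", value], shown for illustration only.
def quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

def conditions(template, *values)
  template.gsub("?") { quote(values.shift) }
end

if __FILE__ == $0
  puts render(UNESCAPED_VIEW, USER)   # markup survives into the page
  puts render(ESCAPED_VIEW, USER)     # markup rendered as inert text
  puts conditions("name = ? AND email = ?", "O'Brien", USER[:email])
end
```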


