[Brug-talk] using RoR for a "serious" site: how about security and performance ?
Nick Boucart
nboucart at gmail.com
Wed Oct 3 07:56:10 EDT 2007
Hi,
Around security, be sure to check out:
http://www.quarkruby.com/2007/9/20/ruby-on-rails-security-guide and
http://www.rorsecurity.info/ruby-on-rails-security-cheatsheet/
The first link contains tons of info. It focuses on Rails but is applicable
to all database-driven websites: SQL injection can happen everywhere and
requires a developer to be alert each and every time he/she writes a query
based upon input from the user. Same with cross-site scripting: if you allow
your users to enter script tags in your forms and you render this without
proper escaping, you have a security issue, regardless of whether you use PHP,
Rails or Java... Same for password encryption and so on...
With regard to scalability and what the larger websites of this world run
upon, a recent article I came across talks about this.
http://royal.pingdom.com/?p=173
An interesting read on scaling a large rails app can be found here
http://poocs.net/2006/3/13/the-adventures-of-scaling-stage-1
Regards,
Nick.
On 10/3/07, Peter De Berdt (10-forward) <peter at 10-forward.be> wrote:
>
> On 10 Aug 2007, at 19:16, Peter Vandenabeele wrote:
>
>> I am Peter Vandenabeele and new to RoR. If I would build a
>> site that would contain confidential data (e.g. a list of users,
>> trusting me to not leak info like e.g. their e-mail addresses,
>> real name, ...) and the site needs to process a large number
>> of hits, would RoR then be a good candidate ?
>
>
> Sure, I've found Rails applications to be nicely scalable and optimizable,
> and you can do it when there's a need:
> • Caching
> • Balancing (e.g. database on one server, web servers on another, …)
> • Memcache for even more speed
> • …
>
>> On the security side for Web applications, a lot of issues need
>> to be taken into account: cross-site scripting, SQL injection,
>> session cookies, etc. etc. How mature is RoR on the security
>> side for "serious" applications? How fast are security problems
>> resolved ? Do we know of security flaws that were exploited ?
>> How does RoR compare against other common server
>> technologies like Java and PHP ?
>
>
> Java and PHP are just as vulnerable to the security issues you are
> mentioning. That said, if you follow proper procedure like escaping the data
> from the database in your views etc., Rails is very secure. It has
> everything in it for you to make sure security is tight. The Agile Web
> Development with Rails book has a chapter on these issues.
>
>> On the performance side, Ruby is a scripting language, but
>> do I understand correctly that e.g. JRuby and other initiatives
>> may allow faster execution ? Does Ruby also offer things like
>> "hot spot" run-time compilers etc. ? Or is performance
>> already better than other technologies, so this is a non-issue ?
>
>
> Ruby (current version) is slower at certain things than some other
> languages out there, but it develops a lot faster and is easily
> maintainable. With the performance of computers nowadays and the fact that
> most of the time to process a request is spent in the database queries, I
> consider this a non-issue.
>
>> Actually, do we know publicly in which server technologies
>> really big sites like LinkedIn, Xing, Spock and, closer to home,
>> netlog, are built ?
>
>
> Could be just about anything, but it shouldn't matter to you. It's
> important you use the language and framework you feel good about, and Rails
> development does that for me.
>
>> Do we know of large cases of publicly accessible sites, containing
>> sensitive data, that _are_ built in RoR. This list:
>>
>> http://www.workingwithrails.com/browse/sites/country/Belgium
>>
>> was not that reassuring ... (might make sense to list a few more
>> Belgian RoR projects there). And even on this list,
>>
>> http://www.workingwithrails.com/browse/sites/country/United+States
>>
>> I did not immediately recognize large names (but that may just be me).
>
>
> 37signals and twitter are well known if you ask me.
>
> Best regards.
>
>
> Peter De Berdt
> Research & Development
> Software Expert
>
> ______________________
> *10-forward*
> Zwarteweg 28
> B-8433 Middelkerke
> Mobile : (0473) 38 35 86
> info at 10-forward.be
> http://www.10-forward.be
> ______________________
>
> _______________________________________________
> Brug-talk mailing list
> Brug-talk at rubyforge.org
> http://rubyforge.org/mailman/listinfo/brug-talk
>
>
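The two points the thread keeps coming back to, that a query built from user input needs parameter binding and that user content rendered in a view needs escaping, are easier to see in code than in prose. The following is an added example written for this archive page, not code from either poster or from the linked guides. It uses only the Ruby standard library: the `sql_with_bind` function returns the `[sql, binds]` pair in the shape ActiveRecord's `where(["name = ?", name])` hands to the driver (a modelled shape, not a call into Rails), and `ERB::Util.html_escape` is the stdlib helper behind Rails' `h()`. The sample inputs are constructed; the apostrophe in "O'Brien" shows that even a perfectly legitimate value breaks a query assembled by string interpolation.

```ruby
require 'erb'

# Constructed sample inputs (not taken from the mailing-list thread).
USER_NAME    = "O'Brien"                                      # legitimate value containing a quote
USER_COMMENT = "<script>alert('hi')</script> & <b>bold</b>"   # the script tags the thread warns about

# Vulnerable pattern: the user's value is spliced into the SQL text itself,
# so any quote character in the value changes the structure of the statement.
def sql_by_interpolation(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# Hardened pattern: the SQL text is fixed and the value travels separately as
# a bind parameter. Returns [sql, binds] so the separation is visible; this
# models the shape of ActiveRecord's where(["name = ?", name]) (assumption:
# the real driver receives the two parts separately and never re-parses binds).
def sql_with_bind(name)
  ["SELECT * FROM users WHERE name = ?", [name]]
end

# Quick structural check: a well-formed single-value equality test contains
# exactly two quote characters (or none when a bind placeholder is used).
# An odd count means the value has leaked into the query grammar.
def quote_count(sql)
  sql.count("'")
end

# XSS: the vulnerable view trusts the stored comment and emits it verbatim.
def render_unescaped(comment)
  "<p>#{comment}</p>"
end

# Hardened view: HTML metacharacters (<, >, &, ", ') are escaped with the
# stdlib helper that Rails' h() wraps, so tags in the comment render as text.
def render_escaped(comment)
  "<p>#{ERB::Util.html_escape(comment)}</p>"
end

# True when the rendered fragment no longer contains a raw <script> element.
def script_tag_neutralised?(html)
  !html.include?("<script>")
end

if __FILE__ == $0
  puts sql_by_interpolation(USER_NAME)   # three quotes: the statement is now malformed
  p    sql_with_bind(USER_NAME)          # value stays a bind parameter, SQL text unchanged
  puts render_unescaped(USER_COMMENT)    # script element reaches the browser
  puts render_escaped(USER_COMMENT)      # &lt;script&gt;... rendered as harmless text
end
```

Running the file prints the four renderings side by side; the `quote_count` and `script_tag_neutralised?` helpers are the kind of assertion you would put in a unit test around any view or finder that takes user input.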