Tuesday, July 04, 2006
Is Ruby insecure?
There are a variety of tools in the marketplace today that can provide automated analysis of both source and binary code. Tools such as Fortify, Coverity and Abraxas provide useful insight into the quality of a good base.
Since industry analysts tend to focus on features at the expense of security, I figured I would use several tools to determine of what quality Ruby is relative to both Java and .NET. I wanted to also include a version of SmallTalk, more specifically the version that James Robertson evangelizes but wasn't sure of if benchmarking information could be published.
Anyway, Ruby did OK on some metrics but on other aspects it lost the race. The importance of getting security right in terms of secure coding practices is vital for the Ruby community to nail. Hopefully the folks coding Ruby will consider picking up two books: Software Security: Building Security In and 19 Deadly Sins of Software Security for their reading pleasure. Would be interesting to see if they could get the likes of Michael Howard, Gary McGraw, John Viega or someone that is an expert in secure coding practices to contribute expertise to bring Ruby up to enterprise level...
Links to this post: