Stupid security question on Rails - prakster

Is there a way to secure a Rails-deployed app without exposing the source code?
======
astrodust
In terms of deploying an app for a customer without giving the customer
source-code level access, then what you need to do is structure in terms of
Software as a Service, where the customer is only able to access the
application and not the server itself.

As others have pointed out, it might seem like an idea to "obfuscate" the
source code, but really this does nothing to protect your application. For
one, any obfuscation trick, no matter how obscure, is usually easily undone.
Secondly, since Rails depends heavily on the use of eval(), there will be
large chunks of raw code in your application even if, theoretically, it could
be compiled.

Keep in mind you still have a lot of latitude in how you deploy Software as a
Service. You can give your client DB dumps, you can run off your client's DB
platform, if they want their data "in house" and not at some untrusted
facility.

------
tptacek
Can you be more specific about the word "secure"?

If you mean, "can I ship customers a Rails app that they themselves run,
either on their own servers or an appliance, while keeping them from seeing
the source code?", then the answer is "no".

You should be aware that the same answer applies to Python, Perl, Tcl, Java,
and C#. Bytecode is trivially decompiled back to readable source code.

~~~
cstejerean
I think there are pretty good obfuscation tools to provide some degree of
protection to C# or Java apps (although I don't remember if they are free).
But if you have some proprietary code that you don't want anyone to see the
best solution is to run it on your own server and just expose an interface to
code that runs on customer machines.

~~~
tptacek
Bytecode obfuscation is a speed bump. We do more raw X86 than .NET, and
compared to X86 --- which every security consultancy worth its bill rate can
handle now --- obfuscated .NET bytecode is a dream. And that's as mature as we
get now.

------
luminousbit
FiveRuns developed a system for packaging and deploying Ruby/Rails apps without
exposing the source. Bruce Williams presented on it at RubyConf2007:
<http://rubyconf2007.confreaks.com/d2t2p2_desktop_apps.html>

I don't know what the state of the project is, but it looks like what you
wanted.

~~~
tptacek
FiveRuns deploys berkdb's with AES-encrypted compressed Ruby source. I have no
idea what the point of the encryption is here, because it's a speed bump to
someone who wants the source code; the "player" needs the key to run the code,
the key sits in memory, as does the decoded source code.

This system looks even easier to deal with than a typical J2EE app; at least
with J2EE, I have to fix up all the JAD artifacts.

Beware of systems that offer packaged solutions to hard problems, like the
software protection problem.

------
jrockway
No. If someone has only 15 seconds to get the source code, you might be able
to try the encryption mentioned below. Otherwise, it's not possible; if the
computer can run the code, the attacker can read the source code.

It's better to just host the application yourself.

------
aupajo
Well, put it like this. If they're looking at your source code it means
they're already _in_ your production server, and they can do pretty much
whatever the hell they want anyway :)