Which is more secure, DotNet or Ruby on Rails? - rman666

I've been building a web app using Ruby on Rails. Recently, someone asked me why I wasn't developing in DotNet, stating that it was much more secure. I searched a bit, but all the articles I found comparing the security of DotNet and Rails seem to be more than a year old. Does anyone have a current opinion on this issue?
======
patio11
The dominating factor in whether your web application is secure or not will
not be whether you choose to write it in .NET or Rails.

~~~
rman666
Geez, thanks for that truly insightful comment!

I'm a CISSP and CISM and a Ruby/Rails developer. I practice secure coding
techniques and know the benefits of security testing.

What I'm asking, if it isn't obvious, is which has more outstanding
vulnerabilities. I'm also asking for opinions on the _current_ security of
each.

~~~
emmett
Neither has any outstanding critical security vulnerabilities, which is normal
for any web framework.

The "security" of a web framework is not a well-defined quantity.

Your question is malformed, and you got an answer that you should listen to:
your choice of web framework is not a very important factor in the security of
your site.

~~~
hardwaresofton
I don't know if that's quite right... There was a huge Rails vulnerability a
little while ago (something to do with YAML executing arbitrary code) -- and
I'm not sure I have seen anything thus far with .NET (not to say it's not there).

If you decide to go with certain versions of .NET, entire attack vectors will
be closed, but ONLY because there are entire sets of features missing that you
might get with Rails.

~~~
mechanical_fish
I typed "zero day .NET" into Google as a proxy for actual research and got
back results from 2010, early 2011, and late 2011. All seemed to be
publicizing critical .NET patches, which is what you want to see.

Presumably this barely scratches the surface of the list of .NET patches with
potential security implications. The ideal security patch goes out quietly and
gets applied quietly, after all.

I'm not going to take the time for a more exhaustive search, because I've got
the knowledge I'm looking for: .NET is not made of magic, such that it has not
had critical patches for half a decade and I can safely choose to let it run
itself. If I run a .NET stack, I'll need to watch for critical patches and
apply them ASAP. If I run a Rails stack I'll need to do the same. This is the
state of the art and nobody has a silver bullet for it.

Meanwhile, it remains the case that the overwhelming issue in site security is
my own decisions as an implementor, either architectural (e.g. "do
administrators share the same login path as tens of thousands of users?")
nuts-and-bolts ("did I sanitize each and every one of those queries or did I
make an error late at night?") or even strategic ("did I notice that scary
article about the new style of attack against compressed HTTP, and note how it
applies to my stack and my application?")

~~~
hardwaresofton
Yes, in the end, as others have stated, it's definitely your job to make sure
that you follow the practices that will make your system safe, but I'm
essentially hoping that .NET is so old that most gaping security holes have
already been found.

------
vadivlkumar
To be honest, being a guy in both lands for a living, ASP.NET has much more to
offer as a base framework that worries about security.

Obviously, now and then security vulnerabilities open up; on all such
occasions RoR prompts before you think about an MS patch! It is something to do
with MS release cycles, even though you can fix it, as most of these frameworks
(ASP.NET MVC or Web API) are open-source ones.

I think your question is so open-ended that you cannot expect one answer.

For example, if you're worried about SQL injection it is purely a question
about a framework like Entity Framework or NHibernate, or in other cases about
how you're dealing with SQL queries (are you using StringBuilder to build your
query yet?); otherwise there are answers in both lands for every _known_
security issue.

~~~
tptacek
Idiomatic code on both Rails and .NET is about equally likely to harbor SQL
injection vulnerabilities.
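
As an added illustration of that point (example code written for this edit, not posted by any commenter): the helpers below are hypothetical stand-ins for an ORM's query builder and only build SQL strings, and the escaping assumes ANSI quote doubling rather than a real driver's server-side parameter binding.

```ruby
# Added example, not from the thread: whether SQL injection is possible depends
# on how the query is built, not on which framework wraps the database.
# The functions are hypothetical stand-ins for an ORM's query API.

# Vulnerable pattern: the caller-supplied value is spliced straight into the
# statement, so a single quote inside it terminates the string literal.
def where_by_interpolation(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# Escape one value as a single SQL string literal (ANSI quote doubling is
# assumed here; a production driver binds parameters instead of building text).
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Fill '?' placeholders positionally. Splitting first means a '?' inside a
# value can never be mistaken for a placeholder.
def bind(sql, *values)
  parts = sql.split("?", -1)
  expected = parts.size - 1
  raise ArgumentError, "expected #{expected} values, got #{values.size}" unless expected == values.size
  parts.zip(values.map { |v| quote_literal(v) } + [""]).flatten.join
end

# Safer pattern: the same query with the value bound through a placeholder.
def where_by_placeholder(name)
  bind("SELECT * FROM users WHERE name = ?", name)
end

# Review aid: list the string literals a statement contains (unescaping doubled
# quotes). A bound value always shows up as exactly one literal; a value that
# broke out of its literal shows up fragmented across several.
def literal_values(sql)
  sql.scan(/'((?:[^']|'')*)'/).flatten.map { |s| s.gsub("''", "'") }
end
```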

------
anonyfox
Since Ruby and Rails are completely open sourced, there are no _backdoors_
involved.... But every now and then some critical _bugs_ occur.

After all the fun we had with the NSA lately, and the stories of e.g. Skype
calling home with your (at least) https:// links posted in the chat... Do you
trust Microsoft that _every single piece_ of their software stack has no
backdoors? Oh, and security patches for .NET are released regularly, so there
are enough bugs, too.

This is my _current opinion_ as you asked for it.

~~~
tptacek
That is a pretty uninformed and unhelpful opinion. Microsoft's code is the
most heavily reverse engineered in the entire industry; code Microsoft ships
is just about the worst possible place to sneak an NSA backdoor, since even
innocuous weirdness is enough to generate a news story about it.

If the NSA wants your server stack, they're going to use the hardware to get
it. But the reality is, the NSA doesn't need to backdoor your servers.

~~~
mtarnovan
[http://en.wikipedia.org/wiki/NSAKEY](http://en.wikipedia.org/wiki/NSAKEY)

~~~
tptacek
Is an urban myth.

------
wglb
I just did an internal communication for my client about which of two
particular platforms is more secure.

To start with, security isn't really a scalar measurement; a vector may be
closer. But all it takes is one tiny vulnerability in a remote corner of the
application to open up the door to complete compromise.

Rather than vulnerabilities in underlying platforms such as .net/asp.net or
ruby/rails, more vulnerabilities are the result of erroneous application
programming or misconfiguration.

And the age of the articles that you mention won't be much help in your
search, as vulnerabilities are noticed in very old platforms, such as the
recent issue with the old version of rails.

You are more likely to introduce a vulnerability in your application than to
be exposed to risks by either of these two platforms.