James McGovern recently published an article on insecurities in Ruby on Rails, and it has sparked some conversation. I am going to go ahead and address the issues I have with what was stated, as well as point out where I completely agree with him.
Starting with the bad, I have to say that James makes a good point about the lack of tools, the lack of a managed runtime, blah blah blah (insert random serverside.com Ruby FUD here). It is all true, no matter how you cut it. Ruby does give you enough rope to hang yourself with, and if you aren't careful with it you can have very serious problems.
Now to get to several points that are also very true about Ruby but that James did not cover. He didn't even begin to mention the presence of JRuby, which integrates fully with Java and lets you take advantage of the security frameworks already in place there. Ruby does have managed runtime environments in the form of the JVM and the CLR/DLR. These things are much newer than the Ruby hype, and I can see how they would be overlooked, so I just want to make everyone aware that they DO exist.
Secondly, I need to take very serious issue with some HUGE assumptions and sweeping generalizations about processes and people. James notes that people should look into secure coding practices, etc., which is VERY good advice. There is one thing he didn't address about the general population of core Ruby developers, though. The few (by few I mean a few hundred) developers that I have met and coded with in the Ruby space are all very aware of secure coding practices, as well as the implications of not testing code properly. While Ruby might still be in its infancy, the core group of people professionally developing with Ruby are far from it.
Lastly, I would like to note some things I have heard that pretty much hit the nail on the head when it comes to this kind of unjustified generalization (not to be rude, James, but you have made some sweeping generalizations). Glenn Vanderburg (I am not sure if he was the original source, but I remember him saying it) noted that bad developers will move heaven and earth to do the wrong thing. You can put all the good measures in place that you want, but if you have a poor development team you will still suffer "code VD". Another thing I love to point out is that you get a lot of bad developers in the Java space (there are also some really great ones too). It's not because Java is a bad language (I still get paid to write Java code), but to quote (I can't remember who said this one), "Java is like cutting with safety scissors". It's actually pretty hard to write insecure code with all of the IDE tools, analysis tools, etc. that are out there, but people still manage to produce bad Java apps just the same.
Honestly, James does make some very relevant points, and there is some truth to what he says, so I really can't be that bent out of shape that he is pointing these things out. I can, however, state that what was said was said in a very uneducated fashion. If more research had been done, James would have found that not everything he said was exactly true, and a closer look into the Ruby community would show that there is actually a lot of thought going into the process, structure and quality of most of the Ruby apps being developed today.