"Cutting with Safety Scissors"
August 31st, 2007
James McGovern recently published an article on insecurities in Ruby on Rails, and it has sparked some conversation. I am going to address the issues I have with what was stated, and also agree completely with the parts he gets right.
Starting with the bad, I have to say that James makes a good point about the lack of tools, the lack of a managed runtime, blah blah blah (insert random serverside.com Ruby FUD here). It is all true, no matter how you cut it. Ruby does give you enough rope to hang yourself with, and if you aren't careful with it then you can have very serious problems.
Now to get to several points that are also very very true about Ruby that James did not cover. He didn't even begin to mention the presence of JRuby, which integrates fully into Java allowing you to take advantage of the security frameworks that they have in place. Ruby does have managed runtime environments in the way of the JVM and CLR/DLR. These things are much newer than the Ruby hype and I can see how they would be overlooked, so I just wanted to make everyone aware that these things DO exist.
Secondly, I need to take very serious note of some HUGE assumptions and sweeping generalizations about processes and people. James notes that people should look into secure coding practices, etc., which is VERY good advice. There is one thing he didn't address about the general population of core Ruby developers, though. The few (by few I mean a few hundred) developers that I have met and coded with in the Ruby space are all very aware of secure coding practices, as well as the implications of not testing code properly. While Ruby might still be in its infancy, the core group of people professionally developing with Ruby is far from it.
Lastly, I would like to note some things I have heard that pretty much hit the nail on the head when it comes to unjustified comparisons (not to be rude, James, but you have made some sweeping generalizations). Glen Vanderburg (I am not sure if he was the original source, but I remember him saying it) noted that bad developers will move heaven and earth to do the wrong thing. You can put all the good measures in place that you want to, but if you have a poor development team you will still suffer "code VD". Another thing I love to point out is that you get a lot of bad developers in the Java space (there are also some really great ones). It's not because Java is a bad language (I still get paid to write Java code), but to quote (I can't remember who said this one) "Java is like cutting with safety scissors". It's actually pretty hard to write insecure code with all of the IDE tools and analysis tools, etc. that are out there, but people still manage to produce bad Java apps just the same.
Honestly, James does make some very relevant points, and there is some truth to what he says, so I really can't be that bent out of shape that he is pointing these things out. I can, however, state that it was said in a very uneducated fashion. If more research had been done, James would have found that not everything he said was exactly true, and that a closer look at the Ruby community would show there is actually a lot of thought that goes into the process, structure and quality of most of the Ruby apps being developed today.
On "getting it" and the New Risk Hotness
August 28th, 2007
So yesterday I attended a training session put on by Risk Management Insight (blog) and put a lot of pieces together. These guys simply get it. I have worked on and off with them over the past year or so helping them develop their risk analysis software (yep... Enterprise RoR!) and learned a lot just hanging around. Yesterday put all the missing pieces together for me, though, and I have to say it's well worth it to seek these guys out and get some of their risk-fu. Seriously, if you are doing anything in information security you need to at the very least read the white paper by Jack Jones (of RMI) and soak up a bit of what he's pouring out. Once you read it you will see the way things should be in a whole new light. So stop reading my blog and go read something useful!
Which Programming Language Are You?
August 23rd, 2007
LDAP Code From the Land of the Lost
August 22nd, 2007
So a while ago (April) I did a presentation for the CRB, and I was just notified by one of the members today that I forgot to post the slides and code from the presentation. So for anyone looking for some LDAP on Ruby, look no further. The slides are none too pretty because, like any great speaker (not that I am one...), I did my slides about an hour before the talk, but the code is good and works just fine as a pretty well-rounded example of what you can do with Ruby and LDAP. To get the code click HERE and to get the slides click HERE.
The New Mac Keyboard
August 21st, 2007
So being the self-respecting geek that I am, I had to go out and buy one of the new keyboards from the Apple store. I purchased it at lunch yesterday and I must say that although it takes a little bit of getting used to, I am a fan. I would recommend this to the rest of you slackers that haven't gone to the Apple store in a while. Plus, who doesn't love new Apple schwag?
Score one more for Ruby
August 17th, 2007
I have no idea how I missed this one, but the Metasploit Framework has been ported to Ruby. This is probably one of the coolest and most dangerous tools in the security space. It features a robust command line toolkit, as well as a Rails-powered point, click, and sploit web interface. I have also noticed that there is a gtk2-based GUI, but I have yet to install the proper Ruby bindings on my Mac to see how it looks and works. This seems to be a full port to Ruby and they have done a pretty good job of coding it. I will certainly be offering some of my time to help out with the project now, as I use it quite a bit when I am doing security contract work.
Cryptographic Strength Provably Random Number Generator
August 13th, 2007
So a couple of friends and I are starting a new open source project. If any of you remember the LavaRnd project, it is the basis of our idea. All you need is one of the supported cameras and a solid enclosure and you can quickly get cryptographic strength provably random numbers. What we are going to do is take this a step further and create a live CD for people to use. The goal is to create something that people can easily consume using old hardware lying around and the live CD. The feature set that has been mapped out includes:
- Easy to use admin console on the console itself for configuration
- Web service to produce random data with lightweight set of input parameters
- OpenSSL signing on all requests to verify that the random data is truly coming from the expected source
- A full test suite to statistically prove that the data being generated is truly random
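As an added illustration (not code from the project described above) of the last two features, the following Ruby sketches a signed random-data response a client can verify against the service's public key, plus a monobit frequency check of the kind a statistical test suite would start with. SecureRandom stands in for the camera-derived entropy, and the RSA key is generated on the spot; a real service would load a persistent key and publish its public half. Note that such tests can only detect bias, not prove randomness.

```ruby
require 'openssl'
require 'securerandom'

# Hypothetical service signing key, generated here for the example; a real
# deployment would load a persistent key and distribute its public half.
SERVICE_KEY = OpenSSL::PKey::RSA.new(2048)

# Service side: produce random bytes and sign them with SHA-256/RSA so a
# client can confirm the data came from the expected source.
# SecureRandom is a stand-in for the camera-based entropy source.
def random_response(nbytes)
  data = SecureRandom.random_bytes(nbytes)
  sig = SERVICE_KEY.sign(OpenSSL::Digest::SHA256.new, data)
  { data: data, signature: sig }
end

# Client side: verify the signature with the service's public key.
# Returns false if either the data or the signature was altered in transit.
def verify_response(pub_key, resp)
  pub_key.verify(OpenSSL::Digest::SHA256.new, resp[:signature], resp[:data])
end

# Monobit frequency test: fraction of one-bits in the sample. An unbiased
# source gives roughly 0.5; a large deviation indicates a defective source.
def ones_ratio(data)
  ones = data.each_byte.sum { |b| b.to_s(2).count('1') }
  ones.to_f / (data.bytesize * 8)
end

# Crude pass/fail on the monobit test. With 4096 bytes (32768 bits) the
# expected spread of the ratio is about 0.003, so 0.02 is a generous bound.
def looks_unbiased?(data, tolerance = 0.02)
  (ones_ratio(data) - 0.5).abs <= tolerance
end

if __FILE__ == $0
  resp = random_response(4096)
  pub = OpenSSL::PKey::RSA.new(SERVICE_KEY.public_key.to_pem)
  puts "signature valid: #{verify_response(pub, resp)}"
  puts "ones ratio: #{ones_ratio(resp[:data]).round(4)}"
end
```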



