Ruby on Rails in Financial Services Applications

15 Mar 2007 - 2:18pm
4 replies
Cecily Walker
2006

I was just part of a hallway conversation here at work about whether
many financial services institutions use Ruby on Rails in their secure
areas. For example, how many banks are using it in their online
banking applications, and what were their concerns about security?

If you work in the financial services arena (banks, accountancy firms,
etc.) and you've used Ruby on Rails, or if you're convinced that it
isn't secure enough to be used for financial transactions, would you
mind sharing your experiences/opinions?

Thanks!

Comments

15 Mar 2007 - 3:51pm
David Pallotta
2007

I have a couple of clients using RoR, but not in the financial world. I have
heard some vague concerns with the security, but nothing too serious. My
problem is finding good candidates with RoR for NYC.

-----Original Message-----
From: discuss-bounces at lists.interactiondesigners.com
[mailto:discuss-bounces at lists.interactiondesigners.com] On Behalf Of Cecily
Walker
Sent: Thursday, March 15, 2007 3:18 PM
To: discuss at ixda.org
Subject: [IxDA Discuss] Ruby on Rails in Financial Services Applications

I was just part of a hallway conversation here at work about whether
many financial services institutions use Ruby on Rails in their secure
areas. For example, how many banks are using it in their online
banking applications, and what were their concerns about security?

If you work in the financial services arena (banks, accountancy firms,
etc.) and you've used Ruby on Rails, or if you're convinced that it
isn't secure enough to be used for financial transactions, would you
mind sharing your experiences/opinions?

Thanks!
________________________________________________________________
Welcome to the Interaction Design Association (IxDA)!
To post to this list ....... discuss at ixda.org
List Guidelines ............ http://listguide.ixda.org/
List Help .................. http://listhelp.ixda.org/
(Un)Subscription Options ... http://subscription-options.ixda.org/
Announcements List ......... http://subscribe-announce.ixda.org/
Questions .................. lists at ixda.org
Home ....................... http://ixda.org/
Resource Library ........... http://resources.ixda.org

15 Mar 2007 - 6:46pm
Matt Pelletier
2006

Cecily,

Hi. Rails is just as secure as any other Web framework, and in my experience
tends to be more secure 'out of the box' than many frameworks because it
encourages good practices and watches for the common pitfalls. Most security
problems in the Web are the result of poorly written code, poorly designed
networks (firewalls, web servers, etc.) or are JavaScript related. Rails is
used for plenty of online ecommerce sites, and I know there are teams
working at financial companies using Rails internally.

Rails deals well with known problems like XSS, SQL injection, and so on.

My company (EastMedia) wrote an OpenID Identity server for VeriSign last
year (which has been open-sourced through the Apache Heraldry project, more
info at http://identity.eastmedia.com), and it went through a pretty
thorough series of security checks and passed them all (VeriSign *does* know
security). I would be happy to elaborate if you're interested in more
information.

What kind of application did you have in mind? The audience, the entry
points, and the general network structure will probably play a stronger role
in determining security concerns than the Web framework that is used to
build the application.

Cheers,
Matt

------------------
Matt Pelletier
http://www.eastmedia.com -- EastMedia
http://www.informit.com/title/0321483502 -- The Mongrel Book
http://identity.eastmedia.com -- OpenID, Identity 2.0

On 3/15/07, Cecily Walker <cecily.walker at gmail.com> wrote:
>
> I was just part of a hallway conversation here at work about whether
> many financial services institutions use Ruby on Rails in their secure
> areas. For example, how many banks are using it in their online
> banking applications, and what were their concerns about security?
>
> If you work in the financial services arena (banks, accountancy firms,
> etc.) and you've used Ruby on Rails, or if you're convinced that it
> isn't secure enough to be used for financial transactions, would you
> mind sharing your experiences/opinions?
>
> Thanks!


15 Mar 2007 - 9:42pm
Mike Brown
2007

Not my experience, but I know of PlanHQ <http://www.planhq.com>, which
has just launched and is written in Ruby on Rails.

It's primarily for business planning, although it has a financial services
component, and they're obviously comfortable with the security aspects
of RoR.

Mike

Cecily Walker wrote:
> I was just part of a hallway conversation here at work about whether
> many financial services institutions use Ruby on Rails in their secure
> areas. For example, how many banks are using it in their online
> banking applications, and what were their concerns about security?
>
> If you work in the financial services arena (banks, accountancy firms,
> etc.) and you've used Ruby on Rails, or if you're convinced that it
> isn't secure enough to be used for financial transactions, would you
> mind sharing your experiences/opinions?
>
> Thanks!

16 Mar 2007 - 6:51am
Fredrik Matheson
2005

[Forwarded on behalf of Aslak Hellesøy]

Short answer: RoR *is* secure enough for banking.

Longer answer: It's hard to give an exhaustive answer here - I'll give you
some views on whether I think it is secure enough on the web tier. This
really boils down to the following questions:

*1) Can a RoR app be deployed on a web server that is secure enough?*
A RoR app sits behind a regular web server and relies on this web server to
provide an HTTPS connection (secure HTTP). The most common web servers are
Apache, Lighttpd, Mongrel and Litespeed http://litespeedtech.com/. For
banking I would recommend checking out Litespeed, as it is a commercial
product and it seems to have good security characteristics. There might be
other good enough web server options too. Soon you'll be able to deploy RoR
apps in classic J2EE containers too.

*2) Does RoR provide internal mechanisms to protect against intrusion
attacks such as SQL injection and URL hacking?*
Yes it does. Only one big security hole has been found AFAIK (about 6 months
ago), and a patch to fix it was published the following day. This is the way
open source works: security holes are extremely short lived.

*3) Can you hire developers that will know how to write a RoR app in a
secure way?*
Despite technical security features in the communication protocols (HTTPS)
and application frameworks (RoR) you still need developers who won't screw
it up. Most security holes are logic errors (bugs) made by application
developers.
For more info on RoR security and banking:
JPMorgan Chase seems to be using it: http://odeo.com/audio/2326057/view
RoR's creator says it's secure enough:
http://www.regdeveloper.co.uk/2006/02/16/ruby_rails/
A blog on RoR security: http://www.rorsecurity.info/

As an example of how it's ready for big volumes, consider
http://www.basecamphq.com/ (over a million users) and http://odeo.com/ (lots of
users, not sure how many though). There are several more examples of "big"
sites built on RoR.

My 2 cents.
Cheers,

B | aslak hellesøy, cto
E | +47 982 19 452, aslak at bekk.no, http://blog.aslakhellesoy.com/
K | bekk consulting as, pb. 134 sentrum, 0102 oslo, norway
K | www.bekk.no
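
The framework-level protections Matt and Aslak both refer to (SQL injection and XSS) and the kind of application logic error Aslak's third point says no framework can catch, shown side by side as an added example. This is not code from the thread or from Rails itself; it is plain Ruby using only the standard library, and the account table, user names and function names are constructed for illustration:

```ruby
require "erb"

# Added illustration in plain Ruby (no Rails); every name and value below is
# constructed for the example.

# ---- 1. SQL injection: string interpolation vs. bound parameters ----------

# Vulnerable: untrusted input becomes part of the SQL text, so a quote in the
# input changes the structure of the statement itself.
def vulnerable_account_query(account_number)
  "SELECT * FROM accounts WHERE number = '#{account_number}'"
end

# Safe: the statement is a fixed template and the value travels separately as
# a bind parameter (the shape Rails builds from
# :conditions => ["number = ?", account_number]).
def safe_account_query(account_number)
  { sql: "SELECT * FROM accounts WHERE number = ?", binds: [account_number] }
end

# ---- 2. XSS: escape user-controlled text before it reaches HTML -----------

def unsafe_greeting_html(display_name)
  "<p>Welcome, #{display_name}</p>"
end

# ERB::Util.html_escape is the same escaping the Rails `h` view helper applies.
def safe_greeting_html(display_name)
  "<p>Welcome, #{ERB::Util.html_escape(display_name)}</p>"
end

# ---- 3. A logic error the framework cannot see: object-level authorization

# Constructed in-memory stand-in for an accounts table.
ACCOUNTS = {
  101 => { owner: "alice", balance: 500 },
  102 => { owner: "bob",   balance: 900 },
}.freeze

# Bug: the account id comes from the URL and is trusted as-is, so any
# authenticated user can read any account. Neither Rails nor the web server
# has any way to know this is wrong; it is a developer logic error.
def account_unscoped(_current_user, id)
  ACCOUNTS[id]
end

# Fix: resolve the id only within the accounts the current user owns.
def account_scoped(current_user, id)
  account = ACCOUNTS[id]
  account if account && account[:owner] == current_user
end

if __FILE__ == $0
  tainted = "x' OR '1'='1"
  puts vulnerable_account_query(tainted)   # statement structure altered
  p    safe_account_query(tainted)          # tainted text stays a bound value
  puts unsafe_greeting_html("<b>bob</b>")   # markup passes through
  puts safe_greeting_html("<b>bob</b>")     # markup rendered as text
  p    account_unscoped("alice", 102)       # bob's account is returned
  p    account_scoped("alice", 102)         # nil
end
```

The first two cases are what a framework can take off the developer's plate: parameter binding and output escaping are mechanical. The third is Aslak's point about hiring; the scoped lookup is one line longer than the unscoped one, and only the developer knows it is required.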
