
As a counter-point (and I know nothing about Gitlab), GitHub and Shopify are both prominent Rails apps with pretty good security records. GitHub wrote about it last year: https://github.blog/engineering/architecture-optimization/bu...

I think the answer to your question is the same as any large application: pay attention to your supply chain, architect your systems well, if you don’t know how to do things securely go learn before building (or learn as you go, but that has consequences typically).



Of course, it's definitely not impossible to write secure Rails apps, just like anything else; it's hard to know from the outside what that says about Rails in particular. For example, PHP had a lot of rough edges, but Facebook still managed to take it to the highest heights as far as websites go. I'm not arguing Rails is like PHP, but I see a commonality:

- PHP had a really good developer experience (even with the rough edges, for the time), but building robust applications on PHP could prove quite challenging. It has gotten a lot better, but there are still remnants all over from the past.

- Ruby, likewise, seems to have a really good developer experience, and indeed it seems Rails apps sometimes suffer with robustness and reliability. Not just GitLab, but also Twitter in the past, too.

I think some people may read what I'm saying and think I'm just a hater, but not really. I actually just wonder if what I see with GitLab is telling us more about GitLab, or if it's telling us more about Ruby or Rails. Is it hard to make robust Rails software?

> I think the answer to your question is the same as any large application: pay attention to your supply chain, architect your systems well, if you don’t know how to do things securely go learn before building (or learn as you go, but that has consequences typically).

This is good general advice but I am aiming more specifically. I'm wondering if anyone with more expertise could answer to what classes of issues you have to work to avoid. I know Shopify was working on gradual static typing for Ruby: is dynamic typing a problem? That sort of thing.

Of course, you can write both secure and insecure code in any programming language in many different ways, but some ecosystems make it easier and harder and I think that's more what I'm getting at.

Frankly, even if it's true that it's tricky to make Rails apps secure, that wouldn't really dissuade me from still using it in some cases if it seemed like it could save me a lot of time and effort. That's pretty much exactly why I used Django to begin with; I definitely don't feel like Django was the most robust platform to write webapps in, just a very productive one (that was still decently robust in my experience, but you know, YMMV.)


Rails has excellent defaults out of the box for security. You have to go out of your way to explicitly get around them, like with parameter whitelisting and SQL sanitizing.

I don’t see as many CVEs, at least to my knowledge, with GitHub or Shopify. Not that they haven’t happened, but they seem to happen _much_ less. Stripe is mostly Ruby, though not Rails, and has done well with security.

My suspicion from outside of Gitlab is that it’s a quality and prioritization problem. Security is hard. It requires very deliberate decision making and investment. Ruby and Rails are generally very stable, but you can use them to crazy ends if you allow yourself to.
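To make the two defaults the comment above mentions concrete, here is an added illustration (not code from Rails, GitHub, Shopify or the commenter): a plain-Ruby stand-in for strong-parameter whitelisting and for ActiveRecord-style `?` placeholder sanitizing, with the "going out of your way to get around them" version beside each. The `permit`, `sanitize_sql` and `quote_literal` helpers, the request hash and the login string are all constructed for this example so it runs without Rails or a database.

```ruby
# Added example, not Rails code: plain-Ruby stand-ins for two Rails security
# defaults, shown next to the unsafe pattern each one prevents.

# --- parameter whitelisting (stand-in for params.require(:user).permit(...)) ---
# Keep only allowlisted keys; anything else, such as an attacker-supplied
# `admin` flag, never reaches the model.
def permit(params, *allowed)
  allowed_keys = allowed.map(&:to_s)
  params.each_with_object({}) do |(key, value), out|
    out[key.to_s] = value if allowed_keys.include?(key.to_s)
  end
end

# Constructed request body: `admin` is the mass-assignment attempt.
REQUEST_PARAMS = {
  "name" => "mallory", "email" => "m@example.com", "admin" => "true"
}.freeze

def unsafe_attributes(params)
  params.dup # bypassing the default: every submitted key is assigned
end

def safe_attributes(params)
  permit(params, :name, :email)
end

# --- SQL sanitizing (stand-in for where("login = ?", login)) ---------------
# Quote a value as a SQL string literal, doubling embedded single quotes so the
# value cannot close the literal. (Real adapters quote more than this; see note.)
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Replace each `?` in the template with the quoted value, left to right.
# Splitting on `?` first means a `?` inside a value is never re-substituted.
def sanitize_sql(template, *values)
  parts = template.split("?", -1)
  unless parts.size - 1 == values.size
    raise ArgumentError, "placeholder/value count mismatch"
  end
  parts.zip(values.map { |v| quote_literal(v) } + [""]).flatten.join
end

LOGIN = "admin' OR '1'='1".freeze # constructed injection attempt

def unsafe_query(login)
  "SELECT * FROM users WHERE login = '#{login}'" # string interpolation
end

def safe_query(login)
  sanitize_sql("SELECT * FROM users WHERE login = ?", login)
end

if __FILE__ == $PROGRAM_NAME
  puts unsafe_attributes(REQUEST_PARAMS).inspect
  puts safe_attributes(REQUEST_PARAMS).inspect
  puts unsafe_query(LOGIN)
  puts safe_query(LOGIN)
end
```

The interpolated query comes out as `... WHERE login = 'admin' OR '1'='1'`, which matches every row; the placeholder version keeps the whole string inside one literal. The quoting here only doubles single quotes, which is what a real ActiveRecord adapter does per-database with extra rules (MySQL backslash escapes, for instance), so treat `quote_literal` as the shape of the idea, not a drop-in sanitizer.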



