I am wondering if it would be possible (and safe) to develop online banking or other security-related applications with Ruby on Rails, instead of using J2EE frameworks or .NET? Are there any particular implications needed to write e-banking apps with Rails? Security problems? So... is anyone developing these types of applications with RoR? Any advantage or disadvantage? Personal experiences are welcome! Thanks!
To my personal knowledge no one has done such a thing... yet. There is no specific thing that would keep that from happening and being just as secure as a J2EE application, but it's mostly an age issue. A bank will always choose away from agile programming and towards "stable" and "reliable" (and "slow" and "cumbersome") applications rather than those which are *perceived* to be unstable. I use the word "perceived" because on my working with the guts of Rails and seeing the way it's written, it's my opinion that it's hard to get more secure. It's actually the relative simplicity that adds the security.

A lot of the security in a bank app would come down to the security of the natively written components for handling transactions. That's where the hole might be.

It is just a matter of time though. Especially for a really small bank that can't pay 20MM to develop a J2EE app.

-hampton.
Actually, my bank (well, actually, credit union) uses ASP.Net for their online banking. And through no fault of ASP.Net, it's the most insecure thing ever. As a test late last year, I ran a brute force attack on my own bank account through an HTTP proxy while I was at the library using their free WiFi. I broke into my own bank account in about 45 minutes. I haven't heard anything at all from the bank warning me that there were over 2000 failed password attempts on my account, and the site let me in just fine after incorrectly guessing the password from the same IP address over 2000 times.

Of course, the reason the site is insecure is because the _only_ "security" they have is their SSL certificate. Which they share with like 50 other unrelated credit unions. The password to your online banking account is forced to be a 4-digit numeric PIN, and most people will pick the same one they use at the ATM. That's exactly 10,000 possible combinations, a very tiny number when you can try around one combination a second. And the 5-digit account number can be easily had off any check. I transferred all the money out long before I even decided to do this since I knew that their security sucked -- I forgot my PIN at one point and tried like 10 times before I remembered it.

Moral of the story: No amount of enterpriseyness will undo your sheer stupidity about security.

Second moral of the story: Those Verisign trusted badge thingys don't say anything at all about security. They just tell you that the bank has an SSL certificate.

Cheers, Bob Aman -- AIM: sporkmonger Jabber: sporkmonger@jabber.org
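Read as a threat model, Bob's post comes down to three numbers: a 10,000-value PIN space, roughly one guess per second, and no limit at all on failed guesses per account or per source address. The PIN length is the bank's policy choice; the missing limit is ordinary application logic, and it is the part any framework can implement. The following is an added example written for this page (not code from the thread, from Rails, or from any bank): a small Ruby throttle that counts failures per account and per source IP inside a sliding window, and a simulation of the sequential 0000..9999 walk Bob describes. The account number, PIN, IP addresses and thresholds are invented for the demonstration.

```ruby
# Added example for this thread (not code from the mailing list, from Rails,
# or from any bank). A login throttle with per-account and per-source-IP
# failure counters inside a sliding window, plus a simulation of the
# sequential 0000..9999 PIN guess Bob describes. Account number, PIN, IP
# addresses and thresholds are invented for the demonstration.

class LoginThrottle
  # Hypothetical policy: refuse an account after MAX_ACCOUNT_FAILURES wrong
  # guesses within WINDOW seconds, and refuse a source IP after
  # MAX_IP_FAILURES wrong guesses against *any* accounts in that window.
  # A window (rather than a permanent lock) keeps the lockout from being an
  # easy denial of service against legitimate customers.
  MAX_ACCOUNT_FAILURES = 5
  MAX_IP_FAILURES      = 20
  WINDOW               = 15 * 60 # seconds

  # The clock is injectable so behaviour at the window boundary can be
  # exercised without sleeping; production code would just use Time.now.
  def initialize(clock: -> { Time.now.to_f })
    @clock = clock
    @account_failures = Hash.new { |h, k| h[k] = [] } # account => [unix ts]
    @ip_failures      = Hash.new { |h, k| h[k] = [] } # ip      => [unix ts]
  end

  def locked?(account, ip)
    now = @clock.call
    recent(@account_failures[account], now).size >= MAX_ACCOUNT_FAILURES ||
      recent(@ip_failures[ip], now).size >= MAX_IP_FAILURES
  end

  def record_failure(account, ip)
    now = @clock.call
    @account_failures[account] << now
    @ip_failures[ip] << now
  end

  # A correct login clears the account's counter; the IP counter is kept,
  # since a guesser who finally hits one PIN is still a guesser.
  def record_success(account)
    @account_failures.delete(account)
  end

  private

  # Drops timestamps older than WINDOW in place and returns the survivors.
  def recent(stamps, now)
    stamps.reject! { |t| now - t > WINDOW }
    stamps
  end
end

# Toy credential store: account number => 4-digit PIN, as on the site in the
# post. Values are made up.
class PinBackend
  def initialize(pins)
    @pins = pins
  end

  def valid?(account, pin)
    @pins[account] == pin
  end
end

# Simulates one attacker at one IP walking the whole 10,000-value PIN space
# against one account. Returns [pin_or_nil, guesses_the_backend_evaluated].
# With no throttle the PIN is found; with the throttle the attacker is cut
# off after MAX_ACCOUNT_FAILURES guesses and the right PIN is never checked.
def simulate_bruteforce(backend, account, ip, throttle: nil)
  checked = 0
  (0..9999).each do |n|
    pin = format('%04d', n)
    # Refuse before consulting the credential store at all.
    break if throttle&.locked?(account, ip)
    checked += 1
    if backend.valid?(account, pin)
      throttle&.record_success(account)
      return [pin, checked]
    end
    throttle&.record_failure(account, ip)
  end
  [nil, checked]
end

if __FILE__ == $PROGRAM_NAME
  backend = PinBackend.new('12345' => '7731')
  p simulate_bruteforce(backend, '12345', '10.0.0.9')                              # ["7731", 7732]
  p simulate_bruteforce(backend, '12345', '10.0.0.9', throttle: LoginThrottle.new) # [nil, 5]
end
```

In a real Rails deployment the two counters would live in a shared store (the database or a cache) rather than in one process's memory, the refusal should be the same generic error the user sees for a wrong PIN so that the lockout does not confirm which account numbers exist, and every lockout should be logged and alerted on, which is exactly the notification Bob says never arrived. The per-IP counter matters because an attacker who is locked out of one account after five guesses will otherwise spray four guesses at each of many account numbers lifted from checks.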
Xavier Noria
2006-Apr-24 14:46 UTC
Re: [RAILS] Online banking with Ruby on Rails?
On Apr 24, 2006, at 16:31, Bob Aman wrote:

> Moral of the story: No amount of enterpriseyness will undo your sheer stupidity about security.

Great, thank you for sharing!

> Second moral of the story: Those Verisign trusted badge thingys don't say anything at all about security. They just tell you that the bank has an SSL certificate.

I assume that website had one? Aren't those stamps awarded after some audit of some sort?

-- fxn
It seems to me that you are far more likely to run into security problems because of poor design, or because you don't keep the technologies that you are running on up-to-date (e.g., your Linux or Windows boxen, Apache/IIS/iPlanet/Lighttpd, etc.). Any lack of security in Rails itself would probably be patched within days (if not hours) of the first announcements of the flaw, and if you patch your servers on a regular basis, the odds that you'll be one of the first ones affected are extremely low (since any tools for script-kiddies to exploit those flaws won't have been written yet). This is the same for any platform with an active support base.

I'm sure anyone that has worked for a bank can list out dozens of security concerns with sites they've worked on before running out of paper--security concerns that have nothing to do with the choice of technology and everything to do with design, and above all arbitrary conventions and corporate "security" requirements. If anything, Rails will probably be a bit more secure because it's easier to avoid security holes in 1000 lines of code than it is with 10,000 lines of code. On top of that, Rails currently has a lot of attention and development, so the response time to any valid flaws is bound to be very fast.

That said, I can see why an investor, or non-tech business person might be hesitant to be the first company to put financial information on a Rails app. But I really do think it's more to do with perception than with security.
Bob Aman
2006-Apr-24 15:07 UTC
Re: [RAILS] Online banking with Ruby on Rails?
> I assume that website had one? Aren't those stamps awarded after some audit of some sort?

Yes, the website had one. So if an audit was done, it was a really insanely poor one. I believe Verisign's stamps are not indicative of an audit. Other stamps are.

Cheers, Bob Aman -- AIM: sporkmonger Jabber: sporkmonger@jabber.org
Peter De Berdt
2006-Apr-24 16:03 UTC
Re: [RAILS] Online banking with Ruby on Rails?
On 24 Apr 2006, at 17:07, Bob Aman wrote:

>> I assume that website had one? Aren't those stamps awarded after some audit of some sort?
>
> Yes, the website had one. So if an audit was done, it was a really insanely poor one. I believe Verisign's stamps are not indicative of an audit. Other stamps are.

If I recall right, the only auditing Verisign does is verify that the certificate holder actually exists and is who he/she says he/she is. It doesn't indicate security, it only makes sure you are using a secure connection with an existing and real company.

Best regards

Peter De Berdt
njmacinnes@gmail.com
2006-Apr-24 17:01 UTC
Re: [RAILS] Online banking with Ruby on Rails?
The larger banks have to check *everything* to make sure it's secure, and checking a program in Java can take a year or more. The people who check these things already know J2EE inside out, and know where its strong and weak points are. If they were to check something written in Rails, they wouldn't just check the Ruby source you've written and Application.rb etc., they would have to do loads of tests on Ruby itself, making approval take a very long time. Java itself has already been approved by all the major banks. I would hazard a guess that Ruby hasn't been approved by any of them, and won't be for a long time, if ever.

-Nathan