back to article Flaw-finding Ruby on Rails bot steams past humans

Boffins at MIT have designed a Ruby on Rails interpreter that can find code flaws much faster than fleshy programmers. Dubbed Space, the software has been tested against 50 popular web applications written in Rails, and found 23 previously undiagnosed security flaws. None of the programs required more than 64 seconds for a …

  1. Crazy Operations Guy

    People still use Ruby On Rails?

    I hear a lot about it a few years ago, then nothing, so I'd assumed that it was another of those passing fads that was eventually dethroned by the likes of node.js, just as Ruby replaced PHP and ASP, whihc they themselves replaced other languages, and so on until the birth of the internet.

    1. a_yank_lurker

      Re: People still use Ruby On Rails?

      About 6 months ago I heard from a very reliable source that Ruby on Rails jobs in metro Atlanta were going unfilled because there weren't enough devs to fill them.

      1. gnufrontier

        Re: People still use Ruby On Rails?

        There are probably mainframe COBOL jobs going unfulfilled too.

    2. gnufrontier

      Re: People still use Ruby On Rails?

      We all know there were no computer languages before the "birth of the Internet".

    3. mrtom84

      Re: People still use Ruby On Rails?

      I believe a lot of them returned to PHP since it is having somewhat of a renaissance at the moment.

    4. Anonymous Coward
      Anonymous Coward

      Re: People still use Ruby On Rails?

      Well I still use it quite a lot and I was quite an early adopter. Obviously I need to maintain the projects I already have. I'd like to think I haven't closed my eyes to alternatives but nothing has caught my attention yet. You can keep all that Node.js bollocks, thanks.

  2. Anonymous Coward
    Anonymous Coward

    Securing Ruby

    I don't get why they're doing this with Ruby. You can do static analysis on some of it but it's fundamentally a dynamic language with context dependence and 'magic' everywhere. You can't predict what a piece of Ruby code will do. It's neat, it's fun, but it's no more conducive to security than PHP.

    1. a_yank_lurker

      Re: Securing Ruby

      Ruby and Python are designed to be general purpose programming languages. Both have features that allow the resulting code to be reasonably robust. PHP and JavaScript suffer from many flaws stemming from their original designs that work against robustness.

      1. Anonymous Coward
        Anonymous Coward

        Re: Securing Ruby

        No they were *intended* to be general purpose scripting languages, but that was beyond the abilities designer of Ruby.

  3. irwincur

    There is something oddly interesting about people working so hard to put themselves and everyone else out of work. Coders are easily the most short sighted collective group out there.

    1. JLV
      Happy

      ???

      Unless you specifically work in security, security on websites is a very necessary evil. It gets in the way of writing what you need as fast as you can. If thinking about about could be magically shunted off to a foolproof analyzer, which I doubt, many of us outside of the security testing field would be quite happy.

      I do care about security but I'd rather not have to.

    2. Anonymous Coward
      Anonymous Coward

      "There is something oddly interesting about people working so hard to put themselves and everyone else out of work."

      This is what engineers do. The result is new opportunities. Reliability engineering and DFM put a lot of car mechanics out of work but made cars sufficiently reliable and automated that a whole new lot of systems and services are being built on them, creating new jobs.

      Automate security testing, increase capacity to design new web services that don't suck.

  4. allthecoolshortnamesweretaken

    Can the program debug itself as well? (Bugs in Space - great title for a B movie.)

    And what about false positives and how to avoid them?

  5. allthecoolshortnamesweretaken

    As the first example is about Ruby on Rails:

    Classic programmer paintings

  6. JLV

    LOL

    J2EE programmers eating their own dog food:

    https://en.m.wikipedia.org/wiki/The_Potato_Eaters

  7. Infernoz Bronze badge
    WTF?

    This is one of several reasons why major systems moved to Java.

    So some people are /still/ using Ruby for software systems especially the security bug feast called Ruby on Rails, WTF!

    Dynamic typed languages like Ruby and Python are fine for limited scripting, but not smart for larger programs, especially when they can become write-only code due to unknown interface typing and meta-programming confusion!

    Any kind of duck typing is liable to type ambiguity/abuse and any lack of strong typing of declared function/method parameters can easily become a quite stupid ticking bug-bomb, because it can make automated/manual analysis/re-factoring/testing/runtime-optimisation much harder and/or much less reliable!

    A lot of these kinds of vulnerabilities can be detected in Java by IDE source editors and existing compilers, and most of the rest get detected by the mature static analysis tools Java has had for several years now, including FindBugs and PMD.

    1. Brewster's Angle Grinder Silver badge
      Devil

      Everybody in

      I can't speak for python programmers, but Rails coders hate PHP coders and they also hate node coders. And PHP coders hate node and Rails coders. And node programmers hate PHP and Rails programmers. But there's one thing guaranteed to make us put aside our differences and unite in a common cause: and that's a smug Java programmer proclaiming the superiority of their language.

      I'd include perl programmers in the anti-Java coalition. But they have been extinct for the last 300 trillion milliseconds.

  8. JLV
    Trollface

    Must be why Java is a byword for security, right? And why it's so easy for your apps to just run on the latest and greatest patched version of Java.

    Oh, wait, what's that big fail for the hospital industry right now, that's resulting in a lot of cryptoware? Ruby-based? Python-based? What's JBoss written in again? JS?

    True to type Java afficionado. If it ain't Java, it's just not good, right?

    1. SecretSonOfHG

      "Must be why Java is a byword for security, right? And why it's so easy for your apps to just run on the latest and greatest patched version of Java."

      This comment shines your ignorance of the nature of the Java security issues: they are on the end user Java applet side, not on the server side. As for the version requirements, let me tell you a little secret: most parts of commercial apps run fine on the latest JVM version, and those that don't usually require minimal changes. However support agreements require you to run version X.Y.Z, otherwise you won't get any version support at all and it is easier for both the vendor and customer to keep using an obsolete version.

  9. Joe Cooper

    Static analysis has been a thing for decades.

    Everyone here should know that.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon