Ridden Out of Town on a Rail…

Looks like yesterday’s emergency Ruby on Rails 1.1.5 release didn’t quite fix the problem, because now they’ve released version 1.1.6.

Telling administrators “you must update this immediately” once is bad enough. But doing it twice in one day is bound to sour some folks on Rails as an enterprise development platform. At least they’ve finally opened up about the nature of the vulnerability, but their failure to do that from the outset certainly lost them a lot of points with folks in the security community.

In all, this whole “crisis” has been handled about as wrong as possible, but hopefully the Rails development folks will learn some lessons. Rails is still new enough that the team ought to be able to ride this out, and hopefully they will be stronger and smarter because of it.

–Dan
dan _at_ denimgroup.com

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.
