Your expert views on Rails code security needed!

Hello All,

I wanted to know your views on how Rails application code can be secured during deployment.
I know there are some commercial encryption tools which can do it for you.

Anyone have any idea on this??

Thanks,
Sandip R~

Sandip Ransing wrote:

> Hello All,
>
> I wanted to know your views on how Rails application code can be secured
> during deployment.

Just make sure no one can gain unauthorized access to the server. (That
includes setting things up with proper permissions, decent
passwords...you get the idea.)

> I know there are some commercial encryption tools which can do it for
> you.

There's no need. This is not client-side code. Your Rails application
lives on the server, so no end-user will ever see the source code.

> Anyone have any idea on this??

Yes: understand a little better how things work and what lives where.
Then it will be easier to create an appropriate security model.

> Thanks,
> Sandip R~
> --
> Ruby on Rails Developer
> http://sandip.sosblog.com
> http://funonrails.wordpress.com
> www.joshsoftware.com

Best,

Marven, thanks for your reply!

I think you misunderstood what I am saying.

Let me explain a little deeper.

Suppose I have a Rails application as a product,

I wanted to deploy it for many clients.

They have their own servers.

What makes me sure that the code is not exposed?

What are your views???

Thanks,

Sandip R~

Sandip Ransing wrote:

> Marven,

If you're going to use my name, please spel it correctly. :)

> Thanks for your reply!
>
> I think you misunderstood what I am saying.
>
> Let me explain a little deeper.
> Suppose I have a Rails application as a product,
> I wanted to deploy it for many clients.
> They have their own servers.
>
> What makes me sure that the code is not exposed?

You mean you want to hide the code from your clients? Do you really
think they're going to be able to do anything with it anyway? This
seems slightly pointless to me.

However, if you really need to, probably the best way would be to use
JRuby and compile the whole thing as a Java application.

But as I said, I'd advise you to drop the whole idea of hiding the code.

> What are your views???
>
> Thanks,
>
> Sandip R~

Best,

What you're attempting here is equivalent to a DRM system; or in
simpler terms, giving someone a lock and the key and expecting that
the lock will provide protection.

The code's got to be run somehow, and if the clients control the
server, they can get at it. Encrypted source files can be captured
from memory, Java bytecodes can be decompiled, etc.

You don't need a technical solution, you need a good contract lawyer.

--Matt Jones

This question comes up regularly. Like once a month. Seriously,
check the list archives.

People have gone to great lengths to protect their Ruby code only to
have someone figure out how to break the encryption/obfuscation with
about 3 lines of code. I'm not kidding:

http://seanmountcastle.com/2007/12/15/protecting-your-ruby-source-code-for-end-user-applications/

Read the post and his rather cool trick and then how someone "broke"
the encryption in about 3 lines of Ruby.

Point is, you can keep the honest people honest (at which point, why
bother?), but the dishonest are going to get your code if you use an
interpreted language like Ruby. If you want to make it hard, use C++.