Your expert views on Rails code security needed!

Hello All,

I wanted to know your views on how Rails application code can be secured during deployment. I know there are some commercial encryption tools which can do it for you.

Anyone have any idea on this?

Thanks, Sandip R~

Sandip Ransing wrote:

Hello All,

I wanted to know your views on how Rails application code can be secured during deployment.

Just make sure no one can gain unauthorized access to the server. (That includes setting things up with proper permissions, decent passwords...you get the idea.)

I know there are some commercial encryption tools which can do it for you.

There's no need. This is not client-side code. Your Rails application lives on the server, so no end-user will ever see the source code.

Anyone have any idea on this?

Yes: understand a little better how things work and what lives where. Then it will be easier to create an appropriate security model.

Thanks, Sandip R~ -- Ruby on Rails Developer http://sandip.sosblog.com http://funonrails.wordpress.com www.joshsoftware.com

Best,

Marven, thanks for your reply!

I think you misunderstood what I am saying.

Let me explain in a little more depth.

Suppose I have a Rails application as a product.

I wanted to deploy it for many clients.

They have their own servers.

What makes me sure that the code is not exposed?

What are your views?

Thanks,

Sandip R~

Sandip Ransing wrote:

Marven,

If you're going to use my name, please spel it correctly. :)

Thanks for your reply!

I think you misunderstood what I am saying.

Let me explain in a little more depth. Suppose I have a Rails application as a product. I wanted to deploy it for many clients. They have their own servers.

What makes me sure that the code is not exposed?

You mean you want to hide the code from your clients? Do you really think they're going to be able to do anything with it anyway? This seems slightly pointless to me.

However, if you really need to, probably the best way would be to use JRuby and compile the whole thing as a Java application.

But as I said, I'd advise you to drop the whole idea of hiding the code.

What are your views?

Thanks,

Sandip R~

Best,

What you're attempting here is equivalent to a DRM system; or in simpler terms, giving someone a lock and the key and expecting that the lock will provide protection.

The code's got to be run somehow, and if the clients control the server, they can get at it. Encrypted source files can be captured from memory, Java bytecodes can be decompiled, etc.

You don't need a technical solution, you need a good contract lawyer.

--Matt Jones

This question comes up regularly. Like once a month. Seriously, check the list archives.

People have gone to great lengths to protect their Ruby code only to have someone figure out how to break the encryption/obfuscation with about 3 lines of code. I'm not kidding:

http://seanmountcastle.com/2007/12/15/protecting-your-ruby-source-code-for-end-user-applications/

Read the post and his rather cool trick and then how someone "broke" the encryption in about 3 lines of Ruby.

Point is, you can keep the honest people honest (at which point, why bother?), but the dishonest are going to get your code if you use an interpreted language like Ruby. If you want to make it hard, use C++.