
August 11, 2006

Ridden Out of Town on a Rail...

By Dan Cornell

Looks like yesterday's emergency Ruby on Rails 1.1.5 release didn't quite fix the problem, because now they've released version 1.1.6.

Telling administrators "you must update this immediately" once is bad enough. But doing it twice in one day is bound to sour some folks on Rails as an enterprise development platform. At least they've finally opened up about the nature of the vulnerability, but their failure to do that from the outset certainly lost them a lot of points with folks in the security community.

In all, this whole "crisis" has been handled about as wrong as possible, but hopefully the Rails development folks will learn some lessons. Rails is still new enough that the team ought to be able to ride this out, and hopefully they will be stronger and smarter because of it.

--Dan
dan _at_ denimgroup.com
