[peteforde]

I figure, if you want to attack literally any app, go through the CVE and try every vulnerability.

I don't think it's defensible to claim that Rails itself is inherently more vulnerable than other similar systems. If you disagree, feel free to cite references.

[gargarplex]

I never claimed whatsoever that Rails itself is inherently more vulnerable. I made my comment with having maintained Rails apps for many years and watching the CVE list.

[1propionyl]

The question isn't whether a framework is or is not more vulnerable than other similar systems.

It is whether using that framework <dis/en>courages developer behavior that produces more or less vulnerabilities.

Ruby in general almost certainly does encourage dangerous developer patterns, however I doubt that's the case for Rails in particular as it has largely been practically a DSL for nearly a decade.

As a corollary of "convention over configuration" and dominant patterns in popular accessory frameworks however, this only applies so long as you don't try to be too clever.

[peteforde]

I would genuinely appreciate cited references to back up your assertion that Rails almost certainly does encourage dangerous developer patterns.

I'm not trying to be pedantic; I do hear this sort of claim a lot but when pressed people rarely have anything more than pearl clutching about various metaprogramming capabilities that rarely get used outside of blog posts.

In other words, just because you can redefine + doesn't mean everyone is doing that in production code. :)