by tyre 531 days ago
Rails has excellent defaults out of the box for security. You have to go out of your way to explicitly get around them, like with parameter whitelisting and SQL sanitizing.

I don’t see as many CVEs, at least to my knowledge, with GitHub or Shopify. Not that they haven’t happened, but they seem to happen _much_ less. Stripe is mostly Ruby, though not Rails, and has done well with security.

My suspicion from outside of Gitlab is that it’s a quality and prioritization problem. Security is hard. It requires very deliberate decision-making and investment. Ruby and Rails are generally very stable, but you can use them to crazy ends if you allow yourself to.