by veloper 4895 days ago
If everyone is really going to take the route of "My X framework is fine because nothing's been reported", then I'd like to contribute these links showing vulnerability breakdowns...

* Rails: http://www.cvedetails.com/product/22568/Rubyonrails-Ruby-On-...

* Django: http://www.cvedetails.com/product/18211/Djangoproject-Django...

* CodeIgniter: http://www.cvedetails.com/product/11625/Codeigniter-Codeigni...

* Top 50 Products (Better stop using these too! /s): http://www.cvedetails.com/top-50-products.php

7 comments

You are shooting yourself in the foot with these links, you know. According to your data, Django had -ZERO- SQL injection and code execution reports; now compare that to RoR, which has had 6 SQL injection and 3 code execution reports since 2009. Even if you went by just the numbers, RoR had way more vulnerabilities, and if you also take into consideration the kind of vulnerabilities, I can tell you I feel way safer on Django than on RoR.

How many times did you have to stay up late at night to patch your framework?

Interesting.

Rails: numerous code execution and SQL injection vulnerabilities reported over the years.

Django: no code execution or SQL injection vulnerabilities reported.

(yet).
To be honest, Rails does seem to be going out of its way to increase its attack surface.
That seems a little unfair on PHP if taken at face value. I don't know PHP, but doesn't it come with things like database client libraries and templating? That's not really comparable with the core Python distribution.

Presumably a fairer comparison would compare (Python + Django) with (Ruby + RoR) with PHP?

Lulz :) I mean Ruby nailed it, right?
Vulnerability counts are a misleading metric for security. They do not include the vulnerabilities which have not yet been discovered or created.
And you're proposing to get a less misleading metric for undiscovered or uncreated (!?) vulnerabilities how, exactly?
Maybe graph the rate of vulnerabilities discovered vs. LoC/files added?

It's safer to only use vulnerability counts as a metric for how interesting software is to security researchers.

Wow, good for CodeIgniter.
Thank you.