[vezzy-fnord]

As briefly as possible? Infosec is hard. Most companies have virtually no security policies. Nobody listens. Black hats are ahead in the arms race and anyone who has decent knowledge (doesn't even have to be anywhere near on a level like Homakov or Zalewski) can pull off all sorts of exploits. Even if they don't strike the application itself, they'll get you through infrastructure that your application relies on. Look at how script kiddies like the SEA can pull off high-profile hacks through social engineering, domain and DNS hijacking.

It's assured that a ton of Rails apps are vulnerable, it's just that no one has found them, or more likely, is not publicly releasing or actively exploiting them.

Also, Rails doesn't address for all security pitfalls. Some of its mechanisms are actually underdeveloped and require rolling lots of checks by yourself, such as for proper session termination, IIRC.

[jbinto]

> Infosec is hard.

In computer security, you have to get it right every single time. The bad guys only need to get it right once.

[Pxtl]

This highlights to me that our infrastructure is horrendously overcomplicated. We have all these great abstractions, but you have to worry about bugs and exploits in every possible layer of every system. Even the simplest modern web-application has an enormous surface-area to secure, and that makes getting it "right every single time" damned near impossible.

[dfc]

This is a little myopic but understandable in the context of a discussion on HN. Infosec is hard, but it is just one example of a bigger truth:

Defense is hard.

This comes up time and time again in any defensive discipline:

  Over two decades the  CIA had learned again and again that it  could not hope to
  defend against  terrorists by relying solely  on its ability to  detect specific
  attacks in  advance. No matter how many  warnings they picked up,  no matter how
  many  terrorist cells  they disrupted,  at least  some attackers  were going  to
  get  through. Officers  in  the  CTC privately  compared  themselves  to  soccer
  goalies: They wanted to  be the best in  their league, they wanted  to record as
  many shutouts as  possible, but they knew  they were going to give  up scores to
  their  opponents. Ultimately, many  of them  believed,  the only  way to  defeat
  terrorists was to get out of the net and try to take the enemy off the field.[1]

The final sentence above highlights the one pecularity of InfoSec; you do not have any offensive capabilities.

[1]: "Ghost Wars" (Steve Coll) pg 505

[Intermernet]

This is why I think some more work into client (or active) honeypots may be beneficial. If we can get an easy to install, auto updating honeypot that fights back, we may have a better offensive capability.

This may just end, like nuclear warfare, in MAD... But it would be great fun to watch!

http://en.wikipedia.org/wiki/Client_honeypot

http://books.google.com.au/books?id=YQmWtsqlvfMC&dq=active+h...

http://en.wikipedia.org/wiki/Mutual_assured_destruction

[bradleyland]

No one gets it right every single time. No one. That's a completely unrealistic expectation. What you do is establish a bar, which you share with everyone who will use your software. Then you evaluate your efforts against that bar.

One of the keys to developing good software is hiring third-parties to conduct audits. A bug bounty program is one way to incentivize people who are already probing your software to take the next step and tell you about the bugs they find.

[codygman]

What opinions does infosec in general have of correctness? What about languages like Haskell which focus on separating IO and pure functions?

[tripzilch]

well it gives the advantage that (used to?) keep desktop-Linux clear of most viruses: it's too little a fish for blackhats to go after.

until that's different it's harder to answer your actual question. my guess, it'll be better but inevitably still have some holes.

[codygman]

I specifically what infosec (or anyone involved in the industry) thought of separating pure and impure functions which affect the outside world.

It seems to me that it would drastically reduce the surface areas of attack.

[enscr]

Good to know, thanks. Any recommendation for a good read on security best practices for a python/django app?

[betenoire]

If you aren't yet familiar with OWASP, start there. https://www.owasp.org/index.php/Main_Page

Here is some OWASP material specific to Django.

If you like reading http://blog.mikeleone.com/2011/10/security-django-and-owasp-...

If you like watching http://www.youtube.com/watch?feature=player_embedded&v=sra9x...