views:

158

answers:

6

I'm just getting started with Ruby on Rails development and I have a question concerning source code "privacy".

From what I know so far (I have not done a deployment yet, only used RoR in a local development environment), when a RoR application is deployed, all the source code is "visible" on the server?

How can I protect my code, so to speak? By protection I mean, the main purpose being that someone (such as a server administrator at a RoR provider) is not able to "sabotage" the code by easily figuring out what place in the code to "fiddle with".

How do sites like Shopify, Yellowpages etc. that use RoR, ensure that their code isn't "sabotaged"?

UPDATE: What I'm really looking for is, suppose I have some code that's doing credit card transactions; I don't want some rogue employee reading "plain text source code" and sabotaging my website, say by reading my source code and then charging every one of the signed-up users $10 as a gag. How do I prevent that sort of thing?

+7  A: 

At the end of the day, there is trust involved. If your admin wants to screw you, he will, and obfuscation won't do much to stop him.

Matt Briggs
If an app was in x86 assembler, that would make it less susceptible, right?
Zabba
Probably, but the guy controls the server. If he wants, he could fake the styling of your app, put his own somewhere else, and redirect folks over there. Or he could just look in your database; usually that contains more valuable and sensitive things than your app code anyway.
Matt Briggs
@Zabba Only if the admin doesn't know assembly.
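The point Matt Briggs makes above (whoever controls the server controls the code, so hiding the source text does not help) can be shown directly in Ruby. The following is an added example, not code from the thread or from any of its posters. `Billing` is a constructed stand-in for an application's billing class; imagine it shipped encoded so nobody can read its source file. `RogueHook`, `install_rogue_hook` and `tampered?` are hypothetical names chosen for the example.

```ruby
# Added example (not from the thread). A stand-in for an app's billing code;
# imagine it shipped encoded, so its source text is unreadable. Nothing below
# ever edits this class's file.
class Billing
  def charge(customer, cents)
    # Constructed stand-in for a gateway call: returns what would be sent.
    { customer: customer, cents: cents }
  end
end

# What a loader or encoder cannot hide: the running object model. Anyone with
# code in the process can list the method names of any class.
def exposed_methods(klass)
  klass.instance_methods(false).sort
end

# The rogue-admin move from the question: wrap `charge` with a module that is
# prepended at boot (for instance from a file pulled in via RUBYOPT=-r or an
# initializer the admin drops in). The application's own files stay untouched.
module RogueHook
  def charge(customer, cents)
    super(customer, cents + 1_000)  # $10 added to every charge, silently
  end
end

def install_rogue_hook(klass)
  klass.prepend(RogueHook)
  klass
end

# A check the app could run: does `meth` still resolve to the class we expect,
# or has something been prepended in front of it?
def tampered?(klass, meth, expected_owner)
  klass.instance_method(meth).owner != expected_owner
end

if $PROGRAM_NAME == __FILE__
  victim = Class.new(Billing)   # hook a throwaway subclass, leave Billing alone
  puts "visible methods: #{exposed_methods(Billing).inspect}"
  puts "before: #{victim.new.charge('alice', 500).inspect}"
  install_rogue_hook(victim)
  puts "after:  #{victim.new.charge('alice', 500).inspect}"
  puts "tampered? #{tampered?(victim, :charge, Billing)}"
end
```

The `tampered?` check only helps against a careless tamperer: someone who controls the Ruby process can patch the check just as easily as the method it guards, which is exactly why the answers above say the real control is trust, contracts and a host you have reason to believe in, not obfuscation.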
+2  A: 

I highly doubt a reputable hosting service will fiddle with your code. They are busy enough running their servers. And if they wanted to, there's not much you can do to stop them. Code obfuscation (in any language) is a silly thing to do.

Regarding your security concerns, I just hope you are not going to be storing any credit card information on your website. You must comply with PCI standards in order to do that, and that's not an easy thing to accomplish. Storing CC info without being PCI compliant is illegal.

So you will have to use a payment gateway (like PayPal or Authorize.net) for your payments, and I believe the user will be able to see what they are being charged.

NullUserException
+6  A: 

Similar to Matt Briggs's point is that if you don't trust your web host, you're addressing the wrong problem. If your web host wants to steal your data, cripple your website, redirect your users, etc., nothing can stop them. Even if the code is fully compiled binary code written in assembler, your admin could still find a hack, replace resources, or replace your code altogether. Moral of the story: find a web host you trust, and don't bother obfuscating your code.

userx
Well, how can one trust any 3rd party anyway? When I have some "X" purpose in mind, and I have to depend on a webhost I have no control over, how can I "trust" them anyway? That's the whole question burning in my mind.
Zabba
@Zabba You are being quite a bit paranoid here. In a sue-happy country like ours, doing anything like that would be extremely stupid on their part.
NullUserException
The more legitimate concern is probably being on a shared server that is not properly configured, allowing your data / code to be compromised. The way more companies get around this is by buying and securing their own servers. Even with that, few actually host their servers in house. Server hosts are motivated NOT to steal from you because (a) it is illegal and they don't want to get sued and (b) if they did steal your code, no one would use their services. No offense, but your code is not likely worth more than the sum of income from all their customers for even one month.
userx
I work at a place that hosts a lot of sites. I seriously doubt most people in a similar position have any interest in what is on the sites, nor do they have time to screw around with them. It's really not that interesting to us.
Greg
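The shared-server misconfiguration userx mentions in the comments above is usually mundane: a secrets file left readable by every account on the box. The following is an added example, not code from the thread or from any poster. It checks the files a Rails app of that era typically keeps credentials in and reports any that are world-readable; the `SECRET_FILES` list is an assumption about a typical layout, not a complete inventory, and `exposed_secret_files` and `lock_down_secrets!` are hypothetical names chosen for the example.

```ruby
# Added example (not from the thread). Finds the files a Rails app keeps
# secrets in and reports any that are readable by every account on a shared
# host. The path list is an assumption about a typical app layout.
require "fileutils"
require "tmpdir"

SECRET_FILES = %w[
  config/database.yml
  config/secrets.yml
  config/initializers/secret_token.rb
  .env
].freeze

# True when the "other" read bit is set, i.e. any local user can read the file.
def world_readable?(path)
  (File.stat(path).mode & 0o004) != 0
end

# Relative paths of secret files that exist under app_root and are world-readable.
def exposed_secret_files(app_root)
  SECRET_FILES.select do |rel|
    path = File.join(app_root, rel)
    File.file?(path) && world_readable?(path)
  end
end

# Restrict every exposed secret file to owner read/write (0600).
# Returns the relative paths that were changed.
def lock_down_secrets!(app_root)
  exposed_secret_files(app_root).each do |rel|
    File.chmod(0o600, File.join(app_root, rel))
  end
end

if $PROGRAM_NAME == __FILE__
  root = ARGV.fetch(0, Dir.pwd)
  exposed = exposed_secret_files(root)
  if exposed.empty?
    puts "no world-readable secret files under #{root}"
  else
    puts "world-readable: #{exposed.join(', ')}"
  end
end
```

Run it against the deployed app root (`ruby check_secrets.rb /var/www/myapp`, with whatever file name you save it under). A 0600 mode only protects against other unprivileged tenants; it does nothing against the host's root account, which is the trust question the answers above are really about.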
+1  A: 

From my experience, when you sell a product that deploys to a customer's server, I use

http://rubyencoder.com/

It works on many platforms via its loader. But like others said, Rails should be open.

Jirapong
+1  A: 

A hosting company will never ever touch or investigate your code, unless you are doing things that hurt their servers (like infinite loops, eating away all the CPU), and even in that case they will just block that page or URL.

I can imagine that if you deploy your application to a company's intranet, and they also have their own developers, one might be afraid of losing out on maintenance and support fees because they would take over themselves. But those things you cover with contracts.

The people having direct access to your Ruby source code are supposed to be co-workers or partners, where there is a clear business relationship, and normally this business relationship is worth more. If you do not trust your co-workers or the people you work with or for, then I think you should reconsider your position.

I even believe that being as loose as possible with clients (here is the source, you can edit it if you want), generally makes them trust you even more and make them more likely to call you back.

nathanvda
A: 

I think that this is what you are looking for

http://rubyencoder.com/overview.html

Nich