Securing ruby code

Balaji Loganathan
author and deputy
Bartender

Joined: Jul 13, 2001
Posts: 3150
Hi Gregory,
We have been developing Ruby on Rails projects for quite a while and one thing that kind of scares us is "source code exposure". Coming from a J2EE background I wasn't much worried about "source code exposure" as Java files were compiled to .classes (and we can further even obfuscate as well).
Could you please suggest what could be the best approach to protect the Ruby/Rails source code? Should we protect it or not, and so on?
Thank you.
Regards
Balaji D Loganathan


Spritle Software Blogs
Lasse Koskela
author
Sheriff

Joined: Jan 23, 2002
Posts: 11962
What kind of systems are you working on? If they're web applications you're not exposing any more of your source code than you were exposing with the Java platform.


Author of Test Driven (2007) and Effective Unit Testing (2013) [Blog] [HowToAskQuestionsOnJavaRanch]
Balaji Loganathan
author and deputy
Bartender

Joined: Jul 13, 2001
Posts: 3150
Thanks Lasse.
They are all ROR web applications. What I am feeling insecure about is the ability to see the actual source code by anyone who got access to the server box.
Right now I protect the webapp folder access using Linux user group options.
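
The group-based folder protection mentioned in the post above can be checked mechanically. The following is an added example, not part of the original thread: a Ruby audit that walks an application tree and reports entries that accounts outside the owner and group can reach. The function names and the sample tree are constructed for illustration.

```ruby
require "find"
require "tmpdir"
require "fileutils"

# Permission bits granted to "other" (accounts that are neither owner nor in the group).
OTHER_BITS = { 0o004 => "read", 0o002 => "write", 0o001 => "execute/traverse" }.freeze

# Return [path, octal mode, [problems]] for every entry under root that is
# reachable by "other", is a setuid/setgid file, or has an unexpected group.
# Symlinks are inspected with lstat and skipped, never followed.
def audit_tree(root, expected_gid: nil)
  findings = []
  Find.find(root) do |path|
    st = File.lstat(path)
    next if st.symlink?
    mode = st.mode & 0o7777
    problems = OTHER_BITS.select { |bit, _| (mode & bit) != 0 }.values.map { |p| "other #{p}" }
    problems << "setuid/setgid file" if st.file? && (mode & 0o6000) != 0
    problems << "gid #{st.gid} != #{expected_gid}" if expected_gid && st.gid != expected_gid
    findings << [path, format("%04o", mode), problems] unless problems.empty?
  end
  findings
end

# Constructed sample: a tiny Rails-like tree with one file left world-readable.
def build_sample_tree(root)
  models = File.join(root, "app", "models")
  FileUtils.mkdir_p(models)
  File.chmod(0o750, File.join(root, "app"), models)
  loose = File.join(models, "order.rb")
  tight = File.join(models, "cart.rb")
  File.write(loose, "# constructed sample\n")
  File.write(tight, "# constructed sample\n")
  File.chmod(0o644, loose)   # readable by every local account
  File.chmod(0o640, tight)   # owner and group only
  loose
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    build_sample_tree(dir)
    audit_tree(dir).each { |path, mode, problems| puts "#{mode} #{path}: #{problems.join(', ')}" }
  end
end
```

Passing `expected_gid:` (for example the numeric group of the deployment account) also flags files that ended up in a different group after a deploy.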

Gregory Brown
author
Greenhorn

Joined: Jul 18, 2009
Posts: 14
Balaji Loganathan wrote: Thanks Lasse.
They are all ROR web applications. What I am feeling insecure about is the ability to see the actual source code by anyone who got access to the server box.
Right now I protect the webapp folder access using Linux user group options.


If someone gets access to your server, you have more than just your Ruby source code to be concerned about, for sure.

Gregory Brown
author
Greenhorn

Joined: Jul 18, 2009
Posts: 14
Balaji Loganathan wrote: Hi Gregory,
We have been developing Ruby on Rails projects for quite a while and one thing that kind of scares us is "source code exposure". Coming from a J2EE background I wasn't much worried about "source code exposure" as Java files were compiled to .classes (and we can further even obfuscate as well).
Could you please suggest what could be the best approach to protect the Ruby/Rails source code? Should we protect it or not, and so on?
Thank you.
Regards
Balaji D Loganathan


One thing to keep in mind is that unless you try pretty hard to intentionally harden things, almost any Java class can trivially be decompiled and investigated. Obfuscation techniques may make that process annoying, but the real bad guys would cut through it anyway.

This question does come up from time to time in the Ruby community, but the general consensus is that it doesn't matter that much in most cases. If you're running a web application, your source isn't distributed so it is essentially a non-issue. Sure, if someone roots your box they'll get at your source, but in that case, you'll likely have bigger problems to worry about anyway.

This all having been said, if you really feel the need to protect your source, I think you might be able to work out something with JRuby that gives you essentially the same protection Java would. Or, you can shell out some money and try ZenObfuscate, though I'm not sure if that's actively maintained anymore.

At the end of the day, I think that what you need is some decent terms of service to keep your customers honest, a good security policy at your web host, and basic common sense practices as to where and how you store your source. Obfuscating or protecting it is probably more trouble than it's worth, and you might end up spending a lot of time fighting demons that don't really exist.

Anyway, I hope this answer was helpful, even if it may not have been what you were hoping for.

-greg
Balaji Loganathan
author and deputy
Bartender

Joined: Jul 13, 2001
Posts: 3150
Gregory Brown wrote:
Balaji Loganathan wrote:
At the end of the day, I think that what you need is some decent terms of service to keep your customers honest, a good security policy at your web host, and basic common sense practices as to where and how you store your source. Obfuscating or protecting it is probably more trouble than it's worth, and you might end up spending a lot of time fighting demons that don't really exist.
Anyway, I hope this answer was helpful, even if it may not have been what you were hoping for.
-greg

Thanks Greg. I agree with you that it's better to come up with decent terms of service.
It is just my feeling that if I am making an instance of an enterprise application at a customer's place (say, my own implementation of a shopping cart checkout like SpreeCommerce), then it won't take days for someone at the customer's place to replicate my product by just looking at the core Ruby code.
Java provides at least some level of startup trouble while stealing someone else's core code.
Rusty Shackleford
Ranch Hand

Joined: Jan 03, 2006
Posts: 490
I think it is a non-issue.

It is not that difficult to replicate the contract of any method. Your code is copyrighted, so that will stop most people from copying and pasting your code. The bad guys are almost always terrific programmers so can easily reverse engineer your code no matter what you do or just figure out what a method is doing and just write their own version.

How many millions of dollars does a company like Microsoft spend to try and stop this? Their code is always cracked and broken in short order. All without source code.


"Computer science is no more about computers than astronomy is about telescopes" - Edsger Dijkstra
Gregory Brown
author
Greenhorn

Joined: Jul 18, 2009
Posts: 14
Rusty Shackleford wrote: I think it is a non-issue.

It is not that difficult to replicate the contract of any method. Your code is copyrighted, so that will stop most people from copying and pasting your code. The bad guys are almost always terrific programmers so can easily reverse engineer your code no matter what you do or just figure out what a method is doing and just write their own version.

How many millions of dollars does a company like Microsoft spend to try and stop this? Their code is always cracked and broken in short order. All without source code.


I agree completely with everything but your last statement. While it's true that code with reg/activation keys is broken very quickly without source code, that's actually a different problem. The problem with Ruby code is that with the source code, you can pretty easily get a sense of how *everything* works and potentially reuse the code for your own needs (or sell it to customers). Reverse engineering large bits of functionality is a good deal more complicated than breaking an activation scheme.

But even then, terms and copyright will keep most people honest, and the bad guys will always get what they want if it's that valuable. A more important thing to remember is that most of us are not Google, Apple, or Microsoft. For the most part, no one is going to bother trying to break into our systems to steal code. It's 1000 times more likely that if someone roots your box, it's to support some spam operation.

-greg