Hope you're not using the default model binder, because M$ still allows you to hang yourself with mass assignment attacks. Something they have yet to learn. Hope you're not running MVC 1 or MVC 2; you're still open to redirection attacks.
Really that's the point I'm trying to make. The default path in MVC isn't exactly secure. There is work to be done. I'd consider this particular rails update in line with a patch Tuesday update. Though I will say, I wish they had a better way of communicating when updates were available.
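To make the mass-assignment point above concrete, here is an added illustration (not code from anyone in this thread) of how the default ASP.NET MVC model binder over-posts into a domain entity, next to two allow-list fixes. `User`, `EditProfileViewModel` and `IUserRepository` are hypothetical names chosen for the example.

```csharp
using System.Web.Mvc;

// Domain entity: IsAdmin is persisted but must never be settable by the client.
public class User
{
    public int Id { get; set; }
    public string Name { get; set; }
    public string Email { get; set; }
    public bool IsAdmin { get; set; }
}

// Hypothetical view model exposing only the fields a user is allowed to edit.
public class EditProfileViewModel
{
    public string Name { get; set; }
    public string Email { get; set; }
}

// Hypothetical persistence abstraction, just enough for the example to compile.
public interface IUserRepository { User Find(int id); void Save(User user); }

public class AccountController : Controller
{
    private readonly IUserRepository _users;
    public AccountController(IUserRepository users) { _users = users; }

    // VULNERABLE: the default binder populates every public settable property it
    // can match to a request field, so a form that also carries IsAdmin=true
    // silently promotes the caller. Nothing in the framework stops this by default.
    [HttpPost]
    public ActionResult EditUnsafe(User user)
    {
        _users.Save(user);
        return RedirectToAction("Index");
    }

    // HARDENED (a): allow-list the bindable properties on the parameter.
    // Prefer Include over Exclude; a deny-list breaks the next time a sensitive
    // property is added to the entity.
    [HttpPost]
    public ActionResult EditWithBind([Bind(Include = "Id,Name,Email")] User user)
    {
        _users.Save(user);
        return RedirectToAction("Index");
    }

    // HARDENED (b): bind to a view model that has no IsAdmin at all, then copy
    // the permitted fields onto the loaded entity.
    [HttpPost]
    public ActionResult EditWithViewModel(int id, EditProfileViewModel form)
    {
        if (!ModelState.IsValid) return View(form);
        var user = _users.Find(id);
        user.Name = form.Name;
        user.Email = form.Email;
        _users.Save(user);
        return RedirectToAction("Index");
    }
}
```

Variant (a) is the quick patch for an existing action; variant (b) is the durable one, because the sensitive property is simply not reachable from the request.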
Wouldn't be so sure of safety - RoR just gets a lot more publicity when a vulnerability surfaces, although the huge amount of magic involved in RoR makes vulnerabilities more common than more static code.
The difference is that things like enabling remote errors or disabling request validation in ASP.NET requires that you explicitly change those settings. The default config doesn't expose either of those issues.
Of course people make mistakes. The point is that the framework doesn't expose you to those risks by default. You have to explicitly make those mistakes yourself.
Further, when ASP.NET does have the odd vulnerability crop up, patches roll out automatically as critical updates via Windows Update. So, these things get patched quickly even if the app or server is no longer actively maintained, as is the case with so much code out there on every platform. Ironically, it's a bit like Windows Server being the Google Chrome of server environments when it comes to frequency and pervasiveness of updates.
Bing are Microsoft dogfooding new tech. They will make mistakes.
For those of us who are conservative there are very few opportunities to make mistakes. We have checklists, security policies, code reviews and even protection components in our framework as well as completely segregated web and back end systems.
I've got to ask: could you share what app or at least industry that app is in? I've never seen 134,000 test cases before for a web app, and 220,000 assertions to boot. What's the ratio of test cases to code? It sounds like a record to me!
I've worked in a number of medium to large financial institutions, and 10M LOC is nothing, really. They had subsystems that were bigger than that by a factor of 2.
I have to wonder how many of those tests are merely performing the kinds of checks that the compiler would automatically perform were a compiled language like, say, C# or Java being used instead of Ruby.
Yes, this is true, but we proactively approach the problem rather than waiting for third parties to find the holes. We are responsible for a couple of patch Tuesdays :)
SQL Server is anything but well engineered. What version of SQL Server are you currently running? Is it on the latest service pack only, or with the latest cumulative update applied? The latter fixes critical bugs, but is claimed to be "not fully tested" by Microsoft. This retarded release policy means there is no stable version of SQL Server.