> No bank in the US would ever dare run a stock rails site, I would bet they would be rightfully sued.
Why so? Even banking websites build on frameworks, and if you had chosen Spring, for example, there was a Remote Code Execution vulnerability in 2010. And even if you roll your own framework, you're just as likely to introduce a critical flaw. The Dutch governmental DigiD service runs Rails [1]. The critical difference between the BC service and a bank or the government is that a responsible party would have secured their app immediately. The DigiD service was taken down pretty quickly and stayed down until patched. There were multiple workarounds that did not involve major patches, and even if you didn't know which of your apps was vulnerable, you could filter the payload at your load-balancers if you had some [2].
[1] http://lwn.net/Articles/532224/
[2] An XML tag with the type "yaml" was required to trigger this. It's a pretty specific payload that is very unlikely to be used in a regular request.
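The load-balancer filter the comment alludes to, as an added illustration that is not part of the original post and not any vendor's or Rails' own code: a front-end check that refuses XML request bodies in which any element carries a `type="yaml"` attribute, the marker the comment names as required to trigger the bug. The sample request bodies are constructed for this example; the `BLOCKED_TYPES` set, the content-type gate and the regex fallback for unparseable bodies are design choices of this example, not something the post prescribes.

```python
"""Front-end filter for XML request bodies carrying a type="yaml" attribute.

Added example (not from the original post). The sample bodies below are
constructed; the attribute name and value come from the comment's footnote.
"""
import re
import xml.etree.ElementTree as ET
from xml.etree.ElementTree import ParseError

# Attribute values that a legitimate XML request to the app never needs.
# The post names only "yaml"; the set is an assumption of this example.
BLOCKED_TYPES = {"yaml"}

# Fallback for bodies that do not parse as XML: look for the attribute
# textually, tolerant of quoting style, surrounding whitespace and case.
_ATTR_RE = re.compile(r"""\btype\s*=\s*["']\s*(yaml)\s*["']""", re.IGNORECASE)

# Content types on which the filter is applied (assumption of this example).
XML_CONTENT_TYPES = {"application/xml", "text/xml"}


def has_blocked_type_attr(body: str) -> bool:
    """Return True if any element in `body` has a type attribute in BLOCKED_TYPES.

    Parses the document properly first so that the check is not fooled by
    attribute ordering, odd whitespace or entity encoding; if the body is not
    well-formed XML, fall back to the textual pattern so that a request that
    fails our parser but might still reach the application is not let through.
    """
    try:
        root = ET.fromstring(body)
    except ParseError:
        return bool(_ATTR_RE.search(body))
    for elem in root.iter():
        value = elem.attrib.get("type", "")
        if value.strip().lower() in BLOCKED_TYPES:
            return True
    return False


def should_block(headers: dict, body: str) -> bool:
    """Decide whether a request should be rejected at the edge.

    Only bodies declared as XML are inspected here; an operator who is unsure
    how the backend selects its parser can drop the content-type gate and run
    has_blocked_type_attr() over every body instead.
    """
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype not in XML_CONTENT_TYPES:
        return False
    return has_blocked_type_attr(body)


# Constructed sample requests for a stand-alone run.
BENIGN_XML = '<user><name>alice</name><age type="integer">30</age></user>'
SUSPECT_XML = '<user><name type="yaml">- a</name></user>'
MALFORMED_XML = "<user><name type='YAML'>x</user>"

if __name__ == "__main__":
    xml_headers = {"Content-Type": "application/xml; charset=utf-8"}
    for label, body in (("benign", BENIGN_XML), ("suspect", SUSPECT_XML),
                        ("malformed", MALFORMED_XML)):
        print(f"{label}: block={should_block(xml_headers, body)}")
```

The parse-then-fallback order matters: a filter that only pattern-matches can be bypassed by encodings the application's XML parser still accepts, while a filter that only parses silently passes anything it cannot read. Blocking on both paths keeps the rule as narrow as the footnote suggests (a `type="yaml"` attribute) without relying on the exact byte layout of a request.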