The bar is low for such tools regardless of programming language. In a language ... | Hacker News

Hacker News new | past | comments | ask | show | jobs | submit

login

slimed on Feb 5, 2020 | parent | context | favorite | on: Attacking Ruby on Rails applications (2016)

The bar is low for such tools regardless of programming language. In a language as dynamic as Ruby it's several miles into the Earth's crust. The tool won't be able to tell you much of anything you shouldn't already know. "Potentially high-impact web vulns" is a next to useless metric when provided by such a tool. The rate of false positives is high. A distraction such as this when your application surely has more serious vulnerabilities is not helpful.

dwheeler on Feb 7, 2020 [–]

Railroader and Brakeman compensate for this by not being generic analysis tools for Ruby, but instead focusing specifically only on Ruby on Rails. Because Ruby on Rails has a lot of additional conventions, it's much easier to build a specialized tool to look for violations of those conventions.

Consider applying for YC's Spring batch! Applications are open till Feb 11.
Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact