Keeping Rails Applications on Track with Brakeman

Transcript

1. Keeping Rails Applications on Track with Brakeman Justin Collins @presidentbeef

   RailsConf 2012 1

2. Everyone knows they “should” worry about security 2

3. But when should you worry? 3

4. Write code Run tests Deploy code Commit code Push to

   CI server Code review QA Testing Idealized Software Development 4

5. Write code Run tests Deploy code Commit code Push to

   CI server Code review QA Testing Cost to Fix Defects 5

6. Write code Run tests Deploy code Commit code Push to

   CI server Code review QA Testing Cost to Fix Defects 6

7. Write code Run tests Deploy code Commit code Push to

   CI server Code review QA Testing Security Review Cost to Fix Defects 6

8. Write code Run tests Deploy code Commit code Push to

   CI server Code review QA Testing Security Review Cost to Fix Defects 6

9. Write code Run tests Deploy code Commit code Push to

   CI server Code review QA Testing Security Review Cost to Fix Defects 6

10. Write code Run tests Deploy code Commit code Push to

    CI server Code review QA Testing Security Review Cost to Fix Defects 6

11. Write code Run tests Deploy code Commit code Push to

    CI server Code review QA Testing Security Review Cost to Fix Defects 6

12. Write code Run tests Deploy code Commit code Push to

    CI server Code review QA Testing Security Review Cost to Fix Defects 6

13. Write code Run tests Deploy code Commit code Push to

    CI server Code review QA Testing Security Review Cost to Fix Defects 6

14. Write code Run tests Deploy code Commit code Push to

    CI server Code review QA Testing Security Review Cost to Fix Defects 6

15. Write code Run tests Deploy code Commit code Push to

    CI server Code review QA Testing Security Review Save code Cost to Fix Defects 6

16. brakemanscanner.org github.com/presidentbeef/brakeman @brakeman 7

17. “zero configuration” security scanning 8

18. gem install brakeman cd my_rails_app/ brakeman 9

19. 10

20. gem install brakeman cd my_rails_app/ brakeman -o report.html 11

21. 12

22. “Confidence” View Render Location Warning Type Line Number Code Snippet

    13

23. Line 5 14

24. Static Analysis Detour 15

25. Static Analysis Anything that can be determined about a program

    without actually executing it 16

26. “But Ruby is way too dynamic for that!” 17

27. eval(File.read(gets.strip)) 18

28. We don’t have to know everything 19

29. Most of the Action Happens Here Controller View Partials Filters

    20

30. View <%= params[:user][:name] %> Start Simple: User Input in Views

    21

31. Controller View Next: From Controllers to Views <%= @user[:name] %>

    @user = params[:user] 22

32. Controller View Next: From Controllers to Views <%= @user[:name] %>

    @user = params[:user] 22

33. Next: From Controllers to Views Controller View <%= params[:user][:name] %>

    @user = params[:user] 23

34. user = params[:user] user_id = user[:id] @current_user = User.find(user_id) @current_user.update_attributes(user)

    Really Simple Data Flow 24

35. user = params[:user] user_id = user[:id] @current_user = User.find(user_id) @current_user.update_attributes(user)

    Really Simple Data Flow 24

36. Really Simple Data Flow user = params[:user] user_id = params[:id]

    @current_user = User.find(user_id) @current_user.update_attributes(user) 25

37. Really Simple Data Flow user = params[:user] user_id = params[:id]

    @current_user = User.find(user_id) @current_user.update_attributes(user) 25

38. Really Simple Data Flow user = params[:user] user_id = params[:id]

    @current_user = User.find(params[:user][:id]) @current_user.update_attributes(user) 26

39. Really Simple Data Flow user = params[:user] user_id = params[:id]

    @current_user = User.find(params[:user][:id]) @current_user.update_attributes(user) 26

40. Really Simple Data Flow user = params[:user] user_id = params[:id]

    @current_user = User.find(params[:user][:id]) User.find(params[:user][:id]).update_attributes(user) 27

41. Really Simple Data Flow user = params[:user] user_id = params[:id]

    @current_user = User.find(params[:user][:id]) User.find(params[:user][:id]).update_attributes(user) 27

42. Really Simple Data Flow user = params[:user] user_id = params[:id]

    @current_user = User.find(params[:user][:id]) User.find(params[:user][:id]).update_attributes(params[:user]) 28

43. Really Simple Data Flow Mass Assignment user = params[:user] user_id

    = params[:id] @current_user = User.find(params[:user][:id]) User.find(params[:user][:id]).update_attributes(params[:user]) 28

44. Brakeman Can Detect... • Cross site scripting • SQL injection

    • Command injection • Unrestricted mass assignment • Unprotected redirects • Unsafe file access • Insufficient model validation • Version-specific security issues • Dangerous use of eval • Dangerous use of send • Default routes • Dynamic render paths • …and more! 29

45. Performance Twitter Main App < 2m nventory (66c, 58m, 688t)

    ~1m Redmine (50c, 77m, 256t) ~20s Typo (34c, 47m, 113t) ~5s Brakeman 1.6.0, Ruby 1.9.3-p125 30

46. Back to SDLC Write code Run tests Deploy code Commit

    code Push to CI server Code review QA Testing 31

47. Run Brakeman Anytime Write code Run tests Deploy code Commit

    code Push to CI server Code review QA Testing 32

48. Run Brakeman Anytime Write code Run tests Deploy code Commit

    code Push to CI server Code review QA Testing 32

49. Run Brakeman Anytime Write code Run tests Deploy code Commit

    code Push to CI server Code review QA Testing 32

50. Run Brakeman Anytime Write code Run tests Deploy code Commit

    code Push to CI server Code review QA Testing 32

51. Run Brakeman Anytime Write code Run tests Deploy code Commit

    code Push to CI server Code review QA Testing 32

52. Brakeman + jenkins-ci.org open source CI server 33

53. Brakeman + 34

54. Brakeman + 35

55. Brakeman Programatically require “brakeman” Brakeman.run “myapp” 36

56. Run Brakeman Anytime Write code Run tests Deploy code Commit

    code Push to CI server Code review QA Testing 37

57. Run Brakeman Anytime Write code Run tests Deploy code Commit

    code Push to CI server Code review QA Testing 37

58. Run Brakeman Anytime Write code Run tests Deploy code Commit

    code Push to CI server Code review QA Testing 37

59. Brakeman + Rake brakeman --rake rake brakeman:run 38

60. Hardcore Mode brakeman -z 39

61. Comparing Brakeman Results brakeman -o report.json brakeman --compare report.json 40

62. Brakeman...All the Time? Write code Run tests Deploy code Commit

    code Push to CI server Code review QA Testing 41

63. Brakeman...All the Time? Write code Run tests Deploy code Commit

    code Push to CI server Code review QA Testing Save code 41

64. Fast Rescanning Brakeman supports fast rescanning of changed files* 42

65. Fast Rescanning *If scan is kept in memory 43

66. Brakeman + Guard group :development do gem 'guard-brakeman' end 44

67. Brakeman + Guard guard init brakeman guard 45

68. http://www.youtube.com/ watch?v=CMgYcr9_ONs Brakeman + Guard Demo 46

69. Caveats 47

70. warnings != vulnerabilities 48

71. zero warnings does not mean zero vulnerabilities 49

72. Brakeman is not omniscient 50

73. Supports • Rails 2.x & 3.x • Ruby 1.8.7 &

    1.9.x • JRuby 51

74. brakemanscanner.org github.com/presidentbeef/brakeman @brakeman 52