Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Keeping Rails Applications on Track with Brakeman

Justin Collins
May 23, 2012
Programming
2
480

Keeping Rails Applications on Track with Brakeman

Brakeman (http://brakemanscanner.org/) is an open source static analysis tool which provides painless vulnerability scans of Rails code from "rails new" through deployment. Running Brakeman as a part of continuous integration provides feedback during all stages of development and can alert developers immediately when a potential vulnerability is introduced. Bringing security testing as close to the developer as possible (even scanning as files are saved) means security problems are caught faster - and the sooner problems are found the cheaper they are to fix.

Justin Collins

May 23, 2012
Tweet

More Decks by Justin Collins

See All by Justin Collins
Continuous (Application) Security at DevOps Velocity
presidentbeef
0
120
The Evolution of Rails Security
presidentbeef
1
740
Brakeman RailsConf 2017 Lightning Talk
presidentbeef
0
110
Practical Static Analysis for Continuous Application Security
presidentbeef
0
160
"...But Doesn't Rails Take Care of Security for Me?"
presidentbeef
1
370
Continuous Security with Practical Static Analysis
presidentbeef
1
270
Security Automation at Twitter - Rise of the Machines
presidentbeef
0
190
"Recent Rails SQL Issues" - 2012
presidentbeef
0
62
The World of Rails Security - RailsConf 2015
presidentbeef
8
1.1k

Other Decks in Programming

See All in Programming
Pinia Colada が実現するスマートな非同期処理
naokihaba
4
230
Compose 1.7のTextFieldはPOBox Plusで日本語変換できない
tomoya0x00
0
200
カンファレンスの「アレ」Webでなんとかしませんか? / Conference “thing” Why don't you do something about it on the Web?
dero1to
1
110
CSC509 Lecture 12
javiergs
PRO
0
160
Creating a Free Video Ad Network on the Edge
mizoguchicoji
0
120
EMになってからチームの成果を最大化するために取り組んだこと/ Maximize team performance as EM
nashiusagi
0
100
as(型アサーション)を書く前にできること
marokanatani
10
2.7k
ピラミッド、アイスクリームコーン、SMURF: 自動テストの最適バランスを求めて / Pyramid Ice-Cream-Cone and SMURF
twada
PRO
10
1.3k
카카오페이는 어떻게 수천만 결제를 처리할까? 우아한 결제 분산락 노하우
kakao
PRO
0
110
聞き手から登壇者へ: RubyKaigi2024 LTでの初挑戦が 教えてくれた、可能性の星
mikik0
1
130
A Journey of Contribution and Collaboration in Open Source
ivargrimstad
0
1k
Jakarta EE meets AI
ivargrimstad
0
150

Featured

See All Featured
How to train your dragon (web standard)
notwaldorf
88
5.7k
[RailsConf 2023] Rails as a piece of cake
palkan
52
4.9k
Build The Right Thing And Hit Your Dates
maggiecrowley
33
2.4k
It's Worth the Effort
3n
183
27k
Why You Should Never Use an ORM
jnunemaker
PRO
54
9.1k
Bootstrapping a Software Product
garrettdimon
PRO
305
110k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
6
430
KATA
mclloyd
29
14k
Optimizing for Happiness
mojombo
376
70k
Practical Orchestrator
shlominoach
186
10k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.1k
Intergalactic Javascript Robots from Outer Space
tanoku
269
27k

Transcript

  1. Keeping Rails Applications on Track with Brakeman Justin Collins @presidentbeef

    RailsConf 2012 1

  2. Everyone knows they “should” worry about security 2

  3. But when should you worry? 3

  4. Write code Run tests Deploy code Commit code Push to

    CI server Code review QA Testing Idealized Software Development 4

  5. Write code Run tests Deploy code Commit code Push to

    CI server Code review QA Testing Cost to Fix Defects 5

  6. Write code Run tests Deploy code Commit code Push to

    CI server Code review QA Testing Cost to Fix Defects 6

  7. Write code Run tests Deploy code Commit code Push to

    CI server Code review QA Testing Security Review Cost to Fix Defects 6

  8. Write code Run tests Deploy code Commit code Push to

    CI server Code review QA Testing Security Review Cost to Fix Defects 6

  9. Write code Run tests Deploy code Commit code Push to

    CI server Code review QA Testing Security Review Cost to Fix Defects 6

  10. Write code Run tests Deploy code Commit code Push to

    CI server Code review QA Testing Security Review Cost to Fix Defects 6

  11. Write code Run tests Deploy code Commit code Push to

    CI server Code review QA Testing Security Review Cost to Fix Defects 6

  12. Write code Run tests Deploy code Commit code Push to

    CI server Code review QA Testing Security Review Cost to Fix Defects 6

  13. Write code Run tests Deploy code Commit code Push to

    CI server Code review QA Testing Security Review Cost to Fix Defects 6

  14. Write code Run tests Deploy code Commit code Push to

    CI server Code review QA Testing Security Review Cost to Fix Defects 6

  15. Write code Run tests Deploy code Commit code Push to

    CI server Code review QA Testing Security Review Save code Cost to Fix Defects 6

  16. brakemanscanner.org github.com/presidentbeef/brakeman @brakeman 7

  17. “zero configuration” security scanning 8

  18. gem install brakeman cd my_rails_app/ brakeman 9

  19. 10

  20. gem install brakeman cd my_rails_app/ brakeman -o report.html 11

  21. 12

  22. “Confidence” View Render Location Warning Type Line Number Code Snippet

    13

  23. Line 5 14

  24. Static Analysis Detour 15

  25. Static Analysis Anything that can be determined about a program

    without actually executing it 16

  26. “But Ruby is way too dynamic for that!” 17

  27. eval(File.read(gets.strip)) 18

  28. We don’t have to know everything 19

  29. Most of the Action Happens Here Controller View Partials Filters

    20

  30. View <%= params[:user][:name] %> Start Simple: User Input in Views

    21

  31. Controller View Next: From Controllers to Views <%= @user[:name] %>

    @user = params[:user] 22

  32. Controller View Next: From Controllers to Views <%= @user[:name] %>

    @user = params[:user] 22

  33. Next: From Controllers to Views Controller View <%= params[:user][:name] %>

    @user = params[:user] 23

  34. user = params[:user] user_id = user[:id] @current_user = User.find(user_id) @current_user.update_attributes(user)

    Really Simple Data Flow 24

  35. user = params[:user] user_id = user[:id] @current_user = User.find(user_id) @current_user.update_attributes(user)

    Really Simple Data Flow 24

  36. Really Simple Data Flow user = params[:user] user_id = params[:id]

    @current_user = User.find(user_id) @current_user.update_attributes(user) 25

  37. Really Simple Data Flow user = params[:user] user_id = params[:id]

    @current_user = User.find(user_id) @current_user.update_attributes(user) 25

  38. Really Simple Data Flow user = params[:user] user_id = params[:id]

    @current_user = User.find(params[:user][:id]) @current_user.update_attributes(user) 26

  39. Really Simple Data Flow user = params[:user] user_id = params[:id]

    @current_user = User.find(params[:user][:id]) @current_user.update_attributes(user) 26

  40. Really Simple Data Flow user = params[:user] user_id = params[:id]

    @current_user = User.find(params[:user][:id]) User.find(params[:user][:id]).update_attributes(user) 27

  41. Really Simple Data Flow user = params[:user] user_id = params[:id]

    @current_user = User.find(params[:user][:id]) User.find(params[:user][:id]).update_attributes(user) 27

  42. Really Simple Data Flow user = params[:user] user_id = params[:id]

    @current_user = User.find(params[:user][:id]) User.find(params[:user][:id]).update_attributes(params[:user]) 28

  43. Really Simple Data Flow Mass Assignment user = params[:user] user_id

    = params[:id] @current_user = User.find(params[:user][:id]) User.find(params[:user][:id]).update_attributes(params[:user]) 28

  44. Brakeman Can Detect... • Cross site scripting • SQL injection

    • Command injection • Unrestricted mass assignment • Unprotected redirects • Unsafe file access • Insufficient model validation • Version-specific security issues • Dangerous use of eval • Dangerous use of send • Default routes • Dynamic render paths • …and more! 29

  45. Performance Twitter Main App < 2m nventory (66c, 58m, 688t)

    ~1m Redmine (50c, 77m, 256t) ~20s Typo (34c, 47m, 113t) ~5s Brakeman 1.6.0, Ruby 1.9.3-p125 30

  46. Back to SDLC Write code Run tests Deploy code Commit

    code Push to CI server Code review QA Testing 31

  47. Run Brakeman Anytime Write code Run tests Deploy code Commit

    code Push to CI server Code review QA Testing 32

  48. Run Brakeman Anytime Write code Run tests Deploy code Commit

    code Push to CI server Code review QA Testing 32

  49. Run Brakeman Anytime Write code Run tests Deploy code Commit

    code Push to CI server Code review QA Testing 32

  50. Run Brakeman Anytime Write code Run tests Deploy code Commit

    code Push to CI server Code review QA Testing 32

  51. Run Brakeman Anytime Write code Run tests Deploy code Commit

    code Push to CI server Code review QA Testing 32

  52. Brakeman + jenkins-ci.org open source CI server 33

  53. Brakeman + 34

  54. Brakeman + 35

  55. Brakeman Programatically require “brakeman” Brakeman.run “myapp” 36

  56. Run Brakeman Anytime Write code Run tests Deploy code Commit

    code Push to CI server Code review QA Testing 37

  57. Run Brakeman Anytime Write code Run tests Deploy code Commit

    code Push to CI server Code review QA Testing 37

  58. Run Brakeman Anytime Write code Run tests Deploy code Commit

    code Push to CI server Code review QA Testing 37

  59. Brakeman + Rake brakeman --rake rake brakeman:run 38

  60. Hardcore Mode brakeman -z 39

  61. Comparing Brakeman Results brakeman -o report.json brakeman --compare report.json 40

  62. Brakeman...All the Time? Write code Run tests Deploy code Commit

    code Push to CI server Code review QA Testing 41

  63. Brakeman...All the Time? Write code Run tests Deploy code Commit

    code Push to CI server Code review QA Testing Save code 41

  64. Fast Rescanning Brakeman supports fast rescanning of changed files* 42

  65. Fast Rescanning *If scan is kept in memory 43

  66. Brakeman + Guard group :development do gem 'guard-brakeman' end 44

  67. Brakeman + Guard guard init brakeman guard 45

  68. http://www.youtube.com/ watch?v=CMgYcr9_ONs Brakeman + Guard Demo 46

  69. Caveats 47

  70. warnings != vulnerabilities 48

  71. zero warnings does not mean zero vulnerabilities 49

  72. Brakeman is not omniscient 50

  73. Supports • Rails 2.x & 3.x • Ruby 1.8.7 &

    1.9.x • JRuby 51

  74. brakemanscanner.org github.com/presidentbeef/brakeman @brakeman 52