
Keeping Rails Applications on Track with Brakeman

Brakeman (http://brakemanscanner.org/) is an open source static analysis tool which provides painless vulnerability scans of Rails code from "rails new" through deployment. Running Brakeman as a part of continuous integration provides feedback during all stages of development and can alert developers immediately when a potential vulnerability is introduced. Bringing security testing as close to the developer as possible (even scanning as files are saved) means security problems are caught faster - and the sooner problems are found the cheaper they are to fix.

Justin Collins

May 23, 2012

Transcript

  1. Keeping Rails Applications on Track with Brakeman
    Justin Collins
    @presidentbeef
    RailsConf 2012

  2. Everyone knows they “should” worry about security

  3. But when should you worry?

  4. Idealized Software Development (diagram of stages: Write code, Run tests, Deploy code, Commit code, Push to CI server, Code review, QA Testing)

  5. Cost to Fix Defects (diagram over the same stages: Write code, Run tests, Deploy code, Commit code, Push to CI server, Code review, QA Testing)

  6. Same as slide 5.

  7. Cost to Fix Defects, with Security Review added (diagram of stages: Write code, Run tests, Deploy code, Commit code, Push to CI server, Code review, QA Testing, Security Review)

  8. Same as slide 7.

  9. Same as slide 7.

  10. Same as slide 7.

  11. Same as slide 7.

  12. Same as slide 7.

  13. Same as slide 7.

  14. Same as slide 7.

  15. Cost to Fix Defects, with Save code added (diagram of stages: Write code, Run tests, Deploy code, Commit code, Push to CI server, Code review, QA Testing, Security Review, Save code)

  16. brakemanscanner.org
    github.com/presidentbeef/brakeman
    @brakeman

  17. “zero configuration” security scanning

  18. gem install brakeman
    cd my_rails_app/
    brakeman

  19. (image only)

  20. gem install brakeman
    cd my_rails_app/
    brakeman -o report.html

  21. (image only)

  22. Report fields (annotated screenshot): “Confidence”, View, Render Location, Warning Type, Line Number, Code Snippet

  23. Line 5

  24. Static Analysis Detour

  25. Static Analysis: anything that can be determined about a program without actually executing it

  26. “But Ruby is way too dynamic for that!”

  27. eval(File.read(gets.strip))

  28. We don’t have to know everything

  29. Most of the Action Happens Here: Controller, View, Partials, Filters

  30. Start Simple: User Input in Views
    View: <%= params[:user][:name] %>

  31. Next: From Controllers to Views
    Controller: @user = params[:user]
    View: <%= @user[:name] %>

  32. Same as slide 31.

  33. Next: From Controllers to Views
    Controller: @user = params[:user]
    View (after substitution): <%= params[:user][:name] %>

  34. Really Simple Data Flow
    user = params[:user]
    user_id = user[:id]
    @current_user = User.find(user_id)
    @current_user.update_attributes(user)

  35. Same as slide 34.

  36. Really Simple Data Flow
    user = params[:user]
    user_id = params[:id]
    @current_user = User.find(user_id)
    @current_user.update_attributes(user)

  37. Same as slide 36.

  38. Really Simple Data Flow
    user = params[:user]
    user_id = params[:id]
    @current_user = User.find(params[:user][:id])
    @current_user.update_attributes(user)

  39. Same as slide 38.

  40. Really Simple Data Flow
    user = params[:user]
    user_id = params[:id]
    @current_user = User.find(params[:user][:id])
    User.find(params[:user][:id]).update_attributes(user)

  41. Same as slide 40.

  42. Really Simple Data Flow
    user = params[:user]
    user_id = params[:id]
    @current_user = User.find(params[:user][:id])
    User.find(params[:user][:id]).update_attributes(params[:user])

  43. Really Simple Data Flow: Mass Assignment
    user = params[:user]
    user_id = params[:id]
    @current_user = User.find(params[:user][:id])
    User.find(params[:user][:id]).update_attributes(params[:user])
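The substitution the slides step through (slides 30 to 33 for the view, slides 34 to 43 for the controller) can be modelled in a few dozen lines of Ruby. The following is an added example written for this page, not Brakeman's own code: it keeps an environment of what each variable was last assigned, substitutes those values into later expressions, and then looks for user input (anything rooted in params) reaching an output tag or an update_attributes call. The S-expression format, the DataFlow class, and the sample CONTROLLER and VIEW statements are all constructed for the illustration. A reference the analysis cannot resolve is left as it is, which is the “we don’t have to know everything” point from slide 28.

```ruby
# Added example: a toy version of Brakeman-style value substitution.
# Not Brakeman's code; the S-expression format, DataFlow and the sample
# statements below are constructed for this illustration.
#
# Expressions (nested arrays):
#   [:params]                          the params hash (user input)
#   [:index, expr, :key]               expr[:key]
#   [:lvar, :name] / [:ivar, :@name]   variable references
#   [:const, :User] / [:str, "text"]   constant, string literal
#   [:call, receiver, :method, [args]] method call
# Statements:
#   [:assign, target, expr]            target = expr
#   [:expr, expr]                      expression statement (controller)
#   [:output, expr]                    <%= expr %> in a view
class DataFlow
  Warning = Struct.new(:type, :code)

  def initialize
    @env = {}        # variable name -> last assigned (substituted) expression
    @warnings = []
  end

  # Process statements in order; returns the list of warnings found.
  def run(statements)
    statements.each { |stmt| process(stmt) }
    @warnings
  end

  private

  def process(stmt)
    kind, *rest = stmt
    case kind
    when :assign
      target, value = rest
      @env[target[1]] = substitute(value)
    when :expr
      check(substitute(rest[0]))
    when :output
      value = substitute(rest[0])
      report("Cross site scripting", value) if tainted?(value)
    end
  end

  # Replace each variable reference with what was last assigned to it.
  # Unknown references stay as they are: we don't have to know everything.
  def substitute(expr)
    case expr[0]
    when :lvar, :ivar
      @env.fetch(expr[1], expr)
    when :index
      [:index, substitute(expr[1]), expr[2]]
    when :call
      receiver, name, args = expr[1..3]
      [:call, substitute(receiver), name, args.map { |a| substitute(a) }]
    else
      expr
    end
  end

  # User input is anything rooted in the params hash.
  def tainted?(expr)
    return false unless expr.is_a?(Array)
    return true if expr[0] == :params
    expr.any? { |e| tainted?(e) }
  end

  # Walk a substituted expression looking for dangerous sinks.
  def check(expr)
    return unless expr.is_a?(Array) && expr[0] == :call
    receiver, name, args = expr[1..3]
    if name == :update_attributes && args.any? { |a| tainted?(a) }
      report("Unrestricted mass assignment", expr)
    end
    check(receiver)
    args.each { |a| check(a) }
  end

  def report(type, expr)
    @warnings << Warning.new(type, render(expr))
  end

  # Render an expression back to Ruby-like source for the warning.
  def render(expr)
    case expr[0]
    when :params then "params"
    when :str then expr[1].inspect
    when :lvar, :ivar, :const then expr[1].to_s
    when :index then "#{render(expr[1])}[:#{expr[2]}]"
    when :call
      "#{render(expr[1])}.#{expr[2]}(#{expr[3].map { |a| render(a) }.join(', ')})"
    end
  end
end

# Constructed sample: the controller from the slides.
CONTROLLER = [
  [:assign, [:lvar, :user], [:index, [:params], :user]],         # user = params[:user]
  [:assign, [:lvar, :user_id], [:index, [:lvar, :user], :id]],  # user_id = user[:id]
  [:assign, [:ivar, :@current_user],                              # @current_user = User.find(user_id)
   [:call, [:const, :User], :find, [[:lvar, :user_id]]]],
  [:expr, [:call, [:ivar, :@current_user], :update_attributes, [[:lvar, :user]]]],
]

# Constructed sample: a controller assignment followed by the view.
VIEW = [
  [:assign, [:ivar, :@user], [:index, [:params], :user]],  # @user = params[:user]
  [:assign, [:ivar, :@title], [:str, "Profile"]],          # @title = "Profile"
  [:output, [:index, [:ivar, :@user], :name]],             # <%= @user[:name] %>
  [:output, [:ivar, :@title]],                             # <%= @title %> (safe)
]

def scan(statements)
  DataFlow.new.run(statements)
end

if __FILE__ == $PROGRAM_NAME
  (scan(CONTROLLER) + scan(VIEW)).each { |w| puts "#{w.type}: #{w.code}" }
end
```

Running it prints the fully substituted sink from slide 42, `User.find(params[:user][:id]).update_attributes(params[:user])`, as a mass assignment warning, and `params[:user][:name]` as the view warning; the string literal assigned to @title produces nothing, because nothing in it is rooted in params.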

  44. Brakeman Can Detect...
    • Cross site scripting
    • SQL injection
    • Command injection
    • Unrestricted mass assignment
    • Unprotected redirects
    • Unsafe file access
    • Insufficient model validation
    • Version-specific security issues
    • Dangerous use of eval
    • Dangerous use of send
    • Default routes
    • Dynamic render paths
    • …and more!

  45. Performance (Brakeman 1.6.0, Ruby 1.9.3-p125)
    Twitter Main App: < 2m
    nventory (66c, 58m, 688t): ~1m
    Redmine (50c, 77m, 256t): ~20s
    Typo (34c, 47m, 113t): ~5s

  46. Back to SDLC (diagram of stages: Write code, Run tests, Deploy code, Commit code, Push to CI server, Code review, QA Testing)

  47. Run Brakeman Anytime (diagram of stages: Write code, Run tests, Deploy code, Commit code, Push to CI server, Code review, QA Testing)

  48. Same as slide 47.

  49. Same as slide 47.

  50. Same as slide 47.

  51. Same as slide 47.

  52. Brakeman + jenkins-ci.org (open source CI server)

  53. Brakeman + (logo image)

  54. Brakeman + (logo image)

  55. Brakeman Programmatically
    require "brakeman"
    Brakeman.run "myapp"

  56. Run Brakeman Anytime (diagram of stages: Write code, Run tests, Deploy code, Commit code, Push to CI server, Code review, QA Testing)

  57. Same as slide 56.

  58. Same as slide 56.

  59. Brakeman + Rake
    brakeman --rake
    rake brakeman:run

  60. Hardcore Mode
    brakeman -z

  61. Comparing Brakeman Results
    brakeman -o report.json
    brakeman --compare report.json
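A worked illustration of what a compare step gives a CI job, as an added example rather than Brakeman's implementation of `--compare`: two reports in a simplified form of Brakeman's JSON output, and a diff that lists the warnings that are new and the warnings that disappeared. The field names are assumed to follow Brakeman's report; the warning contents, the warning_key identity rule (type, file and code, ignoring the line number) and the ci_exit_status helper are constructed for this example.

```ruby
require "json"

# Added example, not Brakeman's implementation. The two reports below are
# constructed; their field names are assumed to follow Brakeman's JSON output.
BASELINE_JSON = <<~JSON
  { "warnings": [
    { "warning_type": "Cross Site Scripting", "file": "app/views/users/show.html.erb",
      "line": 5, "code": "params[:user][:name]", "confidence": "High" },
    { "warning_type": "Mass Assignment", "file": "app/controllers/users_controller.rb",
      "line": 12, "code": "User.find(params[:user][:id]).update_attributes(params[:user])",
      "confidence": "High" }
  ] }
JSON

# Same app after a change: the XSS warning moved two lines down, the mass
# assignment was fixed, and a new redirect warning appeared.
CURRENT_JSON = <<~JSON
  { "warnings": [
    { "warning_type": "Cross Site Scripting", "file": "app/views/users/show.html.erb",
      "line": 7, "code": "params[:user][:name]", "confidence": "High" },
    { "warning_type": "Redirect", "file": "app/controllers/sessions_controller.rb",
      "line": 9, "code": "redirect_to(params[:url])", "confidence": "High" }
  ] }
JSON

# Identity of a warning for comparison purposes (an assumption made here):
# type, file and code, but not the line number, so a warning that merely
# moved within a file is not reported as new.
def warning_key(w)
  [w["warning_type"], w["file"], w["code"]]
end

# Returns the warnings new in the current report and the baseline warnings
# that are no longer present.
def compare_reports(baseline_json, current_json)
  baseline = JSON.parse(baseline_json)["warnings"]
  current  = JSON.parse(current_json)["warnings"]
  baseline_keys = baseline.map { |w| warning_key(w) }
  current_keys  = current.map { |w| warning_key(w) }
  {
    new_warnings:   current.reject { |w| baseline_keys.include?(warning_key(w)) },
    fixed_warnings: baseline.reject { |w| current_keys.include?(warning_key(w)) },
  }
end

# CI gate: 0 (success) unless the change introduced new warnings.
def ci_exit_status(result)
  result[:new_warnings].empty? ? 0 : 1
end

if __FILE__ == $PROGRAM_NAME
  result = compare_reports(BASELINE_JSON, CURRENT_JSON)
  result[:new_warnings].each   { |w| puts "NEW   #{w['warning_type']} #{w['file']}:#{w['line']}  #{w['code']}" }
  result[:fixed_warnings].each { |w| puts "FIXED #{w['warning_type']} #{w['file']}:#{w['line']}  #{w['code']}" }
  puts "exit status: #{ci_exit_status(result)}"
end
```

Gating only on new warnings lets a team switch the scan on for an existing code base and work through the baseline separately, whereas `brakeman -z` from slide 60 fails the build on any warning at all.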

  62. Brakeman...All the Time? (diagram of stages: Write code, Run tests, Deploy code, Commit code, Push to CI server, Code review, QA Testing)

  63. Brakeman...All the Time? (diagram of stages with Save code added: Write code, Run tests, Deploy code, Commit code, Push to CI server, Code review, QA Testing, Save code)

  64. Fast Rescanning: Brakeman supports fast rescanning of changed files*

  65. Fast Rescanning: *If scan is kept in memory

  66. Brakeman + Guard
    group :development do
      gem 'guard-brakeman'
    end

  67. Brakeman + Guard
    guard init brakeman
    guard

  68. Brakeman + Guard Demo: http://www.youtube.com/watch?v=CMgYcr9_ONs

  69. Caveats

  70. warnings != vulnerabilities

  71. zero warnings does not mean zero vulnerabilities

  72. Brakeman is not omniscient

  73. Supports
    • Rails 2.x & 3.x
    • Ruby 1.8.7 & 1.9.x
    • JRuby

  74. brakemanscanner.org
    github.com/presidentbeef/brakeman
    @brakeman